Qualys recommends steps to cut down on alert reaction and improve proactivity.
Research statistics show that the traditional approach to vulnerability management is falling short, and that a more proactive strategy is needed to stay ahead.
Speaking at the Qualys Security Conference in San Diego, Joe Petrocelli, vice president of product management, said that the traditional approach fails to ensure that the dynamic attack surface is covered, that unknown assets are being exploited, and that security teams are overloaded with 2200 new alerts coming from applications on a monthly basis.
Multiplied Pressure
With an average of 76 tools in each environment, and each tool having its own top ten priorities, Petrocelli said multiplying that shows the pressure teams are under to keep up with vulnerability management.
He said there are three basic tenets of improved vulnerability management: diverse environments, expanded attack surface, and holistic management. “It’s a continuous cycle,” he said.
“To be proactive you really need a solution that has incredible coverage across CVEs, and has accuracy. You want a solution that has a variety of sensors across the ecosystem. Whether you're talking about virtual, physical, data center, or mobile. Also you want to be able to integrate with any important tool that you choose.”
He also said that you want to be able to assess an inventory, not just Patch Tuesday-type releases but also software proposition misconfigurations, and to prioritise how to use modern established research methodologies.
“The last thing you want to use are ITSM standards like ServiceNow and Jira in order to automate your workflows across different mitigation strategies,” he said.
Monitoring, Intelligence and Harmony
Petrocelli said that, in the end, proactive prioritisation boils down to three buckets. The first is continuous monitoring, as you need to have unified access to all parts of the attack surface, and he said that “legacy vulnerability management tools do not give you this type of inclusion or commonality in language.”
Secondly, you need to incorporate dynamic, updated, automated threat intelligence to help improve your ability to prioritise cyber risk alongside a business process, and thirdly the walls need to be broken down between hygiene and security.
“You've heard this a few times today, the platform configuration that IT management does not need to happen in a vacuum,” he said. “Separation of duties is one thing, but the ability to automate remediation of critical vulnerabilities, and configuration of the patch jobs and all of your prioritization from is incredibly powerful from a time saving perspective.”
He also said this cannot be done manually, and recommended using a single solution that allows you to automate the discovery of assets across the entire attack surface, and recommended using Qualys’ VMDR tool.
Written by
Dan Raywood
Senior Editor
SC Media UK