Vulnerability management teams often face difficulties in patching all of their systems on a timely basis. This is true for traditional OT devices such as HMIs, PLCs, etc. But it is also very true in sensitive IT-like environments such as pharmaceutical labs or hospitals. Recent research says that 81% of CIOs and CISOs delay patches due to operational concerns.
The resolution is typically to prioritize patches most critical to your OT environment based on risk and exploitability. But this raises two questions: How do you effectively prioritize? What do you do with those assets that either cannot be patched or are not top of the priority queue?
360-degree vulnerability assessment
Most organizations use various tools for patching and vulnerability management, network segmentation and management, configuration management, malware protection, and access control. It is difficult to effectively address patching in these critical systems without a full view of the entire vulnerability and protection picture. Without a 360-degree view, it becomes impossible to understand the true vulnerability as well as to prioritize remediation actions.
A 360-degree asset analysis aggregates a full view of the environment into a single database and analysis tool including:
Asset technical details:
- Patch status
- Software vulnerabilities including CVEs, alerts, etc.
- Insecure end point configurations
- 100% software inventory to identify unnecessary and risky software programs
- Dormant, admin, shared and other account risks
- Password settings
- Unapproved or risky ports, services, etc.
- Network protections such as location of asset behind firewalls, ACLs enforced, etc.
- Log data on device and user behavior
Third-party tool information:
- Anti-virus signature status
- Application whitelisting control status (present, lock-down, etc.)
- Backup status
Meta-data (or internal expert knowledge):
- Operational criticality of the asset
- Location, owner, etc.
- System grouping and regulatory environment
Benefits of a 360-degree vulnerability assessment:
Improved efficiency and effectiveness of patch prioritization:
Looking at the CVE and CVSS score and including exploits is an incomplete picture of the risk of an asset. You need to include asset criticality. If that asset is sitting behind a data diode or has application whitelisting with a narrow application set in lockdown mode, the asset may be less at risk than one that has less critical vulnerabilities but has no network protection.
Efficient and effective roadmap of compensating controls:
It is not enough to prioritize patching. Effective security requires there to be a documented compensating control if deployment of critical patches is delayed. A 360-degree view allows organizations to prioritize which compensating control is most efficient and effective given the asset situation. Is whitelisting an effective option or is the system too old to allow for agent deployment? Can you remove risky software (that was part of the IT standard build) that requires regular patching? Can you lock down firewalls more? Should you invest in additional firewalls for specific highly critical, older devices?
Automated documentation and audit:
One of the biggest challenges to vulnerability assessment is gaining visibility into what compensating controls are in place if an asset is not patched. 360-degree assessment removes the silos that separate the various controls allowing much easier audit and documentation, whether your standard is an internally imposed NIST CSF or CIS CSC20 or a regulatory imposed one.
Verve Security Center provides a 360-degree view of vulnerabilities. The platform brings together dozens of different vulnerability views of the environment (patch and software vulnerabilities, endpoint configuration, passwords, access control, network rules and configurations, backup status, whitelisting status, etc.) in one place.
This common database significantly reduces the cost of managing vulnerabilities and increases the speed at which the organization can employ the appropriate compensating controls.
Patching prioritization is important, but if you add the full view, the security of the environment increases significantly as does the efficiency of the security and IT teams.