Improving your security processes - where to put your focus for real world results

By Paul Baird, Chief Technical Security Officer, Qualys.

  • 1 year ago Posted in

You would be hard pressed to find an organization that doesn’t want to improve their security. Collectively, billions of dollars, pounds and Euros are spent globally on security in an effort to keep threat actors at bay - according to IDC, spending in Europe will grow 10.6 percent in 2023, with total spending estimated to reach $71 billion annually by 2026. But how can we ensure that this spending makes a difference?

Security teams must think holistically about attack paths, examine threat actor behaviours to understand what could wreak the most havoc, and quickly control threat activity when a breach occurs. They must adopt risk-based methodologies that allow cybersecurity technologies, processes, and people to converge and collaborate.

Today’s tools often focus solely on generating more and more detections and alerts, which simply is not enough to help keep organisations secure. Now, more than ever, companies need insights that help prioritise their most severe vulnerabilities across their most critical assets, with a firmer grasp on how to resolve them before attackers can exploit them. The Qualys Threat Research Unit (TRU) looked at trillions of data points in 2022 to see where the biggest risks were for businesses, and where IT security teams can focus their efforts.

Deal with the patching gap

Patching has always been problematic for organisations of all sizes and industries. For small companies, it is difficult to manage as they often have limited staff. For large enterprises, the sheer number of devices, teams, business units and different teams responsible for the variety of IT and security processes involved increases the overall complexity. This slows down how quickly patches get deployed, leaving the gate open for threat attackers to exploit at their leisure.

According to our data, it took attackers 19.5 days on average to weaponise a new software vulnerability. However, it took security teams 30.6 days on average to patch those vulnerabilities. This means that attackers have 11.1 days to exploit that issue before patching is

completed. Patching for those critical issues speeds up once an attack is successful and defenders know they have to concentrate on that particular attack vector, but there is still a gap that can lead to exploits.

The average time to patch is around 30 days, while the time to weaponise malware was nearer to 40 days. Ransomware takes even longer to weaponise, with an average of around 45 days. This means that these attacks take advantage of older issues that have not been patched. By prioritising patching for those vulnerabilities that could be weaponised, or that are specifically risky to your organisation, you can prevent problems as early as possible. This helps you avoid future emergency drills and overtime on responding to those issues.

Automate patching where you can

Understanding the best way to automate patching for your critical applications can drastically reduce the amount of time that it takes to protect applications against attack, as well as supporting the vast majority of users. For example, Chrome and Windows comprise one-third of the weaponised vulnerabilities data set, with 75 percent of these issues used by named threat actor groups. Because of the risk involved in these issues, organisations typically patch them first and most thoroughly. According to our data, the mean time to remediate (MTTR) issues with these products globally is 17.4 days, or about 2 and a half weeks. Secondly, these two products have an effective patch rate of 82.9 percent. In essence, Windows and Chrome are patched twice as fast and twice as often as other applications in the business.

Automating the deployment process helps to speed up the delivery and successful deployment of patches. We can see this in our data - for patches that could be automatically deployed, they were put into place 45 percent more often and 36 percent faster than those that had to be deployed manually. Based on this, you can achieve better patching performance for your team if you take advantage of automated deployment where you can.

Understand who is targeting you

Aside from the new vulnerabilities that might be disclosed, there are a myriad of other attack vectors. A large issue in today’s threat landscape are Initial access brokers (IABs), which look to create footholds within company networks and then sell them on to other groups. IABs look for issues around misconfigurations in perimeter devices or publicly-facing IT assets that they can exploit, or seek out opportunities based on phishing individuals. Their job is to get that foot in the door which they can then monetise, either by finding sensitive company data, deploying ransomware or selling that access to another threat actor.

Because Windows and Chrome are patched so quickly, IABs tend to look at other software products for potential vulnerabilities. These other products tend to be lower priorities for security teams, but they still require patching over time. By understanding this ‘long tail’ of risk, you can manage it appropriately.

Malware is not the only attack approach

While a lot of the attention for security professionals will be spent on preventing malware attacks, misconfigurations are a huge area that must also be addressed. These issues fall into two groups - web applications and cloud infrastructure.

For web applications, misconfigurations can include a range of missed settings that would allow an attacker to get access, receive more data than they should, or build up more information on the rest of the company’s infrastructure. Inadequate or missing encryption can expose data, while site injection attacks can lead to broken web applications or stolen data.

Using the OWASP Top Ten list for web application security best practices can help, but the best approach is to look at how you can collaborate with your organisation’s software and web developer teams to improve deployments ahead of time. By helping these teams to understand potential threats and prioritise risks, you can help them be more efficient in fixing problems that represent the most potential for attacks.

It is not enough to scan your web applications for potential security issues, as every application will display issues - based on our anonymised data from 370,000 web applications, there were 25 million flaws discovered. Instead, you have to help your developer colleagues to prioritise the risks that are the most pressing and potentially dangerous.

On the cloud infrastructure side, similar challenges exist. Cloud deployments can be complex, but there are also opportunities for simple misconfigurations to lead to data breaches. One of the top reasons for data leakage is because cloud storage buckets or databases were mistakenly left accessible without passwords or encryption. Checking for any instances of these misconfigurations in your cloud deployment should be automated, so you can automatically flag any problems for rapid response.

Using cloud security benchmarks can help you improve your security posture. For example, the Center for Internet Security provides benchmarks for the three major popular cloud security platforms - Amazon Web Services, Microsoft Azure and Google Cloud Platform. The CIS Benchmark for AWS provides several security controls to measure public access to data in S3 buckets, and it includes checks on status as well as preventative controls. Using these

preventative measures can make it much harder to make mistakes or inadvertently expose data, but they are less likely to be used.

While a check for public exposure shows that only one percent of buckets are publicly exposed, there are two preventative controls that are implemented only 50 percent of the time. This means that there is a high potential for someone to inadvertently make an S3 bucket public. Although protecting the entire bucket is crucial, it is also essential to safeguard the files stored in the bucket from being publicly accessible. Unfortunately, only 40 percent of organisations are currently using those preventative controls to prevent files from being accessed publicly.

Looking at the whole picture around cloud and infrastructure, taking a proactive approach around security controls and mitigations can help you prevent potential problems more efficiently. Using the CIS Hardening Benchmarks is an effective starting point to address these potential threats, while individual controls associated with ransomware-specific techniques must be reviewed carefully too.

Overall, improving your security approach involves using automation, data and tools to support your team in being effective. However, the biggest opportunity comes from prioritising your own specific infrastructure gaps and risks. No one knows your infrastructure as well as you do, so use automation and data for how it can make you more efficient. At the same time, you can help your team to deliver better results.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.