Common vulnerabilities remain unpatched; what can the CISO do?

News Desk -

Share

By Eran Livne, Senior Director, Product Management, Qualys

When the United Arab Emirates (UAE) became the scene of mass cloud migration in 2020 and 2021, the move was of enormous importance to business continuity. But for those enterprises that had previously treasured their on-premises autonomy, it was a time of chaos for the IT and security teams tasked with defending their architecture. While end-users got to grips with working remotely, they may have seen little change in their day-to-day interaction with corporate networks. But technologists would scarcely have recognized their own backyard, distributed among multiple clouds and domains.

This led to many problems. Chief among them was vulnerability patching. Consider the rather obvious observation that teams cannot monitor, audit, patch, and protect what they cannot see. The UAE-based SOC became a stressful place to work. In one study from earlier this year, some 155,000 vulnerable assets were uncovered in the UAE and more than 40% of critical flaws were found to have remained unpatched for longer than five years. These figures are mirrored in the 2023 Qualys TruRisk Research Report. Findings included that, on average, attackers take 19.5 days to weaponize a vulnerability that takes 30.6 days to patch. In the 11.1 days in between, attackers do not sit idle. Initial-access brokers (IABs — those who crack the walls and doors open and then sell the holes they have made to other threat actors) are opportunists that will pounce on the easiest prey and punish the unpatched flaw.

Vulnerabilities and misconfigurations are gifts to cybercriminals. But despite patching being a top priority for every CISO, problems like tech sprawl, system compatibility, and downtime scheduling stand in the way of robust vulnerability management. Zerologon (CVE-2020-1472) exploits a flaw in Microsoft’s Netlogon Remote Protocol to elevate privileges to full domain access. Despite a fix being released in August 2020, based on our research, Zerologon was used at least 56 times in 2023. And the Apache Log4j Remote Code Execution vulnerability, more commonly known as “Log4Shell” (CVE-2021-44228), was used 77 times in the same year despite being patched in December 2021.

Action stations

While each organization has its own issues that hold it back from patching, each will face the common testing and staging phases. After that, we can assume a further formal workflow to greenlight a production fix. Whatever time it takes for this process to complete must be added to the 11-day window where organizations stand vulnerable to attacks. And even the 11-day gap is an average. Our research showed a quarter of vulnerabilities had exploits released within a day of the initial disclosure.

So, it is clear that the lag between patch release and implementation is a considerable source of risk. But it is not always easy to shrink that time gap. Patching can be disruptive to business operations and lead to compatibility issues. And in a region where regulatory concerns are a constant, compliance can take a hit after a patch is deployed — ironic, given one of the main reasons for taking cybersecurity and patching so seriously is to satisfy regulators. When taking all of this into account, some organizations may have higher burdens of proof for CIOs and CISOs when deciding to go ahead with a patch, especially if line-of-business leaders are aware that less than 3% of vulnerabilities end up being weaponized.

So, what is a risk-oriented leader to do? If possible, they should ensure that systems are designed to absorb change more flexibly and minimize disruption. Technology leaders should take the time to assure their colleagues that they understand business objectives and operations. They should explain the need for strategic triage that will prioritize those vulnerabilities that are a threat to operations. The board reacts positively to an ROI narrative, so security leaders should demonstrate the virtues of the trade-off between a little disruption today and more serious disruption in the future.

Allied forces

This approach works best if security professionals join forces with IT admin teams and DevOps teams to present a united front. Fortunately, the modern C-suite reads and watches the news headlines about cyber incidents. In light of this awareness, and the reality that Middle East data breaches cost an average U$8 million, it has become easier to join the dots between security risk and business risk. But SOCs must still respect the goals of other departments, liaising with individual leaders on their operational priorities so that security goals become more business-centric — specific, measurable, achievable, relevant, and time-bound (SMART). This methodology will highlight areas for improvement, including within business processes.

It is important to note that system architecture may be an impediment and that collaboration with other departments may have to include a case for investment in new digital assets that will support critical patching. It is here where non-tech allies will be crucial in getting the point across, which is why it makes sense for CISOs to get into the habit of framing all their goals (including patching) in the context of sound investments rather than solutions to technical problems. The end game is to encourage a mindset that recognizes the value of long-term, sustainable solutions and favors them over stop-gap measures that may end up increasing risk.

When things go wrong, the CISO — not company accountants or board members — is the one in the spotlight. If one cannot control budgets or green lights, then one must focus on new narratives that win over the decision-makers. Security leaders should use language like “maximizing ROI” and “derisking operations” alongside “enhancing agility” and “tightening compliance”. The CISO’s role is now one of risk manager and business enabler. They must embrace it to win hearts and minds so that the enterprise they protect can be — from boardroom to breakroom — allied with the SOC in the fight against the threat actor.