SANS Control 3—“Continuous Vulnerability Management”

The Core Principle

That first word—continuous—is the core of this control. “Continuous” has seen a bit of hype in tech circles in other contexts. In particular, I’m thinking of continuous integration and continuous delivery from the world of DevOps and continuous improvement from the world of Digital Transformation.  Why not think of security the same way?

Why should CISOs make a big deal of “continuous assessment”? Why not just settle for “regular assessment” or “very frequent assessment”? This is not about lowering the frequency of scans, it’s about decreasing the level of effort. If I changed the name of this control to “Effortless Vulnerability Assessment and Remediation,” it would probably evoke a more correct image in your mind.

Effortless is hard, I’ll admit it.

For your fragile systems (i.e. systems that are end of life, or many patches behind, or that no one wants to touch because the lead developer who built them is long gone), effortless is not going to happen without some major changes in your work. This is not a problem you’re going to solve within the security team or with some shiny new security toy.

But the benefits of achieving this are similar to those achieved by devops teams that manage to reduce their batch sizes and get their organization doing 10 deploys a day:

  • Time-to-fix for your vulnerabilities will drop.
  • You suddenly won’t have to spend as much time cleaning up after drive-by hackers who popped your DMZ servers with a newly released Metasploit module but clearly didn’t have a clue what they had.
  • You won’t have to spend your non-existent social capital with the dev teams to trick them into embarking on major-version upgrade death marches just to patch an emergency CVE.
  • You won’t need to employ a full-time project manager just to whip those dev teams along via the Harry Potter owl method of patch management.

So how do you get there, if it can’t be done by your team alone? Let’s have some real talk. It’s time for you, as the transcendent CISO, to put your business hat on, go see the CIO/CTO/CEO and have a discussion about setting up cross-functional teams, and how your team wants to be involved in the IT projects that are replacing fragile systems. This will knock their socks off.

Now that we understand why ‘continuous’ matters, why is it important for your company’s security? Two reasons:

First, the Internet is continuously subjecting your company’s systems to low-intensity attacks, so you must be continuously defending—ideally also at low-intensity. It used to be acceptable to patch your system within a few days of a security update. Now, the gap between patch and exploit is so dangerously tight that major security vulnerabilities are actually getting reported and silently fixed by the major vendors weeks or months before the bug is even publicly acknowledged. That’s what happened (and also failed to happen) with Spectre and Meltdown. In a world of continuous low-intensity attacks, you must identify out-of-date systems and patch them almost immediately. Or better yet, blow the minds of your colleagues by humbly suggesting they use managed services that actually patch these vulns for you, before they hit the slash-dot news cycle rather than trying to force some sketchy security vendor tool down everyone’s throat.

Second, continuous assessment is a healthy alternative to a draconian policy about change control. Change control boards are usually terrible and ineffective. Why? Because they are always a bottleneck to Getting Things Done. And also because humans are horrible at exactly the type of work Change Management boards require: slogging through a haystack of tens of changes each week looking for that one change that actually matters. Do you honestly want to pay a vendor five or six figures a year to tell you what vulns you actually need to fix? Can you afford to pay a cyber analyst to do that? Continuous vulnerability assessment and remediation allow you to react in real-time.

Transcending the Control

Now that we’ve covered why it’s important to do this control continuously, a brief word on the Management part of this control. 

A lot of CISOs get hung up on how they’ll achieve the last 20% of this control, and go down a very expensive rabbit-hole. There are crazy solutions in the automated vulnerability / mitigation space. My advice is to start simple and follow the Pareto Principle. Don’t let the perfect be the enemy of the good. There are a lot of solid open-source options, like Facebook’s osquery, that when linked with some simple scripting and log monitoring, can get you pretty far. Or better yet, take advantage of the native services provided by your cloud, like Security Center for Azure, and CloudWatch in AWS. And get these services to alert your team, so you don’t have to have someone checking these portals every 5 minutes (hint: you won’t do it, they don’t do it, and no one ever has).
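As an added example (not code from the original post or from the osquery project), here is the “osquery plus simple scripting” pattern in its smallest useful form: read the installed-package inventory that osquery reports, compare each package against a minimum-safe version list, and produce an alert line a scheduler or log monitor can pick up. It assumes osquery’s `deb_packages` table and `osqueryi --json` output; the package versions and the minimum-safe list are constructed placeholders, not real advisory data.

```python
import json
import re
from typing import Dict, List

# Constructed stand-in for `osqueryi --json "SELECT name, version FROM deb_packages"`,
# embedded so the script runs offline. Versions are placeholders, not real host data.
OSQUERY_OUTPUT = json.dumps([
    {"name": "openssl", "version": "1.1.1f-1ubuntu2"},
    {"name": "nginx", "version": "1.18.0-0ubuntu1"},
    {"name": "curl", "version": "7.68.0-1ubuntu2.7"},
])

# Constructed "minimum safe version" list; in practice this is maintained from
# vendor advisories. Placeholder versions, not real advisory data.
MIN_SAFE = {
    "openssl": "1.1.1g",
    "nginx": "1.18.0",
    "curl": "7.70.0",
    "sudo": "1.9.5",  # not installed on this host, so it must not alert
}


def version_key(version: str) -> tuple:
    """Turn '1.1.1f-1ubuntu2' into a comparable tuple. The distro revision after
    '-' is dropped; numeric runs compare as ints, letter runs as strings."""
    upstream = version.split("-", 1)[0]
    parts = re.findall(r"\d+|[A-Za-z]+", upstream)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def find_outdated(osquery_json: str, min_safe: Dict[str, str]) -> List[dict]:
    """One finding per installed package whose version is below its floor.
    Packages with no entry in min_safe, or not installed, produce nothing."""
    findings = []
    for row in json.loads(osquery_json):
        floor = min_safe.get(row["name"])
        if floor is not None and version_key(row["version"]) < version_key(floor):
            findings.append({"package": row["name"],
                             "installed": row["version"], "min_safe": floor})
    return findings


def format_alert(findings: List[dict]) -> str:
    """Single-line-per-finding text, easy to ship to a log monitor or chat hook."""
    if not findings:
        return "OK: no packages below minimum safe version"
    lines = [f"ALERT: {len(findings)} outdated package(s)"]
    lines += [f"  {f['package']}: installed {f['installed']}, need >= {f['min_safe']}"
              for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(find_outdated(OSQUERY_OUTPUT, MIN_SAFE)))
```

Run it from cron or a scheduled task and route the ALERT lines into the same log monitoring you already have, which is the “alert your team” step rather than a portal someone has to check.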

Another hidden way to help achieve these goals is to offload the responsibility on managed platforms that automatically patch the badness away. Worried about out-of-date WordPress sites? Put them on WPEngine, which automatically applies security patches, and behind Cloudflare’s WAF, which actually adds filtering rules pre-patch-release to mitigate a vulnerability, and you’ve basically got this control covered, as it pertains to WordPress deployments.

The next article will talk about the fourth core principle: Controlled Use of Administrative Privileges.