Former NCSC incident management director John Noble, opening the Qualys Security Conference (QSC) in London, warned that much of what he would say would be “to use a British phrase, bleedin’ obvious”.
He was right. And that’s a problem.
“My colleagues at NCSC [say] remediation remains the most important activity an organization needs to focus on,” said Noble – now non-executive director of the NHS – adding: “Mismanagement of credentials continues to be a big challenge for organizations – it’s certainly in the NHS.”
He noted: “We’ve had trade-offs based on poor credential management, where we’ve had people leaving the organization, [and their] password has been compromised – basic things like that. Reusing passwords, all these other aspects, not having multi-factor authentication deployed where it should be.”
Legacy systems, poor due diligence during/after M&As, cloud misconfigurations, poor inventory and asset management – Noble’s list of the most commonly exploited issues will surprise no one. Yet organizations are still failing to secure the fundamentals of IT infrastructure.
See: Top 3 ransomware infection vectors remain disturbingly consistent
One way to solve this problem is to change who owns the risk – which was the approach of Sky Betting and Gaming. The firm uses the Spotify model, where the internal “tribes” are strongly vertically integrated; Glenn Pegden, head of security vulnerabilities at Sky Betting, said that when their CISO arrived, he handed over ownership of security risks to the tribes.
“The model we have is that the tribes own everything end-to-end. They’re responsible for availability, they’re responsible for design. They are now responsible for security risks. And it took us from blockers, the typical security cop who says no, you can’t do that, to enablers,” Pegden said at the conference.
“We didn’t make decisions about whether or not to upload things – basically tribes could upload whatever they wanted. We’ll advise on risk, we’d say we think there’s a risk you probably don’t want to take, but ultimately it’s your risk, not ours – yours.”
He said it revolutionized the role of the security team: “The second we pushed the risk back to the tribe and stopped managing, taking that risk on them, it opened up a whole new stack of opportunities.”
Automate patches, improve risk management
For many organizations, such a drastic decision is certainly not practical.
And for these organizations, Sumedh Thakar, CEO and President of Qualys, believes that increasing the role of automation and shifting from vulnerability management to risk mitigation is the future.
He told QSC: “What we hear from many customers is to find ways to really focus on the risk – there’s no point looking at your five million vulnerabilities that are constantly reported.
“It’s about which of these are really causing a risk to the organization and how do we move from a model today where it’s very comprehensive coverage, ‘you have to fix everything which is level three and above,’ more to a risk-based approach.”
(Qualys provides, among other tools, a Vulnerability Management, Detection, and Response (VMDR) module that allows users to discover, assess, and prioritize patches for critical vulnerabilities, automating patch management on Windows and Linux assets using a single patch management application to schedule run-once or recurring tasks.)
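The contrast Thakar draws between “fix everything level three and above” and a risk-based approach is easy to show on data. The following is an added example, not code from the article or from Qualys: it runs a severity-threshold rule and a weighted risk ranking over a constructed inventory (the asset names, the `EXAMPLE-000n` identifiers and the scoring weights are all assumptions), and produces the kind of per-asset summary a monthly patch status report needs.

```python
from dataclasses import dataclass
from collections import defaultdict


# Constructed sample inventory: three assets and six findings. Identifiers
# such as "EXAMPLE-0001" are placeholders, not real CVE ids.
@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    business_critical: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: Asset
    severity: int          # scanner severity level, 1 (low) to 5 (critical)
    exploited_in_wild: bool
    exploit_public: bool
    patch_available: bool


WEB = Asset("web-01", internet_facing=True, business_critical=True)
HRDB = Asset("hr-db-01", internet_facing=False, business_critical=True)
LAB = Asset("lab-pc-07", internet_facing=False, business_critical=False)

FINDINGS = [
    Finding("EXAMPLE-0001", WEB, 2, True, True, True),
    Finding("EXAMPLE-0002", HRDB, 4, False, False, True),
    Finding("EXAMPLE-0003", LAB, 5, False, False, True),
    Finding("EXAMPLE-0004", LAB, 3, False, True, False),
    Finding("EXAMPLE-0005", WEB, 3, False, False, True),
    Finding("EXAMPLE-0006", HRDB, 1, False, False, True),
]


def severity_threshold(findings, min_level=3):
    """The 'fix everything level three and above' rule: severity only."""
    return [f for f in findings if f.severity >= min_level]


def risk_score(f):
    """Weighted risk: severity plus threat intelligence plus asset context.
    The weights are assumed for illustration; an organisation would tune them."""
    score = f.severity * 10
    if f.exploited_in_wild:
        score += 40
    elif f.exploit_public:
        score += 20
    if f.asset.internet_facing:
        score += 20
    if f.asset.business_critical:
        score += 10
    return score


def risk_prioritised(findings, budget):
    """Top `budget` findings by risk; among equal scores, prefer ones a patch exists for."""
    ranked = sorted(findings, key=lambda f: (risk_score(f), f.patch_available), reverse=True)
    return ranked[:budget]


def patch_status_report(findings):
    """Per-asset counts of open, patchable and actively exploited findings."""
    report = defaultdict(lambda: {"open": 0, "patchable": 0, "exploited": 0})
    for f in findings:
        row = report[f.asset.name]
        row["open"] += 1
        if f.patch_available:
            row["patchable"] += 1
        if f.exploited_in_wild:
            row["exploited"] += 1
    return dict(report)


if __name__ == "__main__":
    print("Severity threshold picks:", [f.vuln_id for f in severity_threshold(FINDINGS)])
    print("Risk-based top 3:", [f.vuln_id for f in risk_prioritised(FINDINGS, 3)])
    for asset, row in patch_status_report(FINDINGS).items():
        print(asset, row)
```

The point the sample data makes is that the severity-only rule selects four findings and misses `EXAMPLE-0001` entirely, even though it is the one being exploited in the wild on an internet-facing, business-critical host; the risk ranking puts it first and lets a fixed remediation budget go to the findings that actually matter.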
Qualys’ solution to this is automation, an area where Thakar suggests security has lagged behind mainstream IT in adoption – unlike bad actors.
“Attackers use a lot of automation, don’t they? Well, we had a hard time getting permission to run analysis from our team, whereas attackers don’t need to get this permission. They just do it when they want, that’s true. So it just doesn’t make sense. But that’s what we have to deal with,” Thakar said.
Paul Baird, UK Technology Security Director at Qualys, agreed: “We are currently behind schedule. Attackers have taken over because they are automated. They have fun. You know, it’s an amazing business model for them. They can win $10 million and go back to bed.”
Patch management is one area where automation could significantly reduce organizations’ attack surfaces, but for many it remains a decidedly manual process.
To some extent, this depends on how important IT has become to organizations, according to Thakar: “A company’s ability to grow today is directly proportional to the innovation that IT can bring within the organization. And I think there is inherently some risk aversion, and so sometimes they don’t want to be in a situation where they’ve tried to do something and then it breaks,” he said at the QSC event on May 12.
“So the infrastructure explodes, the business grows, but your cybersecurity team, if they can’t keep up, then you really get to the point where the only way to do that is with a significant amount of automation.”
For Thakar, the way to square that circle is to automate basic security hygiene tasks, such as most patching.
Thakar said an important step is “overcoming the fears of knowing if something breaks has to be balanced with the fear of what happens when we are compromised, right?”
He gave an example of this in his opening speech, where an organization was driven not by fear of a breach but by fear of losing business. After installing the Qualys Agent for Vulnerability Management, the organization debated whether to use patch management or do nothing – until the pandemic forced 300,000 employees to work from home: “It’s a service provider. So all of their customers actually require them to provide a monthly patch status report. And they haven’t been able to produce that. So the company came and told them that if you weren’t able to produce this report in two weeks, we were going to lose $X million in revenue.
“Their CISO called me on Monday. On Wednesday we had it activated on all 300,000 laptops, patching immediately without VPN or anything. On Friday they sent the patch report. And there’s no more conversation about whether the patches should be done together or not,” Thakar said.
Unfortunately, many companies are driven by cost allocation decisions that will always prioritize other things: “Sometimes we are challenged and I see that with the NHS – in healthcare, it’s a particular problem; every penny you take for cybersecurity, you don’t spend on patient care. But the reality is this is a matter of patient care. Because if we lose access to those systems, we completely undermine people’s trust,” Noble said.