“Enterprises cannot get in front of their risk and patch effectively when they are always behind in getting their critical and most at-risk assets hardened against threats,” says Sanjay Raja, VP of Strategy and Technical Marketing, Digital Defenses, in an exclusive interview with ITSecurityWire.
ITSW Bureau: What are the challenges enterprises encounter when eliminating network vulnerabilities?
Sanjay Raja: The fundamental enemy of vulnerability and patch teams is the lag between vulnerability scanning and patching. While many enterprises support a vulnerability management program, it ends up being a compliance checkbox versus adding any true value in preventing a breach.
This is due to the nature of legacy vulnerability management platforms that are obtrusive to the network, cripple resources on a host during scans, poorly correlate and de-duplicate dynamic assets and fail to provide meaningful prioritization.
Most companies scan their assets piecemeal anywhere from monthly, which is rare, to every three to six months during maintenance windows, so as not to impact performance. Once the scanning is completed, with no prioritization based on active threat risk or business context, patch teams are handed huge lists of assets with multiple patches that quickly become out of date as new vulnerabilities and attacks arise.
Worse yet, despite vendor claims, a huge number of false positives are also added to the list, as a host is often scanned for vulnerabilities in operating systems and applications that are not even supported.
Enterprises cannot get in front of their risk and patch effectively when they are always behind in getting their critical and most at-risk assets hardened against threats.
ITSW Bureau: How can enterprises protect and organize their ever-growing data while streamlining their vulnerability and threat management?
Sanjay Raja: Discovering, fingerprinting and tracking critical assets is an important first step in optimizing your vulnerability and threat management program. As the risk and threat posture is determined based on the assessment of these assets, CISOs can then apply that contextual knowledge to other parts of an enterprise’s security program, including detection and remediation of threats.
In addition, while many legacy solutions have been re-purposed to appear to support the cloud, a true 100% cloud-native solution is critical to help customers transition their data and networks into more public cloud infrastructure, like AWS or Microsoft Azure, while still maintaining security. This is especially critical as more end users are working remotely with access to corporate resources through the cloud also increasing.
ITSW Bureau: What steps can enterprises take to secure their web applications?
Sanjay Raja: During the evaluation and/or development process, depending on whether it is purchased or developed in-house, it is critical to test applications for web application vulnerabilities. While a lot of solutions or services charge per scan, this can be costly when developers are making frequent changes.
If enterprises can adopt more of an unlimited or subscription model for these services and offerings, it can help them scan frequently and determine their risk posture when it comes to web applications that are frequently targeted by malicious attackers.
ITSW Bureau: In today’s environment, where malware is becoming sophisticated every hour, how can enterprises protect their endpoint technologies?
Sanjay Raja: In addition to the ability to increase the frequency of vulnerability scanning and to patch systems more efficiently, enterprises need to incorporate threat intelligence sources that can contextualize the information to make it useful, rather than just flooding security analysts with inconsumable threat data.
An understanding of the most active threats or newly weaponized vulnerabilities, customized to the assets in the environment, can help security teams prioritize remediation efforts. This also enables endpoint security solutions and security teams to be more effective in looking for new or current threats that are actively targeting other organizations.