In this final blog of The Vulnerability and Exposure Management Survival Guide series, we discuss how to improve the mitigation and remediation of the vulnerabilities we have previously identified as being most likely to be exploited.

Mitigation and remediation are the primary objectives of Vulnerability Management and Continuous Threat Exposure Management processes. Mitigation is the control implemented or the action taken to reduce the impact or likelihood of a vulnerability or exposure being exploited before a fix is available or applied. Remediation is the resolution of the vulnerability or exposure, typically completed by applying patches or updates, or by correcting misconfigurations.


Don't Wait, Mitigate

Think of security's role as one of enforcement and enablement. I'm going to provide stakeholders with everything they need to be successful, but I'm also going to hold them accountable. Let's face it, many times as security practitioners, we feel powerless over patching and remediation, but we don't have to be. What if I told you that you could be an active participant in risk reduction activities, not just identification and communication? Let's talk about mitigation.

Mitigations are an often-overlooked tool within security's toolbelt. While we have all the capabilities to deploy these mitigations regularly in response to threats and exposures, most organizations don't. Web Application Firewalls, Intrusion Prevention Systems and Endpoint Detection and Response capabilities are just a few of the commonly deployed technologies that can be used to implement mitigations in your environment. However, most of the time, these controls are deployed on an ad hoc or "as needed" basis because mapping your defenses to your controls can be a very time-consuming and manual process.

Key Insight:

By deploying immediate mitigations instead of waiting for full remediation, you can reduce risk exposure faster, improve compliance, and demonstrate a proactive security stance that adds significant business value.

When are you deploying WAF rules? Is it only when an application security review calls for them, or are you doing it proactively? How about your IPS rules? Are you regularly deploying and evaluating your controls against known attack vectors? Well, if you are, you are ahead of the curve. Most of the time these controls are deployed on an as-needed basis and sometimes not at all. These are just a few of the tools at the disposal of most security organizations, but we are often not leveraging their full capability.

Deploying these proactive mitigations not only helps to reduce risk in your organization, but also improves your ability to adhere to compliance requirements like SLAs. If you can defuse a vulnerability and lower its potential impact on your environment, it should be done without delay, even if you are waiting for a full patch or remediation. The sooner you deploy mitigations, the faster you will reduce the risk exposure, and in many cases, this allows you to extend the timeline required for remediation.

In case I haven't made my point - don't wait for a patch to be deployed before addressing risks. Use the tools at your disposal to mitigate threats immediately, while continuing to work towards remediation. You will not only reduce the risk to your environment, but also demonstrate your organization's commitment to proactive security and risk management.

“Average time-to-exploit (TTE) in 2023 was only 5 days”

Mandiant

Highlight Your Remediation Rockstars

The ultimate goal of any vulnerability or exposure management team is the remediation of detected vulnerabilities and exposures; however, we know this is not always easy to do. It takes time to thoroughly test patches or changes to configuration settings, and IT teams are already overloaded with other tasks. Additionally, some organizations do not have the necessary resources, tooling or repeatable processes to ensure that patches are deployed in a timely manner. That is why incorporating mitigation is so important (See Above!), but as I stated above, that is not the ultimate goal - remediation is. So how can we help our stakeholders in IT get motivated to improve remediation timeliness?

Governance mechanisms play a key role in encouraging these expected behaviors. Things like documented policies and controls, a security exception or risk acceptance process and leadership reporting are all things that help to emphasize the importance of timely patching.

In addition to governance mechanisms, there are some other strategies that I have seen work extremely well when put into practice. One is creating security champions within each business unit or segment. These champions should be people who regularly work with Cybersecurity and do a good job of upholding their responsibilities for maintaining secure assets and applications. They are the people others will turn to in order to better understand Cybersecurity policies as well as the practices they've put in place to adhere to those policies. Champions sometimes have a special email banner or something visible on their desk that others can see and recognize that they are a security champion or ambassador. At one company they put a stuffed animal squirrel on the desks of security champions and called it the 'Secret Squirrel'. That's a little nutty, but you get the gist.

The tactic that I have seen work best to motivate asset and application owners to remediate in a timely manner is through gamification and recognition. Stratify leadership reporting by business unit, leader, applications and owners. The leaders and application owners who have the best metrics will feel a sense of pride and will be committed to maintaining their status as a top performer. Those at the bottom will likely not want to be portrayed to other leaders and app owners as subpar performers and will work to improve their metrics. An additional benefit to this strategy is that you will be able to more easily identify those organizations, leaders and app owners you should focus on to drive improvement.
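The stratified reporting described above, and the earlier point that an early mitigation shortens the exposure window even when the patch comes much later, both reduce to the same bookkeeping: per finding, when it was discovered, when a compensating control went in, and when it was actually fixed. The following is an added example, not code from the post or from Zafran, that computes those metrics from a constructed set of findings (asset names, business units, owners and dates are all made up) and produces a leaderboard by business unit or by owner. Mean days exposed counts to the first risk-reducing action (mitigation or remediation, whichever came first); Mean Time to Remediate counts to the fix only, so the gap between the two columns is the benefit the mitigation bought.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Callable, Dict, List, Optional

# Constructed sample data (not real findings): one record per vulnerability
# instance on an asset. None means the milestone has not been reached yet.
@dataclass
class Finding:
    asset: str
    business_unit: str
    owner: str
    discovered: date
    mitigated: Optional[date] = None   # compensating control (WAF/IPS/EDR rule) in place
    remediated: Optional[date] = None  # patch applied or misconfiguration fixed

FINDINGS: List[Finding] = [
    Finding("web-01", "Retail",    "alice", date(2024, 3, 1), date(2024, 3, 2), date(2024, 3, 20)),
    Finding("web-02", "Retail",    "alice", date(2024, 3, 1), date(2024, 3, 2), date(2024, 3, 25)),
    Finding("api-01", "Payments",  "bob",   date(2024, 3, 1), None,             date(2024, 3, 8)),
    Finding("db-01",  "Payments",  "bob",   date(2024, 3, 3), date(2024, 3, 4), None),
    Finding("hr-01",  "Corporate", "carol", date(2024, 3, 1), None,             None),
]

# Reporting date for the constructed data; open findings accrue days up to here.
AS_OF = date(2024, 3, 31)


def days_exposed(f: Finding, as_of: date) -> int:
    """Days from discovery until the first risk-reducing action (mitigation or
    remediation, whichever came first). Still-unaddressed findings count to as_of."""
    milestones = [d for d in (f.mitigated, f.remediated) if d is not None]
    end = min(milestones) if milestones else as_of
    return (end - f.discovered).days


def days_to_remediate(f: Finding, as_of: date) -> int:
    """Days from discovery to the actual fix; still-open findings count to as_of."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.discovered).days


def stratify(findings: List[Finding], key: Callable[[Finding], str], as_of: date) -> List[Dict]:
    """Group findings by key (business unit, owner, ...) and compute per-group metrics,
    returned as a leaderboard sorted best-first: lowest mean exposure, then lowest MTTR."""
    groups: Dict[str, List[Finding]] = {}
    for f in findings:
        groups.setdefault(key(f), []).append(f)
    rows = []
    for name, fs in groups.items():
        rows.append({
            "group": name,
            "findings": len(fs),
            "open": sum(1 for f in fs if f.remediated is None),
            "mean_days_exposed": round(mean(days_exposed(f, as_of) for f in fs), 1),
            "mttr_days": round(mean(days_to_remediate(f, as_of) for f in fs), 1),
            "remediated_pct": round(100 * sum(1 for f in fs if f.remediated) / len(fs)),
        })
    rows.sort(key=lambda r: (r["mean_days_exposed"], r["mttr_days"]))
    return rows


def print_leaderboard(rows: List[Dict]) -> None:
    """Render the leaderboard as a fixed-width table for a leadership report."""
    print(f"{'rank':<5}{'group':<12}{'findings':>9}{'open':>6}{'exposed':>9}{'mttr':>7}{'fixed%':>8}")
    for rank, r in enumerate(rows, start=1):
        print(f"{rank:<5}{r['group']:<12}{r['findings']:>9}{r['open']:>6}"
              f"{r['mean_days_exposed']:>9}{r['mttr_days']:>7}{r['remediated_pct']:>8}")


if __name__ == "__main__":
    print("By business unit:")
    print_leaderboard(stratify(FINDINGS, lambda f: f.business_unit, AS_OF))
    print("\nBy owner:")
    print_leaderboard(stratify(FINDINGS, lambda f: f.owner, AS_OF))
```

In the constructed data, Retail takes 20 to 24 days to patch but has a mean exposure of one day because the WAF rule went in the day after discovery, while Corporate, with neither mitigation nor fix, tops out the exposure column. Swapping the `key` function is all it takes to re-cut the same findings by leader, application or owner, which is the stratification the post recommends.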

Key Insights:

By gamifying remediation efforts and recognizing top performers, you can leverage competitiveness to motivate stakeholders to reduce Mean Time to Remediate vulnerabilities, fostering a culture of timely threat response.

Make sure to recognize your top performers. This will create a culture where you are rewarding good behavior and inspiring improvement in others. Wouldn't you want to be portrayed as a top performer to your peers or leaders? Would you want to be seen as not upholding your responsibilities or inadequate in the performance of your duties? Probably not.

Most people are competitive whether they would openly admit it or not. If you won lawn of the year in your neighborhood, you probably wouldn't want to let your lawn turn brown by the next month. You will work to uphold your status as lawnmaster extraordinaire. If you are identified by your Homeowner's Association as not keeping your lawn up to standards you will probably be embarrassed and want to improve. I know I would. People's competitive nature translates to the workplace also, so why not give it a shot and see if you too can inspire improvement in your organization.

Conclusion

By taking smaller, faster mitigation steps to minimize the impact or probability of exploitation, cybersecurity teams reduce risk now, buying their company, stakeholders, and fix owners the time needed to actually remediate the root cause of the vulnerability. Considering that the average time to exploit a vulnerability is now only 5 days, mitigation is more important than ever to cybersecurity executives looking to help their business achieve its goals.

To discuss your vuln and threat management program, and how Zafran can help you not only sharpen the focus on the vulnerabilities most likely to be exploited, but also quickly implement mitigation action to defuse risk now, click Get A Demo to connect with an expert.

Who is Nate Rollings?

Nate is an accomplished cybersecurity leader with more than 15 years of experience at Fortune 500 companies. He is a subject matter expert well versed in building high-functioning vulnerability and exposure management programs. Nate is a respected voice in the cybersecurity community, and currently serves as Zafran’s Field CISO.