Risk exposure is changing faster than most companies can cope with. To counter the associated risks, Dallas Silcock says a tailored vulnerability management solution that can be deployed quickly and deliver rapid time-to-value is required.

The processes of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads and systems need to be streamlined for complex networks.

UNDERSTANDING EXISTING APPROACHES

Silcock says that approaches to managing vulnerabilities vary with how risk-averse an organisation is.

“The more risk-averse organisations take a very proactive approach to vulnerability management. They’re doing a lot of activities frequently,” he says, contrasting this camp with operators of networks with little internet exposure, who can afford to scan at intervals.

However, regardless of how often identification runs, Silcock says the methodologies are similar: to secure a network, first scan to identify vulnerabilities, then evaluate the risk each one poses to your organisation. Remediate as needed, review the fixes, and rescan. This inherently repetitive cycle of scanning, evaluating, remediating, reviewing and rescanning is essential for maintaining network integrity.

Most of the variation in vulnerability management is instead in how vendors’ tools work. Silcock says to consider a vendor offering software that deploys an agent across devices and monitors vulnerabilities in real time, since “this strategy enables a two-phase approach with immediate data from devices and periodic scans for those without the agent”.

Such a tool makes vulnerability management more responsive and efficient: agent-reported data arrives continuously, so the team is no longer tied to the cadence of full network scans and can act on findings as they appear.

OVERCOMING VULNERABILITY CHALLENGES

Organisations often manage vulnerabilities ineffectively, due in large part to human error, misconceptions and poor organisational structures. To Silcock, server engineers need to accept that vulnerabilities will continually affect the systems for which they are responsible.

“What you can find is that you patch and that can introduce an additional or higher level vulnerability, because you’ve tried to address that original one,” he says. He points to Internet Explorer as a common example of a prominent vulnerability: it is architecturally outdated, cannot meet modern security standards, and in a hypothetical organisation might be flagged as out of date on 190 devices.

But Silcock reassures: “Internet Explorer may be vulnerable, but we have a lot of controls in place to prevent threat actors from getting to our workstations and from making changes to our workstations. Therefore, it’s not a critical vulnerability.”
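The scan, evaluate, remediate, review and rescan cycle described above, and the Internet Explorer point that a scanner’s severity is not the organisation’s priority once compensating controls are considered, can both be shown in a small triage script. This is an added example, not AC3’s service or any vendor’s tooling: the asset names, control names and VULN-* identifiers are constructed placeholders, and the score adjustments (exposure bonus, control discount) are assumed weightings an organisation would tune for itself.

```python
"""Contextual triage of vulnerability-scan findings and rescan verification.

Added example, not AC3's code. Assets, findings and control names below are
constructed for illustration; VULN-* identifiers are placeholders, not real
advisories. Weightings are assumptions, not an industry standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    controls: frozenset = frozenset()      # compensating controls present


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    base_score: float                      # scanner-reported, CVSS-style 0..10
    mitigated_by: frozenset = frozenset()  # controls that blunt this finding


def contextual_score(finding: Finding, asset: Asset) -> float:
    """Adjust the scanner's score for where the asset sits and what protects it."""
    score = finding.base_score
    # Assumed weightings: internet exposure raises priority, isolation lowers it.
    score += 1.5 if asset.internet_facing else -1.0
    # A control that actually covers this finding (e.g. app control in front
    # of an outdated browser) drops it well below the scanner's verdict.
    if finding.mitigated_by & asset.controls:
        score -= 3.0
    return round(min(10.0, max(0.0, score)), 1)


def bucket(score: float) -> str:
    """Map a 0..10 score to the severity bands the report uses."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(findings, assets):
    """Return findings ordered by organisational priority, not scanner score."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        ctx = contextual_score(f, by_name[f.asset])
        rows.append({
            "asset": f.asset, "vuln": f.vuln_id, "score": ctx,
            "scanner": bucket(f.base_score), "contextual": bucket(ctx),
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["vuln"]))
    return rows


def compare_rescan(before, after):
    """Review step: what the rescan shows as fixed, still open, or newly introduced."""
    b = {(f.asset, f.vuln_id) for f in before}
    a = {(f.asset, f.vuln_id) for f in after}
    return {"fixed": sorted(b - a), "still_open": sorted(b & a),
            "introduced": sorted(a - b)}


# Constructed inventory: one internet-facing web host behind a WAF, one
# workstation with application control and an egress proxy, one isolated DB.
ASSETS = [
    Asset("web-01", True, frozenset({"waf"})),
    Asset("ws-042", False, frozenset({"app_control", "egress_proxy"})),
    Asset("db-01", False),
]

# Constructed scan output before remediation.
FINDINGS = [
    Finding("web-01", "VULN-A", 7.5),
    Finding("ws-042", "VULN-B", 8.8, frozenset({"app_control", "egress_proxy"})),
    Finding("db-01", "VULN-C", 9.8),
    Finding("web-01", "VULN-D", 5.3, frozenset({"waf"})),
]

# Constructed rescan after patching VULN-A on web-01: the patch closed it but
# the rescan also surfaces VULN-E on the same host, the "patch introduces a
# new vulnerability" case.
RESCAN = [
    Finding("web-01", "VULN-D", 5.3, frozenset({"waf"})),
    Finding("web-01", "VULN-E", 6.1),
    Finding("db-01", "VULN-C", 9.8),
    Finding("ws-042", "VULN-B", 8.8, frozenset({"app_control", "egress_proxy"})),
]

if __name__ == "__main__":
    for row in triage(FINDINGS, ASSETS):
        print(f"{row['asset']:8} {row['vuln']:8} scanner={row['scanner']:8} "
              f"contextual={row['contextual']:8} ({row['score']})")
    print(compare_rescan(FINDINGS, RESCAN))
```

The workstation browser finding (VULN-B) is rated high by the scanner but lands in the medium band once the host’s controls are taken into account, which is the judgement Silcock describes; the rescan comparison is what makes the review step explicit, so a fix that introduces a new finding is caught rather than assumed closed.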

Effective tools to manage such risks are part of the answer, but poor leadership can also create a culture that hinders exposure handling. “What it comes down to is good leadership from your Chief Security Officer, to make the security team mobile in terms of allowing them to take required measures to keep the organisation secure.”

A CYBER-AWARE CULTURE

Silcock believes establishing a cyber-aware culture is the prime remedy for poor vulnerability management, but it requires buy-in from every party involved with an organisation: “It’s essentially an awareness component that underpins everything that organisations, users and customers do.”

“Communication is the first part,” he says, outlining a checklist for users. “Ask, why do we do it? What’s the importance of it? And what can I do as an everyday user to contribute towards a hygienic organisation?”

A cyber-aware culture requires users to be vigilant and knowledgeable, able to identify and report threats. Educating users on the latest cybersecurity threats, like phishing, is crucial. This can involve webinars and hands-on sessions that align with the company’s security protocols.

Ensuring users act on this training is vital, as neglect can lead to preventable cyber incidents. Regular testing, such as simulated phishing campaigns, measures user awareness and identifies where further training is needed. An effective culture integrates user education, compliance and technology to keep the organisation safe.

HOW WE CAN HELP

Organisations that don’t have a vulnerability assessment platform, that lack the internal capability to run an effective vulnerability management program, or that have existing vulnerability assessment tools but are not seeing the desired results and want better risk management, assessment and reporting, should reach out to AC3. AC3 can help them understand the risks of a modern environment and identify what their program requires that cannot be delivered in-house.

AC3’s Vulnerability Assessment and Management service allows customers to rest easy knowing that their environments are being continuously assessed against the latest known vulnerabilities.

The service can monitor the full range of components typically found inside customer environments from low-level infrastructure, such as storage arrays, through to web applications presented to the internet.