
Vulnerability Management Has Its “Concorde Moment”

Feb 13, 2020

When the Wright brothers first got an airplane off the ground in 1903, the aircraft in question did not have a cockpit, let alone a control panel or dashboard. This changed quickly as aircraft designers realized that pilots needed more protection and information to safely fly these machines than just what they could see, hear, and “feel”.

Jenny JN-4 Cockpit – 1916

Thus, by 1916 when the first Jenny JN-4 flew, it did so with a handful of dials indicating direction, altitude, air speed, fuel supply, etc. Over the course of the next 60 years aircraft manufacturers continued to build ever faster, safer, more maneuverable, and more complicated airplanes. With each new sub-system (retractable landing gear, pressurized cabins, radios, etc.) new instrumentation was added to inform the flight crew of the system’s status.

Concorde Cockpit – 1973

The trend of adding more purpose-specific instrumentation to aircraft cockpits peaked around the time that the supersonic Concorde was launched in 1973 with more than 100 instruments and controls. As there was then a movement to standardize cockpit design, most other commercial aircraft cockpits were equally complex.

The net effect of all of this “input” was to overwhelm pilots with data, causing high levels of stress, increased pilot fatigue, and pilot errors. By the mid-1980s there was general recognition that cockpit designers needed to accommodate the very human limitations of even skilled pilots. This led to a focus on human factors in cockpit design and a significant reduction in the number of instruments pilots needed to monitor.

Boeing 787 Cockpit – 2007

Fortunately, this was just about the time when LCD displays became practical for aviation applications. By the early 1990s, manufacturers were delivering much simpler cockpits with multi-function displays capable of presenting the most relevant flight data at each stage of a flight. At least as importantly, designers had learned how to best present detailed information below the top level “dashboard” to make it available as needed with a minimal number of pilot actions or touches.[1]

An interesting side effect of having to process and present all of this data is that aircraft designers also discovered they could teach the planes to pretty much fly themselves. Thus was born a robust and now very sophisticated auto-pilot functionality that performs much of the routine and stressful activities involved in flying to allow pilots to focus on issues that matter the most in completing a safe flight.

Qualys Vulnerability Report – 2003

What does all of this have to do with vulnerability management? I’m glad you asked. I would contend that vulnerability management is on a very similar journey, but at internet speed. When Philippe Langlois and Gilles Samoun got Qualys “off the ground” in late 2000 there were only about 2,600 known vulnerabilities to track and remediate. At the time the only semi-automated part of the process was vulnerability identification, as verification and patch management were completely manual processes.

By the time the National Vulnerability Database (NVD) launched in 2005, there were roughly 15,000 known vulnerabilities. Industry analysts were starting to worry about the emerging shortage of trained cybersecurity engineers required to interpret and manage the growing amounts of data being generated by the Threat Vulnerability Management (TVM) products then in use. While the creation of the NVD and its associated CVSS severity were a huge boon to security practitioners, security experts now believe they create as many issues for security teams as they solve. Current generation TVM products leveraging this approach create overwhelming amounts of alerts with no effective way for security teams to determine which of the “critical” vulnerabilities to address first.

Rapid7 Nexpose Dashboard – 2020

Tools such as the one shown above generate lots of good data, to be sure, but also cause the same kind of stress and fatigue for security teams that the Concorde cockpit imposed on pilots in the 1970s. These products are also a leading cause of the burnout and turnover now so common in enterprise Security and IT teams. In addition, the dependence on the aging CVSS severity forces practitioners to basically guess which vulnerabilities pose the most danger on any given day. Vulnerability management is clearly having its Concorde moment.

The challenge security teams now face is finding a way to prioritize their vulnerability remediation activities to establish and maintain their desired risk posture. Rather than just blindly pursuing vulnerabilities based on their CVSS severity, a method of determining which vulnerabilities actually matter is required.

The RiskSense RBVM solution, like a modern airliner cockpit, is designed around the human limitations of today’s security teams. First, it maps known vulnerabilities to weaponized and trending threats to highlight those threats with the potential to do serious damage and prioritize those vulnerabilities that enable them. It is this mapping that “changes the game” in much the same way the introduction of LCD panels changed aircraft cockpit design. This approach can dramatically reduce the probability of a successful data breach or a ransomware attack aimed at “popular” vulnerabilities.

RiskSense Executive Dashboard

Second, the RiskSense platform provides a carefully crafted mix of simple, easy-to-understand dashboards that present the enterprise’s current risk profile based on departmental and aggregate RiskSense Security Score (RS3). The executive dashboard also illuminates group details and vulnerability trends, allowing senior security staff to know quickly whether or not the vulnerability management program is performing as expected.

RiskSense Prioritization Dashboard

For the vulnerability management team (the crew actually flying this aircraft), there is a prioritization dashboard that allows the team to easily quantify and characterize the most dangerous findings and, at the same time, observe the patch management process. Findings are categorized according to workflow stages of “Open” and “Closed” and broken down further by threat associations, focusing down from broad to specific. In the example above, the team can ignore most of the 12,600 known open vulnerabilities and focus on the 140 that have been identified as weaponized and trending in the wild.
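The prioritization described above (threat associations first, CVSS second, narrowing open findings from broad to specific) can be sketched in a few lines. This is an added illustration, not RiskSense code or its scoring model; the findings, hosts and CVE identifiers are constructed placeholders, and the four threat tiers are assumed to nest (a trending vulnerability is also weaponized and has a known exploit).

```python
from collections import OrderedDict

# Threat associations from broad to specific; each tier is assumed to imply
# the ones before it, so a finding's "depth" is how far down the funnel it reaches.
TIERS = ["exploit", "weaponized", "trending", "ransomware"]

# Constructed sample findings with placeholder CVE ids (not real vulnerabilities).
FINDINGS = [
    {"host": "10.0.0.5", "cve": "CVE-0000-0001", "cvss": 9.8, "status": "Open", "threats": []},
    {"host": "10.0.0.6", "cve": "CVE-0000-0002", "cvss": 7.5, "status": "Open",
     "threats": ["exploit", "weaponized", "trending"]},
    {"host": "10.0.0.7", "cve": "CVE-0000-0003", "cvss": 8.1, "status": "Open", "threats": ["exploit"]},
    {"host": "10.0.0.8", "cve": "CVE-0000-0004", "cvss": 6.5, "status": "Open",
     "threats": ["exploit", "weaponized", "trending", "ransomware"]},
    {"host": "10.0.0.9", "cve": "CVE-0000-0005", "cvss": 9.1, "status": "Closed",
     "threats": ["exploit", "weaponized"]},
    {"host": "10.0.0.5", "cve": "CVE-0000-0006", "cvss": 5.3, "status": "Open", "threats": []},
]

def tier_depth(finding):
    """Number of consecutive threat tiers the finding satisfies (0 = no known threat)."""
    depth = 0
    for tier in TIERS:
        if tier not in finding["threats"]:
            break
        depth += 1
    return depth

def open_only(findings):
    """Workflow stage filter: only findings still in the 'Open' state matter for remediation."""
    return [f for f in findings if f["status"] == "Open"]

def funnel_counts(findings):
    """Open findings remaining at each stage, narrowing from 'all open' to 'ransomware'."""
    opened = open_only(findings)
    counts = OrderedDict(open=len(opened))
    for i, tier in enumerate(TIERS, start=1):
        counts[tier] = sum(1 for f in opened if tier_depth(f) >= i)
    return counts

def prioritize(findings):
    """Risk-based order: deeper threat context first, CVSS only as a tie-breaker."""
    return sorted(open_only(findings), key=lambda f: (tier_depth(f), f["cvss"]), reverse=True)

def cvss_only(findings):
    """The legacy order this post argues against: highest CVSS first, threat context ignored."""
    return sorted(open_only(findings), key=lambda f: f["cvss"], reverse=True)

if __name__ == "__main__":
    print(dict(funnel_counts(FINDINGS)))
    for f in prioritize(FINDINGS):
        print(f["cve"], f["cvss"], "depth", tier_depth(f))
```

With the sample data the CVSS 9.8 finding with no known exploit drops to fourth place, while the CVSS 6.5 finding tied to ransomware moves to the top of the queue.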

There are times, however, when the vulnerability management team requires even more information to allow them to prioritize and then remediate vulnerabilities that present a clear danger to the enterprise. This is particularly true in the case of a vulnerability that would enable a ransomware threat.

For these situations the RiskSense RBVM solution provides the Host Finding Detail pane, which contains details about each scanned host (or IP), the nature of the vulnerability and associated threats, AND guidance on best-practice solutions and patches. It is this detail that allows security teams to quickly remediate the most pressing vulnerabilities and know they are doing so in the most effective way possible.

The entire RiskSense solution was designed, like a modern aircraft cockpit, to focus its users on the issues that matter most while reducing the kind of “pilot fatigue” and burnout so commonly experienced by modern cybersecurity teams.

Finally, all of the work necessary to collect, normalize, correlate, and present this vulnerability data has a side effect much like the development of the aircraft autopilot in the 1970s. Because the RiskSense platform maintains a comprehensive view of an enterprise’s vulnerability profile and is tightly integrated with the leading workflow and ticketing systems, it enables the orchestration and automation of the routine remediation tasks that make the job of vulnerability management so challenging. By allowing the cybersecurity plane to “fly itself” (with supervision) when appropriate, scarce and expensive security experts can focus on the higher-value activities that result in an improved security posture.

[1] The seminal work in this field is Human Factors in Aviation (1988) by Earl Wiener and David Nagel.