What is Vulnerability Management and does my business need it?
Software updates are something that we all have to deal with. Taking time out of your day to restart an app or restart your device entirely is just part of living in the world of technology.
Those periodic updates you get from Windows or the apps you use can help patch up exploitable security weaknesses in your software, but those patches alone may not be enough to protect you. Here’s why you might need a vulnerability management solution.
What is a Vulnerability?
Before we get into explaining vulnerability management, let’s first define what a vulnerability is.
A vulnerability is a flaw or weakness in a computer system that could allow an attacker to gain unauthorized access or control of an application or operating system.
What is Vulnerability Management?
Vulnerability management is a solution that protects your network and its endpoints by proactively evaluating software and configurations of all devices to identify, evaluate and remediate exploitable vulnerabilities and security weaknesses.
Innovative does offer vulnerability management, so we understand there might be some bias here. The fact of the matter is that some companies could really benefit from this solution and its security capabilities, whether they’re a client with us or not.
Who Can Benefit from Vulnerability Management?
While more layers of cybersecurity will keep you better protected, vulnerability management won’t necessarily be for everyone.
We’d recommend this for clients who already have a solid cybersecurity structure in place. Solutions like endpoint detection and response or managed detection and response, as well as multi-factor authentication, should probably be in place before adding a vulnerability management solution.
There are levels to all of this, and you should probably start with more of the basics before adding extra layers, especially if your cybersecurity budget is limited.
Innovative’s Vulnerability Management Solution
For the purposes of this article, we’ll be using our own process as an example. Keep in mind that while solutions like vulnerability management have been around for a while, the push for small to medium-sized businesses to utilize these tools is more recent, which means there isn’t much standardization across the board.
What you get from one might be different from the next. For this article, we’ll be using Innovative’s vulnerability management offering as an example, but if you’re working with a different vendor, make sure you ask about each of the elements included in their specific offering. It could be different than what we’re presenting in this article.
Our process involves the intelligence we receive from our security partner, Solutions Granted, as well as our patch deployment method through monitoring agent Datto RMM.
The process starts with Managed Security Services Provider (MSSP) Solutions Granted. We partnered with them when the basic security requirements of our client base became more advanced than what we could deliver as a managed service provider.
As an MSP, we can manage your overall IT infrastructure, but we aren’t necessarily specialists in every category. Partnering with a company whose focus is cybersecurity allows us to offer you the necessary support.
Solutions Granted provides us with a 24/7/365 U.S.-based SOC (Security Operations Center), as well as other services like endpoint and cloud security, vulnerability management and incident response.
“Every heart surgeon is a doctor, but not every doctor is a heart surgeon,” Solutions Granted CEO Michael Crean said. “MSPs are the general practitioners… we are the heart surgeons. We do a very, very specific job.”
Our partnership with Solutions Granted is much like your partnership with your MSP; it’s mutually beneficial. Think of it like one big IT machine: if you remove one piece of it, none of it would work.
The Vulnerability Management Process
The SOC we receive support from through Solutions Granted uses vulnerability management software tools to continuously scan endpoints to check for known vulnerabilities. That software helps us understand what the problems are and how to go about fixing them.
This weekly process starts with the vulnerability management software performing scans on the endpoints where it is currently deployed. Every installed application on the endpoints is checked against CVE (Common Vulnerabilities and Exposures) databases to see if any current versions have documented vulnerabilities present.
This is not an intrusive scan looking for any issues an application might have. It is only looking for vulnerabilities that publishers and third parties have officially identified.
Once that scan is complete, our NOC (Network Operations Center) receives a report listing found vulnerabilities. From that report, tickets are opened and the vulnerabilities are remediated by priority level.
Examples of remediation include patching an application or reconfiguring its settings, purchasing the latest version of a product or installing the latest firmware patch for a piece of equipment.
Windows Updates Might Not Catch Everything
There may be some of you wondering why these weekly patches are needed when you’re already periodically restarting your computer to update Windows. Even some of the applications you regularly use install updates that take up a minute or two of your already busy day. We understand why you might be hesitant to have even more patches installed.
The difference between a vulnerability management patch being deployed and waiting for a Windows update is strategy and urgency. A vulnerability management patch is purposefully taking steps to protect you from known threats.
While Windows updates will occasionally close up vulnerabilities, it is not their sole purpose. They also exist to prevent other issues and improve the functionality of your operating system. They’re useful, necessary updates, but they may lack the timeliness or precision that comes from a vulnerability management patch.
Vulnerability management patches are specifically designed to protect you from known threats. Systems have inherent vulnerabilities that can change at any time. Waiting for a regular Windows update will not immediately protect you from a zero-day attack or exploit.
What is a Zero-Day Attack?
A zero-day attack is an attack on a security vulnerability for which a patch hasn’t been released or developers haven’t addressed. These threats are often unexpected because the vulnerability is not known in advance.
The SOC can help resolve these threats through the Managed Detection and Response (MDR) solution. These remediations are done in real time rather than through a weekly vulnerability management update.
Real-Life Scenario: 2021 Hafnium Data Breach
Back in 2021, a group of cyber attackers called Hafnium hacked hundreds of thousands of on-premise Microsoft Exchange servers worldwide. They did so in part by exploiting vulnerabilities they found.
Due to the speed and broad scope of this attack, it was critical for companies to patch their Microsoft Exchange servers as soon as possible. Sounds urgent, right? Well, not everyone was so convinced.
Michael Crean told us of a company that was reluctant to patch their server, despite getting a call from Solutions Granted alerting them to the issue and its urgency. That company decided to push off the critical patch (something you should never do). Later that week, they were infected with ransomware.
Now, this story isn’t meant to scare you. In fact, if you properly leverage a solution like this, and listen to the experts, you have little reason to be scared.
Most cyber attacks are preventable with the proper security solutions in place. Let’s talk a little about what that looks like.
Vulnerability Management Best Practices
As is the case with other cybersecurity solutions, you’ll only get something out of it with proper strategy and implementation. This is where having a good partnership with your MSP or IT team is crucial.
This isn’t just something you can sign a quote for and be on your way. You need to buy into the idea of leveraging these solutions to their fullest extent.
To get the most out of a vulnerability management solution, you need to be taking the advice of your partners, and patch when they recommend it. If you’re an Innovative client, we will handle that for you. But we do sometimes need your input to make sure our remediation steps don’t negatively impact your ability to conduct business.
Patches are assigned different priority levels: low, medium, high and critical. Low and medium will generally be fixed in normal patching cycles, while high and critical levels require a different level of attention. Critical patches are like a 911 call.
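The weekly scan described under The Vulnerability Management Process and the priority levels above can be sketched in a few functions. This is an added example, not Innovative's or Solutions Granted's tooling; the advisory IDs, product names, versions, and the queue names `expedited` and `normal_cycle` are all constructed for illustration.

```python
import re

# Constructed sample data: advisory IDs, products and versions are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "examplemail", "introduced": "15.0",
     "fixed_in": "15.2.858", "severity": "critical"},
    {"id": "EXAMPLE-0002", "product": "examplepdf", "introduced": "0",
     "fixed_in": "11.2", "severity": "medium"},
    {"id": "EXAMPLE-0003", "product": "examplevpn", "introduced": "3.0",
     "fixed_in": "3.4.1", "severity": "high"},
]
INVENTORY = {  # host -> {installed application: version}
    "mail-01": {"examplemail": "15.2.792"},
    "ws-01": {"examplepdf": "11.2.0", "examplevpn": "3.4.0"},
    "ws-02": {"examplepdf": "10.9", "examplevpn": "3.4.1"},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(text, width=4):
    """Turn '11.2' into (11, 2, 0, 0) so '11.2' and '11.2.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def scan(inventory, advisories):
    """Non-intrusive check: compare installed versions with published ranges."""
    findings = []
    for host, apps in inventory.items():
        for adv in advisories:
            installed = apps.get(adv["product"])
            if installed is None:
                continue
            low, high = parse_version(adv["introduced"]), parse_version(adv["fixed_in"])
            if low <= parse_version(installed) < high:
                findings.append({"host": host, "advisory": adv["id"],
                                 "installed": installed, "fixed_in": adv["fixed_in"],
                                 "severity": adv["severity"]})
    return findings

def triage(findings):
    """Critical/high go to an expedited queue; low/medium wait for the normal cycle."""
    queues = {"expedited": [], "normal_cycle": []}
    for f in sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"])):
        urgent = f["severity"] in ("critical", "high")
        queues["expedited" if urgent else "normal_cycle"].append(f)
    return queues

if __name__ == "__main__":
    for queue, items in triage(scan(INVENTORY, ADVISORIES)).items():
        for f in items:
            print(queue, f["severity"], f["host"], f["advisory"], f["installed"], "->", f["fixed_in"])
```

Padding versions to a fixed width keeps a host that reports `11.2.0` from being flagged against a fix listed as `11.2`, a common source of false positives in version matching.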
Some people may prefer to implement patches monthly or quarterly instead of weekly. This isn’t the best way to use the service or protect yourself. Following the guidance of a weekly patch report is the way to go.
You should be proactive when it comes to cybersecurity, not reactive. It’s no different from going to the doctor for a checkup. The more regularly you go, the more likely you are to find that something might be wrong, and then you’re able to get out in front of it.
Why You Should Have Vulnerability Management
As mentioned earlier, vulnerability patches are a more strategic and proactive method of protecting your system than waiting for updates or trying to remedy an active cyber-attack.
Human Error
Another reason it’s so important is the human element of technology. While we might think of software as being free of human error, the fact is that the software was made by humans.
“All of this software is built by people,” Michael said. “We make mistakes; therefore, the software comes with flaws and mistakes.”
While the software we use every day is great and can seemingly work miracles to make our lives easier, none of it is perfect.
If you only rely on the people who created the software to fix its flaws, it’s quite possible that you miss something. It’s like having your work proofread by another set of eyes. They can catch things that you might have missed (kind of like we do with these articles).
This isn’t a knock on the software developers of the world. They do amazing work that makes the modern workplace possible. The simple fact is that we’re humans and we make mistakes. It doesn’t hurt to give something a second check.
Cyber Insurance Policies
Vulnerability management is another one of those solutions that some insurance companies are requiring in their cyber insurance policies. As is the case with other cybersecurity solutions, checking the box on that insurance form is no good if you fail to implement it correctly.
Just because you’re paying your MSP for vulnerability management doesn’t mean you’re in the clear. Are you following through and patching regularly, and whenever a patch is recommended?
A Functioning MSP Partnership
When you partner with an MSP like Innovative, it means we’ve determined you are a good fit for us, and that what we offer is a good fit for you. With a solution like vulnerability management, the MSP’s reach may only go so far.
There will be situations where you’ll be needed in the patching and decision-making process. Timely and open communication is necessary for a good MSP-client partnership and to allow a solution like this to function as intended.