Software vulnerability management remains a major pain point for most businesses, even as the number of breaches and exploits is on the rise. Companies struggle with maintaining the proper tools to tackle vulnerability management as well as with company-wide coordination and agreement on security priorities.
A recent webinar from Flexera Software, a company that specializes in software licensing and vulnerability management, discusses some of the challenges companies face when attempting to set up best practices for vulnerability and patch management. The company also offers some valuable suggestions about comprehensive approaches to security that ensure software vulnerabilities are properly addressed.
According to Gartner’s (News - Alert) report, “Threat and Vulnerability Management Primer for 2017,” businesses find the coordination and orchestration of vulnerability remediation efforts to be a point of operational failure, an alarming prospect. In order for vulnerability management to succeed, organizations need coordination between IT security and IT operations teams for processes like patch management and configuration hardening.
Patch management is another weak point for many companies, creating significant risks. Failure to stay on top of patches occurs mainly because businesses simply don’t have the resources to patch all their applications and many don’t prioritize patches. In many instances, performance metrics for patch management don’t include security measures like risk reduction, and many companies don’t maintain the proper tools to support the prioritization of security patches.
Flexera recommends a three-tiered approach to security, with the foundation layer consisting of privilege control, segregation of duties, security training, patch management and vulnerability assessment. The hardening layer includes penetration testing, configuration hardening and SIEM, while an advanced layer can include network forensics, network behavior analysis and advanced threat detection.
“The increasing volume (of patches and upgrades) is a main driver for organizations automating their vulnerability management through the use of security intelligence and management platforms that help manage the volume of system and software inventory, vulnerability and threat management,” wrote Cisco Systems (News - Alert) in the company’s 2016 Annual Security Report.
The bottom line is that business need to take a comprehensive, company-wide approach to security with executives and managers educated and on board with security strategies and priorities. With the proper planning and tools, companies can stay on top of threat and patch management and mitigate the damage and losses that can result from software vulnerabilities.
Edited by Maurice Nagle