Why Are We Still Worrying About Vulnerabilities?
May 13, 2020
Over the past week, multiple LinkedIn posts have caught my attention, albeit for different reasons. The first was a short demonstration video of an image recognition and temperature scanning technology designed to screen entrants to a facility in the age of Covid-19. Those wishing to enter the facility paused for a few seconds, and an automated system confirmed they were wearing a mask and they weren’t feverish. When those two criteria were satisfied, they were granted entry. No human with a hand-held thermometer in a hazmat suit was required. The system was a perfect example of how technology - including machine learning - can be deployed to address contemporary challenges while minimizing cost and health risk.
The insightful post just described contrasted starkly with at least 5 posts that read like they were written a decade ago, posts that laboriously detailed the nuances of newly-introduced software vulnerabilities. One post advertised an upcoming webinar that would shed light on Microsoft’s Patch Tuesday list of new vulnerabilities. Another linked to a blog where a large vulnerability management vendor discussed a recent collection of Cisco appliance patches. Yet another fanned the hype flame for a just-discovered critical vulnerability that the manufacturer implored users to patch “as soon as possible.” More than 20,000 new vulnerabilities were disclosed in 2019. 20,000 new vulnerabilities... on top of the hundreds of thousands published in years prior and still largely unpatched on countless networks. Does anyone believe it’s a good use of time to attempt to understand the nuances of even a fraction of 2019’s 20,000 vulnerabilities?
When you hire an electrician to wire your house, you don’t study wiring codes. When you visit a restaurant, you don’t learn the preparation details of the dish you’re ordering. If you had to invest that kind of time, why would you ever hire the electrician or the chef in the first place? Shouldn’t vulnerability management product companies add at least as much value as your electrician or your favorite restaurant?
When it comes to vulnerability management products, shouldn’t the gory details of every new vulnerability be at least somewhat irrelevant to the user? A user needs to know what vulnerabilities on their network require attention, and in which order. That’s it. Vulnerability A on Asset B is #1, Vulnerability C on Asset D is #2, and so on. When a new vulnerability is introduced, the vulnerability management product should automatically determine if that new vulnerability should be considered a priority for the user, and if so, where in the remediation priority list it should reside. It might present an extraordinary risk to the user, or it might be utterly innocuous on a given network. Either way, the VM product user shouldn’t have to attend a webinar, read a blog post, or subscribe to vulnerability alerts to know if they need to worry about it or not.
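To make the idea concrete, here is an added example (not Delve's product code or scoring model) of context-aware remediation ranking: each vulnerability/asset pair is scored from its base severity plus assumed asset context, the list is ordered, and a newly disclosed vulnerability is slotted into place. The weights, the criticality scale and the CVE-0000-* identifiers are constructed placeholders.

```python
"""Context-aware remediation ranking (hypothetical example, not a vendor's model)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # constructed placeholder ids, not real CVEs
    asset: str
    base_score: float        # CVSS-style base severity, 0.0 - 10.0
    exploit_public: bool     # working exploit code is publicly available
    internet_exposed: bool   # asset reachable from the internet
    asset_criticality: int   # assumed scale: 1 (low) .. 5 (crown jewels)


def contextual_risk(f: Finding) -> float:
    """Base severity adjusted by network context (weights are assumptions).
    The same critical CVE scores far lower on an isolated lab box than on an
    exposed, business-critical server, which is the point the post makes."""
    score = f.base_score
    score *= 1.5 if f.exploit_public else 1.0
    score *= 1.4 if f.internet_exposed else 0.7
    score *= 0.6 + 0.2 * f.asset_criticality      # multiplier 0.8 .. 1.6
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Tuple[int, Finding, float]]:
    """Return (rank, finding, risk) triples; rank 1 is fixed first.
    Ties are broken deterministically by asset and vulnerability id."""
    ordered = sorted(findings, key=lambda f: (-contextual_risk(f), f.asset, f.vuln_id))
    return [(i + 1, f, contextual_risk(f)) for i, f in enumerate(ordered)]


def rank_of_new_finding(existing: List[Finding], new: Finding) -> int:
    """Where a newly disclosed vulnerability lands in the existing priority list."""
    for rank, f, _ in prioritize(existing + [new]):
        if f == new:
            return rank
    raise RuntimeError("new finding missing from ranked list")


# Constructed sample inventory: two identical 9.8 bugs on very different
# hosts, plus a lower-severity bug on the most critical asset.
SAMPLE = [
    Finding("CVE-0000-0001", "web-proxy-01", 9.8, True, True, 3),
    Finding("CVE-0000-0002", "lab-vm-17", 9.8, True, False, 1),
    Finding("CVE-0000-0003", "hr-db-02", 7.5, False, False, 5),
]
NEW = Finding("CVE-0000-0004", "vpn-gw-01", 8.1, False, True, 4)

if __name__ == "__main__":
    for rank, f, risk in prioritize(SAMPLE + [NEW]):
        print(f"#{rank} {f.vuln_id} on {f.asset}: {risk}")
```

On this sample the 7.5 on the HR database outranks the 9.8 on the lab VM, and the newly disclosed 8.1 on the exposed VPN gateway enters the list at #2 without anyone reading an advisory.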
Some tasks should be automated, while others have to be. When dealing with an ever-growing mountain of enterprise vulnerabilities, automation is not negotiable. With 20,000 new vulnerabilities published in 2019 and the typical enterprise network housing hundreds of thousands at any given time, the VM challenge begs for intelligent automation that culminates in prescriptive output.
At Delve, we don’t write blog posts about specific vulnerabilities. We don’t host webinars that promise “Everything you need to know…” about the latest catastrophic security hole, and we don’t encourage or contribute to vulnerability hype. All of that kind of knowledge and insight is built into our product, a product that intelligently automates vulnerability management operations, and delivers a list of your enterprise vulnerabilities prioritized from 1 to n based on your network’s specific context. When a new vulnerability is discovered, our product will let you know if it’s a priority for you or not. That’s our job.
In short, let us worry about what you need to worry about. If your vulnerability management vendor can’t do that, you might want to ask, what did you hire them for in the first place?