Guest blog: Dave Howell, VP of Marketing at ZeroNorth, shares his views on the importance of software security.
If you built a house without a solid foundation, the whole thing would come crumbling down. When it comes to cybersecurity, the same principle applies. To have any chance of building an organization with a strong cybersecurity culture and posture, the foundational aspects of a security program are critical.
In cybersecurity, that basic foundation should be an efficient application and infrastructure security program. But in most cases, this is an area where organizations are severely lacking.
Unpatched vulnerabilities in applications and infrastructure are a chronic and persistent problem. They’ve been exposed as the root cause for a number of the most high-profile and far-reaching data breaches in recent years, from the Marriott breach that exposed 500 million customer records, to a recent vulnerability exploit of UN servers last summer.
According to research from Ponemon Institute, more than 60% of all data breaches are the result of known – but unpatched – vulnerabilities. The reason this is happening can be traced back to an even more abysmal statistic: organizations are only capable of remediating about 10% of the vulnerabilities they know about.
Think about that. The majority of data breaches aren’t happening because of sophisticated attacks being masterminded by armies of hackers penetrating strong defenses. They’re the result of weak defenses. Organizations are essentially leaving the door cracked open. The worst part is, they know they’re doing it.
What’s stopping organizations from shutting and locking the proverbial door and strengthening their software security? Is it laziness or incompetence? Of course not. The sad reality is that most organizations simply can’t handle the volume of alerts their software scanning tools are creating. And the pervasiveness of digital transformation is only making matters worse.
As companies of all sizes and across industries rely on software as a competitive differentiator, they’re pushing development teams to work faster and faster. DevOps and continuous integration/continuous delivery place an increasing strain on the security teams tasked with finding and remediating vulnerabilities across every phase of the software development lifecycle (SDLC). There just aren’t enough people to manually sort and remediate the never-ending avalanche of alerts.
Unfortunately, working harder to solve this problem by dedicating more people and resources is not an option. For most organizations, the volume of vulnerabilities has become too great to make that a realistic solution at scale. And even if more manpower were a viable option, the global shortage of skilled IT and security professionals would make it impossible for organizations to find the people they’d require.
The only way to solve this challenge is to work smarter. With the right strategies and technologies, organizations can start regaining control of their vulnerability management programs. This includes taking stock of the scanning tools they’re using, orchestrating them in a way that correlates and deduplicates the vulnerabilities they identify, and applying a risk-based approach to remediation. Consolidating the flow of alerts into a single unit of work instead of asking developers to chase dozens of instances of the same underlying issue, and prioritizing the most critical issues first, will enable the software security team to keep pace with the development team. In the end, this will drastically improve an organization’s security posture.
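The orchestration step described above (normalize findings from several scanners, correlate and deduplicate them into one unit of work per underlying issue, then rank by risk) is easier to see in code. The following is an added example, not code from the post or from ZeroNorth's product: the scanner names (sast-a, sast-b, dast), their output schemas, the severity weights and the sample findings are all constructed for illustration.

```python
"""Correlate and deduplicate scanner findings into risk-ranked work items.

Constructed example: scanner names, schemas, weights and findings are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed severity weights (not the post's numbers); tune to your own policy.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    tool: str
    asset: str
    cwe: str        # normalized as "CWE-<n>"
    location: str   # "path:line" for code scanners, URL for a DAST scanner
    severity: str   # lowercase: critical / high / medium / low


@dataclass
class WorkItem:
    """One remediation ticket carrying every raw finding that points at the same issue."""
    asset: str
    cwe: str
    location: str
    findings: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Conservative: the ticket inherits the worst severity any tool assigned.
        return max((f.severity for f in self.findings), key=SEVERITY_WEIGHT.__getitem__)

    def risk_score(self, asset_context: dict) -> int:
        score = SEVERITY_WEIGHT[self.severity]
        if asset_context.get(self.asset, {}).get("internet_facing"):
            score *= 2  # reachable by anyone, so it outranks internal-only assets
        return score


def normalize(raw: dict) -> Finding:
    """Map each hypothetical scanner's own output schema onto one Finding shape."""
    tool = raw["tool"]
    if tool == "sast-a":
        return Finding(tool, raw["app"], raw["rule"],
                       f'{raw["file"]}:{raw["line"]}', raw["level"].lower())
    if tool == "sast-b":
        return Finding(tool, raw["project"], f'CWE-{raw["cwe"]}',
                       raw["path"], raw["severity"].lower())
    if tool == "dast":
        return Finding(tool, raw["target"], raw["cwe_id"], raw["url"], raw["risk"].lower())
    raise ValueError(f"unknown scanner schema: {tool}")


def correlate(raw_findings, asset_context):
    """Group findings by (asset, weakness, location) and rank the groups by risk.

    Repeated scans of the same commit and two tools flagging the same line all
    land in one bucket, so developers get one ticket instead of many alerts.
    """
    buckets = defaultdict(list)
    for raw in raw_findings:
        f = normalize(raw)
        buckets[(f.asset, f.cwe, f.location)].append(f)
    items = [WorkItem(a, c, loc, fs) for (a, c, loc), fs in buckets.items()]
    # Highest risk first; ties broken by how many tools/scans agree, then by name.
    items.sort(key=lambda w: (-w.risk_score(asset_context), -len(w.findings), w.asset, w.cwe))
    return items


# Constructed sample input: three scanners, one of them run twice on the same code.
SAMPLE_FINDINGS = [
    {"tool": "sast-a", "app": "billing", "rule": "CWE-89", "file": "app/db.py", "line": 42, "level": "High"},
    {"tool": "sast-a", "app": "billing", "rule": "CWE-89", "file": "app/db.py", "line": 42, "level": "High"},
    {"tool": "sast-a", "app": "billing", "rule": "CWE-798", "file": "app/config.py", "line": 7, "level": "Medium"},
    {"tool": "sast-b", "project": "billing", "cwe": 89, "path": "app/db.py:42", "severity": "CRITICAL"},
    {"tool": "dast", "target": "portal", "cwe_id": "CWE-79", "url": "https://portal.example/search", "risk": "Medium"},
    {"tool": "sast-a", "app": "internal-tools", "rule": "CWE-22", "file": "tools/export.py", "line": 88, "level": "High"},
]

# Constructed asset inventory: which applications are exposed to the internet.
ASSET_CONTEXT = {
    "billing": {"internet_facing": True},
    "portal": {"internet_facing": True},
    "internal-tools": {"internet_facing": False},
}


def prioritized_work():
    return correlate(SAMPLE_FINDINGS, ASSET_CONTEXT)


if __name__ == "__main__":
    for item in prioritized_work():
        tools = sorted({f.tool for f in item.findings})
        print(f"{item.risk_score(ASSET_CONTEXT):>3}  {item.asset:<15} {item.cwe:<8} "
              f"{item.severity:<8} {item.location}  sources={tools}")
```

Six raw alerts collapse into four tickets. The SQL-injection finding in `billing` is reported three times (two scans of one tool plus a second tool) but becomes a single critical, internet-facing item at the top of the queue, while the path-traversal finding on the internal-only application drops to the bottom despite its high severity. The grouping key is deliberately strict (same asset, weakness and location); loosening it to correlate a SAST file finding with a DAST URL finding requires a code-to-route mapping that this example does not attempt.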
In the cybersecurity world, detection and response tools and the security analysts and threat hunters that use them typically get all the glory. Naturally, it’s much more exciting to talk about uncovering and catching criminal activity than it is to stop crimes from ever happening in the first place. When you prevent crimes from ever occurring, there’s no exciting pursuit to talk about. But in this business, that needs to be the goal.