The Problem With Vulnerability Management: ‘We Can’t Just Patch All the Things’

During an investigation into recent threat actor activity, researchers with Datadog Security Labs found that the attackers were leveraging the Log4j flaw in an attempt to compromise systems and mine for cryptocurrency.

The vulnerability made headlines in 2021, but despite two years of patches being available, and reports of widespread exploitation by heavy hitters like APT41 and Conti, attackers are still finding success in exploiting vulnerable instances. Log4j’s continued prevalence illustrates how many organizations still struggle with managing vulnerabilities across their environments.

According to a Joint Cybersecurity Advisory last year by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and several other government agencies globally, Log4j was a top exploited vulnerability in 2022. But Log4j wasn’t the oldest flaw on CISA’s list, which also included a four-year-old vulnerability (CVE-2018-13379) in Fortinet SSL VPNs. Additionally, many of the flaws that were being routinely exploited had been disclosed, with patches available, for several years, including one in Microsoft Exchange Server (CVE-2017-11882), Ivanti Pulse Secure (CVE-2019-11510) and Citrix ADC and Gateway (CVE-2019-19781). Part of the issue here - particularly with Log4j, but also with other flaws - is that organizations have trouble identifying the slew of applications, services and products in their environments in the first place.

“Digital footprints are exploding, there’s more and more vulnerabilities that are occurring out there and I don’t think it’s realistic to patch all the things,” said Rick Holland, CISO with ReliaQuest. “One of the bigger pieces that’s still a problem, and it’s been a problem for 20 years, is the asset context. We have to get to the point where we’re focusing on the most important things, because we can’t just patch all the things.”

Erik Nost, senior analyst with Forrester, said that with the adoption of cloud and SaaS tools, businesses are facing increasingly complex and decentralized environments that are making visibility even more difficult.

“Within visibility, I believe the biggest challenge is making sense of it all,” said Nost. “We see that IT technology is more decentralized these days, where businesses own these decisions and they’re deploying cloud applications and using low-code types of systems to help make their own customer-facing applications. So the technology through the business is spread out.”

Another hurdle is the ability to keep up with the sheer number of vulnerabilities across different products, and figure out which of these flaws should be prioritized, whether due to active exploitation, severity, or how the product is used in the organization.

The National Vulnerability Database (NVD) has reported that the overall number of disclosed flaws has grown from 25,081 in 2022 to 28,831 in 2023, and the number of bugs added to CISA’s Known Exploited Vulnerability catalog also grew from 91 assigned in 2022 to 121 assigned in 2023. These numbers don’t necessarily give a full picture - for example, they don’t break down flaws considered “high-severity” versus “low-severity,” and they don’t show whether exploited flaws are widely exploited or used only in targeted attacks. However, they do show the number of vulnerabilities, both those disclosed and those exploited, trending upwards.

Vulnerability management issues are exacerbated by a convoluted third-party risk environment. Threat actors are targeting vulnerabilities in external-facing services or remote access tools with long-tail impacts to downstream customers, partners and other third-party organizations, as made painfully obvious by the MOVEit Transfer vulnerability last year.

“How prevalent a piece of software is, that also plays a big part,” said Ben Nahorney, threat intelligence analyst with Cisco, in a recent video interview. “Think of something like Log4j. It’s a bit of code that all sorts of different products use, so that’s one of the reasons we see so much activity around that, and ultimately, yes, if it’s in everything, attackers will spend more time trying to figure out how to exploit something like that.”

The Common Vulnerability Scoring System (CVSS), Exploit Prediction Scoring System (EPSS), Stakeholder-Specific Vulnerability Categorization (SSVC) system and CISA’s Known Exploited Vulnerability catalog (KEV) represent different tools that can help security teams determine a vulnerability’s severity, or how likely and attractive a target it is for attackers exploiting flaws in the wild.
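The scoring systems above each answer a different question (CVSS: how bad is the flaw technically; EPSS: how likely is exploitation; KEV: is it already being exploited), and none of them carries the asset context Holland describes. The following is an added example, not code from the article or from any of the organizations it quotes: it blends the three signals with owner-assigned asset criticality and exposure into a single patch-priority score and a simplified SSVC-style tier. The weights and tier rules are constructed assumptions, not a published standard; the CVE ids in the sample data are the ones cited in the article, but the CVSS and EPSS values attached to them are placeholders, as are the two `CVE-0000-*` ids.

```python
"""Risk-based vulnerability triage: CVSS severity, EPSS exploitation
probability and CISA KEV membership combined with asset context.

Added example, not from the article. Weights, tier rules and the sample
findings are constructed for illustration. The CVE ids come from the
article; the CVSS/EPSS values shown for them are placeholders, not the
real published scores.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float             # CVSS base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str
    internet_facing: bool   # the "low-hanging fruit external component"
    criticality: int        # 1 (disposable) .. 5 (crown jewels), set by the asset owner


def priority_score(f: Finding) -> float:
    """0-100 priority; higher means patch first.

    Constructed weighting (an assumption, not a published standard):
      40% exploitation likelihood: EPSS, forced to 1.0 when the CVE is in KEV
      30% technical severity: CVSS / 10
      30% asset context: criticality scaled to 0-1, +0.2 uplift if internet-facing
    """
    likelihood = 1.0 if f.in_kev else f.epss
    severity = f.cvss / 10.0
    context = min(1.0, f.criticality / 5.0 + (0.2 if f.internet_facing else 0.0))
    return round(100.0 * (0.4 * likelihood + 0.3 * severity + 0.3 * context), 1)


def triage_tier(f: Finding) -> str:
    """Simplified SSVC-style decision (constructed rules, not CISA's decision tree):
    'act' = fix now, 'attend' = schedule soon, 'track' = monitor."""
    exploited = f.in_kev or f.epss >= 0.5
    if exploited and (f.internet_facing or f.criticality >= 4):
        return "act"
    if exploited or (f.cvss >= 9.0 and f.criticality >= 3):
        return "attend"
    return "track"


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """CVE ids ordered by the blended score, highest first."""
    return [f.cve for f in sorted(findings, key=priority_score, reverse=True)]


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """CVE ids ordered by CVSS alone, for comparison (stable sort keeps input order on ties)."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample scanner output. CVE ids from the article; all scores are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-2018-13379", 9.8, 0.97, True,  "vpn-gw-01",        True,  5),
    Finding("CVE-2019-19781", 9.8, 0.97, True,  "adc-lab-03",       False, 2),
    Finding("CVE-0000-00001", 9.1, 0.02, False, "hr-portal",        False, 3),  # placeholder id
    Finding("CVE-2017-11882", 7.8, 0.96, True,  "finance-wkstn-22", False, 4),
    Finding("CVE-0000-00002", 5.3, 0.01, False, "intranet-wiki",    False, 1),  # placeholder id
]

if __name__ == "__main__":
    print(f"{'CVE':<16}{'asset':<18}{'CVSS':>5}{'EPSS':>6}{'KEV':>5}{'score':>7}  tier")
    for f in sorted(SAMPLE_FINDINGS, key=priority_score, reverse=True):
        print(f"{f.cve:<16}{f.asset:<18}{f.cvss:>5}{f.epss:>6}{str(f.in_kev):>5}"
              f"{priority_score(f):>7}  {triage_tier(f)}")
    print("CVSS-only order:", rank_by_cvss(SAMPLE_FINDINGS))
    print("Risk-based order:", rank_by_risk(SAMPLE_FINDINGS))
```

With the constructed data, the CVSS-only ordering puts the two 9.8 flaws first and the 7.8 Office flaw fourth; the blended ordering moves the actively exploited 7.8 on a criticality-4 finance workstation ahead of the 9.8 on a low-value lab appliance, which is the asset-context point the article is making. The weights are the part a team would tune to its own environment.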

But even with these tools, CISOs contending with vulnerability management struggle with securing budget, support and resources. Remediation is not easy, and certain businesses might face issues with downtime or critical infrastructure that throw a wrench into how they apply patches. Sometimes companies may even be under the impression that a flaw is fixed, but developers might reuse an old code repository or an outdated open source component that reintroduces the issue.

“There’s the crown jewels component, there’s the low-hanging fruit external component, and then just having the context around the assets so then you can then prioritize what assets you’ll apply your limited resources to - but I think this space is a big challenge for folks, still,” said Holland.

Nost said that vulnerability management is a “data management problem at the end of the day,” and organizations can start to tackle prioritization by first “getting your arms around the data.”

Organizations can “start with the data… that you have in the environment, and [understanding] the data that’s giving us visibility into our environment, our assets, what our assets do, what their purpose is, what their value is,” said Nost. “We need to know the control environment that these assets have, and we need visibility into the weaknesses.”