Once upon a time (just a handful of years ago), vulnerability management programs focused solely on servers, running quarterly scans that targeted only critical systems.
But that was then, and you can’t afford such a limited view in the now. Truth is, vulnerability exploitation now happens indiscriminately across the modern attack surface—from local and remote endpoints to on-prem and cloud infrastructure to web applications and containers. Security teams must start thinking about their organization’s risk more holistically, since their adversaries will take advantage of any available entryway into the network. In short—attackers aren’t siloed in their approach, so you shouldn’t be siloed in yours.
A logical first step? Expanding the way you think about vulnerability risk management to not just include traditional IT infrastructure, but also cloud-based or virtualized assets and applications. Let’s dive deeper into the VRM considerations for each layer.
Enhancing vulnerability management—on-prem and in the cloud
Today, your security team has more on its plate than ever before. You’re tasked with monitoring a vast attack surface, including systems and software in corporate data centers and on cloud platforms, running in physical, virtualized, and container environments.
Your vulnerability management solution should be able to keep pace with these ever-increasing demands for visibility. On top of protecting critical infrastructure that keeps the network in motion, it should also work with DHCP connections, VMware, AWS, Azure, and other virtual and cloud platforms. For many teams who are increasing their cloud adoption, a primary goal is to eliminate blind spots in your environment by integrating with cloud platforms, detecting when new devices are deployed, and automatically assessing them.
You can take another step in this direction by embedding agents in cloud and virtual images, so that every time a new component of a service is spun up you get instant visibility into the risk it introduces into your network.
Expanding your scope to the application layer
There’s a lot to be said for addressing a huge blind spot in traditional approaches to vulnerability management: web application security. Web applications are the most leveraged attack vector by malicious actors, according to the 2020 Verizon Data Breach Investigations Report. Securing them should be an integral component of every modern VRM program.
Legacy application scanners were designed for older web technologies like HTML, PHP, and Perl. They are often unable to test rich web applications built with newer technologies and protocols, and those that involve complex, multi-step workflows like shopping cart checkout sequences.
Your program should incorporate an application testing solution that’s as smart and sophisticated as today’s modern web apps. It should be able to automatically scan applications built with Single Page Application (SPA) frameworks like REACT.JS, REST APIs, as well as complex, multi-step workflows. This gives you a comprehensive picture of where and how exploitation can happen at the app level. Additionally, having monitoring and self-protection measures in place offers you visibility into real-time attacks trying to take advantage of potential vulnerabilities, and minimizes their ability to penetrate deeper into the network.
Prioritizing risk and remediating vulnerabilities across your modern environment
How can you reduce vulnerability risk and impact your security posture quickly? Make patching and remediation activities faster and more effective. Your tools should enable you to clearly and efficiently hand off vulnerability data and tasks to the ticketing systems employed by your IT and DevOps team. An automated handoff gives operations teams access to more data, faster, so they can patch systems and fix misconfigurations quickly and accurately. See how we do this in InsightVM.
The more you can integrate into the workflows already embroiled into the day-to-day activities of your IT operations and DevOps counterparts, the less friction you’ll experience working toward secure infrastructure and applications.
Next steps for building your VRM program
Now that we’ve outlined a scope of vulnerability risk management that will keep you well secured and positioned in the face of today’s threat landscape, it’s time to start building and developing your own in-house program.
Take the first step with a resource toolkit compiled by our VRM experts at Rapid7, including a checklist for getting started, talking points for building a business case, and some of our own customer proof points.