Protecting Against An Avalanche of Vulnerabilities

Any security expert will tell you that internal attacks are the most troubling sort. They are harder to defend against, and insiders know what to go after. The average loss that companies in the CSI/FBI survey experienced due to financial fraud or theft of proprietary data was over $160,000. However, the CSI/FBI survey numbers fall on the conservative side, since they rely on voluntary reporting.

Other surveys point to much higher losses due to insider exploits.

According to the U.S. Commerce Department, intellectual property theft alone costs U.S. businesses approximately $250 billion each year. IBM reports that cybercrime is now more of a problem for U.S. businesses than traditional physical crimes, while also saying that more than 70% of businesses they’ve studied believe that insider attacks are a more significant threat than those from hackers.

Insiders have a better sense of which systems are vulnerable, and they can often intentionally introduce misconfigurations that they can then later exploit. This again points to the necessity for aggressive vulnerability monitoring. However, aggressive monitoring creates its own headaches.

“A common enterprise report may find 30,000 vulnerabilities,” said Alan Paller, director of research for the SANS Institute. “In fact, a number that high is by no means uncommon.”

Understanding the too-much information curse, most vulnerability management vendors classify vulnerabilities by risk. “Vulnerabilities that have known exploits in the wild are rated much higher than those for which no known attack exists.”
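The risk-based classification described above is easy to express as a small triage routine. The following is an added illustration, not code from any of the vendors named in this article: the weighting (a known in-the-wild exploit multiplies the severity score, which is then scaled by how critical the affected asset is) and the tier thresholds are assumptions chosen for the example, and the findings are constructed sample data with placeholder identifiers.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Finding:
    """One scanner result. Field names and scoring inputs are assumptions for this example."""
    host: str
    vuln_id: str            # placeholder identifier, not a real advisory number
    cvss: float             # base severity, 0.0 to 10.0
    exploit_in_wild: bool   # is a working exploit publicly known?
    asset_criticality: int  # 1 (lab box) .. 5 (system holding patient records)


def risk_score(f: Finding) -> float:
    # A known exploit counts for more than raw severity: a 6.5 with public exploit
    # code on a critical server outranks a 9.8 that nobody is known to be attacking.
    exploit_factor = 3.0 if f.exploit_in_wild else 1.0
    return f.cvss * exploit_factor * f.asset_criticality


def tier(f: Finding) -> str:
    # Buckets an analyst can act on; thresholds are assumed, tune them to your environment.
    if f.exploit_in_wild and f.asset_criticality >= 4:
        return "immediate"
    if f.exploit_in_wild or f.cvss >= 9.0:
        return "scheduled"
    return "backlog"


def prioritize(findings):
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def summarize(findings):
    """Count how many findings land in each tier, so the report leads with what matters."""
    return dict(Counter(tier(f) for f in findings))


# Constructed sample data: four findings from a hypothetical scan.
SAMPLE = [
    Finding("ws-17",  "vuln-B", 9.8, False, 2),
    Finding("lab-09", "vuln-D", 4.3, False, 1),
    Finding("db-01",  "vuln-A", 6.5, True,  5),
    Finding("web-02", "vuln-C", 7.5, True,  3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.1f}  {tier(f):9s}  {f.host}  {f.vuln_id}")
    print(summarize(SAMPLE))
```

Run as-is, the script lists the database server's exploitable medium-severity flaw first and the unexploited 9.8 on a workstation third, which is the ordering the article's vendors are describing: the "30,000 vulnerabilities" report becomes a short list of what to fix this week and a backlog for everything else.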

Managing Risk

The key is to focus on the most significant risks, and vendors like CoreSecurity, eEye, nCircle, and Qualys understand this. After all, the slew of false positives and alarms set off by minor problems bedeviled the intrusion detection space for years, and those in the vulnerability management space learned from those mistakes.

The space has also learned that point products often have short life spans so they’ve rolled vulnerability assessment in with other value-added security services. “Traditional vulnerability assessment simply tells you where you are vulnerable,” said Ross Brown of eEye. “Vulnerability management, on the other hand, not only tells you where you are vulnerable, but also what to do about it.”

After surveying the market, Mercy Hospital in Miami chose eEye’s vulnerability management suite partly because of its remediation abilities. Since eEye ties into BigFix’s patch and configuration management platform, Mercy can streamline its remediation process.

Mercy was also drawn to eEye’s extensive vulnerability database and their research team, which has uncovered such serious flaws as the Microsoft DCOM RPC Memory Leak and the remote code execution flaw in McAfee’s ePolicy Orchestrator.

A final consideration for Mercy was the importance of protecting legacy applications. “As much as you’d like to be running a homogeneous network with one operating system and current applications, what happens in a hospital is that you have many homegrown applications that fill niche needs. Hospitals are almost forced to run very obscure applications,” Hernandez said.

As a result, the final piece of the vulnerability puzzle is linking with related security offerings that protect against no-signature and zero-day attacks, as well as providing protection for legacy products for which no patches exist. After all, what good is a system that points out a flaw but then tells you that there is nothing you can do about it?