Jun 28, 2021

Stop Chasing Vulnerability Headlines

Organizations need to pay attention to the headline vulnerabilities and the gigantic risk beneath the iceberg's tip.

By Boyd White, Director of Technical Solutions Engineering, Tanium

Zerologon (CVE-2020-1472), EternalBlue (the exploit for the SMBv1 flaw CVE-2017-0144), BlueKeep (CVE-2019-0708). These are words that can make a chief information security officer’s heart sink.

All three are tracked as entries in the CVE List maintained by MITRE Corp., the nonprofit that assigns CVE identifiers. Vulnerabilities like these have existed since the dawn of computing, but MITRE only began identifying and cataloging them as CVE entries in 1999, and the information security community only started routinely giving vulnerabilities memorable names around 2014, with Heartbleed (CVE-2014-0160) the usual marker for that shift.

Since then, these named vulnerabilities have been easy to reference. A handful have even made news headlines.

Yet thousands more CVEs are published each year, and quite a few are just as harmful. The big-name vulnerabilities make news for a few days, but it is the accumulation of all the others that generates your organization’s biggest risk. Residual, unnamed vulnerabilities seldom make headlines, yet they linger on endpoints for months, even years.

Let’s be honest: Are we really going to blame a company that is breached through a vulnerability announced only a week ago? And what about a company that falls to a vulnerability that is seven years old?

Stay safer with continuous compliance

So, am I saying you don’t need to check for headline vulnerabilities? No, not at all. Your directors and business executives are probably going to continue asking about named vulnerabilities, and you’ll need to answer them promptly. But it’s worth noting that many of these vulnerabilities existed for years before they were publicly discovered and announced.

Also, some named vulnerabilities are critical, and they should be addressed quickly. But what your organization really needs to prioritize is continuous compliance.

Continuous compliance means assessing every endpoint against your vulnerability and configuration baselines all the time, not in a periodic scan window. Done properly, it ensures you always have a comprehensive, up-to-date inventory of vulnerabilities, so that a vulnerability which returns to the environment later is caught, and the named vulnerabilities that matter are caught as part of your normal process rather than by a one-off fire drill.

That holds even when a named vulnerability was eradicated once and then comes back through a rollback, a system restore from a pre-patch image, or a business acquisition that brings unpatched assets into the enterprise.
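The inventory comparison that catches a returning vulnerability is simple to express. The following is an added example, not Tanium code or anything from the original article: it assumes each scan produces a set of (hostname, CVE) findings, and it classifies the latest scan against the full history so that a finding absent from the previous scan but seen earlier is flagged as reintroduced rather than new. The hosts and dates are constructed sample data; the CVE identifiers are real, well-known vulnerabilities used only as labels.

```python
from datetime import date

# Constructed sample data (hypothetical hosts). Each scan date maps to the set
# of (hostname, CVE) findings observed in that scan.
SNAPSHOTS = {
    date(2021, 5, 1): {
        ("web01", "CVE-2020-1472"),   # Zerologon
        ("fs02", "CVE-2017-0144"),    # SMBv1 flaw exploited by EternalBlue
        ("ts03", "CVE-2019-0708"),    # BlueKeep
    },
    date(2021, 6, 1): {
        ("fs02", "CVE-2017-0144"),    # still unpatched
        ("mail06", "CVE-2019-0708"),  # found here, fixed before the next scan
    },
    date(2021, 6, 28): {
        ("fs02", "CVE-2017-0144"),
        ("web01", "CVE-2020-1472"),   # host restored from a pre-patch backup
        ("ts03", "CVE-2019-0708"),    # image rolled back
        ("vpn05", "CVE-2014-0160"),   # acquired host, never scanned before
    },
}


def classify_findings(snapshots):
    """Classify every finding relevant to the latest scan.

    Returns a dict with four keys, each a sorted list of (host, cve):
      new          - in the latest scan, never seen in any earlier scan
      persistent   - in the latest scan and in the previous scan
      reintroduced - in the latest scan, absent from the previous scan,
                     but seen in at least one earlier scan (rollback,
                     restore, acquisition, ...)
      remediated   - in the previous scan but not in the latest
    """
    dates = sorted(snapshots)
    if len(dates) < 2:
        raise ValueError("need at least two scans to compare")
    current = snapshots[dates[-1]]
    previous = snapshots[dates[-2]]
    seen_earlier = set().union(*(snapshots[d] for d in dates[:-1]))

    return {
        "new": sorted(current - seen_earlier),
        "persistent": sorted(current & previous),
        "reintroduced": sorted((current - previous) & seen_earlier),
        "remediated": sorted(previous - current),
    }


def finding_age_days(snapshots, finding):
    """Days between the first scan that observed `finding` and the latest scan.

    Returns None if the finding has never been observed. A reintroduced
    finding is aged from its first appearance: the exposure predates the
    rollback that brought it back, and the age should reflect that.
    """
    dates = sorted(snapshots)
    for d in dates:
        if finding in snapshots[d]:
            return (dates[-1] - d).days
    return None


if __name__ == "__main__":
    for status, findings in classify_findings(SNAPSHOTS).items():
        for host, cve in findings:
            age = finding_age_days(SNAPSHOTS, (host, cve))
            print(f"{status:12} {host:7} {cve}  age={age}d")
```

The point of the four buckets is operational: "new" findings go to the normal patch queue, "reintroduced" ones go to whoever owns the restore or rollback process, and the age column is what you report when a director asks how long a named vulnerability has been present.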

You should also prioritize the riskiest vulnerabilities: those that allow remote code execution and for which a public exploit is available.

Riskier still are vulnerabilities linked to threat actors that target your specific industry. These should be continually assessed and moved to the front of the fix queue. A good example is the theft of FireEye’s red team tools in December 2020. The CVEs those tools exploited were all publicly known with patches available, and several were years old; an organization current on patching had little to fear from them.

How can you prioritize your own organization’s vulnerabilities? Answering these six questions will help you get started:

  • Could the impact of the vulnerability be high?
  • Does the vulnerability exist on a large number of endpoints?
  • Is there a public exploit available?
  • Is this vulnerability known to be used by my adversaries?
  • Is this vulnerability public-facing?
  • Does this vulnerability exist on assets that support critical business functions?

The more times you answer “yes,” the higher you should rank the vulnerability’s priority.

Getting back to basics

Endpoint vulnerabilities are typically fixed by patching. Those that can’t be patched are usually fixed by configuration changes, such as disabling a vulnerable protocol or feature. This is the basic blocking and tackling that every organization should already be doing.

Yet somehow, even with this work done, residual risk persists: patches that report success but never take effect, hosts waiting on a reboot, machines that were offline during the patch window, and images that get rolled back.

We need to get back to the basics. That means giving attention to not only the headline vulnerabilities but also the gigantic risk that lies beneath the iceberg’s tip.

Fortunately, Tanium can help you. Tanium Comply continuously monitors compliance and vulnerabilities; it also helps keep constant tabs on your endpoints.

You can use the Tanium platform to discover in near real time why vulnerabilities linger on your endpoints. Are they low on disk space? Pending a reboot? Tanium can help find the answer.

You can also use Tanium to get your vulnerability team and ops team on the same page—er, um—screen.

If you’re struggling with patching operating systems or third-party applications, Tanium can help here, too. Tanium Patch speeds your ability to perform OS patching. Similarly, Tanium Deploy gives you the speed and agility to manage those pesky third-party applications, which are often the largest source of vulnerabilities.

Headline vulnerabilities are just the tip of the cyber iceberg. Make sure your organization is truly safe by prioritizing the cyber risks that matter to you, even those that don’t make the news.


Learn more in these Tanium Community articles:

  • Managing vulnerabilities with Tanium: a manager’s overview
  • Managing vulnerabilities with Tanium: rapidly applying emergency patches safely and efficiently (OS and third-party applications)