How Middle East security chiefs can bolster their remediation workflows in the face of an escalating threat landscape. Explore expert insights from Hadi Jaafarawi, Managing Director for the Middle East at Qualys. Discover actionable steps to fortify your security measures and safeguard against cyber threats.
Numbers tell stories better than words. Exhibit A: IBM’s 2023 Cost of a Data Breach report, which puts the Middle East average at US$7.97 million. The financial industry is the threat actor’s unsurprising favourite target (average breach cost: US$9.4 million), followed by the energy sector (US$9 million) and healthcare (US$8.7 million). The story being told is of a looming spectre that aims to slow, or even reverse, economic progress.
With this in mind, let us imagine what our defenders, CISOs and their SOCs staffed with analysts, strategists and threat hunters, go through in the age of perimeterless IT. We long ago dispensed with the naivety of “It can’t happen here.” Nowadays, even the most tech-illiterate executive understands that the only thing between their organisation and a cyber breach is the tick-tick-tick of time. The zero-trust epoch is upon us all, and with it the assume-breach mindset: prevention still matters, but it is no longer the whole plan, and attention shifts to detection and remediation. After all, what else could your top priority be when you have accepted that you have already been invaded?
Despite the epiphany, however, legacy issues continue to populate top-N lists such as the Qualys annual Top 20 Security Vulnerabilities study. Our top five included a 2017 remote code execution (RCE) vulnerability in WordPad and a similar 2012 issue in Microsoft Windows Common Controls: flaws whose patches have been available for years and which remain exploitable only because those patches were never applied. It is understandable. Sometimes a patch impacts core functionality or calls for unacceptable downtime for its deployment. Some fixes are composed of multiple patches and reconfigurations. Patch management is challenging. But with drained finances and tarnished reputations at stake, it is clear that when it comes to remediation, we must find a way to improve. Here are five steps to help you do just that.
1. Overhaul system images
System images and templates simplify IT management by streamlining the deployment of endpoints, cloud servers and container applications. But an image is also a multiplier: if a golden image or container base image carries a vulnerable library, an unpatched OS component or a stale default configuration, every system built from it inherits the hole, and patching the running instances one by one only means the next deployment reintroduces it. Review all your preconfigured golden images and software container libraries, rebuild them with current patches where appropriate, and scan the image itself rather than only the systems built from it. Otherwise, admin and development teams will blindly replicate exploitable holes across their outputs.
2. Use automation for triage
Prioritising remediation in a limited-resource environment is a challenge. Analysts look at factors like “ease of exploitation”, “potential damage”, “age of vulnerability” and “ease of remediation” to determine what should be patched and when. And factors have subfactors. “Ease of exploitation” covers whether public exploit code exists and whether the flaw is being exploited in the wild; “potential damage” can be operational damage, balance-sheet damage or brand damage, and depends as much on the asset (internet-facing? crown jewel?) as on the vulnerability. Technical teams are always under pressure to rank the issues by weighing risk against reward, even when precise measurement is itself a challenge. Is this not an ideal job for automation? Why not encode the weighing of these factors as a scoring model that runs within predetermined business rules, with AI assisting where judgement is needed? The SOC will be delighted to relinquish such burdensome tasks while gaining consistency in triage: the same finding on the same kind of asset gets the same priority every time, and the rules can be reviewed and audited.
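To make the weighing concrete, here is an added example of rule-driven triage in Python. It is my own illustration, not Qualys’s or any vendor’s scoring model; the findings, weights, priority thresholds and SLA values are all constructed assumptions. The shape is the point: a weighted score covers the ordinary cases, and a small set of hard business rules (active exploitation on an exposed or critical asset is always P1) overrides the score so that no weighting quirk can bury something urgent.

```python
"""Rule-driven vulnerability triage: a weighted score plus hard business rules.

Added example. All findings, weights, thresholds and SLA values below are
constructed assumptions for illustration, not Qualys's or any vendor's model.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # tracking identifier (constructed)
    asset: str                # hostname (constructed)
    cvss: float               # base severity, 0-10
    exploit_public: bool      # working exploit code is publicly available
    exploited_in_wild: bool   # active exploitation has been reported
    published: date           # disclosure date, drives the "age" factor
    asset_criticality: int    # 1 (low) .. 5 (crown jewel), set by asset owners
    internet_exposed: bool
    remediation_effort: str   # "low" | "medium" | "high"


@dataclass(frozen=True)
class Triaged:
    vuln_id: str
    asset: str
    priority: str
    score: float
    due: date


# Weights are a business decision, not a standard; they sum to 100 for readability.
WEIGHTS = {"severity": 25, "exploitability": 30, "damage": 25, "age": 10, "effort": 10}
EFFORT_FACTOR = {"low": 1.0, "medium": 0.6, "high": 0.3}  # cheap fixes rank higher
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
TODAY = date(2024, 1, 15)  # fixed "today" so the example is reproducible


def score(f: Finding, today: date) -> float:
    """Weighted 0-100 score built from the factors analysts weigh by hand."""
    severity = f.cvss / 10
    exploitability = 1.0 if f.exploited_in_wild else 0.6 if f.exploit_public else 0.2
    damage = (f.asset_criticality / 5) * (1.0 if f.internet_exposed else 0.7)
    age = min((today - f.published).days / 365, 1.0)  # exposure accumulates, capped at a year
    effort = EFFORT_FACTOR[f.remediation_effort]
    return (WEIGHTS["severity"] * severity
            + WEIGHTS["exploitability"] * exploitability
            + WEIGHTS["damage"] * damage
            + WEIGHTS["age"] * age
            + WEIGHTS["effort"] * effort)


def priority(f: Finding, s: float) -> str:
    """Hard business rules first; the score only decides what the rules leave open."""
    if f.exploited_in_wild and (f.internet_exposed or f.asset_criticality >= 4):
        return "P1"
    if f.exploited_in_wild or (f.exploit_public and f.internet_exposed) or s >= 70:
        return "P2"
    if s >= 45:
        return "P3"
    return "P4"


def triage(findings: list[Finding], today: date) -> list[Triaged]:
    """Score, classify and order a backlog; each item carries its SLA due date."""
    result = []
    for f in findings:
        s = score(f, today)
        p = priority(f, s)
        result.append(Triaged(f.vuln_id, f.asset, p, s, today + timedelta(days=SLA_DAYS[p])))
    # Sort by priority tier, then by score within the tier.
    return sorted(result, key=lambda t: (t.priority, -t.score))


# Constructed backlog (hypothetical assets and identifiers).
BACKLOG = [
    Finding("V-1", "web-prod-01", 9.8, True, True, date(2017, 4, 11), 5, True, "low"),
    Finding("V-2", "hr-db-02", 7.5, True, False, date(2023, 11, 1), 4, False, "high"),
    Finding("V-3", "kiosk-17", 5.3, False, False, date(2023, 12, 20), 1, False, "medium"),
    Finding("V-4", "vpn-gw-01", 8.8, True, False, date(2024, 1, 9), 3, True, "medium"),
]

if __name__ == "__main__":
    for t in triage(BACKLOG, TODAY):
        print(f"{t.priority} {t.vuln_id:<4} {t.asset:<12} score={t.score:5.1f} due={t.due}")
```

Run it as a script to see the ordered backlog: the seven-year-old, actively exploited bug on the internet-facing web server lands at P1 with a seven-day due date, while the newer but not-yet-exploited VPN gateway flaw is P2 by rule even though its weighted score is lower than some P3 candidates would allow. In a real deployment the factor values come from the scanner export and the CMDB, and the weights and rules live in version control where the SOC and the business can review them.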
3. Keep track of Every. Single. Thing.
The security team’s work can all be for nought if a reliable record is not kept of every action. This plays out in the real world: efficient security teams do all the right things for remediation, day by day, only to see no benefit. Their vulnerability lists did not shrink because nobody had taken the time to update them. Morale suffered needlessly. And since low morale is a top reason for underperformance and resignation, security leaders should take note, especially those who operate a SOC in a region with skills gaps.
Poor record-keeping has technical causes too. Non-persistent virtual desktops are rebuilt from their master image on every new session, so a patch applied to a running desktop is gone at the next logon and the scanner reports the same finding again; the durable fix belongs in the master image, and the tally should count the finding once per image rather than once per desktop. Or perhaps decommissioned assets are still counted in the vulnerability column, so the backlog can never fall below the number of dead machines. Reconcile scan results against the asset inventory to account for these scenarios and ensure an accurate progress tally. Progress leads to more progress, but the opposite is also true. In the absence of encouraging news, shoulders will slump.
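As an added illustration (constructed data and field names, not any scanner’s or CMDB’s schema), the following Python reconciles two consecutive scans against an inventory extract before counting progress. Counted naively, both scans report five open findings and nothing has moved; reconciled, the decommissioned host is dropped, the two non-persistent desktops collapse to one finding against their master image, and the patch that was actually applied shows up as closed work.

```python
"""Reconcile scanner findings against the asset inventory before counting progress.

Added example. The inventory extract and scan results are constructed; the
field names are assumptions, not any scanner's or CMDB's schema.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # vulnerability identifier (constructed)
    asset: str     # hostname as the scanner reports it


# Constructed CMDB extract. status: "active" | "decommissioned";
# kind: "server" | "vdi" (non-persistent desktop rebuilt from `image` every session).
INVENTORY = {
    "web-prod-01":    {"status": "active", "kind": "server", "image": None},
    "old-fileserver": {"status": "decommissioned", "kind": "server", "image": None},
    "vdi-pool-a-01":  {"status": "active", "kind": "vdi", "image": "win11-gold-2023q4"},
    "vdi-pool-a-02":  {"status": "active", "kind": "vdi", "image": "win11-gold-2023q4"},
}


def reconcile(findings: list[Finding], inventory: dict) -> tuple[set[Finding], Counter]:
    """Map raw findings to the set that actually needs work, plus counts of what was adjusted."""
    effective: set[Finding] = set()
    report: Counter = Counter(raw=len(findings))
    for f in findings:
        entry = inventory.get(f.asset)
        if entry is None:
            # Unknown to the CMDB: an inventory defect. Keep it open so it cannot be
            # silently "fixed" by being ignored.
            report["unknown_asset"] += 1
            effective.add(f)
        elif entry["status"] == "decommissioned":
            # Dead hosts inflate the backlog; the scanner record, not the host, needs retiring.
            report["dropped_decommissioned"] += 1
        elif entry["kind"] == "vdi":
            # A patch on a non-persistent desktop is lost at the next session; the only
            # durable fix is in the master image, so count the finding once per image.
            report["rolled_up_vdi"] += 1
            effective.add(Finding(f.vuln_id, f"image:{entry['image']}"))
        else:
            effective.add(f)
    report["effective_open"] = len(effective)
    return effective, report


def progress(prev_open: set[Finding], cur_open: set[Finding]) -> dict[str, int]:
    """Compare two reconciled snapshots so that closed work becomes visible."""
    return {
        "closed": len(prev_open - cur_open),
        "new": len(cur_open - prev_open),
        "still_open": len(prev_open & cur_open),
    }


# Constructed results from two consecutive scans.
PREV_SCAN = [
    Finding("V-1", "web-prod-01"), Finding("V-2", "web-prod-01"),
    Finding("V-1", "old-fileserver"),
    Finding("V-3", "vdi-pool-a-01"), Finding("V-3", "vdi-pool-a-02"),
]
CUR_SCAN = [
    Finding("V-2", "web-prod-01"), Finding("V-4", "web-prod-01"),      # V-1 was patched
    Finding("V-1", "old-fileserver"),                                   # stale record lingers
    Finding("V-3", "vdi-pool-a-01"), Finding("V-3", "vdi-pool-a-02"),  # back after every reboot
]

if __name__ == "__main__":
    prev, _ = reconcile(PREV_SCAN, INVENTORY)
    cur, rep = reconcile(CUR_SCAN, INVENTORY)
    print("raw count unchanged at", rep["raw"], "findings; reconciled:", progress(prev, cur))
```

The reconciled view reports one finding closed, one new and two still open, which is the story the team needs to hear. Findings on hosts the inventory does not know about are deliberately kept open and counted separately: they are an inventory problem to fix, not noise to discard.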
4. Review your applications
While screening for vulnerabilities in images and templates, remember application software that has lapsed into irrelevance. Threat actors rub their hands in glee at the sight of a tool that is no longer used: its obsolescence means it probably does not make the triage cut, nobody owns it, and it may be full of vulnerabilities. Uninstall these apps. It is a quick fix to a glaring risk. In the wild, I have seen companies run multiple out-of-date versions of apps that were no longer used. Removing them eliminated the intrinsic risks and maintenance headaches associated with legacy tools. In those cases, risk metrics fell by as much as half through app review and strategic removal.
5. Refine your narrative
Updates are routine and are often planned by vendors in a way that will have minimal impact on users. Security patching is often different: a fix may reach into core components of a product, and deployment calls for reboots, reconfigurations and offline periods. The security function must battle it out with other business functions, each telling its own story with its own figures, to win support before being granted leave to do what is necessary. Many non-tech executives have at least read the headlines of cyber breaches worldwide. If they believe a patch will keep their brand out of the next such headline, they will likely be more favourable towards it. CISOs should therefore present patching downtime as a known quantity that can be planned for, compared with the unknowable hours and days of downtime associated with a breach.
Risks and rewards
The main objective of remediation is to reduce risk. Patching, when planned, tracked and supported by automation, can be just what the doctor ordered, rewarding security teams and risk managers with many more hours of sleep while avoiding the dreaded disaster event that may otherwise occur.