Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
In early February, Tesla paid $10,000 for a vulnerability in Microsoft SQL Server Reporting Services (SSRS) that was identified in its systems by a German bug hunter. This bug hunter also indicated that an attack could have had a critical impact, since the full infrastructure could be compromised. The issue had been recognized and a patch had been issued just four days before, and Tesla was able to quickly take the vulnerable SQL reporting service offline, sparing itself a possible attack that could have had much more expensive consequences.
Fixing the vulnerability by following the instructions in CVE-2020-0618, Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability, would have been easy. However, by the time a company runs a patch for a critical issue, it is often too late.
In August 2020, the Ponemon Institute released its State of Vulnerability Management in the Cloud and On-Premises report, sponsored by IBM X-Force Red, a group of security professionals and ethical hackers. The report highlights the challenges organizations face across their on-premises and cloud-based vulnerability management programs.
The global survey was conducted in April 2020 and covered 1,848 IT security professionals in North America, Europe, the Middle East, Africa, the Asia-Pacific region and Latin America across a variety of industries. The survey reveals the various difficulties linked to the deployment and management of cloud and on-premises infrastructures, in the hope that organizations can learn which vulnerabilities pose the highest risk to their businesses and employ best practices to defend digital assets more effectively.
The main takeaway in the report, which presents an analysis of the key findings, was that a significant percentage of respondents recognized that their organizations have difficulty identifying, prioritizing and patching vulnerabilities in cloud environments or on-premises, thus making it easier for cybercriminals to carry out their agenda. The consequences could be dire if patching is not applied in a timely manner, as seen in the case of Tesla’s Microsoft SQL Server Reporting Services issue.
Key findings from the Ponemon Institute global survey
Specific survey findings from the report include the following:
Patching is too little, too late
Only 21 percent of respondents say their organizations are highly effective in patching vulnerabilities in a timely manner. The report presents a list of reasons why major delays occur in the vulnerability patching process: from not having enough resources to keep up with the volume of patches (55 percent), to not having an IT security team with the necessary patching skills and training to fix vulnerabilities (only 41 percent reported having one), to things being overlooked because emails and spreadsheets are used to manage the process (38 percent). Time wasted chasing false positives is also a major problem (60 percent). And of the 53 percent of respondents that reported having data breaches in the past two years, a staggering 42 percent reported that the breach occurred because a patch available for a known vulnerability was not applied, and was therefore fully preventable.
Problems with current remediation management practices
“According to the research, it can take almost a month (28 days) to patch once a critical or high-risk vulnerability is detected on-premises and 19 days if it is detected in the cloud.” That isn’t good news.
Even more worrisome is the fact that a number of respondents indicate that their biggest vulnerability management challenge is prioritizing fixes and timely patching. In fact, 57% of organizations are unable to recognize which threats pose the higher risk. According to IBM’s X-Force Red team, “It is not enough to only identify vulnerabilities. Security teams need to tie in prioritization and remediation”; both are critical to an effective vulnerability management program, and organizations should strive to make this type of assessment a priority.
In the context of this research, 42 percent of respondents say their organizations are very effective in prioritizing vulnerabilities that pose the greatest risk of a compromise. Only 38 percent of respondents use the Common Vulnerability Scoring System (CVSS), while 37 percent of respondents prioritize by identifying which vulnerabilities are being exploited by attackers. Only 25 percent of respondents say they prioritize based on which exposed assets are the most important to the business.
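The three prioritization signals named above (CVSS score, exploitation by attackers, business importance of the asset) can be combined into one ranking. The following is an added example, not taken from the Ponemon report or from X-Force Red; the findings, field names and weighting are constructed assumptions chosen to show how a CVSS-only ordering differs from a combined one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str       # constructed placeholder identifier
    asset: str         # constructed asset name
    cvss: float        # CVSS base score, 0.0 to 10.0
    exploited: bool    # known to be exploited by attackers
    criticality: int   # business importance of the asset: 1 (low) to 3 (high)


# Constructed sample backlog, for illustration only.
BACKLOG = [
    Finding("VULN-A", "lab-test-vm", 9.8, False, 1),
    Finding("VULN-B", "billing-db", 7.5, True, 3),
    Finding("VULN-C", "intranet-wiki", 8.1, True, 1),
    Finding("VULN-D", "billing-db", 5.3, False, 3),
    Finding("VULN-E", "build-server", 9.1, False, 2),
]


def risk_score(f: Finding) -> float:
    """Assumed weighting: scale CVSS by asset criticality, double if exploited."""
    score = f.cvss * f.criticality / 3.0
    if f.exploited:
        score *= 2
    return round(score, 2)


def rank_by_cvss(findings):
    """Ordering a team gets when it sorts the scanner export by CVSS alone."""
    return sorted(findings, key=lambda f: -f.cvss)


def rank_by_risk(findings):
    """Ordering that also weighs exploitation and asset importance."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss))


if __name__ == "__main__":
    print("CVSS only :", [f.vuln_id for f in rank_by_cvss(BACKLOG)])
    print("Combined  :", [f.vuln_id for f in rank_by_risk(BACKLOG)])
    for f in rank_by_risk(BACKLOG):
        print(f"{f.vuln_id}  {f.asset:<14} cvss={f.cvss:<4} risk={risk_score(f)}")
```

In this constructed backlog, the highest CVSS score sits on a low-importance lab machine and drops to last place, while an exploited flaw on the billing database moves from fourth to first.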
Per X-Force Red, “If organizations deploy an ongoing vulnerability management program for their cloud environment which includes scanning, prioritization, and a repeatable remediation process, they will continuously understand the security posture of their applications and minimize the risk of a compromise.” Automating vulnerability response processes becomes an absolute necessity to take the human effort out of the remediation management practice; other procedures like patching and prioritizing might be manual, thus slowing down the process. Fifty percent of respondents identify the use of manual processes in their organization as a problem.
The surveyed organizations reported an average vulnerability backlog of 57,555, with 28% of the total vulnerabilities found with scanning (average of 779,935) left unmitigated. However, 32% reported not scanning for vulnerabilities at all. Only 32% of the organizations perform vulnerability scanning on IoT devices and only 31% perform pre-certification of the devices prior to deploying them.
Vulnerability management in the cloud versus on-premises
With more on-premises applications now moving to the cloud, the Ponemon survey shows that 38 percent of respondents say identifying vulnerabilities in cloud environments is more difficult and complex than identifying vulnerabilities on-premises. 35 percent of respondents say patching in the cloud is more difficult and complex than on-premises.
As for vulnerability management practices in the cloud (solutions hosted on the vendor’s servers and accessed via the internet) versus on-premises (solutions hosted on one’s own servers), the findings in this report reveal that “46 percent of respondents say their on-premises vulnerability management programs are managed in-house. In contrast, if vulnerabilities are managed in the cloud, only one-third (33 percent) of respondents say their vulnerability management programs are managed in-house. Slightly more organizations that manage vulnerabilities in the cloud say they outsource the management to a security provider (37 percent of respondents vs. 31 percent of respondents).”
Container security challenges
The Ponemon Institute survey found that organizations face challenges when storing business-critical applications in containers in the cloud. Containers have been around for years and they are an alternative to the use of a virtual machine. VMs use a hypervisor to provide virtual hardware, and a guest OS is included to run the application. Containers, instead, virtualize the operating system: a container holds only the application to be run and its libraries.
Compared to virtual machines, containers are smaller and more portable. Securing them, obviously, poses different challenges compared to virtual machines, as “the improved speed of building, sharing and deploying applications in containers can lead to vulnerabilities being introduced from obsolete vulnerable code or production host environments that have not been hardened.” In fact, 57 percent of respondents admitted to not knowing whether the applications in the containers were designed securely and 56 percent were uncertain about whether the applications were tested for vulnerabilities. A good 59 percent of respondents say their organizations use a scanning tool to identify which applications are business-critical and what kind of data resides in them, and 53 percent of respondents say their organizations use a scanning tool to assess the overall security of the container environment on a quarterly basis. However, 30 percent do not take any steps to strengthen container security.
Conclusion: The X-Force Red point of view
A number of responses caught the eyes of the X-Force Red team. First of all, only 27 percent of respondents declared having visibility into the vulnerability management life cycle, with obvious consequences for their understanding of the prioritization of patching in the organization. 60 percent of respondents believe important assets in their company are exposed as IT security teams chase false positives and minor vulnerabilities. X-Force Red believes the issue might be due to the fact that teams are often evaluated on the sheer number of issues they solve and on how clean the vulnerability report is, not on how critical those issues are. Prioritizing while scrolling through millions of vulnerabilities in a spreadsheet is also very difficult and does not ensure a timely resolution of issues.
The growing use of the cloud and the quick deployment of applications in that environment are also burdening security teams, who often end up dealing with applications that haven’t been properly and extensively tested for problems. Therefore, organizations need programmatic testing and an ongoing vulnerability management program, even more so if operating in a hybrid environment, as per the X-Force Red point of view.