In the blink of an eye, you can miss a new business-disrupting security incident. We all recognize that cybersecurity breaches are increasing in volume and sophistication. How we respond to them is critical.

Security vulnerabilities force organizations to go outside of their daily activities to execute out-of-band responses. We face numerous challenges in managing security risk. These include mapping vulnerabilities to software updates, patch lag, fragmented processes, diverse technology stacks and disjointed teams. All of these factors converge to become barriers to remediation, rather than facilitators. Automating vulnerability life-cycle management and utilizing team swarming can significantly reduce the impact of cybersecurity threats.

Proactive and automated security practices

A mature risk-based prioritization practice requires well-defined processes to handle out-of-band security situations. Most organizations have scheduled monthly maintenance cycles. These typically start the day after Microsoft’s Patch Tuesday, with multiple groups divided into different windows covering each day over 3-4 weeks of maintenance. However, right in the middle of this, a new zero-day vulnerability can interrupt the process. Now, they must begin all over again, in a rushed and less well-organized fashion.

Automated vulnerability management is a key to proactively addressing out-of-band security events. It’s a process of importing a vulnerability into a system that maps it to a device view, opens a security incident, and triggers a vulnerability workflow. A patch assessment is triggered to determine required changes. Patch assessment data is imported into the security incident to open child change tickets to assign tasks for approvals. Finally, patch remediation schedules the patch rollout and execution.
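The workflow just described, modelled as an added example that is not part of the original post or any vendor product: a constructed device inventory, a risk-based decision on whether a finding waits for the monthly cycle or becomes an out-of-band response, and one child change ticket per affected device. Device names, product names, the `CRITICAL_ASSETS` set and the identifiers are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed inventory (the "device view"): device name -> installed products.
DEVICES = {
    "dc01": {"windows-server", "netlogon"},
    "mail01": {"windows-server", "exchange"},
    "app02": {"ubuntu"},
}
CRITICAL_ASSETS = {"dc01"}  # constructed: systems whose exposure raises priority

@dataclass
class Vulnerability:
    vuln_id: str      # placeholder identifier, not a real CVE number
    product: str      # affected product, named as in the inventory
    severity: float   # CVSS-style base score, 0-10
    patch: str        # placeholder name of the update that remediates it

@dataclass
class SecurityIncident:
    vuln_id: str
    devices: list
    priority: str
    schedule: str
    change_tickets: list = field(default_factory=list)

def map_to_devices(vuln: Vulnerability) -> list:
    """Step 1: map the imported vulnerability onto the device view."""
    return sorted(name for name, sw in DEVICES.items() if vuln.product in sw)

def prioritize(vuln: Vulnerability, devices: list) -> tuple:
    """Step 2: risk-based priority decides whether the finding waits for the
    monthly cycle or interrupts it as an out-of-band response."""
    exposes_critical = bool(CRITICAL_ASSETS & set(devices))
    if vuln.severity >= 9.0 or (vuln.severity >= 7.0 and exposes_critical):
        return "critical", "out-of-band"
    if vuln.severity >= 7.0:
        return "high", "next maintenance window"
    return "moderate", "next maintenance window"

def open_incident(vuln: Vulnerability):
    """Steps 3-5: open the security incident, run the patch assessment and
    open one child change ticket per affected device for approval."""
    devices = map_to_devices(vuln)
    if not devices:
        return None  # nothing in the estate runs this product
    priority, schedule = prioritize(vuln, devices)
    inc = SecurityIncident(vuln.vuln_id, devices, priority, schedule)
    for dev in devices:  # patch assessment: one required change per device
        inc.change_tickets.append(
            {"device": dev, "patch": vuln.patch, "state": "awaiting approval"})
    return inc
```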

Team swarming accelerates out-of-band incident resolution

Organizations are trending toward team swarming to expedite out-of-band responses to security events. We see many examples of swarming in nature. Animals and insects often move within large and well-organized groups, to achieve a common goal. Swarming can be applied to a risk prioritization practice. Team members, with a defined lead and support group working together on the same top priority item, can reach resolution faster and with less confusion.

Within a normal maintenance cycle, we must have processes that manage an unforeseen event in an organized, efficient and effective manner. This entails the right people, specific process management, and defined communication channels that mitigate new problems, without crippling business operations.

Out-of-band incidents can happen at any time. The Zerologon vulnerability allowed unauthenticated bad actors to gain network access to domain controllers to establish Netlogon sessions. Once control was established, they accessed domain admin privileges, and caused disruption and damage.

Microsoft released an update for Zerologon on Patch Tuesday in August 2020, with a phased rollout over several months. However, not a month later, threat actors exploited the vulnerability. Security and IT operations teams abruptly found out on a Friday that their weekend was going to be spent working on a problem that needed to be fixed by Monday.

The SolarWinds incident, and the recently exploited Microsoft Exchange vulnerabilities, have caused the same need for an immediate and organized response. How do we get past these painful out-of-band challenges?

Mature risk management implements process and integrated teams

Since we never know when, or how, these emergencies will manifest, we need more controlled responses. Our response procedures must be planned, approaches rehearsed, and implemented with repeatable processes. A planned response program is something we can more confidently follow and execute. However, vulnerability management is often a fragmented process that operates in silos between security and IT operations teams. A key piece to the security vulnerability puzzle is maturing our processes to achieve more effective, less chaotic remediation.

Less mature organizations have silos for security, operations, network architecture, etc. Each team may spend more time proving they were not at fault, rather than focusing on the problem and reaching a resolution. The swarm model takes the key person who knows the vulnerable application or platform best, and gathers the necessary supporting staff from each area to help resolve the issue.

Shifting from loosely planned out-of-band responses to a team swarming approach requires a mindset change. Utilize support tiers and escalation processes, with people who are best suited to solve the problems. Surround them with appropriate personnel to execute the tasks. All team members share the mandate of resolving the security vulnerabilities and ensuring that no compromise has occurred.