From the SolarWinds Orion hack to the Kaseya ransomware attack, recent incidents have proven that a single vulnerability in a company’s product or supply chain can have a massive business and brand impact—potentially even posing a national security threat. Security leaders are under more pressure than ever to improve the speed, efficiency, and effectiveness of their incident response.
To help investigate how security leaders on the front lines are handling the challenge, Synack sat down with Justin Anderson, Head of Vulnerability Management at LinkedIn, for a talk entitled, “Best Practices for Fast & Effective Vulnerability Management” on Dec. 8, 2021. Justin has years of technical experience in a wide range of contexts from the U.S. Air Force to LinkedIn, giving him a unique perspective that’s valuable for any executive or security leader dealing with vulnerability management issues. He spoke alongside Synack Product Analyst, Charlie Waterhouse. Charlie has years of experience conceptualizing security test methodologies that address vulnerability management concerns.
In fact, many of the problems that Justin has addressed in his role are similar to those Synack is looking to solve with its Campaigns product offering. Read on to learn more!
No. 1: Use Human Talent and Time Wisely
As security leaders build out their teams, the cyber talent gap continues to be a significant hurdle. The Biden administration has recognized a need to fill 600,000 cybersecurity jobs. Additionally, engineering talent, especially in Silicon Valley, is expensive and in incredibly high demand.
As a security leader, it does not make sense to hire specialized, in-house security talent. Synack supplies researchers with a variety of skill sets combined with a catalog of on-demand security products that can reduce a team’s workload from months to hours or days. Synack’s researchers’ expertise spans cloud environments such as AWS, Azure and GCP to APIs and mobile applications. Whether security teams are testing for compliance, M&A or a new product launch, Synack’s “App Store”-like experience provides a flexible array of on-demand testing and tasks, with many serving established security frameworks like OWASP Top 10 and NIST 800-53.
No. 2: Balance User Needs and Security
In the words of Charlie Waterhouse, Security Analyst at Synack, “There is some internal tension between security and user experience.” Security is increasingly part of the development process, but when does it start to hinder instead of help growth? Justin from LinkedIn added, “We live in a world where we don’t have fantastic metrics on risk reduction. We also lack metrics on user experience. Security can be a greater threat than any attacker could be. An opaque and lengthy process can slow down an entire business.”
Synack has taken this into account by providing Synack Campaigns such as those based on the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS). The three levels of ASVS Campaigns provide flexibility, so security teams can decide the level of security they need based on whether or not the application provides access to sensitive data.
No. 3: Prioritize Across a Growing List of Vulnerabilities and Risks—Don’t Panic
Security teams face a rapidly growing attack surface. The key to managing it is maintaining a balance between addressing tech debt and responding to new threats.
The first priority is often taking an inventory of the assets and cleaning up “tech debt.” Regularly updating software has never been more important. To go a step further and try to prioritize, Justin recommends compliance scoring. “A higher critical vulnerability should be the priority. We don’t go into the nuance of how this particular vulnerability may have an exploit. An exploit is likely to develop soon, but we try to get in the habit of regular cycle updates.”
Another priority may come from rapid response to news events such as the recent Apache Log4j vulnerability. This can distract security and IT teams—leading to panic. As Justin stated, “Sometimes, news cycles drive patching for things that are not that risky. As a security professional, it’s your job to explain why it’s not necessarily that risky and keep people from overreacting to something that’s not impactful. The other side of that is some vulnerabilities that have not been exploited, yet it seems like someone is going to find an exploit soon. The goal is to prevent any third-party attackers from getting access to the data.”
Synack offers checks for specific CVEs via Synack Campaigns. After researchers revealed the Log4j vulnerability, Synack responded immediately and provided an in-product check for the vulnerability in the form of a CVE Campaign. Within hours, Synack Researchers executed the Campaign, checking for the CVE, collaborating on the most efficient methods for detecting log4j, and providing customers with a risk assessment. Synack presents the information in a digestible, actionable way in order to save teams time and answer important questions via a report generated by running the Campaign.
No. 4: Effectively Communicate Vulnerability Risks To Leadership Teams
The leadership in some organizations may be more tech-savvy than in others. That being said, one principle that holds true across all these interactions is that the best way to convey a message as a security leader is to become an expert on that specific vulnerability or security risk and its implications for your organization.
Synack provides a reporting feature for Campaigns that compiles all the information necessary for leadership, legal, ops, or IT teams. The reports contain information like the severity of vulnerabilities found, whether certain task list items are “pass” or “fail,” evidence, and steps to reproduce findings. These reports are invaluable tools to communicate technical information to a non-technical audience, as well as for showing proof of work.
We hope that this information is useful for your organization as you consider different options. The cyber talent gap is only increasing. Security teams need on-demand solutions, automation, and specialized skills to address the growing workload. Vulnerability management leaders need products that improve security but not at the expense of user experience. There is a growing need to prioritize as vulnerabilities increase every year and attackers become more efficient. Lastly, security leaders need to fully immerse themselves in the nuance of new vulnerabilities and understand their potential impact. When security leaders communicate with executives, they should know the organization’s asset inventory, the extent of the vulnerability’s impact, and actions taken (or not taken) to mitigate its impact. All of these problems are front and center today for vulnerability management leaders, which is why we have developed a new product targeted at these pain points.