In December 2021, we covered the Log4Shell/Log4J security vulnerability which was described as “the single biggest, most critical vulnerability of the last decade” – and how ITAM plays a role in helping organisations prevent and remediate cyber security threats.
In this article, Ben Lipcynski – Head of Global Security Services at Origina – talks about how security and ITAM can work together and also how a change in approach may yield better results for everyone.
If the recent Log4Shell (CVE 2021-44228) exploit has taught us anything, it is that we perhaps do not know our environments as well as we should. Finding and mitigating the risk posed by this vulnerability proved a substantial challenge for many organisations – indicative perhaps of less-than-optimal inventory and discovery processes.
However, by understanding your business’s potential operational risks from a technological and operational context, you are able to evolve and mature to a position where you can determine what is an acceptable level of risk. This “Environment Knowledge” approach will inform all mitigating options beyond that of simply patch-fixing, providing you with the ability to identify options and break free from expensive vender support. Your right to defence – your right to repair. A number of third-party support solutions can enable you to achieve this in a safe and secure manner and often with immediate savings.
“Knowing your environment to a high degree enables the identification, formulation and implementation of mitigating actions beyond that of patch-fix, creating a path to an overall more mature organisation”.
Your Environment Knowledge should include:
This information will support your understanding of a potential impact should an identified vulnerability be exploited. It should also include information about the environment external to your business and the overall threat environment (including potential threat actors, their motives and capabilities (or Cyber Threat Intelligence / CTI). This information, plus your posture i.e. defensive measures in place, will aid in understanding the likelihood of a vulnerability being exploited. From this, a Risk Score can be calculated, in order to prioritise where and when to allocate resources.
This knowledge will also enable you to adopt a more mature approach to risk beyond ‘patch + fix’ as this is just one approach to the identification and deployment of mitigating actions.
Having only ‘patch + fix’ in your ‘toolbox’ can be incredibly constraining as you are dependent on vendors to develop and deploy patches in a timely manner – which they are not obliged to do. If this is the only tool in your arsenal, vulnerability risk management can end up costing more, and taking longer.
Why maintain expensive support with software vendors just to retain access to the patch, especially considering they have no obligation to provide patches once a product has gone End of Life? Also consider that, due to numerous business constraints, provided patches are written for the masses. They are developed for a product as it would appear ‘out of the box’ and do not account for any customisaton performed by individual organisations – customisation necessary to achieve desired operational functionality which may leave you at risk even after a manufacturer provided patch is applied.
A patch-fix dependency can also discourage deep (code base and operation) knowledge of your systems. Log4j is a great example. How many IT owners knew how Log4j was employed within their environment, if they had a dependency on this once little know file, and the potential impacts to operations if the Log4j file was amended or removed while looking to mitigate the Log4Shell vulnerability and others?
Context is key – “Know thyself – Know thy enemy”
Understanding your environment at an enhanced level will help you to identify a broader set of mitigation options to vulnerabilities, while also minimising unintended consequences. This can be achieved through the formation of effective relationships between ITAM and Security teams and, where applicable, third parties too.
Establishing a relationship with your security and risk teams is key – you need clear and open communication to understand each other’s challenges, objectives, and metrics. Getting this right will enable structured engagement between all parties. This will also aid in directing and prioritising spend and effort for effective defensive actions; not just at the product level but across the environment with due consideration of the challenges faced by all involved.
This partnership approach will enable you to populate your Knowledge Environment, including your Bill of Materials (i.e. what you have) which will inform on the overall attack surface area and identify all dependencies in the delivery of your organisation’s critical business functions. The what, where and how much you need to protect will form part of the risk impact assessment – the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to appropriately prioritize cyber risks to inform on impetus to act.
This, along with version information combined with threat intelligence, can be used to inform on potential vulnerabilities and help organisations to allocate the appropriate amount of time, money and other resource to mitigating the perceived risk.
Product life introduces time, i.e. how long do you need to hold the risk in its “as-is” state? This information will enhance your knowledge on the likelihood of a vulnerability being successfully exploited.
This information can be further enhanced by product roadmaps, thus providing greater certainty on potential mitigation actions or the need to change (remembering change = risk).
Licenses can also increase your insight to operations and add context to operational requirements.
Data collected and collated by ITAM teams can also aid security teams in determining how best to monitor the environment for malicious activity – finding the signal in the noise- what is normal and what is not.
When selecting and developing relationships with third parties for the provision of managed services, the implementation of effective contractual engagements or metrics should be undertaken. This will ensure that your third parties are incentivised/measured to work with your best interests in mind. Failure to do so could prevent the consideration of alternative options which may offer additional benefits outside of the risk being addressed. This effort up front will also support in the identification of financial efficiencies.
Points of discussion can include the utilisation of KPIs reflective of reducing held security risks or enhancing your security posture, not just patch-fix, and the implementation of processes which enable multiple forms of risk management/ risk mitigation. Appropriate and effective testing should also be considered. Also consider how outsourcing could degrade your knowledge base and capability of internal resources which may subsequently increase your dependency on third party providers.
Finally, know thy enemy. Consider investment into effective Cyber Threat Intelligence (CTI). Good CTI should prevent you from being ‘patient zero’ of a malicious campaign and help inform on the likelihood of a successful attack or a known vulnerability being successfully exploited by a threat actor. Additionally, CTI can inform you if someone is actively looking to attack your environment and what their capabilities might be. This intelligence can support you in taking a proactive, precise, and cost-effective defensive actions.
Risk can never be zero, but effective internal and external relationships encouraging close collaboration and information sharing can inform on your next actions in a concise manner to save time, money and prevention of a cyber-attack.