Transitioning from vulnerability management to vulnerability remediation
2021 will be the year of cloud vulnerability
If you think you’ve heard this one before, to quote Bachman–Turner Overdrive, “you ain’t heard nothing yet.” As companies move full speed ahead on cloud migration, we’ll start to understand how little we really know about securing complex cloud deployments. From network configurations to user authorization, each cloud security control has its own best practice (or set of them).
And just as in “olden times,” mistakes, errors, and technology flaws can introduce vulnerabilities into the environment. Using unpatched AMIs and operating systems, leaving ports open, or using weak encryption are just some examples of what can go wrong.
And cloud security is not just a technology problem. DevOps teams are under a tremendous amount of pressure to move fast, using new technologies built for speed and agility. While the smart play would be for DevOps teams to slow down, that’s unlikely to happen in 2021. So, it’s in the security team’s best interest to find new and better ways to make life easier for their partners in DevOps.
Enterprises will take baby steps towards left-shifting their vulnerability remediation programs
Shifting security left makes for a good sound bite, but in reality, it’s a painful and confusing process. If something breaks, who fixes it? Security? Dev? Ops? Site reliability engineering? How do you determine SLAs? It’s hard enough as it is to assemble the group needed to risk-assess the situation, let alone figure out how to drive remediation. From what we’re seeing, because companies are still “digitally transforming,” they have a naïve or limited understanding of their cloud security posture. And why wouldn’t they? It’s a new frontier for them.
Case in point: container security. As companies double down on containers, they’re adjusting their CI/CD process to include security controls. But it’s been a struggle, mainly due to how containers are supposed to function as opposed to how they actually behave in large-scale production environments. Plus, security products are still too immature for sophisticated enterprise-wide workflows – we’re all learning as we go. So, as we move into 2021, the good news is we’ll learn a lot about left-shifting vulnerability remediation programs. The bad news is the important lessons are bound to be painful.
Competition and consolidation between traditional vulnerability management vendors and endpoint security vendors will heat up
The theme here is market consolidation, across multiple fronts. Ultimately this will be a win for enterprises, but they may have to stake a claim before the dust settles.
Across one front, you have startups that have brought some very cool cloud scanning approaches to market. These innovators will either be acquired, or their approaches will be copied by traditional vulnerability management vendors. Across another front are the endpoint security vendors, who have already started to move into the vulnerability management space, and for good reason. No matter how capable and efficient vulnerability scanners for cloud assets are, they’ll have minimal impact unless companies are able to automate mitigation.
Without that capability, they’ll have the same problem they have now – long lists of vulnerabilities they can’t fix fast enough to shrink their security debt. Patching will always suck, which is why we need to put more effort into utilizing workarounds, compensating controls and configuration changes as alternatives to, or backups for, patching. So, in 2021, security teams will get better at using their existing security tools to eliminate vulnerability risk without being beholden to the eventual (and unpredictable) patch.
But they’re still going to have to figure out the best way to remediate vulnerabilities in the cloud. Should they go with traditional vulnerability management vendors or use the scanning features built into their endpoint security products? Will it matter which option they choose? Impossible to say at this point, but it will be interesting to see how this trend shakes out!
If you think these predictions sound like they could have been written last year or the year before, you’re not wrong. However, vulnerability remediation – not just scanning and prioritization, but driving the remediation process until the vulnerability is fixed – is a complex endeavor with many moving parts. Progress is incremental and the definition of success can vary widely. Plus, when it comes to complex cloud and cloud-native environments, what I’m learning as we help companies design, test and fix their remediation processes and workflows, is that we still don’t know what we don’t know.
I’m happy to be proven wrong – and we’ll find out soon enough. But until then, happy holidays, and wishing you a safe and healthy new year.