I do not write this from a place of 100% comfort or a place of relaxation, as that is not a realistic state for a modern cybersecurity professional. I write this from a place of brief, illuminated and motivated clarity experienced after thwarting an immediate threat, only to realize there is still so much to do and there are still so many ways to improve the efficiency and effectiveness of the response effort that was mounted.
There are, without a doubt, other vulnerabilities that should be mentioned in the same breath, and that likely posed an even greater risk to some organizations, but Log4j is the third vulnerability in the last year that we treated as a true existential threat. At this point, all of us, and our organizations, should be experts at responding to these issues… Right?
Unfortunately, I think many security leaders are in a similar position. We spend so much time discussing, preparing and practicing for the network-wide ransomware attack or the discovery of a nation-state actor, that we just presume our vulnerability management programs are locking all the doors, shutting all the windows, plugging all the holes. We also presume that these programs are prepared to respond with a sense of efficiency and urgency when there is an issue.
We are getting measurably better at vulnerability response practices, but vulnerabilities can no longer be treated as rarities and handled in a reactive, ad-hoc manner. If the past year has shown us anything, it has illustrated (with real-world scenarios) that we must begin to proactively identify, mitigate and remediate vulnerabilities like Log4j.
“Vulnerabilities can no longer be treated as rarities and handled in a reactive, ad-hoc manner”
It was nice to have a chance to spend some time with friends and family over the holidays, but now is definitely the time to start focusing 2022 planning efforts on maturing and bolstering our vulnerability response by tackling the items below:
- Execute a tabletop exercise focused on the response to a critical vulnerability to practice as a technical response team and raise awareness and interest at the management and executive levels
- Revisit and improve KPIs and KRIs for the vulnerability program to identify ways to ensure we are doing the right things, with the right priority and the right support
- Update asset inventory, ensuring correct asset owners, contacts and business impact categorizations
- Update critical vendors list to enable quick and accurate third-party risk identification
- Update vulnerability response vendor questionnaire to ask fewer, but more critical questions
Written by: Christopher Smedberg | H2B Cybersecurity Advisor