Wednesday, February 19, 2014

[infosecurity-magazine] Enterprise Vulnerability Management Not Keeping Pace with Cloud and Mobility

Despite an increased focus on zero-day exploits, traditional vulnerability management solutions are unnecessarily exposing most organizations to security threats that could be mitigated through continuous monitoring (CM), according to a report from Forrester Consulting.

Commissioned by Tenable Network Security, the report found that consumerization, mobility and cloud computing are increasingly the hallmarks of the extended enterprise, and as a result, periodic snapshot vulnerability scanning cannot effectively address the dynamic nature of today’s extended enterprise environments. About 70% of those surveyed scan monthly or less – even though the access environment may be changing daily for endpoints.

That has catapulted vulnerability management to the top of concerns for organizations (86% of respondents rate it as their second-highest IT security priority for the next 12 months). Yet, respondents said that they remain concerned with effectively lowering their organization’s risk of compromise because of ineffective programs.

Nearly 74% of those surveyed experienced challenges with their overall vulnerability management program, and 79% claimed they were more likely to miss critical vulnerabilities due to insufficient data to narrow down appropriate endpoints for scanning.

“The survey shows that although organizations use periodic vulnerability scans, it’s simply not enough,” said Ron Gula, CEO and CTO of Tenable Network Security, in a statement. “In today’s environment of mobile, cloud and bring-your-own device (BYOD), the extended enterprise poses particular challenges, and organizations are finding it difficult to make traditional vulnerability management work for them. The need for security that covers 100% of assets all the time has never been more apparent than with the recent series of successful breaches.”

Maintaining a consistent and effective vulnerability management workflow emerged as a major problem, with 77% of respondents having concerns about accurate asset discovery. The explosion of transient endpoints compounds the difficulty of discovering all of an organization’s assets and greatly increases the likelihood of a successful breach if unknown assets are not identified and assessed properly. Furthermore, 66% stated they were not confident in conducting proper vulnerability remediation. Once scans returned the data, respondents did not feel they had a clear enough picture of the risks to accurately prioritize and take action.

“Periodic vulnerability scans have failed the modern-day CISO,” said Gula. “Breaches are still occurring at an alarming rate, and the threat landscape is ever-evolving. The goal for any CISO is to remain ahead of the threat curve, and the only way to do this is through adopting a continuous monitoring platform. This enables users to rapidly deploy patches to shut down these threats in hours, not months, so that dangerous windows of opportunity get shut before business-critical data is compromised.”