Zero risk never existed and will never exist. This is definitely true for many things in our day-to-day lives but is even more relevant when it comes to ICT. We live with the threats, the vulnerabilities and the shortcomings that are inherent in our technologies and business users.
But more importantly, with the results of an inappropriate management of both. How do we solve these issues when it comes to “managed services” provided to outsourcing customers?
The characteristics of vulnerabilities
Vulnerabilities are here to stay, to reproduce and to get cleverer. This is a fact! Every day the various components of your ICT infrastructures represent a risk for your IT management. If these risks mainly came from the “Virus” domain in the past, they can now be found in all the elements of our infrastructures: down to the very core of our processors, up in the firmware of our networking equipment or higher in the application landscape. They have various names (some well-known ones have names that sound like James Bond movies: “Spectre” and “Meltdown”, for example) and various forms, as they help hackers find the right attack surface to reach your most valuable asset today … your data.
But what is the anatomy of a vulnerability? As Wikipedia says, “a vulnerability is a weakness which can be exploited by a Threat Actor, such as an attacker, to perform unauthorized actions within a computer system”. In today’s understanding, vulnerabilities have three major characteristics:
- A CVSS rating (Common Vulnerability Scoring System) that provides a generic and common assessment of the risk level that the vulnerability represents. The rating goes from 0 to 10… the higher, the riskier.
- The exploitability of the vulnerability is how “easy” it is to exploit, given the documentation and tooling available. Is it a well-known piece of code (or even a ready-to-use application) that anybody can use, or is it something that remains “undercover” and requires specific capabilities to exploit? Sometimes exploitation is only within reach of nation states, because the cost of exploiting the vulnerability is so high that its exploitability remains very low.
- The exposure of the vulnerable systems and applications is the last characteristic. Though not directly related to the vulnerability itself, it helps you understand to what extent the systems and applications are exposed to the vulnerability, both internally and externally. You can think of a web server as more exposed than a backend database server, which is in turn more exposed than a totally locked-down and “disconnected” server.
Connect the dots between these three characteristics and you start understanding how much fun it will be managing it all!
The IT Operation side of things
From the IT operation perspective, if we go back no further than 15 to 20 years ago, we can see how life was easier then: there were major updates during big and complex migration projects but very little day-to-day patching and updates. The motto then was “never touch a running system”.
These days are long gone and we are now challenged to do regular patching. Whether the frequency is every year, twice a year or every month, regular patching is now part of your operations and we are convinced that this is where most companies are today. Patching then becomes the time when, by applying the vendor’s patches and security fixes, you reduce your risk exposure to vulnerabilities for all your systems and applications in a simple and straightforward way.
Is it enough? Unfortunately no! Indeed, as all of us experience in real life, the number and complexity of threats keep increasing. This pushes the IT operation and security teams to strengthen their activities to counter the attacks. And then comes vulnerability assessment and management. In this scenario, you will have to deal with new dimensions that correlate with one another:
- The high frequency: where patching is done on a quarterly or yearly basis most of the time, vulnerability management should (or must) be done on a daily basis. Identify the risk (from CVSS, exploitability and exposure) and define a remediation plan. Whatever the action, you must remediate. This means that remediation is achieved via hotfix application, firewall rule definition and implementation, micro-segmentation… or even sometimes system shutdown.
- The control: applying remediation after an assessment surely is the right approach, but controlling the actual removal of the vulnerability is the key. That reminds me of an issue we had when a patch was applied but the vulnerability was still there… Careful assessment showed that not only a patch was required but also a system configuration change (in this case additional registry keys) was required to fully apply the remediation. This leads us to the third point:
- The re-assessment: high frequency and regular control show that you need proper tooling to re-assess, ideally on a daily basis, your overall risk exposure to vulnerabilities. Such a tool will list all vulnerabilities that exist out there as well as your particular situation, and combine all that together to help you identify your risks and action plan for the next days and weeks.
Connect the dots between these IT operation challenges and you will understand that managing all this as an MSP (Managed Service Provider) will be fun… or… nightmarish.
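The following is an added example (not code from the original article) that ties the three characteristics above (CVSS, exploitability, exposure) into a remediation priority and then performs the “control” step by comparing the scan taken after remediation against the one taken before. The ordinal scales, SLA buckets, hostnames and CVE-style identifiers are constructed assumptions for illustration only.

```python
"""Vulnerability triage and post-remediation control (added example)."""
from dataclasses import dataclass

# Assumed ordinal scales: higher means easier to exploit / more reachable.
EXPLOITABILITY = {"theoretical": 0.2, "private": 0.5, "poc_public": 0.8, "weaponized": 1.0}
EXPOSURE = {"isolated": 0.1, "internal": 0.5, "internet_facing": 1.0}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str            # constructed placeholder ids below, not real CVEs
    cvss: float         # CVSS base score, 0.0 - 10.0
    exploitability: str
    exposure: str


def priority(f: Finding) -> float:
    """Risk score 0-10: CVSS scaled by exploit usability and host reachability."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    return round(f.cvss * EXPLOITABILITY[f.exploitability] * EXPOSURE[f.exposure], 2)


def remediation_plan(findings):
    """Order findings by priority and attach an SLA bucket (assumed policy)."""
    plan = []
    for f in sorted(findings, key=priority, reverse=True):
        score = priority(f)
        sla = "24h" if score >= 7 else "7d" if score >= 4 else "30d"
        plan.append((f.host, f.cve, score, sla))
    return plan


def still_open(before, after):
    """Control step: (host, cve) pairs that survive into the re-scan."""
    after_keys = {(f.host, f.cve) for f in after}
    return sorted((f.host, f.cve) for f in before if (f.host, f.cve) in after_keys)


# Constructed sample scans: same flaw on an internet-facing web server and an
# internal database; the re-scan shows db01 is still affected (patch applied,
# required configuration change missing).
BEFORE = [
    Finding("web01", "CVE-0000-0001", 9.8, "weaponized", "internet_facing"),
    Finding("db01", "CVE-0000-0001", 9.8, "weaponized", "internal"),
    Finding("vault01", "CVE-0000-0002", 7.5, "theoretical", "isolated"),
]
AFTER = [Finding("db01", "CVE-0000-0001", 9.8, "weaponized", "internal")]

if __name__ == "__main__":
    for row in remediation_plan(BEFORE):
        print(row)
    print("still open after remediation:", still_open(BEFORE, AFTER))
```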
The Managed Service Provider view
As highlighted in the previous chapters, the Managed Service Provider has specific challenges to solve, for and with its customers.
First and foremost, emphasize that zero risk does not exist, that every day the risk level is slightly higher than the day before, and that all patching cycles, vulnerability assessments and remediations are only there to keep this risk level and exposure under control. Two risk levels combine with one another, as in the following diagram where the red line is your patching cycle and the green ones are your vulnerability assessment and remediation.
Next, ensure that your customer understands the need for increasing the frequency and has business processes in line with that, both at the technical IT management and operation level and at the risk and business management levels. This must also be in line with the customer’s budget, as both the regular assessment and the remediation can have huge cost impacts.
Finally, make sure you establish more than a customer-provider relationship as part of your contract execution: rather a partnership where the vulnerability assessment and cost assumption fully align with both the risk management processes of your customer and its overall IT outsourcing and security budget.
So, if you think you have achieved the best service quality and levels for your existing MSP contracts (whether as a customer or as a provider), revise your plans and start thinking about vulnerability assessment and management to keep you busy in the future.