New technologies like the Internet of Things (IoT) and artificial intelligence (AI) offer intriguing new markets for channel partners. However, as companies rely more on data and vastly increase complexity and devices, cybersecurity vulnerabilities also rise.
A strong vulnerability management program is a must in these environments – and for companies undergoing digital transformation in general. Increasingly, managed service providers (MSPs) are expected by clients to offer some cybersecurity help when a crisis arises.
Channel Insider spoke with Max Pruger, General Manager for Compliance Manager & VulScan at Kaseya, about how MSPs can create a vulnerability management program. His insights reveal why these programs are so important and how managed services can implement them.
Also read: Top 15 Managed Security Service Providers
What is Vulnerability Management?
A vulnerability management program aims to identify unpatched weak points in a system before hackers do. While some businesses may worry most about zero-day (previously unknown) exploits, only 25% of cyber attacks in 2020 used vulnerabilities that were two years old or newer. Organizations often don’t understand their existing, fixable weaknesses, and vulnerability management aims to change that.
Pruger says, “a vulnerability management program includes the regular detection, assessment, and mitigation of security vulnerabilities of systems and software – and the key factor is detection, as weaknesses can’t be remedied until they are discovered.”
Looking for weak points in your defenses is thus the first step to improving protection.
Recent studies show that just 56% of organizations test for vulnerabilities throughout the entire application lifecycle, and 20% don’t test at all.
Given all the known vulnerabilities there are out there, that creates a lot of opportunity for hackers. That needs to change, especially as cybercrime rises and businesses implement more potentially vulnerable endpoints.
Also read: Best Incident Response Tools for MSPs and MSSPs
Creating a Strong Vulnerability Management Program
Understanding the need for a strong vulnerability management program is only the first step. MSPs must also learn how to create a reliable program that offers strong protection, as any oversights here will create weaknesses later. Here are some considerations for designing a vulnerability management program.
Simplify the Scanning Process
“Oftentimes, MSPs won’t conduct vulnerability scans because they consider them too complicated and time-consuming,” Pruger notes.
While experts recommend that companies spend 4-6% of their revenue on IT, most struggle to implement improvements they know they need. The solution lies in simplification and streamlining.
Vulnerability management must be easy to understand and use for businesses to implement it effectively. If the scanning process is too long or complicated, teams likely won’t use it much and attacks may capitalize on vulnerabilities before MSPs notice them.
Look for scanning solutions that emphasize ease of use through automation and simplicity. The less teams have to do to set up and use the system, the faster they can start capitalizing on it. This simplification will lead to quicker returns on investment, too.
Similarly, MSPs need to aim for agility in their vulnerability management program. That applies to both the setup speed and how fast teams can discover and respond to vulnerabilities. On average, it takes organizations 200 days to patch a vulnerability, according to NTT’s most recent data, and severe vulnerabilities take 256 days to fix.
That’s more than enough time for a threat actor to capitalize on the weak point. In fact, hackers begin probing for vulnerabilities as soon as new ones are revealed, so rapid patching is critically important.
Pruger emphasizes the importance of automatic alerts in this goal. When the discovery and alert process is automated, IT leaders learn of vulnerabilities faster, shortening the time it takes to resolve them.
Prioritization and accuracy are critical parts of enabling this agility. Pruger says that false positives and other noise “impede the discovery of legitimate vulnerabilities.” Similarly, vulnerability management programs must weigh and prioritize vulnerabilities to resolve the most critical risks first, making the most of IT teams’ time.
Strong vulnerability management also requires consistent, efficient communication. If teams can’t inform others about newly discovered vulnerabilities quickly, the situation may worsen or take longer to resolve. In contrast, regular, clear communication enables faster and more coordinated responses.
Kaseya embodied this strategy amid the recent Log4j vulnerability, one of the most critical security holes in recent years.
As Pruger notes, Kaseya promptly “conducted a thorough review of its products, code, and production environments” and published the systems that were not affected. Alongside that information, it also listed remaining risks and recommended actions.
Resolving a vulnerability often takes cooperation from multiple teams and departments. Consequently, vulnerability management programs need quick and informative communication tools and strategies to enable efficient fixes. Process simplification and automation will also help achieve this goal.
And keeping an eye on your own vulnerabilities is every bit as important, as software supply chain attacks on the likes of Kaseya and SolarWinds have shown just how vulnerable MSPs’ tools can be. Effective vulnerability management and patching is a critically important responsibility for everyone.
Also read: Top Vendor Risk Management (VRM) Software & Tools
Vulnerability Management is Critical for MSPs
Cybercrime is rising, and the attacks are aimed at the digital systems that are critical to business success. In light of these trends, vulnerability management is essential for channel partners.
As MSPs design their vulnerability management programs, they should keep them streamlined, agile, and transparent. If they can do this, they can find and resolve weaknesses faster and more effectively, bolstering their cybersecurity.