As much as threat mitigation is to a degree a specialist task involving cybersecurity experts, the day to day of threat mitigation often still comes down to systems administrators. It’s not easy for these system administrators. In enterprise IT, sysadmins teams have a wide remit but limited resources.
It is difficult for system administrators to find the resources and time needed to combat a constantly evolving threat. We will discuss the challenges of enterprise threat mitigation and why purpose-built automated mitigation tools can be the best way to go.
Threat management is an overwhelming task
Although there are many specialists in threat management, the implementation of effective threat management strategies is often done by systems administrators. Sysadmins are often the ones who do the majority of the job, whether it is patch management, intrusion detection, or recovery from an attack.
It’s an impossible task, given the growing nature of the threat. In 2021 alone, 28,000 vulnerabilities were disclosed. It is such a large number that, in fact, a large proportion never got as far as being assigned a CVE. In an industry that is laser-focused to tracking CVEs and testing our systems for them, as well as deploying patches with specific CVE numbers, this becomes especially important. You can’t protect against what you don’t know you’re vulnerable to. If a given vulnerability does not have a CVE attached, and all your tools/mindset/processes are focused on CVEs, something will fail. The reasons for not assigning a CVE to a vulnerability are many and outside the scope of this article, but none of those will reduce the work that has to be done in security.
Even if an organization had a three-figure team of sysadmins it would be hard to keep track of this constantly growing list of vulnerabilities. This does not include interactions that may cause a security breach to a system that runs on your infrastructure.
Over time it just melts into a “background noise” of vulnerabilities. There’s an assumption that patching happens methodically, weekly or perhaps daily – but in reality, the relevant, detailed information within CVE announcements never reaches top-of-mind.
Overwhelmed Teams Take Risks
With security tasks, including patching, becoming such an overwhelming exercise, it’s no wonder that sysadmins will start taking some shortcuts. Perhaps a sysadmin misses that interaction between a new exploit and a secondary system, or neglects to properly test patches before deploying the latest fix – any of which can fail to prevent a network-wide meltdown.
Handled without care, security management tasks such as patching can have consequences. A small change will come back and haunt security teams a few days, weeks or months down the road by breaking something else that they were not expecting.
“Closing holes is just as problematic in this context. For example, take the Log4j vulnerability, where changing the Log4j default configuration could easily provide significant mitigation. It’s an obvious, sensible step but the real question is – does the sysadmin team have the resources to complete the task? It’s not that it’s difficult to perform per se – but it’s hard to track down every usage of log4j across a whole system fleet, plus the work needed is in addition to all the other regular activities.
And again, pointing to patching, the resources required to do it consistently often aren’t there. Patching is particularly tough given the fact that applying a patch implies restarting the underlying service. Restarts can be disruptive and time-consuming. It is also difficult to restart critical components.
The net result is that essential security tasks simply do not get done, leaving sysadmins with a nagging feeling that security just isn’t what it should be. It goes for security monitoring too, including penetration testing and vulnerability scanning. Yes, some organizations may have specialists to accomplish this task – even going so far as to have red teams and blue teams.
But, often security monitoring is another task that sysadmins will have to manage. They’ll eventually become overwhelmed and take on more.
And it’s only getting worse
One might think all that needs to happen is for sysadmins to get ahead of the burden – muscle down and just get it done. Sysadmins can manage their workload by tackling the backlog and maybe getting extra assistance.
But there’s a slight issue here. The number of vulnerabilities is growing rapidly – once the team has dealt with known problems, it’ll doubtlessly face even more. And the pace of vulnerabilities is accelerating, more and more are reported every year.
Trying to keep up would mean that teams are increased in size by, say, 30% year on year. A human team using manual methods will not win this battle. Clearly, alternatives are needed because a continuous battle of this nature simply won’t be won by increasing team sizes year on year in an almost exponential fashion.
Threat Management Automation is Key
The good thing about computing of course is that automation often provides a way out of sticky resource restrictions – and that’s the case with threat management too. Automating tasks related to vulnerability management is essential if you are going to make progress in the fight against growing threats. From monitoring for new vulnerabilities, to patching and reporting.
Some tools will help with specific aspects, others will help with all of those aspects, but the efficacy of tools tends to drop as the tool becomes more encompassing. More specialized tools tend to be better at their specific function than tools that claim to do everything in one go. It’s the Unix philosophy: Do one thing and do it well. Rather than trying to do all at once.
For example, patching can, and should, be automated. But patching is one of those security tasks that need a dedicated tool that can help sysadmins by patching consistently and with minimal disruption.
A half-hearted approach will not work, because patching would be hindered by acceptance of maintenance windows. That would remove from IT teams the flexibility to respond in nearly real time to new threats, without affecting the organization’s business operations. A perfect fit for these requirements is live patching through tools like TuxCare’s KernelCare Enterprise tool which delivers automatic, non-disruptive, live patching for Linux distributions.
It is not only patching that must be automated. As cybercriminals employ automation to search for weaknesses, tech teams should rely on continuous, automated vulnerability scanning and penetration testing. Within this sphere of automation should also come firewalls, advanced threat protection, endpoint protection, and so forth.
There’s nowhere safe to hide
Clearly, the threat problem is getting worse, and rapidly so – much faster than organizations could possibly hope to grow their security teams if indeed they wanted to tackle these problems manually. Sitting in a particular corner in terms of the solutions in use doesn’t provide any solace either, in part because solutions are now so integrated with code shared across so many platforms that a single vulnerability can have an almost universal impact.
Besides, as recent research found, the top ten list of the most vulnerable products excluded some notable products. For example, Microsoft Windows, previously seen as one of the most vulnerable operating systems, isn’t even in the top ten – which is instead dominated by Linux-based operating systems. Relying on what is thought to be safer alternatives isn’t a good idea.
This shows how security automation is the best way to ensure safety. From vulnerability scanning through to patching, automation is really the only route that can help overwhelmed sysadmins gain a degree of control over an exploding situation – in fact, it’s the only manageable solution.