Remediation Vs. Mitigation — Third-Party Vulnerability Management
Neglecting to address third-party vulnerabilities can cause widespread problems for your organization, the third-party, and possibly every one of the third-party’s customers, which is why it is imperative to remediate or mitigate the threat once it has been identified.
In this blog, we’ll look at steps to consider in order to handle security vulnerabilities in third-parties as effectively as possible.
Remediation / Mitigation Explained
Remediation occurs when the threat can be eradicated; mitigation involves minimizing the damage when the issue cannot be fully eliminated immediately. For example, the hijacking of a DNS server could lead to significant damage in a very short amount of time. If the issue cannot be fixed immediately, some form of temporary mitigation is better than doing nothing. Note that mitigation is not intended as a permanent solution, because risks that cannot be fully eliminated are more costly to control. Over the long term, fixing a configuration vulnerability is better than blocking or limiting access to the asset that is misconfigured.
Remediation & Mitigation Approaches
Remediation is dependent on the type, category, and priority that the vulnerability falls into and how deep into your ecosystem the vulnerability lies. A case-by-case assessment should be applied to each issue, taking into account its seriousness and its scope. Enterprise security teams need to work with the third-party vendors they have contractual agreements with, but also use that leverage to force change further down in the digital supply chain.
In some cases, remediation and mitigation are two sides of the same coin: you first stop the problem (mitigate the threat) and then wait until the third party has solved its problems (remediate the threat). This is a classic example of Cyberpion’s Active Protection capability, which mitigates the initial threat automatically while providing the time needed for full remediation of the issue. The goal is resilience: to enable the restoration of any impacted services and a return to business as normal in a more secure manner.
It might also be necessary to shut down connections to non-responsive third parties if they have been compromised. An example of this would be to remove third-party code from a web property. This approach protects the enterprise from any legal liability that may arise from the theft of customer information, such as through credit card skimming.
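Before third-party code can be removed or restricted, a security team needs an inventory of which scripts a web property actually loads from outside its own domains. The following is an added example, not Cyberpion’s code: it parses a page’s HTML, separates first-party from third-party script references, and flags third-party scripts that carry no Subresource Integrity hash (the ones that would load a modified file silently if the third party were compromised). The HTML sample, the first-party domain list and all hostnames in it are constructed placeholders.

```python
"""Inventory third-party <script> references in a web page (added example).

Assumptions: FIRST_PARTY lists the organisation's own hostnames; any other
hostname is treated as third party. Relative and protocol-relative URLs are
handled. SAMPLE_HTML is a constructed page, not a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of domains the organisation controls (placeholder values).
FIRST_PARTY = {"shop.example", "static.shop.example"}

SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="https://cdn.example.net/lib/analytics.js"></script>
<script src="//widgets.example.org/chat.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline script, no src");</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects src and integrity attributes of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)  # HTMLParser already lowercases attribute names
        src = attr.get("src")
        if src:  # inline scripts have no src and are not external references
            self.scripts.append({"src": src, "integrity": attr.get("integrity")})


def is_first_party(host, first_party=FIRST_PARTY):
    """A missing host means a relative URL, i.e. served from the page's own origin."""
    if host is None:
        return True
    return host in first_party or any(host.endswith("." + d) for d in first_party)


def classify_scripts(html, first_party=FIRST_PARTY):
    """Return one record per external script: src, host, third_party, pinned."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = urlparse(s["src"]).hostname  # None for "/js/app.js"
        findings.append({
            "src": s["src"],
            "host": host,
            "third_party": not is_first_party(host, first_party),
            "pinned": bool(s["integrity"]),  # SRI hash present?
        })
    return findings


def unpinned_third_party(html, first_party=FIRST_PARTY):
    """Third-party scripts with no SRI hash: first candidates for removal or pinning."""
    return [f["src"] for f in classify_scripts(html, first_party)
            if f["third_party"] and not f["pinned"]]


if __name__ == "__main__":
    for f in classify_scripts(SAMPLE_HTML):
        kind = "third-party" if f["third_party"] else "first-party"
        pin = "SRI" if f["pinned"] else "no SRI"
        print(f"{kind:12} {pin:7} {f['src']}")
    print("Review/remove:", unpinned_third_party(SAMPLE_HTML))
```

Run against a saved copy of the page; the list returned by unpinned_third_party is the set of external dependencies whose compromise would go unnoticed by the browser, and therefore the first place to apply the page’s mitigation of removing or restricting third-party code while the vendor remediates.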
Working With Third-Parties to Resolve the Issue
This part of the process is perhaps the most challenging one. It may feel at times like swimming against the current. As a CISO or security officer, you take on the responsibility to protect your organization but are ultimately dependent on different departments, teams and third-parties to do their part in fixing critical issues.
Once you have a direct line of communication it is important to provide relevant information to guide the person to not only introduce best practices but also to educate them on the potential impact of the misconfigurations/vulnerabilities that were found. The potential impact can include both technical implications as well as business ones.
After confirming the vulnerability has been closed, CISOs and security officers should create a strict policy and a coherent escalation process. Some examples of mechanisms they can put in place to streamline the remediation process include:
- Escalating critical issues directly to the company’s SOC via:
  - Integrating task and ticketing systems like ServiceNow or Jira
  - Using Cyberpion Groups and Custom Notifications
Identifying Vulnerabilities Within Your Ecosystem
Discovering where vulnerabilities lie is the first step in resolving a problem. The Cyberpion platform will show users all the vulnerabilities related to their organization. Double-clicking on a vulnerability will provide the user with additional data, including a summary, a description of the vulnerability’s potential impact, technical details unique to this incident and a suggested course of action. If CVEs exist, they will be listed in the vulnerability details.
Addressing all these issues at once can be an enormous challenge, which is why Cyberpion’s Ecosystem Security Platform will articulate and prioritize actionable items for the user to perform. These Action Items are based on both the level of risk and the urgency of the vulnerability. The list will indicate which category each Action Item relates to, helping users divide and distribute the workload within their organization and their vendor’s organization.
Protecting your organization from third-party vulnerability abuse is an ongoing task for even the most vigilant security team.