Qualys CEO: CISOs Are Now More Engineering Oriented, Less About Compliance

Qualys CEO Sumedh Thakar says that cybersecurity is now about quantifying and managing risk, rather than regulatory compliance.

According to a research report by security vendor Qualys, on average, a software vulnerability in 2022 was “weaponized” with an exploit within 19.5 days of being publicly disclosed, while the mean time to remediate these vulnerabilities (MTTR) was 30.6 days - an 11-day gap.

The picture is nuanced in that the top 10 most prevalent vulnerabilities in 2022 occurred in just two products: Windows and Chrome (as a result their commanding market share). Nevertheless, while some were critical, the mean time to patch these 10 vulnerabilities was only 12.3 days, due to advanced publicity about them and their amenity to automated patching regimes.

More problematic are vulnerabilities found in the long tail where the speed of mitigation is much more variable, and indeed many (42.3%) are left unpatched.

An example given in the report, which was created using anonymized threat intelligence data from Qualys customers around the world, is CVE-2022-1040, a Sophos firewall authentication bug, for which a patch was only applied 70 days after disclosure on average; even then it was only successfully remediated in 35% of cases, according to the report. In response to this article, Sophos said it “immediately responded to the disclosure, issuing a patch within two days. In addition, the vast majority of systems were immediately updated automatically.”

Other glitches which “caused the most havoc” in 2022 include Follina in Microsoft Word (MTTR 28.1 days, patch efficacy 91.2%), an Atlassian Confluence RCE (28.5 days, but with a patch efficacy of only 58%), VMware Workspace (14.3 days/87%), and a Windows CFLS bug (20.6 days/90%).

Over the last five years, the overall number of vulnerabilities has doubled. With something like 192,000 known vulnerabilities out there, and with 25,000 of those added in 2022 alone, the question becomes how to find those bugs that present a danger and how to prioritize patching them before they are exploited.

The first thing is to attach a risk score to each vulnerability based on the threat intelligence plus the value of the asset, explained Qualys CEO Sumedh Thakar. Then prioritize patching to maximize the rate of reduction of overall risk to the organization, taking into account other factors such as the reliability of the patches.

It’s all part of what he says is a growing trend towards risk analysis and quantification in cybersecurity. With IT security very much a boardroom issue these days, evaluating risk and comparing it with the organization’s accepted risk tolerance is a strategy that’s gaining ground.

“Given the risk from digital systems, cyber risk is becoming extremely important to the business. And when that is happening, everybody’s being held accountable,” Thakar told Computing UK.

Rather than talking about projects, security leaders need to be talking about outcomes.

“CISOs are typically are going into board meetings and talking about the projects that like two-factor authentication. But the board’s job is oversight, and so they ask, ‘What does that mean? Am I 50% safer, 100% safer, or what?’ So the security organization needs to work out how to communicate that in a meaningful way.”

One way is to provide a risk score for each important asset, so the board can decide how much to spend to reduce it.

“So the risk was 900 and we spent £2 million now the risk is 600. That lets you have a conversation, should we spend another half a million pounds to take the risk down to 400?”

Risk Rather Than Compliance

As an approach, this represents a move way from simply ensuring the company is legally covered should breaches occur, he went on.

“The newer generation of CISOs are a lot more engineering and IP-oriented, more hands-on, and a lot more about discussing the actual technology risk, rather than taking that compliance-oriented approach towards security.”

The other part of the picture is rapid remediation, which given the scale of the issue and the way that almost every organization is existentially dependent on hundreds of applications mean automation. Manual patching is too slow.

“Unfortunately, many organizations have completely siloed teams and tools, one that is looking at asset management, one that is looking at availability, scanning, one that is looking at prioritization, and then a completely different one looking at patching and remediation,” said Thakar. “And time gets lost between these teams and creating tickets and stuff like that.”

Automated patching, the report suggests, significantly improves both the MTTR and the patch rate, with patches that can only be applied manually creating a barrier to rapid remediation.

The nature of the vulnerabilities is not really changing. The OWASP Top 10 is a slow moving list, and the vast majority of vulnerabilities are still misconfigurations, cryptography errors, access control or injection weaknesses, but the speed at which they are being exploited by threat actors on the lookout for bugs overlooked by organizations is increasing at a time when businesses are ever more reliant on digital infrastructure, and when budgets are tight.

“In today’s macroeconomic environment where the CFO and everybody’s watching the budget, there is a definite ask to have a quantifiable reduction in risk, whatever metric you use,” said Thakar.

This article originally appeared on CRN’s sister site, Computing.