By Kevin Jones, VP Public Sector, Virsec
The Cybersecurity and Infrastructure Security Agency (CISA) issued a directive recently that ordered all US federal and executive departments to patch a series of known exploited vulnerabilities as cataloged in its public website.
The new directive evolved the CISA’s strategy of vulnerability management for federal agencies. Instead of only focusing on vulnerabilities that carry a specific CVSS score, CISA is targeting vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors.
The directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to federal enterprise and establishes requirements for agencies to remediate any vulnerabilities included in the catalog.
Approximately 200 vulnerabilities from 2017 to 2020 and 90 from 2021 make up the initial catalog. CISA will regularly update the catalog with new known exploited vulnerabilities that meet specified thresholds.
Will the directive work?
There were 18,358 new cybersecurity vulnerabilities, or Common Vulnerabilities and Exposures (CVEs) identified in 2020; 10,342 of them were classified as “critical” or “high severity”. That’s about 28 critical vulnerabilities every day of the year.
In a recent interview about the new directive, CISA Director Jen Easterly remarked, “We have to do things differently. In many ways, the status quo [of security] is unacceptable.”
Closing the gaps in protection is always a good idea, however, there remains a major area of concern: adversaries appear to have maneuvered around and, in some cases, within the patching paradigm. This risk was evidenced with the devastating SolarWinds hack, which actually started with a poisoned patch.
Some questions to ask…
1. Are we any safer by patching 200 critical vulnerabilities?
2. Is patching going to end the current cyber crisis in which we find ourselves?
And then there’s the technical debt most agencies face. That is, old commercial or government software applications that are no longer supported with security updates.
As hard as it might be to admit, the attack landscape across government remains ripe with opportunity. Beyond the old unidentified and un-patchable applications in question, there are a host of other breach methods including fileless attacks, remote code execution (RCE) and zero-days that exploit vulnerabilities without going through traditional malware routes.
Deterministic protection
In order to fully protect applications – with bugs and outdated versions included – it’s important to fully understand them from the inside out. Traditional methods of ‘kernel-hooks’ and monitoring system calls are clearly not enough as this method attempts to wrap the outside of the software but still lacks the ability to absolutely interdict any threat from the inside of the application.
For example, the best-of-breed EDR/EPP vendors boast a “dwell time” (that is, the amount of time the adversary is in your network before you figure out that they are there) of 36 minutes.
But the average ransomware attack takes roughly three seconds to execute. SolarWinds was a two-step process and therefore took nearly three times longer: eight seconds.
A deterministic approach to protection safeguards the application from the inside regardless of the source or type of threat – and it can be administered in milliseconds. A viable and effective protection mechanism needs to be rolled out in enough time to fully interdict any cyber threat in an automated fashion with no performance hit, no heuristics, AI or machine learning modeling, signatures, indicators of compromise or attack. This means zero dwell time.
Pivoting from today’s probabilistic countermeasures to complete, deterministic protection might seem like an aspirational goal, but it’s real. Full, automated application protection is needed across government—and it is now possible today.