Reduce Security Risk with SAM and Vulnerability Management

By Greg Holmes

What compliance risks does your organization face in its use of software?

How secure is the software you are running? Do you know all of the software your business uses? Is all of the software you are running properly licensed from the vendors who supply it?

When it comes to risk, once it is identified, most leading companies try to reduce, eliminate or hedge against it. Assessing risk is a challenging discipline: a risk combines how likely an event is with how much impact it would have. High-likelihood, high-impact risks should be prioritized over low-likelihood, high-impact ones, and those in turn should probably be prioritized over high-likelihood, low-impact ones. But understanding likelihood and impact depends on a deep understanding of your assets, their value and their security status.

With a large number of competing risks, a quality organization will seek to ensure that the impact they have on the business is minimized, and that no deliberate action by a whistle-blower, attacker or supplier turns one of those risks into an actual impact on the business.

Today I will discuss how software risk falls on two sides: the compliance risk of consuming more software than you have procured licenses for, and the security risk of losing data or damaging the good name of the business as a whole.

On the security side, a few basic capabilities matter most, even against sophisticated attacks: knowing which software titles you are running and keeping up with their patches. That is where most of the risk sits. Vendors tend to issue patches very quickly once they are informed of security issues in their products. For them this is one of the biggest risks to running their business smoothly, because insecure software will be dropped by customers who don't want to carry the risk.

The most important risks are software vulnerabilities that are accessible to remote attackers: attackers who reach the device over the network rather than from a local session on it.

Secunia Research, a Flexera Software team, researches the risk associated with software vulnerabilities and provides information about how many serious vulnerabilities exist, and how they are related to commonly used software titles.

In 2015, we found 16,081 new vulnerabilities across 2,484 products. In June 2016 alone, our vulnerability research team wrote 433 new vulnerability advisories. The products we track come from major vendors and are used across many organizations. Advisories are ranked by criticality; generally, the more critical the rating, the more likely the vulnerability can be exploited remotely from outside the organization, and the more severe the impact of a successful attack. Source: "Flexera Software Vulnerability Review 2016."

However, with all of these new vulnerabilities, why aren't we being attacked more? We are. PwC, in its Global State of Information Security 2016, reports 38% more incidents detected in 2015 than in the previous year, and that theft of intellectual property increased 56% in 2015. According to Verizon's Data Breach Investigations Report 2015, most vulnerabilities that were exploited were compromised more than a year after the CVE was published! This highlights the importance of knowing which vulnerabilities affect the software you run, and taking remediation action to fix or protect against them. It used to be that a business could protect itself from remote attacks with better firewalls and isolated systems. Today, with mobile devices, roaming users and external devices brought into the enterprise, security is more a matter of hardening the entire business and reducing the vulnerability of your internal environment.

To know what vulnerabilities exist, and to protect against them, we first need to understand the scope of the assets under management. This is where Security meets SAM! In many ways the two disciplines can be at odds: license teams need accurate inventory data to know what is being consumed, while security teams want to reduce the number of agents on machines and tighten their controls. Yet this is an area where both sides can succeed.

A successful SAM programme discovers the organization's hardware assets, locates devices that are not currently under proper management, and works out which assets carry license risk. The same data lets us collect and rank assets by security risk: assets holding valuable data or running important business systems get a higher security priority, so identifying and mitigating vulnerabilities on them is even more critical. The information coming from the SAM programme helps the security team accurately detect and assess software with security risks.
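As an added illustration of the workflow described above (example code written for this page, not Flexera's product, data or scoring): the script joins a constructed SAM inventory with a constructed advisory feed, scores each match by advisory criticality, asset value, remote exploitability and whether the device is under management, and flags advisories published more than a year ago. The record field names, the weights, the exact-version matching and the one-year threshold are all assumptions made for the example.

```python
"""Join a SAM inventory with vulnerability advisories and rank remediation work.

Added example; not Flexera Software code. Inventory, advisories, field names
and scoring weights are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed SAM inventory: one record per installed title per device.
# asset_value (1..5) is the business value the SAM/security teams assign
# to the device; managed/licensed come from the SAM programme.
INVENTORY = [
    {"device": "fin-db-01", "title": "Acme DB",    "version": "9.2", "managed": True,  "licensed": True,  "asset_value": 5},
    {"device": "fin-db-01", "title": "Acme Agent", "version": "3.1", "managed": True,  "licensed": True,  "asset_value": 5},
    {"device": "hr-web-02", "title": "WebFront",   "version": "2.0", "managed": True,  "licensed": True,  "asset_value": 4},
    {"device": "lab-pc-17", "title": "WebFront",   "version": "1.8", "managed": False, "licensed": False, "asset_value": 1},
    {"device": "lab-pc-17", "title": "PDFTool",    "version": "5.0", "managed": False, "licensed": False, "asset_value": 1},
]

# Constructed advisory feed: criticality 1..5, whether remotely exploitable,
# and the publication date (assumed shape, not a real vendor feed).
ADVISORIES = [
    {"id": "ADV-0001", "title": "WebFront",   "affected": ["1.8", "2.0"], "criticality": 5, "remote": True,  "published": date(2015, 3, 1)},
    {"id": "ADV-0002", "title": "Acme DB",    "affected": ["9.1", "9.2"], "criticality": 3, "remote": False, "published": date(2016, 5, 20)},
    {"id": "ADV-0003", "title": "PDFTool",    "affected": ["5.0"],        "criticality": 4, "remote": True,  "published": date(2014, 11, 2)},
    {"id": "ADV-0004", "title": "Acme Agent", "affected": ["2.9"],        "criticality": 4, "remote": True,  "published": date(2016, 6, 1)},
]

TODAY = date(2016, 7, 1)          # fixed reference date so results are reproducible
STALE_AFTER = timedelta(days=365)  # the "more than a year after the CVE" window


@dataclass(frozen=True)
class Finding:
    device: str
    title: str
    version: str
    advisory: str
    score: int
    remote: bool
    stale: bool      # advisory older than a year and still unpatched
    unmanaged: bool  # device outside SAM control, so patch status is unverified


def match_advisories(record, advisories):
    """Advisories whose product and affected-version list cover this install.

    Exact version matching keeps the example short; real feeds express ranges.
    """
    return [a for a in advisories
            if a["title"] == record["title"] and record["version"] in a["affected"]]


def score_finding(record, advisory):
    """Assumed weighting: criticality x asset value, doubled for remote
    exploitability and doubled again for an unmanaged device."""
    score = advisory["criticality"] * record["asset_value"]
    if advisory["remote"]:
        score *= 2
    if not record["managed"]:
        score *= 2
    return score


def prioritize(inventory, advisories, today):
    """Return all (install, advisory) matches, highest remediation priority first."""
    findings = []
    for rec in inventory:
        for adv in match_advisories(rec, advisories):
            stale = (today - adv["published"]) > STALE_AFTER
            findings.append(Finding(rec["device"], rec["title"], rec["version"], adv["id"],
                                    score_finding(rec, adv), adv["remote"], stale,
                                    not rec["managed"]))
    return sorted(findings, key=lambda f: (-f.score, f.device, f.advisory))


def unmanaged_devices(inventory):
    """Devices the SAM programme should bring under management first."""
    return sorted({r["device"] for r in inventory if not r["managed"]})


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES, TODAY):
        print(f"{f.score:3d} {f.device:10} {f.title:10} {f.version:5} {f.advisory} "
              f"remote={f.remote} stale={f.stale} unmanaged={f.unmanaged}")
    print("unmanaged devices:", unmanaged_devices(INVENTORY))
```

With these constructed inputs the top of the list is the managed HR web server (critical, remote, and the advisory is over a year old), followed by the two titles on the unmanaged lab PC; the local-only database advisory ranks last despite the database being the most valuable asset, which is the remote-versus-local distinction the article draws. The list of unmanaged devices is the SAM team's action item, since nothing on those machines can be patched or verified through normal tooling.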

Bringing together Flexera Software's knowledge of software from a security vulnerability standpoint with our considerable knowledge of applications from a licensing point of view gave us some interesting findings.

One finding that initially surprised us at Flexera Software was a correlation between malware and unlicensed software, reported in an IDC 2015 report. Here "unlicensed software" means software whose licensing is not managed by a designated central or regional authority within the organization. Software managers will find that some of their goals align well with those of the security team. Better visibility of devices and applications makes it possible to identify unlicensed and unmanaged software. The less unlicensed and unmanaged software there is, the better the security team's visibility of the assets it must manage for vulnerabilities, and the less likely a vulnerability goes unnoticed and unmitigated, leading to malware infection and breaches. Running a rationalization project lets SAM managers and security teams reduce the number of threats on both sides. Flexera Software's customers find that bringing together Software License Optimization and Software Vulnerability Management makes the two stronger together than they are apart.

About the Author

Greg Holmes is the Solution Engineering Manager for Flexera Software.