The Last Mile of Endpoint / Server Vulnerability Remediation: Why it’s Broken and How to Fix it

by Derek Abdine

In the last two decades, much attention has been given to the identification and prioritization of vulnerabilities. However, the crucial final step, remediation, is still very painful and a significant part of the burden of any vulnerability management program. Automation, classic ML and recent advancements that have led to generative AI can significantly reduce the effort and tedium.

The Remediation Backlog is Growing

The statistics are alarming. According to a recent industry report, 9 out of 10 security and IT professionals say remediation is ineffective [1]. This is demonstrated by the overwhelming size of the remediation backlog, with the mean time to remediate (MTTR) ranging from 30 to 60 days [2]. In fact, a staggering 85% of vulnerabilities remain unremediated after 30 days [2].

Why is Remediation So Difficult?

The complexity and time-consuming nature of remediation are the primary culprits. The process involves multiple tools and teams, manual coordination, and a lack of clear ownership. IT teams are burdened with the task of patching vulnerabilities, but they lack the necessary tools and information to do so efficiently.

Existing tools in the market only address the problem partially: Patch management and MDM tools specifically cover managed software, and configuration and control management tools only target changes that can be API or code driven. This leaves significant gaps on endpoints and servers, which end up becoming the long tail of remediation that causes stagnation in the vulnerability backlog.

As an example, consider a user who installs software they downloaded from the web and runs it from their desktop. That software won’t be visible to most patch management tools, because those tools are designed to look only at specific install locations. However, it is often discovered by vulnerability management tools, which scan the whole file system. As a result, IT teams must determine how to coordinate with their end-user remediators to address these vulnerabilities, and must closely monitor and guide each end-user, a daunting task. The end-user in this scenario must also spend time contextualizing the findings conveyed by the security team and determining whether the software can be removed, can be patched, or needs an exception (so it can continue to be used unpatched when no suitable patch exists).
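The blind spot described above can be made concrete with a small inventory script. The following is an added example, not code from this article or from furl: it walks a constructed sample file tree, treats the install roots a patch management tool is assumed to watch as "managed", lists every executable artifact found outside them, and routes each finding to a likely remediator based on the user profile directory it sits in. The managed roots, file suffixes, the Users/<name>/ ownership convention and the sample files are all assumptions made for illustration.

```python
# Added example (not the article's or furl's code): inventory software artifacts
# that live outside the install roots a patch-management tool is assumed to watch,
# then route each finding to a likely remediator. All paths below are constructed.
import tempfile
from pathlib import Path

# Assumption: the patch-management tool only inspects these roots. Windows-style
# names are used for the sample tree; the matching logic itself is OS-neutral.
MANAGED_ROOTS = ("Program Files", "Program Files (x86)")

# Assumption: file suffixes treated as deployable software artifacts.
EXECUTABLE_SUFFIXES = {".exe", ".msi", ".dll", ".jar", ".appimage"}

# Constructed disk layout: one managed install, three ad-hoc artifacts, one document.
SAMPLE_FILES = (
    "Program Files/Vendor/vendor_app.exe",             # managed, visible to patch tooling
    "ProgramData/Shared/helper.dll",                   # shared location, no obvious owner
    "Users/alice/Desktop/tool_downloaded.exe",         # run straight from the desktop
    "Users/alice/AppData/Local/Portable/portable.jar",  # portable app in the profile
    "Users/alice/Documents/notes.txt",                 # not software, must be ignored
)


def build_sample_tree(base: Path) -> None:
    """Write the constructed sample layout under base (placeholder bytes, not binaries)."""
    for rel in SAMPLE_FILES:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder bytes, not a real binary")


def find_unmanaged_executables(base: Path, managed_roots=MANAGED_ROOTS) -> list[str]:
    """Return sorted POSIX-style relative paths of executables not under a managed root."""
    managed_parts = [Path(root).parts for root in managed_roots]
    found = []
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(base)
        # A path is "managed" when its leading components equal a managed root.
        if any(rel.parts[: len(parts)] == parts for parts in managed_parts):
            continue
        found.append(rel.as_posix())
    return sorted(found)


def assign_remediator(rel_path: str) -> str:
    """Route a finding to its likely owner.

    Assumed convention: artifacts under Users/<name>/... belong to that user;
    anything else goes to the central IT queue.
    """
    parts = rel_path.split("/")
    if len(parts) > 2 and parts[0] == "Users":
        return parts[1]
    return "it-queue"


def triage(base: Path) -> dict[str, list[str]]:
    """Group unmanaged executables by the remediator who should handle them."""
    queue: dict[str, list[str]] = {}
    for rel in find_unmanaged_executables(base):
        queue.setdefault(assign_remediator(rel), []).append(rel)
    return queue


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp directory and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return triage(base)


if __name__ == "__main__":
    for owner, paths in demo().items():
        print(f"{owner}:")
        for rel in paths:
            print(f"  {rel}")
```

Running the script shows the managed vendor_app.exe and the notes.txt document dropped, while the desktop download and the portable JAR are queued for alice and the shared DLL lands in the IT queue. On a real fleet the managed roots would come from the patch tool's own coverage list, and the per-user queue is what lets a security team hand each end-user remediator only the findings they can act on.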

An extreme solution would be to lock down end-user devices so that every piece of software is installed through a channel supported by the patch management / MDM tool. However, these tools don’t support every piece of software that exists, and require customization when they do not. Tool customization requires skills specific to the patch management / MDM tool that are–for most organizations–in short supply. An alternative is to simply deny the use of any software that cannot be managed at scale by a patch management / MDM tool. This approach can significantly grind down productivity by forcing technology users to find alternative approaches that fit within the organizational policy. Organizations must carefully choose a policy that balances security and productivity.

The image below illustrates the complexity of the remediation process, from vulnerability identification and work organization through to remediation:

The Consequences of Ineffective Remediation

Failure to effectively remediate vulnerabilities leaves organizations exposed to significant risk. Unpatched vulnerabilities can be exploited by attackers, leading to data breaches, system outages, and other costly consequences. Mitigations can be an effective way to reduce risk, but they may break in ways that re-expose previously mitigated risks, and they leave blind spots for new attack vectors. Robust cybersecurity programs combine mitigation with active remediation to reduce the impact of–and eliminate–risks.

How Do We Fix the Last Mile Problem?

The good news is that there are steps organizations can take to improve their remediation efforts. Here are a few key strategies:

  • Automation: Automating repetitive tasks can help to streamline the remediation process and reduce the burden on IT teams.
  • Prioritization: Focusing on the most critical vulnerabilities that have the lowest likelihood of impacting operations can help reduce risk faster and improve efficiency.
  • Collaboration: Improving communication and collaboration between security, IT and remediators can help to ensure that vulnerabilities are remediated quickly and effectively.
  • Generative AI and Machine Learning: Using machine learning and AI approaches to organize work, provide context, and guide remediators can save significant time that would otherwise be spent performing those actions manually.

The Future of Remediation

The future of remediation lies in AI-powered solutions that can automate and optimize the entire process. Automation can address the manual, repetitive processes, while generative AI can assist in providing rich contextual information that enables remediators to spend less time triaging and researching how to approach a fix.

Conclusion

Vulnerability management teams and remediators struggle with balancing the prioritization, organization, and effective remediation of vulnerabilities due to the sheer number of vulnerabilities and deep complexity of each fix. Existing tools on the market only solve these problems partially, leaving teams with the burden of falling back to manual labor to address the remaining bulk of issues in the remediation backlog. Automation–coupled with significant advances in AI–can multiply team productivity for the remaining remediation backlog.

Where Do I Go From Here?

Email us at beta@furl.ai to learn how furl solves these problems.

References

[1] “The State of Vulnerability Management,” Tenable and BigFix, https://static.tenable.com/marketing/whitepapers/Whitepaper-The_State_of_Vulnerability_Management.pdf, March 30, 2023.

[2] “2024 Data Breach Investigations Report,” Verizon, https://www.verizon.com/business/resources/Tabd/reports/2024-dbir-data-breach-investigations-report.pdf, May 16, 2024.