Remediation vs. mitigation — Digital supply chain vulnerability management

Neglecting to address digital supply chain vulnerabilities can cause widespread problems for your organization, the third party, and possibly every one of the third party’s customers, which is why it is imperative to remediate or mitigate the threat once it has been identified.

In this blog, we’ll look at steps to consider in order to handle security vulnerabilities with third parties as effectively as possible.

Remediation and Mitigation Explained

Remediation occurs when the threat can be eradicated. Mitigation is more like damage control; the issue cannot be eliminated immediately but it can be minimized. For example, the hijacking of a DNS server could lead to significant damage in a very short amount of time. If the issue cannot be fixed immediately, mitigation is far better than doing nothing. Of course, mitigation is not a permanent solution as vulnerabilities that cannot be fully eliminated carry greater risk and are more costly to control. Over the long-term, fixing a configuration vulnerability is better than blocking or limiting access to the asset that is misconfigured.

Approaches to Remediation and Mitigation

Remediation is dependent on the type, category, and priority of the vulnerability and how deep into your external attack surface the vulnerability lies. A case-by-case assessment should be applied to each issue, taking into account its seriousness and its scope. Enterprise security teams need to work with their contracted third-party vendors, but also use that leverage to force change further down in the digital supply chain.

In some cases, remediation and mitigation are two sides of the same coin where you first control or isolate the problem (mitigate the threat) while the third party solves the problem (remediate the threat). This common scenario is why IONIX’s Active Protection capability exists, to automatically neutralize critical threats before your organization is impacted. For example, a dangling DNS record is pointing to incorrect, inactive, or non-existent assets, such as an IP, domain, or mail server. IONIX’s attack surface assessment platform continually inspects the assets connected to your organization via DNS records, as well as a variety of other connections, and assesses if that asset could be abused. Active Protection can “freeze” that asset until the issue is remediated.

It is sometimes necessary to shutdown connections to non-responsive third parties if they have been compromised. An example of this would be to remove third-party code from a web property. This approach protects the enterprise from any legality that may arise from the theft of customer information such as credit card skimming.

Working with Third Parties to Resolve the Issue

This part of the process is perhaps the most challenging one. It may feel at times like swimming against the current. You and your team bear the responsibility of protecting your organization but are ultimately dependent on your third parties to do their part in preventing or fixing critical issues.

Once you have a direct line of communication with their team, be specific about adherence to best practices and ensure they understand the potential impact of the misconfigurations or vulnerabilities that were found. From there, you can work together to formulate a mitigation and remediation plan should anything come up in the future.

Once the vulnerability has been remediated, it’s a good idea to establish a policy with the third party for escalation and remediation of issues going forward. Many organizations are baking these policies into their vendor agreements. Here are some examples of mechanisms you can put in place to streamline the remediation process:

• Escalate critical issues directly to the company’s SOC via direct API or SIEM solutions like QRadar or Splunk
• Integrate task and ticketing systems like ServiceNow or Jira
• Utilize IONIX’s Groups and Custom Notifications feature to alert their team directly

Identifying Vulnerabilities Within Your Attack Surface

The obvious first step in identifying vulnerabilities is discovery. Of course, discovery is impossible without complete visibility into every connected asset, whether you own it or not. IONIX’s platform continually performs attack surface discovery and assessment of every connection, link, code embed, DNS reference, and so on for your PKI, TLS, Cloud, DNS, and web connections. Findings are presented as actionable data in an encrypted, web-based dashboard or the data can be pushed to your preferred platform via API. In the dashboard, double-clicking on a vulnerability will provide you with a summary, description of the vulnerability’s potential impact, technical details unique to this incident, and a suggested course of action. If a CVE exists, it will be listed in the vulnerability details.

Of course, such deep external attack surface visibility is likely to create a lengthy list of vulnerabilities with varying degrees of criticality. For most teams, they don’t have the resources to dedicate to eliminating every vulnerability so they need a simple way to prioritize what gets tackled first. IONIX’s attack surface management platform goes beyond CVE, applying a multi-layered scoring system to determine both the level of risk and the urgency of the vulnerability. The resulting list of action items is also categorized to help your team better divide and distribute the workload.

In modern business, it is inevitable that you must rely on services and technologies outside of your business. With the right tools, you can proactively reduce your risk and protect your organization without taxing your team.