At the Forum in Atlanta, a
participant from a Fortune 100 corporation approached me.
He said, “Eric, I know that staying up on patching
is critical, but I feel like I am in the water during a storm.
Every time I get past a big wave, before I catch my breath,
another wave hits. I feel like I'm slowly going under.”
There is no perfect solution, but automated vulnerability
remediation (AVR) has the potential to eliminate some of
the pain of patching. Operating system and application vendors
do not ship flaw-free code, so at least for the near future
vulnerability discovery and the corresponding patch management
remain a necessary evil. Once a patch is released, attackers
can compare the patched and unpatched code to locate the flaw
it fixes and then go after every system that has not yet applied
it. Manual patching methods mean an inherent delay before corporate
systems are protected, and the longer the delay, the greater
the risk to an organization. As one Forum member said, “I need
a system that will fix the vulnerability and patch my system
before anyone else knows about it.”
Effective AVR aims to do just that. The goal is built-in
intelligence that learns the systems it protects and, eventually,
fixes vulnerabilities proactively. Though still in its nascent
stages, AVR is a technology that organizations should look at
closely. With the volume of patches and vulnerabilities and the
complexity of today's network and systems architectures, people
simply cannot keep up by hand. However, buyers must evaluate
AVR solutions carefully; not all perform the functions they claim to.
What it is
True automated vulnerability remediation (AVR) has two key characteristics:
• the remediation is done automatically without a human in the loop;
• it will identify a vulnerability and fix it, ideally before a system
has been compromised.
For AVR to be effective, it has to understand the systems
it protects and have some “intelligence” about what it is
doing to secure the target system. Many products claim to do
automated vulnerability remediation, but few achieve it at
a reliable level. Most automate the delivery of patches without
understanding the systems they are protecting, and blindly push
every patch to every system. This approach is dangerous: an
unvalidated change can stop a system from functioning or leave
it less secure than before, for example when the update breaks
an application that depends on the old version. Thus, those
evaluating AVR solutions need to ascertain exactly what a product
can and cannot do. A demo or trial version, exercised against
representative systems before purchase, helps in this regard.
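The difference between blind automation and remediation that understands its targets is easiest to see in code. The following is an added example written for this page, not code from the article or from any AVR product. The fleet, the package name "webapp", the advisory and the health checks are all constructed for illustration; a real tool would take these from its inventory, the vendor advisory and a site-specific post-patch test.

```python
"""Constructed fleet used to contrast blind patching with checked remediation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed advisory for illustration: "webapp" below 2.4.0 is affected, 2.4.0 fixes it.
ADVISORY = {"package": "webapp", "fixed_version": "2.4.0"}


def parse_version(text: str) -> tuple:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Host:
    name: str
    packages: Dict[str, str]                   # package -> installed version
    healthy: Callable[[Dict[str, str]], bool]  # site-specific post-change check
    history: List[str] = field(default_factory=list)


def is_vulnerable(host: Host, advisory: dict) -> bool:
    """A host is affected only if the package is present and older than the fix."""
    installed = host.packages.get(advisory["package"])
    if installed is None:
        return False
    return parse_version(installed) < parse_version(advisory["fixed_version"])


def remediate_blindly(fleet: List[Host], advisory: dict) -> Dict[str, str]:
    """The approach the article warns about: push the fixed version to every
    host, whether or not it is affected, and never verify the result."""
    outcome = {}
    for host in fleet:
        host.packages[advisory["package"]] = advisory["fixed_version"]
        host.history.append(f"installed {advisory['package']} {advisory['fixed_version']}")
        outcome[host.name] = "patched"
    return outcome


def remediate_with_checks(fleet: List[Host], advisory: dict) -> Dict[str, str]:
    """Patch only affected hosts, verify afterwards, and undo a change that
    breaks the host so it is escalated to a person instead of left broken."""
    outcome = {}
    for host in fleet:
        if not is_vulnerable(host, advisory):
            outcome[host.name] = "skipped: not affected"
            continue
        snapshot = dict(host.packages)  # rollback point taken before changing anything
        host.packages[advisory["package"]] = advisory["fixed_version"]
        if host.healthy(host.packages):
            host.history.append(f"patched {advisory['package']} to {advisory['fixed_version']}")
            outcome[host.name] = "patched"
        else:
            host.packages = snapshot
            host.history.append("patch rolled back after failed health check")
            outcome[host.name] = "rolled back: needs manual attention"
    return outcome


def broken_hosts(fleet: List[Host]) -> List[str]:
    """Names of hosts whose post-change health check fails."""
    return [host.name for host in fleet if not host.healthy(host.packages)]


def build_fleet() -> List[Host]:
    """Constructed fleet. legacy-db runs a (constructed) reporting tool that
    only works with webapp 2.3.x, so the 2.4.0 update breaks it."""
    def always_ok(packages: Dict[str, str]) -> bool:
        return True

    def needs_webapp_2_3(packages: Dict[str, str]) -> bool:
        return parse_version(packages.get("webapp", "0")) < parse_version("2.4.0")

    return [
        Host("web-01", {"webapp": "2.3.1"}, always_ok),
        Host("web-02", {"webapp": "2.4.0"}, always_ok),        # already at the fixed version
        Host("legacy-db", {"webapp": "2.3.0"}, needs_webapp_2_3),
        Host("bastion", {"sshd": "9.0"}, always_ok),           # does not run webapp at all
    ]


if __name__ == "__main__":
    blind = build_fleet()
    remediate_blindly(blind, ADVISORY)
    print("blind push leaves broken:", broken_hosts(blind))
    checked = build_fleet()
    print("checked remediation:", remediate_with_checks(checked, ADVISORY))
    print("checked run leaves broken:", broken_hosts(checked))
```

The blind run "succeeds" on every host and leaves legacy-db unusable without anyone noticing; it also installs webapp on a host that never had it. The checked run skips the two hosts the advisory does not apply to, patches web-01, and rolls legacy-db back to its previous state with a record that a person needs to look at it. The snapshot-and-rollback step is the part to insist on when evaluating a product: a tool that cannot undo its own change has no safe answer when the health check fails.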
An effective AVR system has several benefits:
Quick Turnaround. An automated method applies fixes
consistently. What would take a human several weeks can be
done in several hours, which minimizes risk by shortening the
window during which systems remain exposed after a vulnerability
or patch has been made public.
Protection Against Unknown Vulnerabilities. An
AVR must be able to understand the functioning of a system
and identify potential areas of vulnerability. Fixing
vulnerabilities proactively, before an attacker finds them,
is the main way to keep a system secure. Identifying unknown
vulnerabilities requires “intelligence” -- training through
which the system learns which properties make a system secure
and which make it vulnerable. This is the most ambitious of
the claims and the one to test hardest during a trial; treat
it as unproven until a product demonstrates it against the
organization's own systems.
Single Point of Configuration Control. Organizations
need a central system that monitors changes across all systems
and validates whether those changes were authorized.
AVR can serve this purpose because it checks systems on a
regular basis against a known baseline and therefore knows
when a system has been modified. Organizations without other
methods of configuration change control can thus use AVR to
maintain a healthy, secure network.
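What "checks systems on a regular basis and knows whether they have been modified" amounts to in practice is a baseline fingerprint of each system, a periodic comparison against it, and a ledger of authorized changes so that the AVR run's own patches are not reported as tampering. The following is an added example written for this page, not code from the article or from any product. The file paths, contents, ticket number "CHG-1042" and the ledger format are constructed for illustration; a real implementation would walk the filesystem and read approvals from the organization's change system.

```python
"""Baseline-and-ledger change control: periodic checks of a host against a
known-good fingerprint, with a ledger of authorized changes to tell approved
updates from unauthorized drift."""
import hashlib
from typing import Dict, List, Tuple

# Constructed "files" standing in for a filesystem walk on a managed host.
BASELINE_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/opt/webapp/VERSION": b"2.3.1\n",
}
CURRENT_FILES: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": BASELINE_FILES["/etc/ssh/sshd_config"],   # untouched
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\nops ALL=(ALL) NOPASSWD: ALL\n",  # no ticket
    "/opt/webapp/VERSION": b"2.4.0\n",  # the patch the AVR run applied under CHG-1042
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/nightly.sh\n",  # appeared without a ticket
}
# Constructed change ledger: path -> approving ticket and the expected hash
# after the change (None means an authorized removal).
LEDGER: Dict[str, dict] = {
    "/opt/webapp/VERSION": {"ticket": "CHG-1042",
                            "sha256": hashlib.sha256(b"2.4.0\n").hexdigest()},
}

Fingerprint = Dict[str, str]  # path -> sha256 hex digest
Change = Tuple[str, str]      # (path, "added" | "removed" | "modified")


def fingerprint(contents: Dict[str, bytes]) -> Fingerprint:
    """Hash every file so the baseline stores digests, not copies of the files."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()}


def diff_state(baseline: Fingerprint, current: Fingerprint) -> List[Change]:
    """Every path that was added, removed or modified since the baseline, sorted by path."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "added"))
        elif path not in current:
            changes.append((path, "removed"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes


def review_host(baseline: Fingerprint, current: Fingerprint, ledger: Dict[str, dict]):
    """Split changes into authorized (ticket present and hash matches) and
    unauthorized. A ticketed path whose content differs from the approved hash
    is still unauthorized: approval covers one specific change, not the path."""
    authorized: List[Tuple[str, str, str]] = []
    unauthorized: List[Change] = []
    for path, kind in diff_state(baseline, current):
        entry = ledger.get(path)
        if entry is None:
            approved = False
        elif kind == "removed":
            approved = entry["sha256"] is None
        else:
            approved = entry["sha256"] == current[path]
        if approved:
            authorized.append((path, kind, entry["ticket"]))
        else:
            unauthorized.append((path, kind))
    return authorized, unauthorized


def advance_baseline(baseline: Fingerprint, current: Fingerprint,
                     authorized: List[Tuple[str, str, str]]) -> Fingerprint:
    """Fold only the authorized changes into the baseline; unauthorized drift
    keeps being reported on every later check until someone resolves it."""
    new_baseline = dict(baseline)
    for path, kind, _ticket in authorized:
        if kind == "removed":
            new_baseline.pop(path, None)
        else:
            new_baseline[path] = current[path]
    return new_baseline


if __name__ == "__main__":
    base = fingerprint(BASELINE_FILES)
    now = fingerprint(CURRENT_FILES)
    ok, drift = review_host(base, now, LEDGER)
    print("authorized:", ok)
    print("unauthorized drift:", drift)
    print("baseline entries after this check:", len(advance_baseline(base, now, ok)))
```

Run against the constructed host, the webapp update is recognized as the approved change from CHG-1042, while the new sudoers line and the cron file are reported as drift and stay in the report until they are either ticketed or reverted. Tying approval to the expected hash rather than to the path is the detail that keeps this useful: an approved patch cannot be used as cover for an unrelated edit to the same file.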
Before considering an AVR solution, an organization must
clarify its goals. In most cases these are reduced cost
through automation and increased security. On the surface,
both seem easy to measure, but there are hidden traps that
must be avoided. One is setup and configuration time, which
can be considerable and drives up the total cost of ownership.
From a security standpoint, the organization must make sure
that an AVR solution does not crash systems or introduce new
security vulnerabilities. A trial period followed by an incremental
rollout is key to assessing and minimizing these risks.
With the current size and complexity of many networks connected
to the Internet, an automated vulnerability remediation system
increasingly has a place in a security architecture. You
may want to consider it.
Source: Institute research