A group of industry stalwarts is banding together to help enterprises, service providers and telcos fight cyber foes.
The Network Resilience Coalition includes AT&T, Broadcom, BT Group, Cisco Systems, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon and VMware. Its aim is to deliver open and collaborative techniques to help improve the security of network hardware and software across the industry.
The coalition was brought together under the Center for Cybersecurity Policy & Law, a nonprofit organisation dedicated to improving the security of networks, devices and critical infrastructure.
The Center has a broad security mission, but at least for now, it wants the Resilience group to focus on routers, switches and firewalls that are older, may have reached end-of-life vendor support, or have been overlooked for security patching or replacement.
Right now, it’s way too easy for malicious cyber actors – including nation states and criminal groups – to find open vulnerabilities, to run remote code execution, and to find end-of-life products that are no longer being maintained, said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA).
These can provide “easy entry into the critical networks upon which you seek to achieve your objectives – you have a veritable buffet of options,” Goldstein said.
“We want to figure out a way to make it easier, frictionless, [and] scalable to upgrade to supported versions and minimise the prevalence of these sorts of vulnerabilities that we know our adversaries are exploiting at scale,” Goldstein said.
The Network Resilience Coalition will spend the next few months researching and detailing the core problems its members are seeing across the industry, and then, by year-end, it will report its focus areas, the group said.
The chief goals will be to come up with better cross-industry ways to address the challenges organisations face in updating software and hardware and patching regularly, while also encouraging organisations to improve visibility into their networks to better mitigate cyber risks, the group stated.
One of the goals of the coalition is to come together and talk through nuanced use cases to understand what sorts of things the vendors can change, said Brad Arkin, senior vice president and chief security and trust officer with Cisco Security.
“We put a lot of effort into mitigating problems, but it's not delivering the outcomes that we need,” Arkin said. “We're still seeing real-world attacks successfully go after vulnerabilities [for which] patches are available but not being used, or where things are misconfigured. Sometimes there are customers who aren't able to patch in a timely manner for reasons that make sense in the context of where they're operating.”
“Sometimes it's not as easy to manage these devices – a problem doesn't end when we tell you about a patch, it ends when the device either gets patched or the end-of-life device gets removed from a network,” said Derrick Scholl, director of security incident response at Juniper. “I'm looking forward to the opportunity to increase education and knowledge on this issue.”
Vulnerability management is an ongoing challenge for large enterprises. A recent report on the state of vulnerability management in DevSecOps found that more than half of 634 IT and IT security practitioners have backlogs that consist of more than 100,000 vulnerabilities. In addition, 54% said they were able to patch fewer than 50% of the vulnerabilities in the backlog, with most respondents (78%) stating that high-risk vulnerabilities in their environment take longer than three weeks to patch.
Expensive and time-consuming efforts are spent trying to wrangle massive backlogs on both the production and development side of software applications. According to the survey conducted by Ponemon Institute and sponsored by Rezilion, 77% of respondents say it takes longer than 21 minutes to detect, prioritise, and remediate just one vulnerability in production.
Chief among the reasons for not fixing a problem were the inability to prioritise what needs to be fixed (47%), a lack of effective tools (43%), a lack of resources (38%), and not enough information about the threats that would exploit those vulnerabilities (45%), the report noted.
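The prioritisation problem the survey describes, and the coalition's focus on end-of-life routers, switches and firewalls, can be made concrete with a small triage routine. The following Python script is an added illustration, not code from the coalition, the report or any vendor named above: it ranks a constructed device inventory against a constructed vulnerability backlog, routes end-of-life devices (and findings with no fix) to replacement rather than patching, raises priority on exploitation evidence and long exposure, and surfaces findings for hosts missing from the inventory as visibility gaps. Hostnames, advisory identifiers, dates and the scoring weights are all assumptions.

```python
"""Triage a network-device inventory against a vulnerability backlog.

All sample data (hostnames, advisory ids, dates, versions) is constructed
for illustration; the scoring weights are an assumption, not a standard.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    hostname: str
    role: str                       # "router", "switch" or "firewall"
    firmware: str
    end_of_support: Optional[date]  # None = still supported, no date announced
    last_patched: date


@dataclass(frozen=True)
class Finding:
    hostname: str
    advisory: str                   # vendor advisory id (placeholder values below)
    cvss: float                     # 0.0 - 10.0 base score
    known_exploited: bool           # e.g. listed in a known-exploited catalogue
    fixed_in: Optional[str]         # firmware version carrying the fix; None = no fix


def is_end_of_life(device: Device, today: date) -> bool:
    """True once the vendor support date has passed."""
    return device.end_of_support is not None and device.end_of_support <= today


def risk_score(device: Device, finding: Finding, today: date) -> float:
    """Higher means fix first. CVSS is the base; exploitation evidence,
    the absence of any fix path and prolonged exposure each add weight."""
    score = finding.cvss
    if finding.known_exploited:
        score += 5.0
    if is_end_of_life(device, today) or finding.fixed_in is None:
        score += 3.0                # no patch is coming: this is a replacement job
    exposure_days = (today - device.last_patched).days
    score += min(exposure_days / 90.0, 2.0)   # up to +2 for 180+ days unpatched
    return round(score, 2)


def prioritise(devices: List[Device], findings: List[Finding],
               today: date) -> List[Tuple[float, str, str, str]]:
    """Return (score, hostname, advisory, action) sorted highest risk first.
    Findings whose host is not in the inventory are skipped here and
    reported separately by unknown_hosts()."""
    by_host = {d.hostname: d for d in devices}
    ranked = []
    for f in findings:
        d = by_host.get(f.hostname)
        if d is None:
            continue
        needs_replacement = is_end_of_life(d, today) or f.fixed_in is None
        action = "replace" if needs_replacement else "patch"
        ranked.append((risk_score(d, f, today), f.hostname, f.advisory, action))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


def unknown_hosts(devices: List[Device], findings: List[Finding]) -> List[str]:
    """Hosts that appear in scan findings but not in the inventory: a visibility gap."""
    known = {d.hostname for d in devices}
    return sorted({f.hostname for f in findings} - known)


# Constructed sample inventory and backlog (assumed values, not real devices).
TODAY = date(2023, 8, 1)
DEVICES = [
    Device("edge-rtr-01", "router", "12.4", None, date(2023, 6, 15)),
    Device("core-sw-02", "switch", "8.1", date(2021, 12, 31), date(2020, 3, 10)),
    Device("dmz-fw-03", "firewall", "10.2.3", date(2026, 6, 30), date(2023, 7, 20)),
]
FINDINGS = [
    Finding("edge-rtr-01", "ADV-SAMPLE-001", 9.8, True, "12.5"),
    Finding("core-sw-02", "ADV-SAMPLE-002", 7.5, False, None),
    Finding("dmz-fw-03", "ADV-SAMPLE-003", 5.3, False, "10.2.4"),
    Finding("branch-rtr-09", "ADV-SAMPLE-004", 8.1, False, "3.2"),  # not in inventory
]


if __name__ == "__main__":
    for score, host, adv, action in prioritise(DEVICES, FINDINGS, TODAY):
        print(f"{score:6.2f}  {host:14s} {adv:16s} {action}")
    print("not in inventory:", unknown_hosts(DEVICES, FINDINGS))
```

Run as written, the exploited router finding ranks first even though the end-of-life switch has been unpatched for years; the switch is tagged for replacement because no fix exists, and the branch router that was scanned but never inventoried is listed on its own as the gap to close before any patching plan is trusted.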
And when there is a breach, the cost to businesses is climbing. The global average cost of a data breach reached $4.45 million in 2023 – an increase of 15% over the last three years, according to IBM Security’s annual Cost of a Data Breach report.
Detection and escalation costs jumped 42% over this same time period, representing the highest portion of breach costs and indicating a shift towards more complex breach investigations, IBM stated.