IT leadership builds and manages strong, diverse teams to ensure secure and stable operations. Sometimes, however, departmental responsibilities overlap, resulting in confusion and miscommunication. Such is the case with networking and security departments when it comes to CVE management. It is important to settle responsibility early on: who should be held accountable for unpatched known vulnerabilities in networking tools?
The Nature of Why CVEs Go Unpatched
Organizations spend an incredible amount of time and money to secure their digital landscape. Even the strongest offensive strategy cannot fully protect an organization against publicly known vulnerabilities. Unpatched CVEs leave well-known entry points into an otherwise secured environment. Unmitigated vulnerabilities lead to havoc-wreaking breaches that cost millions of dollars in damage.
The most obvious response is to patch known vulnerabilities quickly, before they are used as entry points. The challenge is that patching CVEs can be very time-consuming and expensive, and it often requires scheduled downtime. Keeping up with patches can be an impossible task when there are many vulnerabilities or when there is confusion over which department holds responsibility.
Who is Responsible for Networking CVEs?
CVEs affecting networking tools can be considered the responsibility of either the networking team or the security team: the networking team because it owns the toolset, and the security team because of the risk the vulnerability poses to the organization. This often results in a dispute over which department is responsible for tracking and patching critical CVEs. Departments may shuffle them back and forth or sweep them under the rug completely. This is often the case when there is an exorbitant number of CVEs.
Ideally, one team takes ownership of the often-daunting task of ensuring CVEs are properly handled. The good news is that there is a way to significantly reduce the number of vulnerabilities, making CVE management easier for either team.
Arista Cloud Networking – The Solution to Fewer CVEs
Ease the pain of CVE mitigation by selecting a networking solution that has a low annual number of CVEs. In 2021, over 600 CVEs were created for Cisco products alone. That same year, a data-driven cloud networking technology provider named Arista had only 12 CVEs. Having 50x fewer CVEs translates to far fewer being swept under the rug and an improved security posture.
Arista dedicates resources to extensive development and testing. The end result is a significantly more stable product, a manageable number of CVEs and minimized security risk.
In Conclusion
CVE detection is only half the battle. Mitigation is the other half. A CVE can turn into a threat if left unmitigated. Even worse, it could turn into an actual cyberattack. Luckily, the epic battle between CVE detection and remediation can be eased by selecting a new generation of networking solutions like Arista. Extensive testing prior to release and low annual CVE counts give either the networking or the security team a chance at full repair.