Flexera logo
Image: Trends in IT visibility and vulnerability

It’s no secret that information technology is in rapid flux. Software asset management (SAM) and configuration management databases (CMBD) are evolving toward a hybrid view of what IT truly encompasses.

While IT asset management (ITAM) and SAM teams continue to manage the complex on-premises processes of lifecycle and vulnerability management, their purview must expand to include SaaS and cloud inventory data. And don’t forget about application rationalization for sprawling assets, maintaining security from vulnerabilities and aligning to business services and business units in order to understand IT’s impact on the organization.

Sound like a lot? It is. But IT teams don’t have to figure it all out alone. The Flexera 2021 State of IT Visibility Report sheds light on what’s happening with information technology and the data that supports a wide array of business initiatives around the world. This inaugural report illuminates how IT professionals can do more with the data they have to facilitate solutions that drive business results.

ITFM, cloud often get left out

The Flexera State of IT Visibility Report gathers the thinking of more than 300 global technology decision-makers about IT infrastructure, asset management, IT vulnerability posture and industry trends. It combines this detailed respondent information with the industry expertise and data of Flexera’s Secunia Research and Technopedia teams to highlight pain points and areas of opportunity for IT visibility and vulnerability mitigation.

Nearly 80 percent of respondents reported moderate to over-communication between ITAM and security operations (SecOps) teams when it came to vulnerability and risk mitigation practices. Over 75 percent said they share data sources between ITAM and IT service management (ITSM).

That’s great for ITAM, SecOps and ITSM, but it’s important to expand that sharing of foundational data with other teams across the organization. The report showed that IT financial management (ITFM), enterprise architecture (EA) and cloud management teams weren’t receiving the same level of communication or data sharing. Contrary to popular belief, cloud should be integrated with traditional ITAM processes, as insight into the on-premises estate is especially helpful for cloud migration and resource management efforts.

A looming threat landscape requires collaboration

In a rapidly evolving IT landscape, keeping IT assets secure is a top priority. And with several high-profile breaches in 2020 and 2021, it’s no surprise that the top concern for IT assets is how vulnerabilities can be reduced in an IT environment. Software sprawl and lifecycle management round out respondents’ top three concerns.

These all tie together when thinking about how SAM, CMDB and other IT initiatives are becoming interdependent in an evolving hybrid IT estate. Knowing where you’re at risk—whether from a direct breach, software or hardware that’s become vulnerable due to obsolescence or an overabundance of application installations in your organization—helps you save time, money and other valuable resources that drive your business.

Don’t judge a book by its cover

A good place to start when creating an IT threat and vulnerability checklist is with assets that are at end of life (EOL) or end of support (EOS). It’s correctly assumed that many of these are vulnerable, but some carry more risk than others.

For example, the Flexera State of IT Visibility Report found that Micro Focus and VMware were among the top five vendors for most EOL/EOS software assets in 2021—but neither make the top ten when connecting unique vulnerabilities to EOL/EOS. These unique vulnerabilities are those associated with a minor version software release. What’s the useful insight? Not all IT assets reaching EOL/EOS are created equal—and each manufacturer presents varying degrees of vulnerability that shouldn’t be assumed by the volume of products reaching EOL/EOS.

So where should you start?

Every IT environment is unique. Microsoft and IBM rank most vulnerable when it comes to EOL/EOS, but your organization may have a higher investment in other vendors. With this in mind, it’s important to understand not only which vendors are prevalent in each environment, but also which categories are most vulnerable and critical for your organization.

For example, the report ranks operating systems as the most vulnerable and second-most critical category of EOL/EOS software. Secunia Research has determined that an overwhelming number of operating system vulnerabilities are rated as low-level threat severity.

When most people hear something is a “low-level threat” they typically put it out of sight, out of mind—it’s automatically deemed a lower priority. Low-level threat severity, however, doesn’t mean that an attacker won’t breach your organization—there are 1,038 unique vulnerabilities through which they can gain access—but it does tell us that there is a lower likelihood of any one of these vulnerabilities being exploited.

This doesn’t mean that you’re out of the woods just yet. Because an overwhelming majority of EOL/EOS operating systems have this threat level, it’s still essential to focus on this area. Focusing only on high and very critical threat severity means you’ll miss out on the mass of vulnerabilities in need of remediation by overlooking these low-level threats—and don’t forget that they’re still actively being exploited in the wild. You can then dive further into which operating systems specifically carry the most vulnerabilities at that level and prioritize your remediation efforts by locating where those systems are installed within your organization.

For many more insights and complete survey results, download the Flexera 2021 State of IT Visibility Report.