Building an Effective Vulnerability Management Program
Managing vulnerabilities in assets is a priority for any organization that wants to stay secure. A Vulnerability Management program oversees the identification of bugs, their analysis, tracking, and patching. The traditional approach has always been the old 'scan and patch' method: an automated tool runs the scan, and the support team works on patching the findings. This method needs a cycle of improvement, because vulnerabilities, their types, and the risks associated with them have changed drastically.
The traditional method of scoring a vulnerability is insufficient when we want to prioritize its mitigation. Vulnerabilities are weighed on the Common Vulnerability Scoring System (CVSS), the latest version of which is CVSSv3. A single score does not cover all the risks related to the assets.
The existing scoring system is generic and follows a limited set of parameters. If a team follows the traditional method and focuses on fixing the high-score vulnerabilities, the ones with a mid-level score may go unnoticed even though they are serious; once other parameters are considered, those vulnerabilities may pose a higher risk. It is smart to analyze each open item and prioritize it on intelligent criteria. Risk-based Vulnerability Management (RBVM) weighs each finding on the basis of the risk it carries and prioritizes it for remediation according to the associated algorithms and threat feeds.
Knowing Your Digital Assets #
The first step in improving your security posture is to know your environment. The better you know your environment, the greater are your chances of securing it. When a vulnerability occurs, you will know what to secure and where to secure it. You may also decide whether it is really a priority to fix it or it can wait.
- Identify the types of assets present in your environment (Workstations, Cloud, Servers, and Appliances).
- Identify the purpose of each asset and application.
- Know the users and their behavior for each application and device (e.g., Remote workers use VPN, Contractors use X Antivirus, CEO never accesses these applications, or only HR logs in to internal Payroll systems).
- List the Internet-facing systems such as public websites and firewalls, and the internal systems such as HR portals and self-service apps.
- Identify the asset owners and the stakeholders who will take and approve any action.
Assessment methods #
You must choose your vulnerability management tool carefully when you have a diverse environment with different types of assets in various geographical locations. Some tools may be more suited for assessing the cloud workloads, while some may have a strong hold on infrastructure assets. You must find the correct mix of features and functionalities as per your requirements.
Once you have finalized the tool, the next step is to define an action plan for assessing the assets and prioritizing the vulnerabilities. You may need to scan some dynamic assets every six hours, while other assets may be scanned every week. Once you discover a vulnerability in a group of assets, you need to calculate its risk. For example, a browser-based vulnerability needs to be fixed first on workstations, unlike servers that are not mainly used for browsing. The likelihood of exploitation carries more weight, as do the ease of exploitation and the availability of exploits.
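The prioritization described in the RBVM paragraph and in the browser-on-workstation example above can be made concrete with a small scoring function. The following is an added example, not code from the original article: it combines the CVSSv3 base score with the relevance of the vulnerability category to the asset type, the exposure of the asset, and exploit availability from a threat feed. The weights, the priority bands, the CVE identifiers (placeholders) and the sample findings are all constructed for illustration and would be tuned by a real program against its own feeds and inventory.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder identifier, not a real CVE
    cvss_base: float          # CVSSv3 base score, 0.0 .. 10.0
    category: str             # "browser", "os", "web-app", ...
    asset: str
    asset_type: str           # "workstation", "server", "cloud", "appliance"
    internet_facing: bool
    exploit_public: bool      # threat feed: a working exploit is published
    actively_exploited: bool  # threat feed: exploitation observed in the wild

# Constructed weights: how much a vulnerability category matters on a given
# asset type. A browser bug is barely reachable on a server nobody browses from.
CATEGORY_RELEVANCE = {
    ("browser", "workstation"): 1.0,
    ("browser", "server"): 0.2,
    ("os", "workstation"): 0.8,
    ("os", "server"): 1.0,
    ("web-app", "server"): 1.0,
    ("web-app", "cloud"): 1.0,
}

def risk_score(f: Finding) -> float:
    """CVSS base score scaled by relevance, likelihood of exploitation and exposure."""
    relevance = CATEGORY_RELEVANCE.get((f.category, f.asset_type), 0.5)
    likelihood = 1.0
    if f.exploit_public:
        likelihood += 0.5
    if f.actively_exploited:
        likelihood += 1.0
    exposure = 1.5 if f.internet_facing else 1.0
    return round(f.cvss_base * relevance * likelihood * exposure, 2)

def priority_band(score: float) -> str:
    """Constructed bands; the cut-offs are an assumption, not a standard."""
    if score >= 15:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"

def prioritize(findings):
    """Return (priority, score, finding) tuples, highest risk first."""
    scored = [(priority_band(risk_score(f)), risk_score(f), f) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample findings. Note the server browser bug has the highest CVSS
# but, once context is applied, the lowest risk.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", 7.5, "browser", "ws-042", "workstation", False, True, True),
    Finding("CVE-XXXX-0002", 9.8, "browser", "db-01", "server", False, False, False),
    Finding("CVE-XXXX-0003", 7.2, "web-app", "web-01", "server", True, True, False),
    Finding("CVE-XXXX-0004", 5.3, "os", "web-02", "server", True, False, False),
]

if __name__ == "__main__":
    for band, score, f in prioritize(SAMPLE_FINDINGS):
        print(f"{band} {score:6.2f} {f.cve} on {f.asset} (CVSS {f.cvss_base})")
```

Run as a script it prints the queue in remediation order; the CVSS 9.8 browser bug on the database server lands last because the category is barely relevant to that asset type and no exploit is known, while the CVSS 7.5 browser bug on a workstation with active exploitation goes to the front.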
Integration #
A combination of your vulnerabilities, network data, and your business (services) provides a good visualization of your security posture. You can take quick preventive measures when you have a "context" for something. If a good Vulnerability Management program is your top-most priority, you should integrate your business-critical systems and processes into it. When everything within the organization is tied and aligned, working on fixing the vulnerabilities is faster and easier.
Automation #
Automation is the key to efficiency, speed, and convenience. Imagine a scenario when an advisory is issued with 25 different vulnerabilities and your team has to create 25 separate tickets. The support team has to manually go through each ticket and prioritize their efforts. With automation, your support team gets a better sense of where to focus first and can start working toward that instead of wasting their time on those tickets.
- Automate your ticketing system for a better Mean Time to Repair (MTTR): your teams will not have to log everything manually.
- Automate the program for your users' convenience: if the support team is wasting their time in just logging everything and visiting different portals, you are doing it wrong! As a user when I get everything served on my plate, I feel more obliged and will immediately start working toward my goal.
- Automate it for efficient results: there are no chances of missing any alert or vulnerability when you have automated accurately. This is far better than a manual approach when you are handling a large environment.
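The advisory scenario above (25 vulnerabilities arriving as 25 separate tickets) is the kind of thing this automation replaces. The following is an added example, not code from the original article: it takes a list of advisory findings already tagged with a priority, deduplicates them, groups them into one ticket per asset owner, assigns the ticket the highest priority among its findings, and stamps a due date from a per-priority MTTR target. The owner mapping, the MTTR targets in days, the placeholder CVE identifiers and the sample findings are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed MTTR targets in days per priority band (an assumption, not a standard).
MTTR_TARGET_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}
PRIORITY_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}

# Constructed asset inventory: which team owns which host.
ASSET_OWNER = {
    "ws-042": "desktop-support",
    "ws-043": "desktop-support",
    "web-01": "web-platform",
    "web-02": "web-platform",
    "db-01": "database-team",
}

def build_tickets(findings, discovered: date):
    """findings: iterable of (cve, asset, priority). Returns tickets, one per
    owner, each carrying the deduplicated CVEs, the affected assets, the
    highest priority among its findings and a due date from the MTTR target."""
    seen = set()
    by_owner = defaultdict(lambda: {"cves": set(), "assets": set(), "priority": "P4"})
    for cve, asset, priority in findings:
        if (cve, asset) in seen:        # same finding reported twice (e.g. two scanners)
            continue
        seen.add((cve, asset))
        owner = ASSET_OWNER.get(asset, "unassigned")
        t = by_owner[owner]
        t["cves"].add(cve)
        t["assets"].add(asset)
        if PRIORITY_RANK[priority] < PRIORITY_RANK[t["priority"]]:
            t["priority"] = priority
    tickets = []
    for owner, t in by_owner.items():
        tickets.append({
            "owner": owner,
            "priority": t["priority"],
            "cves": sorted(t["cves"]),
            "assets": sorted(t["assets"]),
            "due": discovered + timedelta(days=MTTR_TARGET_DAYS[t["priority"]]),
        })
    # Most urgent ticket first, so the support team knows where to start.
    return sorted(tickets, key=lambda t: PRIORITY_RANK[t["priority"]])

# Constructed advisory: six findings, one of them a duplicate report.
SAMPLE_ADVISORY = [
    ("CVE-XXXX-0001", "ws-042", "P1"),
    ("CVE-XXXX-0001", "ws-043", "P1"),
    ("CVE-XXXX-0001", "ws-042", "P1"),   # duplicate
    ("CVE-XXXX-0003", "web-01", "P1"),
    ("CVE-XXXX-0004", "web-02", "P3"),
    ("CVE-XXXX-0002", "db-01", "P4"),
]

if __name__ == "__main__":
    for t in build_tickets(SAMPLE_ADVISORY, date(2024, 1, 1)):
        print(t["priority"], t["owner"], t["cves"], t["assets"], "due", t["due"])
```

Six findings become three tickets, each already ranked and dated, which is the "served on my plate" view the support team should get instead of a pile of raw scanner rows.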
Agility #
Security has become a domain where agility, scalability, and resilience are of utmost importance. The count of IT assets in any environment is variable now, without any threshold. Also, the time between the discovery of a vulnerability and its exploitation has reduced, which demands a faster remediation approach. When there are thousands of assets to patch in a limited time frame, the number of vulnerabilities continues to rise, and it gets challenging to effectively manage the program.
Remediation Workflow #
Remediation is straightforward when the fix is a simple patch upgrade and you are not disrupting ongoing business. But when your business team cannot afford downtime, or when patching is complex and requires research and extensive testing, you must have safeguards in place. Also, choose the best response when dealing with a critical or new vulnerability.
The response also depends upon the nature of your vulnerability, the environment it affects, and the exploitation conditions. Before making a move, properly weigh the response strategy, as this may significantly impact the overall security environment.
Threat Intelligence #
Multiple security vendors like IBM, Mandiant, Qualys, Palo Alto, and Proofpoint are providing feeds on the latest security vulnerabilities, exploits, and security breaches. It is always recommended that you subscribe to a vendor that understands your business and fetches feeds from open-source vendors like AlienVault, RiskIQ, and Team Cymru.
Whenever a new vulnerability is discovered that your scanner does not yet detect, you can look into your asset inventory and identify whether it affects any of them. While you prioritize the vulnerabilities, threat intel mainly helps by providing parameters for a particular vulnerability: what the exact risk is, whether any exploits are available, whether any malware or ransomware is associated with it, and whether a specific group is targeting a particular kind of company.
Visualizations #
By visualizing your data, you can better identify the outliers and spikes that can be dangerous for your vulnerability management. Visualizations help you comprehend the data trends, which you can define for each asset group. When anything deviates from that trend, you must analyze the situation and seek support.
- When the number of vulnerabilities in your assets suddenly increases, you must identify those assets and check for the newly introduced vulnerabilities.
- Similarly, a sudden drop in the number of hosts reporting to your scanner may indicate a network issue or something malicious with your hosts.
- When there is a shift from the trend of fixing x number of tickets every week to fixing only x/5 tickets per week, verify the reason for this.
- You should investigate any outlier asset in your trending graph.
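The four checks in the list above can be run as code over the same weekly numbers a dashboard would plot. The following is an added example, not code from the original article: it compares the latest weekly value of each metric against the median of the preceding weeks and raises a spike or drop alert, and separately flags any asset whose vulnerability count sits far above its group's median. The metric names, thresholds and weekly values are constructed sample data.

```python
from statistics import median

def deviation_ratio(history, current):
    """Relative change of `current` against the median of `history`.
    Median rather than mean so one earlier spike does not hide a new one."""
    baseline = median(history)
    if baseline == 0:
        return None
    return (current - baseline) / baseline

def check_trends(series, window=4, spike=0.5, drop=-0.3):
    """series: {metric: [weekly values, oldest first]}. Returns a list of
    (metric, kind, ratio) alerts where kind is "spike" or "drop"."""
    alerts = []
    for metric, values in series.items():
        if len(values) <= window:
            continue                      # not enough history for a baseline
        history, current = values[-window - 1:-1], values[-1]
        ratio = deviation_ratio(history, current)
        if ratio is None:
            continue
        if ratio >= spike:
            alerts.append((metric, "spike", round(ratio, 2)))
        elif ratio <= drop:
            alerts.append((metric, "drop", round(ratio, 2)))
    return alerts

def outlier_assets(counts, factor=3.0):
    """Assets whose open-vulnerability count exceeds `factor` times the group median."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(a for a, n in counts.items() if n > factor * baseline)

# Constructed weekly metrics, oldest first; the last entry is the current week.
SAMPLE_SERIES = {
    "open_vulns:workstations": [120, 118, 125, 122, 310],   # new vulns introduced
    "hosts_reporting:servers": [400, 402, 398, 401, 250],   # hosts stopped checking in
    "tickets_closed:all":      [50, 48, 52, 50, 10],        # x -> x/5 fixes per week
    "open_vulns:servers":      [80, 82, 79, 81, 84],        # normal drift
}

# Constructed per-asset counts for one asset group.
SAMPLE_GROUP = {"ws-01": 12, "ws-02": 9, "ws-03": 11, "ws-04": 10, "ws-05": 61}

if __name__ == "__main__":
    for metric, kind, ratio in check_trends(SAMPLE_SERIES):
        print(f"{kind:5} {metric} ({ratio:+.0%} vs trailing median)")
    print("outlier assets:", outlier_assets(SAMPLE_GROUP))
```

The thresholds are deliberately asymmetric: a 50% rise in open findings is common after a large advisory and worth a look, while a 30% fall in hosts reporting is rarely good news and deserves investigation sooner.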