How critical is vulnerability management to your business?
Whatever your view of vulnerability management (VM), there is no denying that it is important to your overall cybersecurity and equally difficult to implement successfully. In today’s world, data is fluid and distributed across complex and decentralized computing environments, which increases the risk of that data being compromised. With vulnerable assets creating target-rich environments for cybercriminals and other attackers, you need to protect your data, and you need vulnerability management. To help you make the right decisions and be smart about your VM program, I have compiled 10 ways you can become a vulnerability management ninja and maximize your security investment.
1. The Who and the How
Designate a team or individual to oversee the successful cradle-to-grave execution of all VM-related processes. The designated team or individual should develop processes for discovery, reporting, prioritization, and response. Whoever is chosen should communicate effectively and work well with the business.
2. Select the Right Tool …or Reconfigure Your Existing Tool
If you haven’t already, you should read our blog post Too Many Tools. The last thing you want to do is add another useless brick to your cybersecurity wall. Vulnerability assessment tools fall into two broad categories: host-based and network-based. For brevity, I will focus on network-based scanners. Network-based tools run on centralized scanner appliances, often operate anonymously (requiring no logins), and can scan a range of hosts for vulnerabilities. If you are reconfiguring an existing vulnerability management tool or implementing a brand-new one, make sure that it scans for vulnerabilities on a wide range of applications and devices, including email servers, HTTP servers, FTP servers, and DNS servers.
3. Schedule, Schedule, Schedule!
An effective VM program relies heavily on a scheduled process. Scans should be confined to specific windows in a given month and organized by asset type (e.g. desktops, servers, network devices). Scanning should also be integrated into the change management process. Changes occur regularly on many networks and systems, and each change can introduce new vulnerabilities or issues that could undermine security.
4. Discover and Identify your Assets
In order to secure something, it is important to first know that it exists, what it is, and where it is located. Therefore, one of the first types of vulnerability scans to be scheduled (see #3) should be a discovery scan. A crucial step in securing your data is to use the discovery scan to identify all the various assets on your network. These assets should include every element that makes up the computing environment, such as routers, switches, servers, firewalls, printers, operating systems, system software, and application software.
5. Determine Your Crown Jewels
Discovered assets should undergo an asset valuation process in order to determine the intrinsic value of each asset and identify the assets most critical to the business (a.k.a. the crown jewels). Asset valuation enables responsible prioritization of protection, whereas improper asset valuation can drive decision-makers to make the wrong decision. In order for an asset to introduce any potential for loss, it must introduce some level of value or liability.
6. Identify and Prioritize Your Vulnerabilities
When it comes to vulnerability management, knowledge is power. Just knowing what vulnerabilities exist for each asset and the criticality of that vulnerability (see #5) is essential in determining how best to secure it. Vulnerabilities may exist on each device and asset due to missing patches, old software, weak passwords, or poor configurations. Identified vulnerabilities should then be rated by their level of difficulty to exploit, relevance to the environment, and the damage that could be caused by exploitation.
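The rating described in #5 and #6 can be combined into a single ranking. The following is an added example, not part of the original post: the 1-5 scales, the multiplicative formula, the host names and the findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory from a discovery scan: host -> business value,
# 1 (low) to 5 (crown jewel). The scale is an assumption of this example.
ASSET_VALUE = {"db01": 5, "web01": 4, "print03": 1}

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    ease: int       # difficulty to exploit, inverted: 5 = trivial, 1 = hard
    relevance: int  # relevance to this environment: 5 = directly exposed
    damage: int     # damage if exploited: 5 = severe

# Constructed scan findings (not real scanner output).
FINDINGS = [
    Finding("web01", "Outdated HTTP server", 4, 5, 4),
    Finding("db01", "Weak database password", 5, 3, 5),
    Finding("print03", "Missing firmware patch", 2, 2, 2),
    Finding("ftp09", "Poor FTP configuration", 5, 4, 3),  # host not in inventory
]

def score(finding, asset_value):
    # Assumed formula: multiply the three ratings, then weight by asset value.
    return finding.ease * finding.relevance * finding.damage * asset_value

def prioritize(findings, inventory):
    """Return (ranked, unvalued): ranked is [(score, finding)] highest first;
    unvalued holds findings on hosts that have no asset valuation yet."""
    ranked, unvalued = [], []
    for f in findings:
        if f.host in inventory:
            ranked.append((score(f, inventory[f.host]), f))
        else:
            unvalued.append(f)  # send back to discovery/valuation, do not drop
    ranked.sort(key=lambda pair: (-pair[0], pair[1].host, pair[1].title))
    return ranked, unvalued

if __name__ == "__main__":
    ranked, unvalued = prioritize(FINDINGS, ASSET_VALUE)
    for s, f in ranked:
        print(f"{s:4d}  {f.host:8s} {f.title}")
    for f in unvalued:
        print(f" n/a  {f.host:8s} {f.title} (asset not valued)")
```

Findings on hosts missing from the inventory are returned separately so that a gap in discovery or valuation shows up in the report instead of silently lowering a finding's priority.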
8. Effective Communication is Key
The scan results should be compiled and organized into an actionable report and delivered to the appropriate stakeholders. In the report, each vulnerability should have a pragmatic remediation option attached to it. More often than not, the vulnerability assessment tool will actually provide remediation actions and generate a report for delivery. If an identified vulnerability is severe enough, then incident response procedures should be invoked to ensure rapid response times and proactive actions for potential incidents.
9. Don’t Forget to Remediate!
The vulnerability assessment tool should provide specific guidance for mitigation, which generally involves installing a patch, upgrading the software, or disabling/uninstalling a service. In organizations where resources are scarce, patch management teams and system administrators are tasked with updating the vulnerable host. This is why good reporting (see #8) provides a solid foundation for a good vulnerability management program. In the event that a viable mitigation strategy is not available for a given vulnerability, effective vulnerability management practitioners will identify alternative ways to manage the exposure, such as changing firewall rules, increasing log monitoring, or updating IDS attack signatures, until the vendor provides a fix.
10. Good Patch Management = Good Vulnerability Management
A central component of VM is patch management. Patch management ensures that software updates are applied to systems and assets on a regular basis. The patch management process should also be integrated with the change management process to ensure that software updates and releases are applied in a controlled manner. In addition, patch management should look beyond Microsoft patches and include third-party applications. This is also a good time to bring up verification. Verification is important to ensure that the vulnerability management process was effective, that the patches and mitigation strategies were applied properly, and that the identified vulnerability has been dealt with. A solid vulnerability management program will see a downward trend in vulnerability counts when collecting metrics.
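Verification can be done by comparing the scan taken before remediation with a rescan. The following is an added example, not part of the original post: the CSV layout, host names and `EXAMPLE-nnn` identifiers are constructed placeholders, and the list of rescanned hosts is assumed to come from the scanner's own coverage report.

```python
import csv
import io

# Constructed scanner exports (host,vuln_id); the IDs are placeholders.
BEFORE_CSV = """host,vuln_id
web01,EXAMPLE-001
web01,EXAMPLE-002
db01,EXAMPLE-003
print03,EXAMPLE-004
"""
AFTER_CSV = """host,vuln_id
web01,EXAMPLE-002
db01,EXAMPLE-005
"""
# Hosts the rescan actually reached; print03 was offline (constructed).
RESCANNED_HOSTS = {"web01", "db01"}

def load(export):
    """Parse a CSV export into a set of (host, vuln_id) pairs."""
    return {(r["host"].strip(), r["vuln_id"].strip())
            for r in csv.DictReader(io.StringIO(export))}

def verify(before, after, rescanned_hosts):
    """Classify findings by comparing the pre-remediation scan with the rescan."""
    gone = before - after
    return {
        "fixed": {k for k in gone if k[0] in rescanned_hosts},
        # A finding that vanished because its host was never rescanned is
        # not verified; counting it as fixed would inflate the metrics.
        "unverified": {k for k in gone if k[0] not in rescanned_hosts},
        "still_open": before & after,
        "new": after - before,
    }

def open_count(result):
    """Findings that still count as open for trend metrics."""
    return len(result["still_open"] | result["new"] | result["unverified"])

if __name__ == "__main__":
    before, after = load(BEFORE_CSV), load(AFTER_CSV)
    result = verify(before, after, RESCANNED_HOSTS)
    for state, items in result.items():
        print(state, sorted(items))
    print("open before:", len(before), "open now:", open_count(result))
```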
Successful execution of these 10 practices will put you well on your way to becoming a vulnerability management ninja. But remember that at the core of a VM program, business-to-security communication and collaboration is everything. Without clear and concise communication, the symbiotic relationship cannot exist, and your investment in VM becomes shelf-ware.