This blog was written by a third-party author.
The rapid rate of change in attack methods and techniques in today’s cybersecurity landscape has made keeping an environment secure increasingly difficult, causing many organizations to fall into a dangerous state of simply reacting to current threats. Organizations that are serious about their cybersecurity readiness proactively look for the vulnerable applications, operating systems, and platforms within the network environment that cybercriminals would otherwise exploit to gain access, elevate privilege, move laterally, establish persistence, and carry out actions to a malicious end.
One tenet of a comprehensive proactive security strategy is vulnerability management. Vulnerability management is commonly defined as “the practice of identifying, classifying, remediating and mitigating vulnerabilities.” Unlike patching driven only by a scoring threshold such as the Common Vulnerability Scoring System (CVSS), vulnerability management is a continual process that seeks to intelligently prioritize the response to the vulnerabilities identified each day, before an attacker attempts to exploit them, keeping the organization as secure as possible.
What is a Vulnerability Management Program?
A Vulnerability Management Program is a risk-based, established, continuous process within the organization designed to identify and remediate vulnerabilities. It draws on a team spanning multiple departments, including security, IT, AppSec, and DevOps; on tools such as asset management, vulnerability scanning, and vulnerability assessment solutions; and on a means to update the potentially wide range of disparate operating systems, applications, appliances, and devices involved.
The pillars of vulnerability management
A Vulnerability Management Program generally consists of just four basic pillars:
- Discovery – Having an understanding of every potential source of vulnerability, including laptops, desktops, servers, firewalls, networking devices, printers, and more, serves as the foundation for any solid Vulnerability Management Program.
- Identification – Using a vulnerability scanning solution, the systems and devices under management are scanned for known vulnerabilities, and scan findings are correlated with those vulnerabilities.
- Reporting / prioritization – This step is a bit more complex than I’m going to cover here. Keeping in mind that you may have thousands of potential vulnerabilities (depending on the size and complexity of your environment), there will no doubt be varying factors that determine which discovered vulnerabilities take priority over others. In this step, the Vulnerability Management Program team assesses the identified vulnerabilities and determines priority.
- Response / remediation – It should be noted first that the remediation step isn’t always “patch it.” In some cases there is no patch, and remediation relies on some kind of compensating control. Part of the remediation process is re-testing, whether via another vulnerability scan or a penetration test.
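The four pillars above, worked through as an added example (not code from the original post): a constructed asset inventory and constructed scanner findings are correlated, then prioritized by asset context rather than CVSS alone, with compensating controls and re-test status tracked the way the remediation step describes. The weights, asset names and VULN-xxxx identifiers are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed asset inventory (the discovery pillar): criticality 1-5, exposure.
ASSETS = {
    "web-01":   {"criticality": 5, "internet_facing": True},
    "db-01":    {"criticality": 5, "internet_facing": False},
    "print-02": {"criticality": 1, "internet_facing": False},
}
@dataclass
class Finding:
    asset: str
    vuln_id: str                          # constructed ids, not real CVEs
    cvss: float                           # base score as the scanner reports it
    patch_available: bool
    compensating_control: bool = False    # e.g. service disabled, WAF rule
    retest_passed: Optional[bool] = None  # None = not yet re-tested

def risk_score(f: Finding) -> float:
    # Weight CVSS by asset context; an asset missing from the inventory is
    # treated as critical and exposed, since unknown assets are the riskiest.
    a = ASSETS.get(f.asset, {"criticality": 5, "internet_facing": True})
    score = f.cvss * a["criticality"]
    if a["internet_facing"]:
        score *= 1.5
    if f.compensating_control:
        score *= 0.5                      # mitigated, not fixed: still tracked
    return round(score, 2)

def prioritize(findings):
    # Only a passed re-test closes a finding; everything else stays queued.
    open_f = [f for f in findings if f.retest_passed is not True]
    return [(f.vuln_id, f.asset, risk_score(f))
            for f in sorted(open_f, key=risk_score, reverse=True)]

def recommended_action(f: Finding) -> str:
    if f.retest_passed is True:
        return "closed"
    if f.retest_passed is False:
        return "remediation failed: rework, then re-test"
    if f.patch_available:
        return "patch, then re-scan to confirm"
    if f.compensating_control:
        return "control in place: track until a patch ships, then re-test"
    return "no patch: apply a compensating control"
FINDINGS = [  # constructed scanner output (the identification pillar)
    Finding("print-02", "VULN-0001", 9.8, True),
    Finding("web-01",   "VULN-0002", 7.5, True),
    Finding("db-01",    "VULN-0003", 8.1, False, compensating_control=True),
    Finding("web-01",   "VULN-0004", 5.3, True, retest_passed=True),
]
```

Sorting on CVSS alone would put the printer's 9.8 first; with asset context the internet-facing web server's 7.5 leads the queue, and the closed finding drops out once its re-test passes.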
A framework for building a program in-house
Provided you have ample staffing and internal expertise, it is possible to implement a Vulnerability Management Program in-house. As previously implied, it will take a team of people who are responsible for the various parts of the organization that are affected by both vulnerability scans and the resulting patching and/or remediation. Building the framework will also take dedicated time to build, test, and adjust it to your organization’s specific needs. A range of software solutions will be needed (the list will be influenced by your industry’s individual security mandates). Lastly, an in-house program will require C-level buy-in, as you’re going to need budget, potentially dedicated headcount (since this is a continuous process), and the software solutions themselves.
An effective program will contain four key aspects, shown below:
- Asset management – you can’t protect what you don’t know about.
- Vulnerability management – you need a means to quickly assess whether your assets are vulnerable.
- Threat risk & prioritization – you need assistance in determining what risk a found vulnerability poses and an ability to triage the response.
- Patch / configuration management – your program must be able to update operating systems and applications with the settings and patches that remediate vulnerabilities.
As you look to formulate a more comprehensive vulnerability management program, there are a number of great resources to get you started:
- SANS has a Vulnerability Management Maturity Model (focus on page 2 of that document) which provides five different levels of maturity and describes what your goals are for each step of the process at that maturity level.
- The Center for Internet Security (CIS) has a Critical Security Control dedicated to Continuous Vulnerability Management.
Should you consider vulnerability management as a service?
The idea of outsourcing this should be considered, despite any desire to handle it in-house – and for a few really good reasons. First, even though everyone will agree that vulnerability management needs to be executed as a continual process of scanning, analysis, reporting, and response, when left to be done internally it is more likely to end up being done periodically (which defeats the purpose of having a vulnerability management program in the first place). A managed provider will bring the necessary continual process and platform to the table, ensuring 24/7 coverage while freeing up internal IT to focus on other technology initiatives.
Second, internal staff may not have the expertise, experience, and exposure to the nuances of vulnerability management that an outside provider may have, along with advanced technologies that will have been tested across many organizations, geographies, and threats.
Lastly, most outsourced managed services – particularly in the cybersecurity space – are designed to be less costly than performing the same service in-house; they have the staff, process, and security tools necessary and traditionally offer them together in a cost-effective subscription pricing model.
At a minimum, consider using outside expertise to help build a vulnerability management program in-house – their expertise and experience can help your organization get its program to a level of maturity and effectiveness that positively impacts organizational security more accurately and more quickly.