If there’s one thing the security sector loves, it’s a buzzword. And vulnerability management (VM) is one of those ubiquitous terms: Everybody has it and everybody recognises that VM is an essential component of creating a solid security foundation.
In fact, 88 per cent of security professionals stated that their organisation has a VM system in place. But if that is the case, then why are 27 per cent of respondents also admitting that their organisation was breached due to an unpatched vulnerability?
The answer is that having a VM system in place is not the same as having a successful vulnerability management program. Fortunately, there are some principles that—if followed—can improve the quality of organisations’ VM program and thus reduce the risk that an unpatched vulnerability is exploited.
1. Make executive buy-in a major priority
I’ve seen VM programs fail solely due to a lack of executive buy-in. If you don’t know how your program impacts execs, you probably don’t have full buy-in from them. One of the best ways to secure executive buy-in is to make sure you have a way to effectively illustrate the payoff of your VM efforts. Does your VM tool show prioritised risk scoring with remediation guidance, and can it generate a report to give execs an at-a-glance view of the ways your program is mitigating risk across the organisation? The more concrete your reporting data, the easier it is to prove your VM program’s effectiveness and secure true executive buy-in.
2. Prioritise comprehensive asset visibility
When you say your VM program conducts asset discovery, how comprehensive are you being with the term “asset?” Are you scanning dynamic endpoints and BYOD devices? What about cloud assets? Are you doing agentless scanning, agent-based scanning, or both? And are your scans being conducted often enough to catch new vulnerabilities in time? If your program doesn’t cover all assets and all business areas within your organisation, it isn’t operating at peak effectiveness. It’s impossible to mitigate risks you don’t know exist.
3. Align your scan and remediation cadence
Ideally, your vulnerability scans will be set to a similar rhythm as your remediation activities. For example, if you conduct scans once a day but only remediate once a week, scanning more frequently will not in itself lower your vulnerability risk. One way to optimise the relationship between vulnerability scanning and other components of your security program is to set scans to trigger as soon as suspicious changes occur on your system. The two key objectives of your scanning process should be to prompt remediation activity and to identify new risks as they emerge.
4. Bring business context into your risk assessments
Not all vulnerabilities pose equal business risk. When you’re performing a vulnerability assessment, can you quickly and easily identify which assets are most important to the business? If your VM program is giving equal weight to assets that are mission-critical and those that aren’t, you’re missing a major piece of the risk management puzzle. This step is all about levelling up from assessment of vulnerabilities to strategic management of vulnerabilities.
5. Work to minimise exceptions
What devices in your environment can’t be scanned and why? If you don’t have a quick answer here, you likely have areas of unknown risk that aren’t being properly included in the scope of your VM program. Think of this as missing surface area in your attack surface map. Many organisations deploy vulnerability scanning globally, but then create so many exceptions that they’re leaving a lot of surface area uncovered. Whatever your exceptions are, make sure to minimise them and set goals for how to reduce those exceptions.
6. Focus on the right metrics
Metrics play a make-or-break role in the success of your VM program. For example, if you’re only keeping track of how many vulnerabilities you’re finding—but don’t have granular prioritisation showing you which vulnerabilities are the most dangerous and why—you have major room to improve. Identify a set of metrics that make sense for your particular organisation and stick to them. Shift your thinking from quantity to quality when it comes to where your remediation efforts go.
7. Connect assessment and remediation workflows
Let’s revisit the difference between vulnerability assessment and management. If you are scanning for vulnerabilities and reporting on how many and what types you’re coming across, nothing is being done to actually fix those vulnerabilities until your remediation workflow kicks into gear. Once your assessments lead directly to remediation via a clear process, you’re now successfully managing your vulnerabilities in addition to simply assessing them. Every organisation will have a different workflow that best fits the internal processes already in place—just make sure that there is clear communication, rather than a simple hand-off, between the assessment and remediation portions of your VM program.
How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk. Even if you have a relatively mature VM program in place, it’s never a bad time to revisit your strategy and make sure that you’re doing all you can to manage risk effectively by incorporating business context, gathering the right metrics, and giving your stakeholders a clear picture of the entire organisation’s risk posture.
Tim Erlin, VP of Product Management and Strategy, Tripwire