What is a vulnerability management program?
Rapid changes in attack methods and techniques have made maintaining a secure environment increasingly challenging. Organizations are taking cybersecurity readiness seriously and are proactively looking for vulnerable applications, operating systems and platforms within their network environment that an attacker could exploit to gain access, escalate privileges, establish persistence and carry out actions with malicious intent.
Vulnerability management is one such proactive strategy. It is commonly defined as “the practice of identifying, classifying, remediating and mitigating vulnerabilities”. Unlike patching driven purely by a severity threshold such as a Common Vulnerability Scoring System (CVSS) cutoff, vulnerability management is an ongoing process that prioritizes the response to identified vulnerabilities day by day, taking into account context such as exposure, exploit activity and the importance of the affected asset, so that they are addressed before an attacker attempts to exploit them.
What is a vulnerability management program?
A vulnerability management program is an established, ongoing, risk-based process within the organization designed to address the need to identify and remediate vulnerabilities. It leverages a team of members spanning multiple departments, including security, IT, AppSec and DevOps; tools such as asset management, vulnerability scanning and vulnerability assessment solutions; and a means to update the wide range of operating systems, applications, devices and appliances involved.
The pillars of vulnerability management
A vulnerability management program generally rests on four basic pillars:
- The discovery pillar: understanding all potential sources of vulnerability, including laptops, desktops, servers, firewalls, network devices, printers and more, serves as the foundation for any robust vulnerability management program.
- The identification pillar: a vulnerability scanning solution scans the systems and devices under management and matches what it finds (software versions, configurations, exposed services) against a database of known vulnerabilities.
- The reporting / prioritization pillar: this step is more complex. Depending on the size and complexity of the environment you may have thousands of findings, and several factors (severity, exposure, whether an exploit is in active use, the importance of the affected asset) determine which take priority over others. In this step the program team evaluates the identified vulnerabilities and assigns that priority.
- The response / correction pillar: correction is not always “patch it”. In some cases no patch exists, so remediation relies on a compensating control (for example restricting network exposure or disabling the vulnerable feature). Remediation also includes retesting, either through another vulnerability scan or a penetration test, to confirm that the fix took effect.
A framework for building an internal program
Provided there is ample in-house staff and expertise, a vulnerability management program can be implemented internally. It requires a team responsible for the parts of the organization affected by both the vulnerability scans and the resulting patches and fixes. The framework itself takes time to build, test and adjust to the specific needs of the organization, and a number of software solutions will be required. Finally, an internal program needs C-level buy-in, since it will need budget, potentially dedicated staff (this is an ongoing process) and those software solutions.
An effective program will contain four key aspects, shown below:
– Asset management: you can’t protect what you don’t know about.
– Vulnerability management: you need a means to quickly assess whether assets are vulnerable.
– Threat risk and prioritization: you need help in determining what risk a found vulnerability represents and the ability to rank the response.
– Patch/configuration management: the program must have the ability to update operating systems and applications with configurations and patches to remediate vulnerabilities.
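To make the four pillars (discovery, identification, prioritization, response) and the four key aspects listed above concrete, here is an added example written for this page; it is not code from the original article or from any vendor. It uses a constructed asset inventory and constructed scanner findings (the VULN-* identifiers, scores and patch availability are placeholders, not real advisories), ranks findings by risk rather than by CVSS alone, plans a response that falls back to a compensating control when no patch exists, and checks a rescan to see what is still open. The multipliers in risk_score are illustrative assumptions, not a standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool
    criticality: int  # 1 = low impact if compromised, 5 = crown jewel


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float
    known_exploited: bool   # e.g. listed in an exploited-in-the-wild catalogue
    patch_available: bool


# Discovery pillar: the asset inventory (constructed for this example).
ASSETS = {a.hostname: a for a in [
    Asset("db-01", internet_facing=False, criticality=5),
    Asset("web-01", internet_facing=True, criticality=4),
    Asset("laptop-07", internet_facing=False, criticality=1),
    Asset("printer-02", internet_facing=False, criticality=1),
]}

# Identification pillar: scanner output (constructed; values are made up).
FINDINGS = [
    Finding("db-01", "VULN-A", cvss=9.8, known_exploited=False, patch_available=True),
    Finding("web-01", "VULN-B", cvss=7.5, known_exploited=True, patch_available=False),
    Finding("laptop-07", "VULN-C", cvss=9.1, known_exploited=False, patch_available=True),
    Finding("printer-02", "VULN-D", cvss=4.3, known_exploited=False, patch_available=False),
]


def risk_score(f, a):
    """Prioritization pillar: CVSS is the base, context adjusts it (weights are assumptions)."""
    score = f.cvss
    if f.known_exploited:
        score *= 2.0                  # exploited in the wild outweighs theoretical severity
    if a.internet_facing:
        score *= 1.5                  # reachable by any attacker, not just an insider
    score *= 1 + a.criticality / 10   # business impact of the affected host
    return score


def prioritize(findings, assets):
    """Return (finding, score) pairs, highest risk first."""
    scored = [(f, risk_score(f, assets[f.hostname])) for f in findings]
    return sorted(scored, key=lambda fs: fs[1], reverse=True)


def cvss_threshold_queue(findings, threshold=9.0):
    """The naive alternative the article contrasts with: patch by CVSS score alone."""
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [f for f in ranked if f.cvss >= threshold]


def plan_response(f, a, score):
    """Response pillar: the answer is not always 'patch it'."""
    if f.patch_available:
        sla_days = 7 if score >= 15 else 30 if score >= 10 else 90
        return f"patch within {sla_days} days"
    if a.internet_facing:
        return "no patch: restrict exposure (firewall/WAF rule), track vendor fix"
    return "no patch: segment or disable the vulnerable feature, track vendor fix"


def still_open(before, after):
    """Retest: findings from the original scan that the rescan still reports."""
    after_keys = {(f.hostname, f.vuln_id) for f in after}
    return [f for f in before if (f.hostname, f.vuln_id) in after_keys]


if __name__ == "__main__":
    for f, score in prioritize(FINDINGS, ASSETS):
        action = plan_response(f, ASSETS[f.hostname], score)
        print(f"{score:5.1f}  {f.hostname:10} {f.vuln_id}  -> {action}")
    print("CVSS>=9 queue:", [f.vuln_id for f in cvss_threshold_queue(FINDINGS)])
```

With these constructed inputs the CVSS-only queue contains VULN-A and VULN-C and never reaches VULN-B, while the risk-based ranking puts VULN-B first: a known-exploited flaw on an internet-facing, business-critical host with no patch is the item that needs a compensating control today, even though its base score is only 7.5.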
To formulate a more comprehensive vulnerability management program, there are a number of excellent resources to get you started:
– SANS publishes a Vulnerability Management Maturity Model (see page 2 of that document) that defines five levels of maturity and describes the objectives for each step of the process at each level.
– The Center for Internet Security (CIS) has a Critical Security Control dedicated to Continuous Vulnerability Management (Control 7 in CIS Controls version 8).
Should vulnerability management be considered as a service?
Outsourcing should be considered, even where there is a desire to handle this in-house, for several good reasons. First, even when everyone agrees that vulnerability management should run as a continuous process of scanning, analysis, reporting and response, an internal effort is more likely to end up being done periodically, which defeats the purpose of having a vulnerability management program in the first place. A managed provider runs the process continuously, ensuring 24/7 coverage, while freeing internal IT to focus on other technology initiatives.
Second, internal staff may not have the knowledge, experience and exposure to the nuances of vulnerability management that an external vendor may have, along with advanced technologies that will have been tested across many organizations, geographies and threats.
Finally, most outsourced managed services, especially in cybersecurity, are designed to cost less than performing the same service in-house: the provider already has the necessary staff, processes and security tools and typically offers them together under a subscription pricing model.
At a minimum, consider using outside expertise to help create a vulnerability management program internally; the experience and expertise can help the organization more accurately and quickly bring the program to a level of maturity and effectiveness that can help positively impact the organization’s security.