Vulnerability assessment and management is one of the essential functions of any enterprise security program. It is so critical that it can make or break the security of an organization. Before we explore the nuances of what constitutes an effective vulnerability management program, it is important to understand what we mean by vulnerability management.
The term vulnerability management itself represents a misguided vision of how vulnerabilities are handled in a security program. A vulnerability is nothing but a weakness on a system that can be exploited by malicious outsiders. These vulnerabilities need to be remediated, not simply managed. Plugging them would eradicate 90 percent of your security concerns. So then what is the problem?
Too Many Assets, Too Little Time
If you are remotely interested in enterprise security, you already know the problem: There are millions of assets to assess, report on and remediate. The process is time consuming, repetitive and uncertain to actually solve any problems. You might believe it is working until a breach rocks your boat.
Can we remediate all these vulnerabilities? Not just yet — you would never be able to get to all of them in time. This is when most people start managing vulnerabilities. Manage which assets need to be scanned first, determine if the discovered vulnerabilities are accurate, create reports, determine which ones need to be remediated first and continue the process. The problem with this is that it’s easy to lose sight of the end goal: security.
Risk and Vulnerability Management
If we step back, we’ll see that we are really trying to minimize the risk factor by eliminating vulnerabilities that could lead to potential exploits. But the mere existence of a vulnerability doesn’t constitute risk. Risk is the combination of a vulnerability, access to that vulnerability, the ability to exploit it and, most importantly, something of value that could be extracted.
Unfortunately, many vulnerability management efforts tend to revolve around scanning and patching, while risk assessment and management is ignored. Risk management puts the vulnerability in context within the IT environment and helps security professionals understand if a particular risk is really something they should prioritize over other issues. Often it can be mitigated through other means, such as updating relevant firewall rules, changing application configuration or patching network layer to block a vulnerability for a large set of assets.
It’s safe to say that risk management is a common need among enterprise security programs. To implement an effective risk management approach, IT teams must first have:
- An accurate and efficient vulnerability assessment tool;
- An understanding of which assets and information are most important to the organization;
- Knowledge of the network topology for visibility into how an attack would spread;
- Current asset information;
- Visibility into suspect behavior and activities;
- Updates on the latest vulnerability disclosures;
- Understanding of key stakeholders, such security officers, vulnerability engineers, asset owners and IT engineers;
- Buy-in and participation from executives; and
- Communication, communication and communication!
What Does It Take?
This is not an exhaustive list, but it should show you that it takes more than a scanning engine and a patch management solution to run an effective security program. You can’t buy it in a box: It takes tools, people, processes, expertise and investment to have a meaningful solution. It takes a program with active participation from people across security and IT operations. It also takes visibility and an understanding of known vulnerabilities in context with your environment.
World Wide Offering Manager, IBM