The best time to initiate a comprehensive program for dealing with security vulnerabilities in your organization was yesterday. Systems are more complex than ever, threats are more prevalent, attacks are more sophisticated, and the sheer number of system vulnerabilities is exceeding the remediation capabilities of many organizations.
As we consider how to develop a vulnerability management program, it’s helpful to define vulnerabilities. Security vulnerabilities are flaws exposing an organization’s assets and environment that can be exploited by attackers to perform unauthorized and potentially harmful actions.
A good vulnerability management program aims to reduce the chances of this occurring through a three-step process:
- Identify vulnerabilities in your systems.
- Prioritize vulnerabilities according to their risk level.
- Remediate vulnerabilities with a fast and manageable approach.
These steps can make a profound difference in efficiency, compliance and the protection of your organization’s infrastructure. Let’s explore each step in greater detail.
Identify Security Vulnerabilities Based on Risk
The first step in a management program, identifying vulnerabilities, requires a scan of your systems, applications, networks and devices. Scanning can help uncover security vulnerabilities that stem from various sources, from third-party vendors to overhauled infrastructure. The good news is that this process is sure to detect security vulnerabilities. The bad news is that you may discover millions. One investment firm uncovered more than 6 million vulnerabilities after just one scan, according to IBM X-Force Red.
It’s no surprise that organizations sometimes lack the resources to scan a system, analyze the results and respond effectively. By the time the security team wades through the data, it may be outdated, and given that business continuity generally takes precedence over identifying and fixing security vulnerabilities, patches may not be implemented, which could leave the business exposed.
False positives also create dead ends that force teams to spend time pursuing vulnerabilities that don’t actually pose a risk. According to the Ponemon Institute and Exabeam, security teams waste an average of 25 percent of their time trying to track down false positives. This is where a multi-stage vulnerability management program and automation can play a major role, cutting down on false positives and allowing remediators to focus on only the vulnerabilities that pose the highest risk of a compromise.
Prioritize the Most Critical Vulnerabilities
Most scans produce results that are referred to by their Common Vulnerabilities and Exposures (CVE) designation. This system provides a standardized name for cataloging and managing publicly known security vulnerabilities. The Common Vulnerability Scoring System (CVSS), a worldwide standard, is used to rate the severity of CVEs. The CVSS generates a numerical criticality score from 1 to 10 (with 10 being the most critical) based on factors such as the type of attack, level of access required and overall complexity.
You may be tempted to rely only on the CVSS to rank and prioritize vulnerabilities, but the scoring system doesn’t account for which exposed assets matter most to your business or whether the vulnerabilities exposing them are being weaponized by attackers. In other words, the CVSS treats all assets equally, even though compromising some of them would create far more impact to your business, and it says nothing about whether the vulnerabilities exposing them are actively being exploited by attackers. Without considering those two additional factors – asset value and weaponization – you might prioritize patching vulnerabilities that aren’t likely to be exploited and leave others unpatched that could expose even more sensitive assets. Your job is to rate each asset in terms of its risk and business criticality.
According to Gartner, “A vulnerability is only as bad as the threat exploiting it and the impact on the organization.” If an attacker exploits just one vulnerability that has public exploit information associated with it, the damage could be significant. Fortunately, the percentage of vulnerabilities that are weaponized is typically low. By correlating and prioritizing weaponized vulnerabilities that could result in the greatest damage, your remediation program should become more manageable and effective.
Follow a Manageable Remediation Process
After prioritizing based on weaponization and asset value, you can address security vulnerabilities in manageable workloads and remediate the most critical ones first. It’s also crucial to eliminate false positives so you can focus on remediating only true vulnerabilities. Each vulnerability on the priority list should include a title, ranking, category, associated threat, proposed solution and remediation schedule. With that in hand, you should be able to remediate the most critical vulnerabilities in a manageable, consistent and efficient manner.
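The following is an added example, not code from the original article or from any of the vendors it cites. It turns the prioritization argument above (CVSS alone versus CVSS weighted by asset value and weaponization) and the remediation list fields into a small working model: the weighting scheme, the asset criticality scale, the SLA tiers and the sample findings are all assumptions constructed for illustration, and the finding ids are placeholders rather than real advisories.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:
    title: str            # scanner finding name (placeholder ids below, not real CVEs)
    category: str         # e.g. "missing patch", "misconfiguration"
    cvss: float           # CVSS base score reported by the scanner
    asset: str            # host or application the finding was raised on
    asset_value: int      # assumed business criticality scale, 1 (disposable) .. 5 (crown jewel)
    weaponized: bool      # public exploit code or in-the-wild exploitation known
    fix: str              # proposed solution
    false_positive: bool = False   # set once an analyst verifies the finding is not real

ASSET_WEIGHT = {1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0}   # assumed weighting

def risk_score(f: Finding) -> float:
    """CVSS scaled by asset value, doubled if weaponized; a relative score, may exceed 10."""
    score = f.cvss * ASSET_WEIGHT[f.asset_value]
    return round(score * 2.0 if f.weaponized else score, 2)

def cvss_only_order(findings):
    """The queue you would get ranking on CVSS alone (shown for comparison)."""
    return [f.title for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def prioritize(findings):
    """Discard verified false positives, then rank by risk; CVSS breaks ties."""
    real = [f for f in findings if not f.false_positive]
    return sorted(real, key=lambda f: (risk_score(f), f.cvss), reverse=True)

def remediation_plan(findings, sla_days=(7, 30, 90)):
    """One record per true finding, carrying the fields a remediation list needs."""
    plan = []
    for rank, f in enumerate(prioritize(findings), start=1):
        r = risk_score(f)
        # Weaponized on a high-value asset: shortest SLA; otherwise tier by risk score.
        tier = 0 if (f.weaponized and f.asset_value >= 4) else (1 if r >= 5.0 else 2)
        plan.append({"title": f.title, "ranking": rank, "category": f.category,
                     "asset": f.asset, "risk": r,
                     "associated_threat": "public exploit available" if f.weaponized else "no known exploit",
                     "proposed_solution": f.fix,
                     "remediation_schedule_days": sla_days[tier]})
    return plan

# Constructed sample scan output; the ids are placeholders, not real advisories.
SAMPLE = [
    Finding("PLACEHOLDER-0001", "missing patch", 9.8, "build-server", 3, False, "apply vendor patch"),
    Finding("PLACEHOLDER-0002", "missing patch", 7.5, "customer-db", 5, True, "apply vendor patch"),
    Finding("PLACEHOLDER-0003", "misconfiguration", 6.1, "hr-portal", 4, True, "disable legacy TLS"),
    Finding("PLACEHOLDER-0004", "missing patch", 9.1, "test-vm", 1, False, "apply vendor patch", True),
    Finding("PLACEHOLDER-0005", "weak credentials", 5.3, "intranet-wiki", 3, False, "rotate password"),
]
```

On the sample data, ranking by CVSS alone puts the build-server finding first and a verified false positive second, while the risk-weighted plan puts the two weaponized findings on high-value assets at the top with the shortest schedule.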
Vulnerability Management Is an Ongoing Process
Given that many organizations potentially have millions of vulnerabilities — many of which could expose highly sensitive assets — the immediate need for efficient identification, prioritization and remediation is obvious. But vulnerability management must be a continual process, not a one-off. To that end, creating a regular schedule for assessing vulnerabilities based on risk to the business is key to developing an effective and efficient vulnerability management program.