Companies need to do more than just scan for known problems and provide huge vulnerability reports to system and network administrators for remediation. According to Gartner, known vulnerabilities still comprise 99 percent of all known exploit traffic. Furthermore, malware, ransomware and exploit kits target vulnerabilities that are six months or older on average.
For many companies, vulnerability management amounts to a game of whack-a-mole. Vulnerability research, assessment and testing are conducted manually and with technological approaches that have not matured over the course of a decade. This inadequacy results in inefficient strategies and security assessments that lack the breadth of scope to reliably simulate what attackers are likely to do when targeting an organization. Even companies that have mature vulnerability assessment programs may struggle when it comes to analyzing the potential risk and impact and managing remediation.
The Scope of the Challenge
Unfortunately, companies face a variety of other challenges when pursuing vulnerability management, including decentralized or inexperienced resources supporting the process, lack of an accurate IT asset inventory, and failure to determine and document whether a fix was applied or an exception was granted.
Another challenge is that the scope of the problem typically exceeds the span of control for the information security team. For comprehensive vulnerability mitigation and ongoing maintenance to occur, security teams depend almost completely on the cooperation of other teams — such as server support, systems administration and network operations — to make the necessary remediation changes. These groups know that each change can be time-consuming and possibly require reboots or scheduled downtime. Consequently, they usually have different timelines and sets of priorities compared to the security team, which wants to address the identified vulnerabilities as quickly as possible.
Any change to your environment could introduce a new vulnerability, and new threats are constantly emerging. Network equipment, server and workstation operating systems, printers and software are all rife with vulnerabilities. So are mobile, virtual and cloud environments. With growing concerns about data breaches and regulatory compliance, the need for mature vulnerability management capabilities is obvious.
What Is Vulnerability Management?
Vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline to discover, prioritize and mitigate exposures. Effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets.
There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration standards based on industry-recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (CIS), the SANS Institute and product vendors themselves. Companies that implement these standards also demonstrate due diligence during audits and regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames.
When starting to build a vulnerability management program, companies should take the following steps:
- Assess and document the current state of the environment to prioritize areas of improvement.
- Maintain an accurate IT asset inventory.
- Document the security infrastructure, as well as external access to systems and processes.
- Establish a security configuration baseline or desired state for each component of the infrastructure based on industry-recognized standards and practices.
- Conduct internal vulnerability scanning across the entire network at least biannually.
- Conduct external network perimeter scanning at least quarterly.
- Identify the patch and configuration issues responsible for the most numerous and serious vulnerabilities.
- Create a vulnerability remediation plan of action.
- Prioritize remediation actions based on potential business impacts and the probability that a vulnerability will be exploited.
Sensitive assets with critical vulnerabilities should be assigned the highest mitigation priority. This requires some risk quantification and analysis. Major network, server and database assets should be classified in terms of the applications they support. This way, vulnerabilities can be related to the business processes that are at risk. Key assets should also be rated in terms of availability, data sensitivity and integrity requirements. Companies that have performed a business impact analysis as a component of their continuity planning have a good starting point.
Vulnerability management requires an automated or manual workflow. Assessment reports should be provided to IT asset administrators and then verified by an auditing and feedback process. Once corrective action is taken to remediate the vulnerability, the IT asset should be re-examined for compliance. The more automated the process, the more efficiently your company can correct known vulnerability exposures.
It is essential to recognize that resolving the vulnerability for good depends on the IT asset and its role. The following can be considered remediation measures:
- Patching the vulnerability;
- Disabling vulnerable functionality;
- Uninstalling vulnerable components;
- Changing the system configuration; and
- Upgrading the platform or service.
Companies should document all decisions not to remediate to prevent them from multiplying and becoming unmanageable. Failure to address a vulnerability is a decision to accept the risk. This decision should never be made by the IT or information security team, but by the business owner of the vulnerable asset. Exceptions should show up on the vulnerability assessment reports and the use of exceptions logged and tracked.
A Layered Approach
The need to find and fix vulnerabilities will persist for the foreseeable future. Companies should implement a vulnerability management program that begins with a security configuration baseline and references industry-recognized best practices. Strong leadership can promote top-to-bottom commitment to the process.
A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to secure any environment from threats. Vulnerability management must be a foundational element to every information security program.