Light Dark
August 9, 2017 By Brian Evans 4 min read
Risk Management
Intelligence & Analytics
CISO

Companies need to do more than just scan for known problems and provide huge vulnerability reports to system and network administrators for remediation. According to Gartner, known vulnerabilities still comprise 99 percent of all known exploit traffic. Furthermore, malware, ransomware and exploit kits target vulnerabilities that are six months or older on average.

For many companies, vulnerability management amounts to a game of whack-a-mole. Vulnerability research, assessment and testing are conducted manually and with technological approaches that have not matured over the course of a decade. This inadequacy results in inefficient strategies and security assessments that lack the breadth of scope to reliably simulate what attackers are likely to do when targeting an organization. Even companies that have mature vulnerability assessment programs may struggle when it comes to analyzing the potential risk and impact and managing remediation.

The Scope of the Challenge

Unfortunately, companies face a variety of other challenges when pursuing vulnerability management, including decentralized or inexperienced resources supporting the process, lack of an accurate IT asset inventory, and failure to determine and document whether a fix was applied or an exception was granted.

Another challenge is that the scope of the problem typically exceeds the span of control for the information security team. For comprehensive vulnerability mitigation and ongoing maintenance to occur, security teams depend almost completely on the cooperation of other teams — such as server support, systems administration and network operations — to make the necessary remediation changes. These groups know that each change can be time-consuming and possibly require reboots or scheduled downtime. Consequently, they usually have different timelines and sets of priorities compared to the security team, which wants to address the identified vulnerabilities as quickly as possible.

Any change to your environment could introduce a new vulnerability, and new threats are constantly emerging. Network equipment, server and workstation operating systems, printers and software are all rife with vulnerabilities. So are mobile, virtual and cloud environments. With growing concerns about data breaches and regulatory compliance, the need for mature vulnerability management capabilities is obvious.

What Is Vulnerability Management?

Vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline to discover, prioritize and mitigate exposures. Effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets.

There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration standards based on industry-recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (CIS), the SANS Institute and product vendors themselves. Companies that implement these standards also demonstrate due diligence during audits and regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames.

When starting to build a vulnerability management program, companies should take the following steps:

  • Assess and document the current state of the environment to prioritize areas of improvement.
  • Maintain an accurate IT asset inventory.
  • Document the security infrastructure, as well as external access to systems and processes.
  • Establish a security configuration baseline or desired state for each component of the infrastructure based on industry-recognized standards and practices.
  • Conduct internal vulnerability scanning across the entire network at least biannually.
  • Conduct external network perimeter scanning at least quarterly.
  • Identify the patch and configuration issues responsible for the most numerous and serious vulnerabilities.
  • Create a vulnerability remediation plan of action.
  • Prioritize remediation actions based on potential business impacts and the probability that a vulnerability will be exploited.

Sensitive assets with critical vulnerabilities should be assigned the highest mitigation priority. This requires some risk quantification and analysis. Major network, server and database assets should be classified in terms of the applications they support. This way, vulnerabilities can be related to the business processes that are at risk. Key assets should also be rated in terms of availability, data sensitivity and integrity requirements. Companies that have performed a business impact analysis as a component of their continuity planning have a good starting point.

Remediating Vulnerabilities

Vulnerability management requires an automated or manual workflow. Assessment reports should be provided to IT asset administrators and then verified by an auditing and feedback process. Once corrective action is taken to remediate the vulnerability, the IT asset should be re-examined for compliance. The more automated the process, the more efficiently your company can correct known vulnerability exposures.

It is essential to recognize that resolving the vulnerability for good depends on the IT asset and its role. The following can be considered remediation measures:

  • Patching the vulnerability;
  • Disabling vulnerable functionality;
  • Uninstalling vulnerable components;
  • Changing the system configuration; and
  • Upgrading the platform or service.

Companies should document all decisions not to remediate to prevent them from multiplying and becoming unmanageable. Failure to address a vulnerability is a decision to accept the risk. This decision should never be made by the IT or information security team, but by the business owner of the vulnerable asset. Exceptions should show up on the vulnerability assessment reports and the use of exceptions logged and tracked.

A Layered Approach

The need to find and fix vulnerabilities will persist for the foreseeable future. Companies should implement a vulnerability management program that begins with a security configuration baseline and references industry-recognized best practices. Strong leadership can promote top-to-bottom commitment to the process.

A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to secure any environment from threats. Vulnerability management must be a foundational element to every information security program.

Discover What IBM QRadar Vulnerability Manager can do for your business

 |  |  |  |  |  |  |  | 
Brian Evans
Virtual Private Cloud Security and Compliance Focal, IBM Cloud

More from Risk Management
April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

April 11, 2024

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature