If anything has been constant about cybersecurity, it is its ever-changing nature. It has been in a continuous state of flux since its inception. With cyber breaches happening by the second, users and stakeholders have come close to being insensitive to the compromise of their personal information. That insensitivity has two sources: the rising frequency of data breaches and the availability of robust vulnerability management programs. To understand this, let’s define vulnerability management first!
What is Vulnerability Management?
A vulnerability is a potential weakness that an attacker can exploit. Vulnerability Management can therefore be defined as a cyclical practice of identifying, categorizing and aggregating, prioritizing, remediating and mitigating vulnerabilities.
Practically every business conducts business online, or is at the very least connected to the internet. Most of them are susceptible to a network-based attack through a vulnerability in a connected system. Hence, executing vulnerability management is a must, as the web is full of hidden traps!
Why Vulnerability Management?
The cyclic vulnerability management process of discovery, prioritization and remediation of vulnerabilities needs to be modernized. Currently, cybersecurity teams work in silos, which causes long delays between detecting a vulnerability and remediating it.
SecOps teams analyze cyber breach incidents and remediate attacks.
SecAdmin teams identify and prioritize risks to ensure the enterprise meets various compliance requirements.
The IT Admin team remediates the risk with updates and patches.
What if all these teams could work together on a single platform that covers vulnerability management end to end, from automation and aggregation through prioritization to visibility? It would also help if this vulnerability management platform provided all the necessary integrations with open-source and popular scanners for smooth business operations. One such platform is Strobes, our flagship product, a risk-based vulnerability management platform for enterprises.
How can Vulnerability Management be Effective?
Having a vulnerability management process in place won’t by itself satisfy your cybersecurity needs. It needs to be effective. Vulnerability Management is much more than vulnerability scanning or assessment. It involves the above-mentioned cyclical process, with remediation of the scanned vulnerabilities on an annual or other periodic basis. The program should include multiple scans per year, detailed tracking, reporting and remediation, with vulnerability and root-cause analysis.
How Often Should Vulnerability Scanning be Done?
Well, it depends entirely on the company’s risk profile and regulatory policies. As the likelihood of a cyber breach keeps rising, we suggest that vulnerability scanning should happen more frequently than ever (quarterly/half-yearly). It’s better to schedule your scans, too. If the company chooses to scan just once a year to satisfy regulatory requirements, attackers have plenty of time to compromise a network. Also, such companies tend to end up with the same vulnerabilities year after year. Hence, vulnerability scanning should happen frequently.
Which Security KPIs are Important?
After the discovery or identification of vulnerabilities, someone (probably an in-house analyst or a cybersecurity vendor) should look out for the following Key Performance Indicators (KPIs): vulnerabilities broken down by operating system, port number and host. These metrics help enterprises allocate appropriate resources and gauge their strengths and weaknesses.
What to do with the Discovered Vulnerabilities?
Once the vulnerabilities have been discovered or identified and assessed, they must immediately be managed or remediated. If this isn’t done, things will blow out of proportion on an exponential scale. It’s the security equivalent of the adage “a stitch in time saves nine.”
No vulnerability is too small to matter, and none should be overlooked. It is imperative to track all vulnerability management efforts by following organizational change management policies to ensure the smooth flow of managing cyber risk.
Reassess the network after the completion of the remediation efforts. It helps ensure all discovered vulnerabilities get resolved, and there isn’t any scope for new vulnerabilities to creep in.
Measuring, Rating and Evaluating A Security Vendor
It’s always better to seek a third-party opinion or to collaborate with a cybersecurity vendor who is open to deploying their resources or training your enterprise on vulnerability management using their software. Irrespective of the size of a vulnerability management program, it is a given that it requires resources. Thus, while looking for an external cybersecurity resource or vendor, it is better to follow these simple rules –
Choose resources who are –
Experienced in implementing vulnerability management programs in your industry.
Ready to customize their approach to meet your enterprise needs based on company size, complexity and risk appetite.
Youthful exuberance matters too!
If the vendor is new to the scene, don’t discard them right away. A new resource/vendor also means they don’t have any baggage or preconceived notions about managing your cyber risk needs. They provide their top talent, work quality, and focus on getting the job done! Also, they can come at an economical price.
It is easy to gauge their approach to vulnerability management: their assessment reports should contain technical information such as a vulnerability list and an asset inventory. This also helps you identify patterns and data trends through an exhaustive vulnerability analysis. Furthermore, you could ask for a formal report that summarizes and thoroughly documents the methodology used to meet the CxO’s and product owners’ vision.
Vulnerability Management & Information Management
What is the world made up of? Information. Lots and lots of information. In the case of an enterprise, information management plays a significant role in shaping its future. Ideally, proper information management helps achieve true vulnerability management. During a cyber breach or incident, it is up to the CSIRT (Computer Security Incident Response Team) to convey critical information to all the stakeholders. As the CSIRT is aware of the existing security policies, it can work closely with the vulnerability management team to avoid any further information loss by planning for patches and other security procedures.
Another way to help determine the state of vulnerability management within the enterprise is through risk assessments. These assessments measure the amount of risk that specific systems pose to the network. With this information, executive management can prioritize the discovered vulnerabilities, release patches on time and mitigate the overall risk. Though these assessments are vital, it is difficult to assign a risk rating to the identified vulnerabilities without knowing their impact on the business flow.
Let’s understand vulnerability assessment more in-depth here –
Importance of Vulnerability Assessment
A robust vulnerability assessment helps complete enterprise vulnerability management. Enterprises should run these assessments during periods of low network usage, with prior approvals, to avoid network disruption. Though they can be time-consuming, saving a company from a major cyber breach is worth far more than the time invested in vulnerability assessments!
Integrating Vulnerability Assessments with IDS and IPS
Vulnerability assessments help optimize the functionality of intrusion detection system and intrusion prevention system tools. With this integration, enterprises can add more detail to alerts and thus prevent false alarms. These alerts help enterprises develop a better plan of action by providing details of what is happening on the system and the severity of the discovered vulnerabilities.
Next, define the threat-level from severe-to-low. Prioritization helps understand which vulnerability to fix first and so on. After the threat-levels are defined, develop vulnerability management countermeasures to mitigate risk.
How to Fit BYODs in Your Enterprise Vulnerability Management Strategy?
For any enterprise, it is of paramount importance to include BYOD (Bring Your Own Device) devices in your vulnerability management strategy. It has become common practice across enterprises to give network access to their internal and external users. Though it is a welcome practice for building company loyalty and trust, it can prove detrimental to the overall enterprise security posture, as many users aren’t tech-savvy. Scan every device, whether it is at home or on the enterprise network. Install all the necessary patches or updates, or guide the owners to do it, before they access the network. Otherwise, deny them access. This BYOD + Vulnerability Management strategy prevents stakeholders’ and users’ devices from opening the network to outside attackers.
Learning from others’ mistakes is probably the best learning an enterprise can gain. Gathering intelligence on the current threats plaguing your industry helps enterprises plan and be ready to combat those vulnerabilities. There are many vulnerability management platforms in the cybersecurity industry, but a risk-based vulnerability management platform is the need of the hour, system and network!
What is a Vulnerability Management Policy and How to Draft it?
A vulnerability management policy establishes the necessary controls and processes for the identification, prioritization, management and remediation of technical vulnerabilities and their associated risks that may hamper (Business Name’s) business flow. Here is an example of how to draft a vulnerability management policy for enterprises –
Purpose of Policy
(Business name) must assess all its IT assets to determine potential security impacts by identifying weaknesses that might compromise the confidentiality and integrity of sensitive data.
Resources/Entities/Individuals affected by this policy – Any asset or stakeholder associated with (Business Name) that manages, uses or owns an IT system that processes, stores and/or transmits business data must comply with this policy.
Vulnerability Assessment –
Frequency of Scanning –
Periodic (monthly/quarterly/yearly) scanning of the above-mentioned IT assets in the (Business Name) network.
If any aberration or anomaly is found in any IT asset, or if scanning can’t be performed seamlessly, the respective asset may be temporarily exempted from the vulnerability scanning process.
Supporting assets to the above assets won’t be exempted from other vulnerability assessment processes.
All exemptions must be approved by following the “information security risk acceptance process” designed by the Executive Director of IT Security.
Accuracy of Scanning –
All the above-mentioned IT assets must be scanned using an authenticated scanner to improve the accuracy of vulnerability scanning.
If authenticated (credential-based) scanning is not possible, the Executive Director for IT Security must be ready to approve a temporary exemption for seamless business flow.
Validation of Scanning –
As per schedule, internal and external penetration testing will be executed. The purpose of these tests is to verify the working condition of the security controls protecting (Business Name’s) IT assets.
Network-level and application-level tests will take place.
The IT Security Team will provide the results of the penetration tests in detailed reports to the system administrator responsible for that particular asset.
Remediation After Scanning –
All the discovered vulnerabilities will be corrected/remediated by the system admin for the asset.
Next, to validate the above remediation, a retest is performed to confirm that the risk associated with the discovered vulnerabilities has been mitigated.
The time periods for remediating high-risk, medium-risk and low-risk vulnerabilities are 30, 90 and 120 days, respectively.
If an issue doesn’t get fixed within the above timeframe, the Executive Director of IT Security must sign an approval for an extension.
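A worked example of the remediation windows, retest validation and extension-approval rules above, added here as an illustration (not part of the original policy text and not Strobes code); the Finding fields, asset names and dates are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows stated in the policy: high 30, medium 90, low 120 days.
SLA_DAYS = {"high": 30, "medium": 90, "low": 120}

@dataclass
class Finding:
    asset: str
    severity: str                # "high" | "medium" | "low"
    discovered: date             # date the scan first reported it
    remediated: bool = False     # system admin reports the fix applied
    retest_passed: bool = False  # validation retest confirmed the fix
    extension_until: "date | None" = None  # extension signed by the Executive Director of IT Security

def due_date(f: Finding) -> date:
    """Deadline under the 30/90/120-day windows; an approved extension may push it later."""
    base = f.discovered + timedelta(days=SLA_DAYS[f.severity])
    if f.extension_until and f.extension_until > base:
        return f.extension_until
    return base

def status(f: Finding, today: date) -> str:
    """closed: fixed and retested; needs_retest: fixed but not validated, so still open;
    overdue: open and past the deadline, needs an extension approval; open: within the window."""
    if f.remediated and f.retest_passed:
        return "closed"
    if f.remediated:
        return "needs_retest"
    if today > due_date(f):
        return "overdue"
    return "open"

def compliance_report(findings, today):
    """Group findings by status; the 'overdue' list is what needs the Executive Director's sign-off."""
    report = {"closed": [], "needs_retest": [], "overdue": [], "open": []}
    for f in findings:
        report[status(f, today)].append(f)
    return report

TODAY = date(2024, 2, 15)
SAMPLE = [  # constructed sample findings, not real scan data
    Finding("web-01", "high", date(2024, 1, 1)),                                        # overdue
    Finding("web-02", "high", date(2024, 1, 1), extension_until=date(2024, 3, 1)),      # open (extended)
    Finding("web-01", "high", date(2024, 1, 20), remediated=True, retest_passed=True),  # closed
    Finding("db-02", "medium", date(2024, 1, 10), remediated=True),                     # needs_retest
    Finding("db-02", "low", date(2024, 1, 15)),                                         # open
]
REPORT = compliance_report(SAMPLE, TODAY)  # e.g. [f.asset for f in REPORT["overdue"]] -> ['web-01']
```

Note that a remediated finding without a passed retest is still counted as open, matching the policy's requirement that a fix is only validated by the retest.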
Who is responsible for Vulnerability Management (VM)?
For an enterprise, segregation of duties ensures efficient vulnerability management. The following roles should take responsibility for vulnerability assessment, remediation and compliance –
The IT Security Team works with the asset owner to perform a technical vulnerability assessment of the supporting IT asset/product or service.
After the mitigation/remediation of the discovered vulnerabilities, asset owners are responsible for ensuring that the associated asset is available for security assessments (auditing, verifications) to reduce further risk.
System Administrators are responsible for implementing the remediation process.
The Executive Director for IT Security is responsible for ensuring enterprise-level compliance with the vulnerability management policy.
Note: Failure to comply with this vulnerability management policy will lead to the interruption of network service and incur legal actions and fines resulting from violating the standards set by HIPAA, FERPA, and PCI.