As with any program, establishing a written policy or procedure document can clarify objectives and expectations for all participating members. The following components should be incorporated into a VM policy document:
- Responsible parties. Individuals who will be responsible and accountable for the identification and remediation of network, system, and application vulnerabilities should be identified.
- Oversight. An executive should be designated to oversee the program and establish the vulnerability management committee.
- Cadence. A good starting point is monthly, as this time frame aligns with patching schedules for major IT software vendors.
- System classification. Vulnerabilities discovered might be more likely to be exploited based on the system in which they reside. Example classifications might be internet-accessible servers, internal servers, or user workstations. Systems subject to compliance requirements, such as payment card industry requirements or the Health Insurance Portability and Accountability Act, might also be appropriate classifications.
- Vulnerability scoring. Not every vulnerability requires the same level of attention. Prioritizing issues can help focus efforts on the most important issues first. For example, internet-accessible or compliance systems should translate to higher scores.
- Remediation timeline. Based on the score of the vulnerability, default remediation timeline expectations should apply. For example, critical vulnerabilities must be remediated within 30 days.
- Exception handling. Not every vulnerability can be remediated within the expected timeline. Exceptions must be documented and approved, or compensating controls should be documented.
“To know your enemy, you must become your enemy.” – Sun Tzu
Vulnerability management enables an organization to examine itself through the eyes of an adversary. A VM program must have an offensive perspective to properly prioritize remediation efforts. Inputs into the VM program include results from vulnerability scanning applications, which are validated by information security, and penetration testing, performed either internally or by an external third party. These reports come with a default risk score, and it is up to the vulnerability management committee, consisting of information security, information technology, application development teams, and the appropriate business units, to agree on the final risk rating. This important effort is based on:
- Initial rating provided by the assessment
- System classification as defined in the policy
- Impact to the organization should the vulnerability be successfully exploited
- Requirements and complexity involved to successfully exploit the vulnerability
Outputs from the VM program include:
- Prioritized list of vulnerabilities risk-scored for the organization and agreed on by the VM committee
- Tasks and tickets detailing the changes required for remediation of the vulnerabilities and identification of the assigned resource or team
- Exception requests (routed to the executive)
One last output is metrics, including the mean time to identify, time to remediate, scan run time, and coverage percentage. The mean time to identify is defined as the difference between the time the vulnerability was first identified and when it was disclosed to the public. The time to remediate is the difference between the time a vulnerability was first identified by the organization and when it was mitigated. The scan run time is the amount of time necessary to run a vulnerability scan, and coverage percentage is the number of systems scanned as compared to the total number of company systems. All these metrics are good starting points. The main focus for many organizations is identifying open vulnerabilities organized by score and system classification.
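Worked example, added here and not part of the article, of the committee scoring, remediation timeline, and metrics described above. The weights, rating thresholds, every SLA except the 30-day critical window, and the sample findings are all hypothetical values chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical weights: the policy names the factors; the numbers here are assumptions.
CLASS_WEIGHT = {"internet": 1.5, "compliance": 1.4, "internal": 1.0, "workstation": 0.8}
COMPLEXITY_WEIGHT = {"low": 1.2, "medium": 1.0, "high": 0.7}  # easier exploitation scores higher
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}  # only critical=30 is from the text

@dataclass
class Finding:
    name: str
    base_score: float           # default score from the scanner or pentest report (0-10)
    classification: str         # system classification from the policy
    complexity: str             # requirements and complexity to exploit
    impact: float               # committee-agreed business impact multiplier
    identified: date            # when the organization first identified it
    remediated: Optional[date] = None
    exception_approved: bool = False
def committee_score(f: Finding) -> float:
    """Adjust the assessment's default score by the committee's factors, capped at 10."""
    s = f.base_score * CLASS_WEIGHT[f.classification] * COMPLEXITY_WEIGHT[f.complexity] * f.impact
    return round(min(s, 10.0), 1)
def rating(score: float) -> str:
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"
def due_date(f: Finding) -> date:
    return f.identified + timedelta(days=SLA_DAYS[rating(committee_score(f))])
def status(f: Finding, today: date) -> str:
    if f.remediated:
        return "remediated"
    if f.exception_approved:    # documented, approved exception routed to the executive
        return "exception"
    return "overdue" if today > due_date(f) else "open"
def metrics(findings, today: date, scanned: int, total: int) -> dict:
    """Mean time to remediate, scan coverage, overdue items, open findings by rating and class."""
    ttr = [(f.remediated - f.identified).days for f in findings if f.remediated]
    open_by = Counter((rating(committee_score(f)), f.classification) for f in findings if not f.remediated)
    return {"mean_ttr_days": sum(ttr) / len(ttr) if ttr else None,
            "coverage_pct": round(100 * scanned / total, 1),
            "overdue": [f.name for f in findings if status(f, today) == "overdue"],
            "open_by_class": dict(open_by)}
TODAY = date(2024, 4, 15)  # constructed sample findings below are not real data
FINDINGS = [
    Finding("web-rce", 7.5, "internet", "low", 1.0, date(2024, 3, 1)),
    Finding("ws-dos", 7.5, "workstation", "high", 1.0, date(2024, 3, 1), remediated=date(2024, 3, 20)),
    Finding("card-db-auth", 5.0, "compliance", "medium", 1.2, date(2024, 3, 10), exception_approved=True),
    Finding("int-lpe", 9.8, "internal", "medium", 0.8, date(2024, 4, 1), remediated=date(2024, 4, 10)),
]
```

Running `metrics(FINDINGS, TODAY, 180, 200)` reports the internet-facing finding as overdue against its 30-day window, the compliance system's finding as an approved exception, a mean time to remediate of 14 days, and 90% scan coverage.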
Many tools exist that can run scans and produce lengthy lists of vulnerabilities, but without proper validation and prioritization, large amounts of time and resources might be spent fixing very low-risk issues. That’s why technology must be chosen and implemented to support the VM process. Too often, organizations start with technology and do not consider the people and processes involved until much later.
“The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu
Incident response is a very expensive endeavor, yet vulnerability management is an effective way to subdue the enemy without fighting. Proactively identifying and remediating vulnerabilities in a network can prevent attackers from being successful in the first place. Attention to fixing vulnerabilities can increase the time, effort, and complexity necessary to escalate privileges, maintain access, and move laterally should attackers obtain that initial point of entry. Further, attackers might be forced into compromising stealth to make progress, thus making it easier to detect and neutralize them.
While not every path to corporate data and systems can be blocked, an active VM program can make things much more difficult for would-be attackers, reducing the occurrence of cybersecurity incidents.
“In the midst of chaos, there is also opportunity.” – Sun Tzu
Vulnerability management is a powerful preventive control that should be implemented in every organization. Organizations can take advantage of the chaos of the modern cybersecurity battleground by proactively addressing their weaknesses and capitalizing on their strengths. Sun Tzu might agree that the opportunity to strengthen cybersecurity posture lies right in the middle of the chaos.