Vulnerability management is a very deep topic, consisting of far more than just an anti-virus scan and an automated monthly report, but you don't need a degree in Computer Science to understand what a great vulnerability management program can do for your business!
Today we're going to cover the basics of vulnerability management, including the components, stages, and life cycle of a solid program.
This blog is an excerpt of a recent webinar.
Components of a Vulnerability Management Program
Vulnerability scanning is simply checking for weaknesses that might be appealing to attackers. However, this is only one part of a comprehensive scanning and remediation plan. It's not just about finding the issues, it's about what you do with the problems you find!
The basic components of a vulnerability management program answer a few simple questions:
- What exactly are you doing?
- How are you doing it?
- Can you provide documentation?
- What tools are you using?
- Who is involved in the process?
- Why are you doing it?
The "why" is especially important in today's modern workplace. Even if you're not required by industry-specific regulatory compliance, potential legal and liability aspects mean that you need to know what your vulnerability management program is doing to protect you.
These components can be broken down into a few easy-to-answer questions to ensure you're doing all you can to manage your cybersecurity infrastructure.
Policy and Procedures
Do you have a vulnerability scanning and remediation process?
Without a vulnerability remediation process, your vulnerability scanning is practically worthless. Knowing where you have security trouble is one thing; fixing those issues is another. You need a thorough scanning AND remediation process.
Do you keep documentation as evidence to auditors?
Obviously if you have regulatory compliance standards, you need to keep satisfactory documentation of your vulnerability scanning and remediation. But this is also important for those with cyber insurance or any business looking to avoid potential legal issues.
Do you perform trend analysis?
Trend analysis goes hand in hand with documentation. If an auditor shows up and you have two weeks of scans documented, you're in big trouble! While the time varies depending on your industry or insurance requirements, I recommend keeping AT LEAST one year of documentation on hand to show that you're mitigating problems and taking real steps to avoid cybersecurity issues.
Do you have vendor management procedures?
Every vendor you work with has a different patch schedule. Some release monthly, some weekly. When you run your vulnerability scans, you're going to notice findings that linger between one vendor release and the next. Get each vendor's patch schedule in writing so you can tell an expected gap from a real problem.
Tools and People
Do you own a tool or do you outsource the work to an MSP?
This is a straightforward question, but the answer will shape how your entire cybersecurity infrastructure is built and maintained.
Do you have employees who understand the reports and remediate specific findings?
If you're running scans in accordance with your requirements, but you don't have the staff to comprehend and fix the issues that arise, you're only doing half the job.
To be honest, I find that most small to medium businesses don't have a designated person to handle the vulnerability management process. This is simply because there is too much ground to cover. A single vulnerability scan might find issues with email configuration settings, custom code, and enterprise network settings.
Finding a single person with the skills required to complete these tasks can be downright impossible. In those situations, it's best to work with a managed service provider for a complete vulnerability management solution.
Do you have employees responsible for patching systems and applications?
This is more than just a junior employee to run software updates. Do you have system backup management with high redundancy and availability? What about someone to test your new code in pre-production?
Risk and Compliance
Do you have a committee to review risks and assign vulnerability priorities?
If you have a board, committee, or C-suite that you report to, how are vulnerabilities prioritized? Who assigns severity levels? How do you quantify costs for remediation tools and time?
Do you have a compliance requirement that guides your efforts?
Again, this is a reminder that your industry-specific regulatory compliance guidelines should be your north star! HIPAA, CMMC, or whatever framework applies to your industry: at a minimum, you need to follow its rules to the letter.
What is your overall risk appetite within the organization?
Risk appetite varies from business to business, even within the same industry. A higher tolerance for risk means less pressure on your IT team, but it also leaves more risk and liability with the organization as a whole.
Are you managing risk across all applications (Custom apps, on-prem, cloud, SaaS)?
Before you answer this question, you need to run a full software asset inventory. Most organizations drastically underestimate the amount of software they use every day. Undercounting it means the software you missed is never scanned, never patched, and never appears in your remediation and reporting timelines.
The Phases of a Vulnerability Management Program
Identification & Assessment
Identification and vulnerability assessment involves gathering subnets, IP addresses, host information, and credentials for each location. I find that the first time most organizations do this, they discover they're missing a location or subnet. If you haven't been monitoring a location, you haven't been protecting or patching it either!
Next comes scheduling. What order do I scan in? How many vulnerability scanners will I need? How are my assets performing while a scan runs? Am I maxing out CPU or RAM? You need to decide when your scans will happen and in what order.
Then prioritize. Build timelines that reflect your risk appetite: decide what needs to be remediated, and when, based on your compliance requirements, budget, and staffing. Don't forget that these timelines need to match your written policy to cover yourself in case of an audit.
Finally, reporting. Reporting is subjective because you need to tailor the information from your scans to each audience that reviews it: how often they see it, snapshot versus trend analysis, and technical reports versus executive summaries.
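The identification step above boils down to reconciling what you believe you own with what your scanner actually covers. The following is an added example, not code from the original post or the author's tooling; the inventory, scan target list and live-host results are constructed sample data standing in for a CMDB or DHCP export and a scanner's configuration and host-discovery output.

```python
"""Scan coverage check: reconcile what you own with what you scan.

Added example; not code from the original post. All data below is
constructed: an inventory of subnets per location (as a CMDB or DHCP
export might give you), the target list the scanner was configured
with, and the hosts the last scan actually found alive.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: subnets we believe we own, grouped by location.
INVENTORY = {
    "HQ": ["10.10.0.0/24", "10.10.1.0/24"],
    "Warehouse": ["10.20.0.0/24"],
    "Branch-2": ["10.30.0.0/24"],  # added to the CMDB, never added to the scanner
}

# Constructed: what the scanner was told to scan.
SCAN_TARGETS = ["10.10.0.0/23", "10.20.0.0/24", "172.16.9.0/24"]

# Constructed: hosts the last scan found alive.
LIVE_HOSTS = ["10.10.0.5", "10.10.1.9", "10.20.0.7", "192.168.50.12"]


@dataclass
class CoverageReport:
    unscanned: dict        # location -> inventoried subnets no scan target covers
    unknown_hosts: list    # live hosts outside every inventoried subnet (shadow IT?)
    stray_targets: list    # scan targets that overlap no inventoried subnet


def coverage_report(inventory, scan_targets, live_hosts):
    targets = [ipaddress.ip_network(t) for t in scan_targets]
    known = {loc: [ipaddress.ip_network(s) for s in subs]
             for loc, subs in inventory.items()}
    all_known = [n for subs in known.values() for n in subs]

    # Inventoried subnets that no configured target fully contains.
    unscanned = {}
    for loc, subs in known.items():
        gaps = [str(s) for s in subs if not any(s.subnet_of(t) for t in targets)]
        if gaps:
            unscanned[loc] = gaps

    # Hosts that answered the scanner but live in no subnet we know about.
    unknown = [h for h in live_hosts
               if not any(ipaddress.ip_address(h) in n for n in all_known)]

    # Targets we are scanning that the inventory says we don't own.
    stray = [str(t) for t in targets if not any(t.overlaps(n) for n in all_known)]
    return CoverageReport(unscanned, unknown, stray)


if __name__ == "__main__":
    r = coverage_report(INVENTORY, SCAN_TARGETS, LIVE_HOSTS)
    for loc, subs in r.unscanned.items():
        print(f"NOT SCANNED  {loc}: {', '.join(subs)}")
    for h in r.unknown_hosts:
        print(f"UNKNOWN HOST {h} (alive, not in inventory)")
    for t in r.stray_targets:
        print(f"STRAY TARGET {t} (scanned, not in inventory)")
```

Run against the constructed data it reports Branch-2 as never scanned, one live host that no inventoried subnet explains, and one scan target that the inventory doesn't own. The first is the missing location the paragraph warns about; the second is a shadow IT lead; the third is either a stale scanner config or an inventory gap, and both need a human to decide which.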
Vulnerability Management Lifecycle
The most important thing to remember with vulnerability management is that it's never done. This is an iterative process that you will go through endlessly. Let's break down the steps of the process.
Discovery is the most important step of the process. You need to be able to see and communicate with every asset in your organization. Be alert for firewall issues, communication problems, and shadow IT. If the data you're collecting out of the gate is incomplete, you can't be successful.
Next, analyze the findings. What do they look like? Are you seeing repeat issues? Did a patch complete but still leave you vulnerable? Look for problems with your tools and with your processes.
Then report. Who are you reporting to, and what are you reporting on? Again, structure your reporting based on your audience, and give them only the details they need.
After reporting on your findings, you get to the remediation side of the lifecycle. Know exactly what your mission-critical systems are, and prioritize from there. Any vulnerability that is being actively exploited takes precedence over everything else, especially on internet-facing systems, because those are open to the world. Some will suggest starting with low-hanging fruit or the highest scores, but I always recommend prioritizing mission-critical and internet-facing systems to keep your organization safe.
When it comes time to remediate, there are multiple schools of thought for you to consider.
- The 80/20 rule - 80% of your risk comes from 20% of your vulnerabilities, often a handful of issues repeated across many hosts. Tackle those first.
- Lowest hanging fruit - The easiest work that covers the most ground gets you started.
- Highest CVSS score - Remediate the most severe issues first. This closes the biggest gaps first, but remember that a CVSS score measures severity, not how likely the issue is to be exploited in your environment.
Which path your team chooses is up to you. All of these have their positives and negatives.
Don't forget to consider vendor patch availability. If there is a known vulnerability but the vendor hasn't released a security patch, you can't remediate it yet. Put a compensating control in place, document the exception, and revisit it when the patch ships, rather than simply moving on.
Also think about the amount of testing a patch needs before deployment. You can get away with minimal testing for small operating system or application patches, but most remediations need at least some testing, especially server-level or network appliance patching. When these patches require downtime, a failed one can be catastrophic for your business.
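To make the prioritization advice above concrete, here is an added example (not the post's own tooling). The tiering rule follows the post's order of precedence: actively exploited and internet-facing first, then exposure and mission-criticality, then CVSS. The SLA table is an assumed policy you would replace with the deadlines in your own written policy, the vulnerability IDs are placeholders rather than real CVEs, and the findings are constructed sample data. It also shows the 80/20 view from the list above and the "no vendor patch yet" case from the previous paragraph.

```python
"""Remediation queue with policy deadlines.

Added example; not the post's own tooling. Tiering follows the post's
advice (exploited and exposed first, then CVSS); SLA_DAYS is an assumed
policy; findings and vulnerability IDs are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: days allowed to remediate per tier. Yours lives in your written policy.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass
class Finding:
    host: str
    vuln_id: str                   # placeholder IDs, not real CVEs
    cvss: float
    first_seen: date
    internet_facing: bool = False
    mission_critical: bool = False
    known_exploited: bool = False  # exploitation reported in the wild
    patch_available: bool = True


def tier(f: Finding) -> str:
    """Exposure and active exploitation outrank the raw score."""
    if f.known_exploited and f.internet_facing:
        return "P1"
    if f.known_exploited or (f.internet_facing and f.cvss >= 7.0) \
            or (f.mission_critical and f.cvss >= 9.0):
        return "P2"
    if f.cvss >= 7.0 or f.mission_critical:
        return "P3"
    return "P4"


def build_queue(findings, today):
    """Order by tier, exposure, criticality, then CVSS, and attach policy deadlines."""
    def key(f):
        return (int(tier(f)[1]), not f.internet_facing, not f.mission_critical, -f.cvss)
    queue = []
    for f in sorted(findings, key=key):
        t = tier(f)
        due = f.first_seen + timedelta(days=SLA_DAYS[t])
        queue.append({
            "host": f.host, "vuln": f.vuln_id, "tier": t, "due": due,
            "overdue": today > due,
            # No vendor fix yet: the action is a compensating control, not "move on".
            "action": "patch" if f.patch_available else "compensating control, track for patch",
        })
    return queue


def top_vulns(findings, share=0.8):
    """80/20 view: fewest distinct vulnerabilities that account for `share` of all findings."""
    counts = Counter(f.vuln_id for f in findings)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    chosen, covered, total = [], 0, len(findings)
    for vuln, n in ranked:
        chosen.append((vuln, n))
        covered += n
        if covered >= share * total:
            break
    return chosen


# Constructed sample findings (one exploited bug repeated across many hosts).
FINDINGS = [
    Finding("web01", "VULN-001", 9.8, date(2024, 5, 1), internet_facing=True, known_exploited=True),
    Finding("db01", "VULN-002", 7.5, date(2024, 5, 10), mission_critical=True),
    Finding("vpn01", "VULN-003", 8.1, date(2024, 5, 3), internet_facing=True, patch_available=False),
    Finding("app02", "VULN-001", 9.8, date(2024, 5, 1), known_exploited=True),
    Finding("ws-07", "VULN-004", 5.3, date(2024, 4, 1)),
] + [Finding(f"ws-0{i}", "VULN-001", 9.8, date(2024, 5, 1), known_exploited=True)
     for i in range(1, 6)]


if __name__ == "__main__":
    for row in build_queue(FINDINGS, date(2024, 6, 1)):
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'{row["tier"]} {row["host"]:6} {row["vuln"]} due {row["due"]} {row["action"]} {flag}')
    print("80/20:", top_vulns(FINDINGS))
```

Note what the ordering does with the sample data: the internet-facing VPN appliance with no vendor patch lands above the internal hosts carrying a CVSS 9.8 bug, because exposure outranks score, and its action is a compensating control rather than a patch. The 80/20 helper shows that two of the four vulnerability IDs account for 80% of the findings, which is the kind of result that tells a small team where a single patch cycle does the most good.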
Finally, verify. I can't tell you the number of times I've seen organizations put this entire process in place without validating the results. You can't just schedule system maintenance and never check the outcome. Confirm that everything you scheduled ran and completed successfully, and that the next scan no longer reports the finding.
Again, this is not a one-time deal. Rinse and repeat until your entire tech stack is under control. Even after you've mitigated all that you can and reached an acceptable risk threshold, the vulnerability management lifecycle continues. It'll just be simpler, faster, and easier!
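The trend analysis an auditor expects, the "did the patch actually take?" question from the analysis step, and the verification step all come down to comparing one scan's results against the next. The following is an added example, not the post's code; each scan is a constructed set of (host, vulnerability) pairs with placeholder IDs, and the patch log is a constructed record of what a patch job claimed it completed.

```python
"""Scan-to-scan trending and patch verification.

Added example, not the post's code. Scan results are constructed: each
scan is the set of (host, vulnerability) pairs it reported, and the
patch log is what the patch job claimed it completed.
"""
from datetime import date

# Constructed scan snapshots, keyed by scan date (placeholder vulnerability IDs).
SCANS = {
    date(2024, 4, 1): {("web01", "VULN-001"), ("db01", "VULN-002"), ("ws-07", "VULN-004")},
    date(2024, 5, 1): {("db01", "VULN-002"), ("vpn01", "VULN-003"), ("ws-07", "VULN-004")},
    date(2024, 6, 1): {("db01", "VULN-002"), ("vpn01", "VULN-003"), ("web01", "VULN-001")},
}

# Constructed patch log: finding -> date the patch job reported success.
PATCH_LOG = {
    ("web01", "VULN-001"): date(2024, 4, 20),
    ("ws-07", "VULN-004"): date(2024, 5, 15),
}


def diff(prev, cur):
    """What changed between two consecutive scans."""
    return {"new": cur - prev, "fixed": prev - cur, "persistent": prev & cur}


def trend(scans):
    """One row per scan after the first: open, new, fixed and persistent counts."""
    dates = sorted(scans)
    rows = []
    for prev, cur in zip(dates, dates[1:]):
        d = diff(scans[prev], scans[cur])
        rows.append({"scan": cur, "open": len(scans[cur]),
                     "new": len(d["new"]), "fixed": len(d["fixed"]),
                     "persistent": len(d["persistent"])})
    return rows


def regressions(scans):
    """Findings that disappeared in at least one scan and later came back."""
    dates = sorted(scans)
    out = set()
    for f in set().union(*scans.values()):
        seen = [f in scans[d] for d in dates]
        first = seen.index(True)
        last = len(seen) - 1 - seen[::-1].index(True)
        if not all(seen[first:last + 1]):
            out.add(f)
    return out


def unverified_patches(scans, patch_log):
    """Patches the job reported complete that a later scan still flags."""
    latest = max(scans)
    return sorted(f for f, patched in patch_log.items()
                  if patched < latest and f in scans[latest])


def age_days(scans, finding):
    """How long a currently open finding has been continuously open, in days."""
    dates = sorted(scans, reverse=True)
    if finding not in scans[dates[0]]:
        return 0
    opened = dates[0]
    for d in dates[1:]:
        if finding not in scans[d]:
            break
        opened = d
    return (dates[0] - opened).days


if __name__ == "__main__":
    for row in trend(SCANS):
        print(f'{row["scan"]}: open={row["open"]} new={row["new"]} '
              f'fixed={row["fixed"]} persistent={row["persistent"]}')
    print("regressions:", regressions(SCANS))
    print("patched but still vulnerable:", unverified_patches(SCANS, PATCH_LOG))
    print("db01/VULN-002 open for", age_days(SCANS, ("db01", "VULN-002")), "days")
```

On the constructed data the open count is flat at three for every scan, which is exactly the kind of number that looks fine on a monthly snapshot and hides the story: one finding was "fixed", vanished for a scan, and came back, and the patch log says it was patched in April. That is a failed or partial patch that only a scan-to-scan comparison surfaces, and the reason the verification step exists.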
Vulnerability Management: The Common Questions
What's the difference between vulnerability mitigation and remediation?
Vulnerability mitigation reduces the likelihood or impact of a vulnerability without removing it. Vulnerability remediation is complete and total removal of the issue, typically by patching, upgrading, or decommissioning the affected component.
What are compensating controls?
Compensating controls are mitigations that stand in for the fix you can't apply yet, reducing exposure to a vulnerability until it can be remediated. "I can't achieve this in the optimal way right now, but I will do this instead to protect us as best I can."
What is an alert suppression?
Alert suppression is exactly what it sounds like. It means disabling alerts and notifications from a system or software. This can make sense in certain cases, such as a system with an upcoming end-of-life date, but I typically advise against it for fear of missing an emergency issue.
What is Shadow IT?
Shadow IT is every piece of technology in use that your cybersecurity team simply doesn't know about. Third-party software and personal devices often fall into this category. If you don't know about it, you can't secure it.
Can I exclude certain hosts from scans?
You can, but again, I advise against this practice. I know from personal experience that network devices can be finicky, but I would still make sure it is scanned to the best of your ability before considering any exclusions.
Overwhelmed yet? We know that keeping your business protected from threat actors and data breaches is a full-time job. Even if your IT department is well-staffed, our co-managed IT services can help strengthen your organization's security posture. Reach out to us for a personalized consultation!