Attributes of a Robust Vulnerability Management Program


How to Protect Enterprises in a Challenging Security Environment

Vulnerability management programs are no longer optional or a luxury for most enterprises: their core component, the vulnerability assessment, is a compliance, auditing and risk management requirement, and creating a structured program that executes this function regularly and deliberately has become important. However, many enterprises face significant challenges in strategizing, configuring and implementing suitable solutions.

We discussed what a vulnerability assessment is and why it’s important to cybersecurity. Now let’s focus on putting a one-time assessment into a process to create a more strategic approach.

Here is a closer look at the common attributes of an effective vulnerability management program, one that provides deeper understanding of, and control over, organizational information security risks as part of a risk-based security approach.

Network Vulnerability Assessment and Identification Processes

Effective vulnerability management is only possible once relevant assets and potential vulnerabilities are identified and categorized. Discovery must include a comprehensive network scan and system audit; sophisticated software tools and applications can effectively automate a large part of this process.

The catalog of assets should be classified according to potential vulnerabilities, as well as configuration, patch, and compliance states, which generates an initial risk assessment. The catalog of assets must also be continually refreshed to remain relevant, since networks are in a constant state of change.


Prioritization and Risk-Based Vulnerability Management

Enterprises commonly struggle to prioritize which assets to protect first: they may not have an accurate understanding of asset criticality, or may be unaware of how real-world threats and attackers actually behave. Major standards agree that reducing risk and responding to vulnerabilities should be accomplished in a risk-based, prioritized fashion:

  • NIST Framework for Improving Critical Infrastructure Cybersecurity – Provides a definitive framework that “uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. [It] gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.”
  • PCI DSS, Requirement 6.1 – Organizations must “establish a process to identify… and assign a risk ranking to newly discovered security vulnerabilities.”
  • HIPAA, Security Rule – Mandates an “assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
  • GLBA, Safeguard Rule – Requires organizations to “identify and assess risks to customer information… and evaluate the effectiveness of current safeguards for controlling these risks.”

By using a predefined set of characteristics for scoring, assets can be ranked according to their risk value; known risks with the highest risk value are first in line to be resolved. Creating a ranked list provides an effective framework to focus security team efforts on patching and eliminating the most critical risks as soon as possible.
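As an added illustration of the scoring-and-ranking step described above, here is a small Python model that is not part of the original post or of any Avertium product. The weights, the Finding fields, the finding ids and the sample hosts are constructed assumptions; the point it demonstrates is that a finding's place in the queue depends on business context (asset criticality, exposure, exploit availability), not on the CVSS score alone.

```python
"""Risk-based ranking of vulnerability findings (added example).

The scoring model is a constructed illustration, not a standard: each finding
gets a risk value from its CVSS base score, the criticality of the asset it
sits on, whether the asset is internet-exposed, and whether a public exploit
is known. Findings are then ranked so the highest risk value comes first.
"""
from dataclasses import dataclass

# Constructed weights; an organization would tune these to its own criteria.
CRITICALITY_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0, "critical": 3.0}
EXPOSURE_MULTIPLIER = {"internal": 1.0, "internet": 1.5}
EXPLOIT_MULTIPLIER = {False: 1.0, True: 1.3}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    criticality: str      # asset criticality taken from the asset catalog
    exposure: str         # "internal" or "internet"
    exploit_public: bool  # True when a public exploit is known


def risk_value(f: Finding) -> float:
    """Combine technical severity with business context into one number."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.finding_id}: {f.cvss}")
    score = (f.cvss
             * CRITICALITY_WEIGHT[f.criticality]
             * EXPOSURE_MULTIPLIER[f.exposure]
             * EXPLOIT_MULTIPLIER[f.exploit_public])
    return round(score, 2)


def rank_findings(findings):
    """Return findings ordered highest risk value first; ties broken by CVSS."""
    return sorted(findings, key=lambda f: (risk_value(f), f.cvss), reverse=True)


# Constructed sample findings; hosts and ids are hypothetical.
SAMPLE_FINDINGS = [
    Finding("F-1", "dev-build-01", 9.8, "low", "internal", False),
    Finding("F-2", "web-portal-01", 7.5, "critical", "internet", True),
    Finding("F-3", "hr-db-01", 8.1, "high", "internal", False),
    Finding("F-4", "kiosk-03", 5.3, "medium", "internet", True),
]

if __name__ == "__main__":
    # The 9.8 on the low-value build box lands last; the 7.5 on the exposed,
    # critical portal with a public exploit lands first.
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.finding_id:5} {f.asset:15} cvss={f.cvss:4} risk={risk_value(f)}")
```

The multiplicative form is deliberate: a high CVSS on an isolated, low-value host should not outrank a moderate CVSS on an exposed, critical system, and the range check on the CVSS input catches malformed scanner output before it silently distorts the ranking.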


Ongoing Vulnerability Detection

A robust vulnerability management program provides for a continuous monitoring and data-driven approach to identify, understand and act against vulnerabilities, effectively closing the window of opportunity for damaging attacks. Information is gathered from a variety of sources, including software updates, patches, threat bulletins, security advisories, and vendor recommendations.

Malicious actors typically receive data from the same sources, and a race begins to see if a vulnerability can be exploited before the target can conduct remediation. This highlights the importance of timely patching and updating. Enterprises that are not proactive and resolute in their continuous vulnerability detection and management risk falling victim to opportunistic attackers.

Risk Response

Vulnerabilities that cannot be remediated through patching, updating, or replacement can be managed in one of three other ways:

Mitigate. Risk is reduced by applying controls to reduce the threat posed by the vulnerability. In a cybersecurity context, this can include operations like segregating vulnerable portions of the network or devices, or deploying enhanced authentication or authorization solutions.

Compensate. Compensating controls are deployed when total remediation fails or is not possible: a compensating control provides a similar, though not identical, level of protection. Segregation of duties policies, which remove the ability of a single individual to have complete authority over a critical process, are commonly deployed by enterprises as a compensating control.

Accept. The risk is accepted: There’s no effective solution, or the risk posed is outweighed by the cost of response. This is only recommended as a last resort.

Recover and Report

Recovery involves processes and procedures aimed at restoring services and systems that have been affected by a vulnerability or attack. Damage has already been contained; now the focus is on minimizing disruption to normal activities and restoring interrupted service. Analysis of incident data can yield new insights into vulnerability management processes and strategies, further honing security capabilities.

Vulnerability management reporting provides a framework to analyze vulnerability program performance. Metrics should demonstrate success or improvement in the following key areas, among others:

  • Vulnerabilities identified and remediated
  • Time required to identify and resolve high-risk vulnerabilities (Mean time to remediate – MTTR)
  • Previously unknown assets, services and applications discovered
  • Cost of prioritization and remediation processes
  • Error rate of IT operations
  • Compliance audit preparation costs
  • Compliance audit success rate
  • Resources required for reporting
  • Amount of risk over time
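The following Python snippet, added here and not part of the original post, computes two of the metrics listed above from a small constructed finding log: mean time to remediate (MTTR) for high-risk findings, and the amount of open risk at a series of dates. The record layout, the 7.0 high-risk threshold, the dates and the finding ids are assumptions for the illustration, not a standard schema.

```python
"""Vulnerability program metrics from a finding log (added example).

Two of the reporting metrics, MTTR for high-risk findings and open risk over
time, computed from constructed records. Layout and threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

HIGH_RISK_THRESHOLD = 7.0  # assumed cut-off: risk >= 7.0 counts as high risk


@dataclass(frozen=True)
class Record:
    finding_id: str
    risk: float                 # risk value assigned when the finding was identified
    identified: date
    remediated: Optional[date]  # None while the finding is still open


# Constructed records; ids and dates are hypothetical.
RECORDS = [
    Record("F-1", 9.8, date(2024, 1, 2), date(2024, 1, 5)),
    Record("F-2", 8.1, date(2024, 1, 3), date(2024, 1, 17)),
    Record("F-3", 4.0, date(2024, 1, 4), date(2024, 1, 6)),
    Record("F-4", 7.5, date(2024, 1, 10), None),
    Record("F-5", 9.0, date(2024, 1, 12), date(2024, 1, 14)),
]

# Constructed reporting dates for the risk-over-time series.
SAMPLE_DATES = [date(2024, 1, 4), date(2024, 1, 11), date(2024, 1, 20)]


def mean_time_to_remediate(records, min_risk=HIGH_RISK_THRESHOLD):
    """MTTR in days over closed findings at or above min_risk; None if none closed.

    Open findings are excluded rather than counted as zero days, which would
    flatter the metric; report the open count next to the MTTR instead.
    """
    durations = [(r.remediated - r.identified).days
                 for r in records
                 if r.risk >= min_risk and r.remediated is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)


def open_findings(records, as_of, min_risk=0.0):
    """Findings identified on or before as_of and not yet remediated on that date."""
    return [r for r in records
            if r.risk >= min_risk
            and r.identified <= as_of
            and (r.remediated is None or r.remediated > as_of)]


def open_risk_over_time(records, dates):
    """Sum of open risk values per date, keyed by ISO date string."""
    return {d.isoformat(): round(sum(r.risk for r in open_findings(records, d)), 1)
            for d in dates}


if __name__ == "__main__":
    mttr = mean_time_to_remediate(RECORDS)
    still_open = len(open_findings(RECORDS, max(SAMPLE_DATES), HIGH_RISK_THRESHOLD))
    print(f"high-risk MTTR: {mttr:.1f} days ({still_open} high-risk still open)")
    for day, total in open_risk_over_time(RECORDS, SAMPLE_DATES).items():
        print(f"{day}: open risk {total}")
```

Reporting the number of still-open high-risk findings beside the MTTR matters: a program that never closes its hardest findings can show an excellent MTTR over the easy ones, and the open-risk series is what exposes that.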

Vulnerability Management Should Be an Asset to Your Enterprise

An ideal vulnerability management solution should add value to your operations that far outweighs the cost of implementation: it should help your team function more capably and efficiently, without monopolizing resources. If your enterprise is facing challenges with the scope, resources or skills required to implement a vulnerability management program with your own team, outsourced solutions can help you bridge the gap.

Contact us for more information about Avertium’s full range of services to help you create a robust vulnerability management program.
