The best way to grow and improve a vulnerability management program is to acknowledge the current gaps, define a more ideal state to aim for, and then take the steps needed to see the improvements through. Getting better requires better information,
in the form of risk insight, and the right people on board to act on it. This piece guides you through the process of fine-tuning a vulnerability management program, even a relatively mature one.
With your current state in mind, building out an effective vulnerability management program requires:
Focusing on risks vs. number of vulnerabilities. When vulnerability scans are not performed correctly or adequately, it is common to see very little context placed around the vulnerabilities uncovered. That approach to
vulnerability management leads to security findings that are treated the same way across the board, but not every system is the same, nor should they all be treated that way. Doing so sets an organization up for failure because it ends up
trying to "fix" everything. Instead, move to a risk-based approach to vulnerability management, in which the most critical vulnerabilities are understood in the context of the organization (what the affected system is, what it exposes and what it is worth to the business) and are patched or mitigated first.
Using agents to ensure the mobile workforce is covered. Given the challenges of a mobile workforce, supplementing or replacing traditional network vulnerability scans with endpoint agents is becoming more popular. Some might see yet another agent
as burdensome to users, or risky in the event users are able to disable the software. With today's more powerful hardware and endpoint agents that do not depend on trusting the user, these concerns are largely manageable, provided you verify that a standard user cannot stop or uninstall the agent and that hosts which stop checking in are themselves reported as findings rather than silently dropping out of the data.
Streamlining your toolset. Using multiple tools to gather vulnerability information on endpoints increases complexity, and it can also create a skewed sense of security: unless every tool reports the
same findings for the same system, which is rarely the case, the team spends its time reconciling disagreements between tools instead of fixing vulnerabilities. Pick one source of truth per asset class and reconcile the others against it.
Getting proper governance in place. Having more, and better, information to take to management about active threats, confirmed vulnerabilities and tangible business risks is key. Those executives, or an IT/security governance
committee, can help create the standards by which technical staff determine how and where to focus their efforts, especially as it relates to prioritization. If concerns are raised about who should be responsible for vulnerability management
versus patch management, it really comes down to business preference and, specifically, culture and politics; what matters is that one team clearly owns each.
Taking it one step at a time. Integrating the findings from the application side is not going to be simple. The vulnerabilities are different. The approaches to remediation are different. The teams to deal with are different. That’s
not to say that having application security under the same vulnerability management umbrella can’t work. It can. Consider not doing it all at once. Try getting infrastructure vulnerability management under control first and then moving on to
application vulnerabilities – or vice versa, depending on criticality and preference.
Standardization is critical. So is keeping things as simple as possible. Depending on the size of the business and how much you’re spending with vendors, you might have leverage to bring such vendors on board and have them help
with integrating their tools to meet specific vulnerability management needs. Some specific areas to focus on include:
Asset classification. Determine which hosts, applications and data are most important to the business. This alone will provide guidance on where security testing and remediation work needs to be focused.
Vulnerability Management Metrics. Common vulnerability management metrics involving both infrastructure hosts and applications include:
Prioritization. Determine how vulnerabilities and quantifiable risks are prioritized. Does each vulnerability translate into business risk, or are some vulnerabilities riskier than others when considered against your specific environment
and business goals?
Patch management. How does vulnerability identification and prioritization fit in with current patch management standards? If vulnerabilities considered critical or high are identified, do the current business workflows and resources
support getting patches applied or compensating controls implemented within reasonable timeframes, e.g., 15-30 days?
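As an added example (not code from the IANS post), the following Python ranks a handful of constructed scan findings by business risk rather than by raw CVSS severity, shows which few findings carry most of the risk, and flags findings that have exceeded an assumed remediation window. The asset tiers, weights, hostnames, finding IDs and SLA days are all assumptions chosen for illustration; substitute your own asset classification and policy.

```python
"""Risk-based ranking of vulnerability findings (added example, not IANS code).

Every finding, weight and SLA window below is constructed for illustration
and should be replaced with your own asset classification and policy.
"""
from dataclasses import dataclass

# Assumed weights from asset classification, network exposure and exploit status.
TIER_WEIGHT = {"crown_jewel": 3.0, "standard": 1.5, "low": 1.0}
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}
EXPLOIT_WEIGHT = {True: 2.0, False: 1.0}

# Assumed remediation windows in days per severity band (the post suggests
# 15-30 days for critical/high findings).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    id: str            # hypothetical tracking ID, not a real CVE
    cvss: float
    tier: str          # key into TIER_WEIGHT
    exposure: str      # key into EXPOSURE_WEIGHT
    exploit_available: bool
    days_open: int

    @property
    def severity(self) -> str:
        """Qualitative band using the CVSS v3 thresholds."""
        if self.cvss >= 9.0:
            return "critical"
        if self.cvss >= 7.0:
            return "high"
        if self.cvss >= 4.0:
            return "medium"
        return "low"

    @property
    def risk(self) -> float:
        """Business risk: severity scaled by what the host is and how exposed it is."""
        return round(self.cvss * TIER_WEIGHT[self.tier]
                     * EXPOSURE_WEIGHT[self.exposure]
                     * EXPLOIT_WEIGHT[self.exploit_available], 2)

    @property
    def sla_breached(self) -> bool:
        return self.days_open > SLA_DAYS[self.severity]


# Constructed sample: two findings share the same CVSS (F-1, F-2) but sit on
# very different hosts, which is exactly what a raw severity count hides.
SAMPLE_FINDINGS = [
    Finding("pay-api-01",   "F-1", 9.8, "crown_jewel", "internet", True,  20),
    Finding("dev-build-07", "F-2", 9.8, "low",         "internal", False, 5),
    Finding("hr-db-02",     "F-3", 7.5, "crown_jewel", "internal", True,  40),
    Finding("kiosk-12",     "F-4", 5.3, "low",         "internal", False, 200),
    Finding("web-fe-03",    "F-5", 6.1, "standard",    "internet", False, 10),
    Finding("print-srv-01", "F-6", 4.3, "low",         "internal", False, 30),
]


def rank_by_risk(findings):
    """Highest business risk first."""
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def pareto_cut(ranked, share=0.8):
    """Smallest prefix of the ranked list that carries `share` of the total risk."""
    total = sum(f.risk for f in ranked)
    running, cut = 0.0, []
    for f in ranked:
        cut.append(f)
        running += f.risk
        if running >= share * total:
            break
    return cut


def overdue(findings):
    """Findings that have been open longer than their severity band allows."""
    return [f for f in findings if f.sla_breached]


def report(findings):
    ranked = rank_by_risk(findings)
    focus = {f.id for f in pareto_cut(ranked)}
    for f in ranked:
        flag = "FOCUS" if f.id in focus else ""
        late = "OVERDUE" if f.sla_breached else ""
        print(f"{f.id:<5}{f.host:<14}{f.severity:<9}risk={f.risk:>6} {flag:<6}{late}")
    return ranked


if __name__ == "__main__":
    report(SAMPLE_FINDINGS)
```

Run as a script it prints the ranked table: F-1 and F-3 together carry more than 80% of the sample's total risk and are the "focus" set, while F-2, despite the same CVSS 9.8 as F-1, drops to fourth because it sits on an internal, low-value build host with no known exploit. Three findings (F-1, F-3, F-4) are past their assumed windows, and the long-overdue medium on the kiosk is the kind of item a pure severity view would never surface.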
Vulnerability management requires both good people and good information – tangible insight that clearly shows where the problems lie and what the solutions need to be.
Vulnerability management across a large network environment is one of the greatest challenges in managing an information security program. At the heart of all this, the real question is: Where are IT resource hours best spent to minimize vulnerabilities/risks
and maximize positive outcomes?
Ensuring every decision is made with the Pareto principle (also known as the 80/20 rule) in mind. This lets the team focus on the relatively small number of vulnerabilities across the most critical systems that are creating the greatest number of business
Getting buy-in from stakeholders and leadership. Those responsible for information security and, specifically, vulnerability management need the necessary financial and political support from executive management and others, including the actual system/data
owners themselves. Summarizing and presenting the specific challenges in these areas, including where good information exists and where it is lacking, is a great way to make the case for such support.
Focusing on compensating controls. Where a vulnerability cannot be patched or remediated outright, compensating controls are essential. Even with asset classification, criticality analysis and risk prioritization, all it takes is a single employee clicking a phishing link
to end up with the exploitation of a vulnerability or the leakage of information.
There will always be outlying vulnerabilities that cannot be effectively prevented. However, with the proper visibility and security controls, quick response on the part of technical staff will help minimize any issues that do arise.
October 19, 2021
By IANS Faculty