The best way to grow and improve a vulnerability management program is to acknowledge the current gaps, determine a more ideal state to aim for, and then take the necessary steps to see the improvements through. Getting better requires better information in terms of risk insight, and the right people on board to make better decisions. This piece guides you through the process of fine-tuning a vulnerability management program, even a relatively mature one.
Taking your current state into consideration, building out an effective vulnerability management program requires:
Focusing on risks vs. number of vulnerabilities. When vulnerability scans are not performed correctly or adequately, it is common to see very little context placed around the vulnerabilities uncovered. Such an approach to vulnerability management can lead to security findings that are treated the same way across the board – but not every system is the same, nor should they all be treated that way. Doing so could set an organization up for failure in terms of trying to “fix” everything. Rather, consider a move to more of a risk-based approach to vulnerability management, in which the most critical risks/vulnerabilities are understood within the context of the organization and are patched first.
Using agents to ensure the mobile workforce is covered. Given the new mobile workforce challenges, moving away from traditional vulnerability scans and leveraging agents is becoming more popular. Some might see yet another agent as burdensome to users or risky in the event users are able to disable the software. With today’s more powerful hardware and more limited-trust endpoint security capabilities, these concerns are negligible.
Streamlining your toolset. Dealing with multiple tools to gather vulnerability information on endpoints not only increases complexity, it can also generate a skewed sense of security unless all of the tools are providing the exact same information on system vulnerabilities, which is likely not the case.
Getting proper governance in place. Having more – and better – information to take to management about active threats, confirmed vulnerabilities and tangible business risks is key. These executives or an IT/security governance committee can help to create the standards by which technical staff determine how and where to focus their efforts, especially as it relates to prioritization. If concerns are raised regarding who should be responsible for both vulnerability management and patch management, it really comes down to business preference and, specifically, culture and politics.
Taking it one step at a time. Integrating the findings from the application side is not going to be simple. The vulnerabilities are different. The approaches to remediation are different. The teams to deal with are different. That’s not to say that having application security under the same vulnerability management umbrella can’t work. It can. Consider not doing it all at once. Try getting infrastructure vulnerability management under control first and then moving on to application vulnerabilities – or vice versa, depending on criticality and preference.
Standardization is critical. So is keeping things as simple as possible. Depending on the size of the business and how much you’re spending with vendors, you might have leverage to bring such vendors on board and have them help with integrating their tools to meet specific vulnerability management needs. Some specific areas to focus on include:
Asset classification. Determine which hosts, applications and data are most important to the business. This alone will provide guidance on where security testing and remediation work needs to be focused.
Vulnerability management metrics. Common vulnerability management metrics involving both infrastructure hosts and applications include:
Prioritization. Determine how vulnerabilities and quantifiable risks are prioritized. Does each vulnerability translate into business risk, or are some vulnerabilities riskier than others when considered against your specific environment and business goals?
Patch management. How does vulnerability identification and prioritization fit in with current patch management standards? If vulnerabilities considered critical or high are identified, do the current business workflows and resources support getting patches applied or compensating controls implemented within reasonable timeframes, e.g., 15-30 days?
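The risk-based approach, asset classification, prioritization and patch timeframes discussed above can be made concrete with a small scoring model. The Python below is an added example written for this article, not IANS code or any vendor's tool; the asset weights, exploit and exposure multipliers, and every remediation window other than the 15-30 day figure quoted above are assumptions chosen for illustration, and the scan findings are constructed. It shows how the same finding (a CVSS 9.8 on a production database vs. on a throwaway test box) lands in very different places once business context is applied, and how many findings actually carry most of the risk.

```python
"""Risk-based prioritization of scan findings (added illustration, not IANS code).

Constructed scoring scheme: a finding's CVSS base score is scaled by the
classification of the asset it sits on and by its exposure, then mapped to a
remediation window. Weights, multipliers and all windows other than the
article's 15-30 day example are assumptions made for this example.
"""
from dataclasses import dataclass

# Asset classification weights (constructed): what the business stands to lose.
ASSET_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.5}


@dataclass(frozen=True)
class Finding:
    host: str
    asset_class: str      # output of the asset classification exercise
    cvss: float           # scanner-reported base score, 0-10
    exploit_known: bool   # public exploit or active exploitation reported
    internet_facing: bool


def risk_score(f: Finding) -> float:
    """Context-adjusted score: severity x asset value x exposure."""
    score = f.cvss * ASSET_WEIGHT[f.asset_class]
    if f.exploit_known:
        score *= 1.5
    if f.internet_facing:
        score *= 1.2
    return round(score, 2)


def remediation_window_days(score: float) -> int:
    """Target window for a patch or compensating control (constructed tiers)."""
    if score >= 25:
        return 15
    if score >= 12:
        return 30
    if score >= 5:
        return 90
    return 180


def by_cvss(findings):
    """Count-driven view: rank purely on scanner severity."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """Risk-driven view: rank on the context-adjusted score."""
    return [f.host for f in sorted(findings, key=risk_score, reverse=True)]


def remediation_plan(findings):
    """Ranked (host, score, window_days) tuples, highest risk first."""
    return [(f.host, risk_score(f), remediation_window_days(risk_score(f)))
            for f in sorted(findings, key=risk_score, reverse=True)]


def top_fraction_of_risk(findings, fraction=0.8):
    """Smallest top-ranked subset whose scores sum to `fraction` of total risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    total = sum(risk_score(f) for f in ranked)
    running, chosen = 0.0, []
    for f in ranked:
        chosen.append(f.host)
        running += risk_score(f)
        if running >= fraction * total:
            break
    return chosen


# Constructed sample scan output; hosts and scores are fictitious.
SAMPLE = [
    Finding("db-prod-01",    "critical", 9.8, True,  False),
    Finding("web-prod-03",   "critical", 7.5, True,  True),
    Finding("jump-host-01",  "high",     6.1, True,  True),
    Finding("hr-app-02",     "high",     8.1, False, True),
    Finding("dev-test-07",   "low",      9.8, True,  False),
    Finding("fileshare-04",  "medium",   7.2, False, False),
    Finding("kiosk-12",      "medium",   6.5, False, False),
    Finding("kiosk-13",      "medium",   4.0, False, False),
    Finding("lab-vm-22",     "low",      5.0, False, False),
    Finding("print-01",      "low",      5.3, False, False),
    Finding("laptop-pool-a", "low",      4.3, False, False),
    Finding("printer-02",    "low",      3.1, False, False),
]

if __name__ == "__main__":
    print("Top 3 by CVSS alone:", by_cvss(SAMPLE)[:3])
    print("Top 3 by risk:      ", by_risk(SAMPLE)[:3])
    for host, score, window in remediation_plan(SAMPLE):
        print(f"{host:14} risk={score:6.2f}  fix within {window:3d} days")
    print("Findings carrying 80% of risk:", top_fraction_of_risk(SAMPLE))
```

Ranking by CVSS alone puts the test box's 9.8 second in the queue; ranking by context-adjusted risk pushes it behind the internet-facing jump host and HR application, and the 80% cut lands on five of the twelve findings. The tiers and multipliers are the part a governance committee would actually own: the code only makes the agreed policy repeatable.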
Vulnerability management requires both good people and good information – tangible insight that clearly shows where the problems lie and what the solutions need to be.
Vulnerability management across a large network environment is one of the greatest challenges in managing an information security program. At the heart of all this, the real question is: Where are IT resource hours best spent to minimize vulnerabilities/risks and maximize positive outcomes?
Ensuring every decision is made with the Pareto principle (also known as the 80/20 rule) in mind. This lets the team focus on the relatively small number of vulnerabilities across the most critical systems that are creating the greatest number of business
Getting buy-in from stakeholders and leadership. Those responsible for information security and, specifically, vulnerability management need the necessary financial and political support from executive management and others, including the actual system/data owners themselves. Summarizing and presenting the specific challenges associated with these areas, including good information and lack of information, is a great way to make the case for such support.
Focusing on compensating controls. In areas where compromises cannot be reached, compensating controls are essential. Even with asset classification, criticality analysis and risk prioritization, all it takes is a single employee clicking a phishing link to end up with the exploitation of a vulnerability or the leakage of information.
There will always be outlying vulnerabilities that cannot be effectively prevented. However, with the proper visibility and security controls, quick response on the part of technical staff will help minimize any issues that do arise.
February 29, 2024
By IANS Research