Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Before jumping into the ways you can improve your vulnerability management program, it's important to build the big picture of the organization and establishing a solid foundation before getting lost in scan results and other weeds. This piece details key steps existing InfoSec teams or new information security managers should take
to set your vulnerability management program up for success.
For years, vulnerability scanners competed in a race trying to be the vendor with the most vulnerability checks. This has led us to a situation where the results of a scan will nearly always be more than any organization could ever manage or remediate.
The first task is to get the lay of the land and understand the scope of the organization’s assets. Asset discovery and management are essential to vulnerability management because you can’t assess the state or risk of an asset until you know
what you have. This is a big undertaking, so try slicing it into more manageable pieces:
Once that’s done, you can start to establish baselines, and create workable standards, procedures and metrics.
Please note: This discussion excludes application security vulnerabilities, because those are typically handled by separate tooling and teams in most organizations (but not all). Figure 1 shows how responsibilities tend to be separated out in most organizations.
Figure 1: Typical Vulnerability Management Responsibilities
1. Find the Assets and Categorize Them
Assets can be categorized in many ways, which can help with vulnerability prioritization, setting asset criticality and overall risk analysis. Example categories include by purpose, location, etc.
2. Find the Asset Owners
It's the InfoSec team's job to identify security issues and bring them to peoples' attention, but in almost every case, someone else will be responsible for fixing them. As early as possible, identify key contacts you can work with to get security issues
fixed. This should include (but probably won't be limited to):
Disaster recovery (DR). You don't want your first task on the first day of a disaster to be dealing with a delay in switching over because DR systems are two years behind on patches. Most organizations of this size go high availability (HA) or hot/hot
for DR these days, so this might not be a concern, but it's always worth checking.
Marketing: Typically, marketing will own some of its own hosted or software-as-a-service (SaaS) infrastructure. It's extremely visible and shouldn't be overlooked.
Miscellaneous: It’s possible other groups own their own infrastructure or SaaS as well. Human resources (HR), legal and finance are all worth an exploratory look. It might be worth setting up a short 20-minute interview with each group to get a
better understanding of what software they use to get the job done. From there, you can often trace the software back to SaaS/infrastructure and figure out who the asset owners are.
3. Understand the Process
Once you find the asset owners, get an understanding for the current change management and patching/remediation process. Is there one company-wide process that's closely followed? Does each team fend for itself? Is there no change management at all? Are
patch management systems integrated into vulnerability management systems?
It’s important to understand current expectations and time constraints.
READ: How to Formalize Your Vulnerability Management Program
1. Choose Your Data Sources
A major source for vulnerability information will likely be a vulnerability scanner or management platform.
A common pitfall is to treat the vulnerability scanner as the sole source for vulnerability data. Asset owners will often trust the criticality set by the patch management system or the vendor over the score the vulnerability scanner assigns.
Vulnerability data sources could include:
Having a vulnerability disclosure policy (VDP). A VDP aims to make it easy for researchers or good Samaritans to quickly report security issues to an organization.
2. Decide How to Gather the Data
In addition to the sources of vulnerabilities, it’s also important to consider how the vulnerability data is gathered. This data can be gathered in a variety of ways, each with pros and cons. Take a hard look at how vulnerability data is currently
gathered and consider whether it is the best approach for the size and type of environment. Typical approaches include:
Network scanning. This is a point-in-time method that’s highly susceptible to changing network conditions, and whether assets are online or offline at the time of the scan. Scans often “get stuck” and some tools will automatically cancel
network scans if they don’t complete in 24 hours, without alerting you to the fact they gave up mid-scan. Network scanning is also the most likely method to produce false positives.
Credentialed scans. These are more accurate and reliable, but return much more data (most of it of a lower criticality and importance).
Agent-based scans. These are similar in completeness and quality to credentialed scans, but they require the additional inconvenience of rolling out agents to systems and maintaining the health of those agents. Agents are typically only compatible with
popular workstation and server operating systems, so network scans are still required to analyze network, internet of things (IoT) and other types of devices.
1. Establish Baselines and Identify Anomalies
The key to identifying anomalies is establishing a baseline. Some anomalies are easier for humans to spot, while others can be spotted with automated reports or checks
2. Establish Custom Standards, Procedures and Metrics
Work to establish:
Getting started with vulnerability management can be daunting for a new InfoSec professional starting at a new organization or establishing program at an existing company, but if you break down the major tasks into manageable pieces, you should be well-positioned
for success at the end of your first three months. It’s important to:
Find the assets and owners. Establish solid relationships with the asset owners – you need them to get anything substantial done.
Remember the goal. It isn’t to squash all the bugs and patch all the vulnerabilities (that’s impossible). It’s to squash and patch the ones that matter.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.