Vulnerability Management is the active identification, assessment and resolution of vulnerabilities that exist within an enterprise's infrastructure. Implementing an efficient and well-designed Vulnerability Management platform increases an organisation's awareness of potential flaws that could be exploited by cyber criminals.
In this article, we look at foundational Vulnerability Management strategies that organisations can implement to identify, assess, and resolve vulnerabilities more effectively.
Firstly, we must make a distinction: conducting vulnerability scans or vulnerability assessments is not equivalent to a well-implemented Vulnerability Management program. Vulnerability scanning simply refers to running a scanning platform against one or more targets to determine which vulnerabilities are currently present on them.
While important, scanning in isolation cannot identify the underlying business risk of a finding, assign stakeholders to remediate it, or catalogue and monitor the active and resolved vulnerabilities over time. Vulnerability scanning is one important mechanism of Vulnerability Management, but by itself it does not constitute a well-implemented and efficient Vulnerability Management program.
The following strategies and implementation guidelines are the best-practice recommendations we have devised at Aurian. In our experience implementing various Vulnerability Management solutions, they are the ones that apply most broadly to businesses, even without direct knowledge of each business's unique operation and circumstances.
There are various players in the competitive space of vulnerability scanning today, such as Qualys, Nessus and Rapid7. The unique benefits of each are not the topic of this article; however, regardless of the platform chosen, the installation should abide by the following principles:
An integral part of Vulnerability Management is the somewhat lost art of Asset Management. A Vulnerability Management program is only as good as the targets and infrastructure that it knows about. A business can implement world-class infrastructure with experts identifying, assessing, and remediating vulnerabilities.
However, if that process is only being applied to a fraction of an organisation's infrastructure, a cyber security incident is inevitably not far behind. Most modern Vulnerability Management platforms recognise this and include some form of asset management feature set. Commonly, vulnerability platforms allow administrators to 'tag' (annotate with a recognisable name) network and application resources, so that a finding can be traced back to the system, and the part of the business, it belongs to.
Additionally, vulnerability platforms can discover or map out active systems in an environment by sending specifically crafted network packets to candidate targets and recording which of them respond. Discovery results should be reconciled against the inventory the business already holds: hosts the scanner finds that nobody has registered are as much of a gap as registered hosts the scanner never reaches.
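The reconciliation described above, as an added example that is not code from the original article or from any scanning platform. It takes a constructed inventory export and a constructed scanner asset list (the field names `hostname`, `ip`, `owner`, `tags` and `last_scanned`, the tag vocabulary, and the 30-day freshness window are all assumptions) and reports inventory assets the scanner has never scanned, assets whose last scan is too old, and scanner-discovered hosts missing from the inventory. Addresses are normalised before comparison so that differently formatted copies of the same IP (for example an IPv6 address with and without leading zeros) still match.

```python
"""Asset-coverage check for a Vulnerability Management program.

Added example, not code from the original article or from any scanner.
All input data below is constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InventoryAsset:
    hostname: str
    ip: str
    owner: str = "unassigned"
    tags: frozenset = frozenset()  # assumed free-form tag vocabulary


@dataclass(frozen=True)
class ScannerAsset:
    ip: str
    hostname: str | None = None
    last_scanned: date | None = None  # None: discovered, but never scanned


# Assumption: any gap on an asset carrying one of these tags is escalated.
CRITICAL_TAGS = {"prod", "pci", "internet-facing"}


def _norm(ip: str) -> str:
    """Canonical text form, so '2001:0db8::0001' and '2001:db8::1' compare equal."""
    return str(ipaddress.ip_address(ip.strip()))


def coverage_report(inventory, scanner_assets, *, today: date, max_age_days: int = 30) -> dict:
    """Compare the business inventory with what the scanner knows about."""
    by_ip = {_norm(a.ip): a for a in inventory}
    seen = {_norm(s.ip): s for s in scanner_assets}

    unscanned, stale, unknown = [], [], []
    for ip, asset in by_ip.items():
        s = seen.get(ip)
        if s is None or s.last_scanned is None:
            unscanned.append(asset)               # scanner never covered it
        elif (today - s.last_scanned).days > max_age_days:
            stale.append(asset)                   # covered, but too long ago
    for ip, s in seen.items():
        if ip not in by_ip:
            unknown.append(s)                     # scanner found it, inventory did not

    gaps = unscanned + stale
    covered = len(by_ip) - len(gaps)
    return {
        "coverage_pct": round(100.0 * covered / len(by_ip), 1) if by_ip else 100.0,
        "unscanned": sorted(a.hostname for a in unscanned),
        "stale": sorted(a.hostname for a in stale),
        "unknown": sorted(s.ip for s in unknown),
        "critical_gaps": sorted(a.hostname for a in gaps if a.tags & CRITICAL_TAGS),
    }


# Constructed inventory export (e.g. from a CMDB).
INVENTORY = [
    InventoryAsset("web-01", "10.0.1.10", "platform-team", frozenset({"prod", "internet-facing"})),
    InventoryAsset("db-01", "10.0.2.20", "dba-team", frozenset({"prod", "pci"})),
    InventoryAsset("hr-app", "10.0.3.30", "hr-it", frozenset({"prod"})),
    InventoryAsset("legacy-fs", "10.0.4.40"),
    InventoryAsset("test-01", "10.0.5.50", "qa-team", frozenset({"nonprod"})),
    InventoryAsset("ipv6-gw", "2001:0db8::0001", "network-team", frozenset({"prod"})),
]

# Constructed scanner asset list as of the report date.
SCANNER_ASSETS = [
    ScannerAsset("10.0.1.10", "web-01", date(2024, 5, 30)),
    ScannerAsset("10.0.2.20", "db-01", date(2024, 5, 28)),
    ScannerAsset("10.0.3.30", "hr-app", date(2024, 4, 1)),    # older than 30 days
    ScannerAsset("10.0.4.40"),                                 # discovered, never scanned
    ScannerAsset("10.0.9.99", None, date(2024, 5, 31)),       # not in the inventory at all
    ScannerAsset("2001:db8::1", "ipv6-gw", date(2024, 5, 29)),
]

REPORT_DATE = date(2024, 6, 1)


def demo_report() -> dict:
    return coverage_report(INVENTORY, SCANNER_ASSETS, today=REPORT_DATE)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Running this reports 50% coverage: `legacy-fs` and `test-01` were never scanned, `hr-app` is stale, and `10.0.9.99` is a host the scanner found that the inventory does not know about. `critical_gaps` singles out `hr-app` because it is tagged `prod`; the same list is what a program owner should be chasing first, since a scanner that cannot reach a production system tells you nothing about its risk.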
Asset Management at its core should consist of the following:
After completing the Asset Management and Vulnerability Scanning Infrastructure phases, an organisation should now understand the underlying role and level of importance particular asset(s) have for the business. Armed with that knowledge, implementing a risk-rating matrix is the logical next step and is an essential part of classifying the risk and impact a vulnerability can have on your business. It also helps administrators and managers to determine the priority of vulnerability remediation.
Currently there are many common risk matrices available which can be leveraged by an organisation; indeed, most vulnerability platforms include their own risk rating for identified vulnerabilities. Platform risk ratings are generally a good source of truth for technical risk: what an attacker needs in order to exploit a given flaw, and what they obtain if they succeed. This rating is based on the scanning platform's understanding of the vulnerability at a technical level, i.e. sensitive information disclosure, denial of service, or code execution leading to complete system compromise. What it cannot know is the role the affected asset plays in your business.
A common strategy regarding risk classification is therefore to combine the technical risk rating provided by the vulnerability platform with an additional business risk metric devised by the organisation. While the exact structure of that additional metric is beyond the scope of this article, the design of such a metric can often be aided by the following questions:
The level of diligence and efficiency an organisation can muster in order to successfully remediate vulnerabilities is the cornerstone of a successful Vulnerability Management program. It is our opinion at Aurian that no one blanket remediation strategy can claim to be the most efficient, as every organisation has varying levels of qualified personnel, compute resources, and regulatory requirements.
However, organisations must ensure that it is clear who is responsible for remediating specific compute resources. A responsibility matrix should be created which outlines the personnel in charge of fixing a particular set of compute resources and the associated business risk rating (as mentioned above). This simple system is what we at Aurian refer to as our 'Nametag to Necessity Approach'.
One strategy organisations can use to determine both the order of remediation and the remediation timeframes is to combine the responsibility matrix with the technical risk and business risk metrics: each finding is scored on both axes, the combined score determines its priority band and remediation deadline, and the responsibility matrix names the team that owns the fix. This shifts priority to the flaws that pose the highest technical and business risk to the organisation, rather than to whatever the scanner happens to rate highest in isolation.
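The following is an added example of that prioritisation, written for this article; it is not Aurian's tooling, nor any scanner vendor's. Every concrete choice in it is an assumption made for illustration: technical risk is a CVSS-style 0 to 10 score exported by the scanner (field `technical_score`), business impact is a 1 to 4 rating per asset, the combined priority is their product banded into P1 to P4, the SLA days per band are made up, and the asset register, responsibility matrix and findings are constructed. It also handles the edge case the previous section warned about: a finding on an asset nobody registered is treated as critical and flagged unassigned, rather than silently falling to the bottom of the queue.

```python
"""Risk-based remediation queue from technical risk, business risk and a
responsibility matrix.

Added example, not the article's or any vendor's code. Scoring scheme,
SLA values and all data are assumptions constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    title: str
    technical_score: float  # assumed: CVSS-style score from the scanner
    first_seen: date


# Constructed asset register: responsibility-matrix group and business
# impact (1 = low, 4 = critical) for each asset.
ASSET_REGISTER = {
    "web-01": {"group": "internet-edge", "business_impact": 4},
    "db-01": {"group": "data-platform", "business_impact": 4},
    "hr-app": {"group": "corporate-apps", "business_impact": 3},
    "test-01": {"group": "qa-lab", "business_impact": 1},
}

# Constructed responsibility matrix: the team that remediates each group.
RESPONSIBILITY_MATRIX = {
    "internet-edge": "platform-team",
    "data-platform": "dba-team",
    "corporate-apps": "hr-it",
    "qa-lab": "qa-team",
}

# Constructed remediation timeframes, in days from first sighting.
BANDS = ["P1", "P2", "P3", "P4"]
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

UNKNOWN_ASSET_IMPACT = 4  # assumption: an unregistered asset is treated as critical


def priority_band(technical_score: float, business_impact: int) -> str:
    """Band the product of technical and business risk (range 0 to 40).
    Thresholds are assumptions."""
    combined = technical_score * business_impact
    if combined >= 32:
        return "P1"
    if combined >= 20:
        return "P2"
    if combined >= 8:
        return "P3"
    return "P4"


def triage(finding: Finding, today: date) -> dict:
    """Attach business impact, owner, band and deadline to one finding."""
    entry = ASSET_REGISTER.get(finding.asset)
    if entry is None:
        # Asset-management gap: never let it quietly deprioritise the finding.
        impact, owner = UNKNOWN_ASSET_IMPACT, "unassigned (asset not in register)"
    else:
        impact = entry["business_impact"]
        owner = RESPONSIBILITY_MATRIX.get(entry["group"], "unassigned (group has no owner)")
    band = priority_band(finding.technical_score, impact)
    deadline = finding.first_seen + timedelta(days=SLA_DAYS[band])
    return {
        "finding_id": finding.finding_id,
        "asset": finding.asset,
        "title": finding.title,
        "technical_score": finding.technical_score,
        "business_impact": impact,
        "band": band,
        "owner": owner,
        "deadline": deadline,
        "overdue": today > deadline,
    }


def build_queue(findings, today: date) -> list[dict]:
    """Highest band first, then earliest deadline, then highest combined risk."""
    rows = [triage(f, today) for f in findings]
    rows.sort(key=lambda r: (BANDS.index(r["band"]), r["deadline"],
                             -(r["technical_score"] * r["business_impact"])))
    return rows


# Constructed scanner findings. F-1 and F-3 are the same flaw on assets of
# very different business value; F-5 sits on an asset nobody registered.
FINDINGS = [
    Finding("F-1", "web-01", "Remote code execution in web framework", 9.8, date(2024, 5, 20)),
    Finding("F-2", "db-01", "Weak TLS configuration", 7.5, date(2024, 5, 25)),
    Finding("F-3", "test-01", "Remote code execution in web framework", 9.8, date(2024, 5, 1)),
    Finding("F-4", "hr-app", "Information disclosure", 5.3, date(2024, 5, 28)),
    Finding("F-5", "shadow-01", "Default credentials", 8.8, date(2024, 5, 30)),
]

REPORT_DATE = date(2024, 6, 1)


def demo_queue() -> list[dict]:
    return build_queue(FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    for row in demo_queue():
        flag = " OVERDUE" if row["overdue"] else ""
        print(f'{row["band"]} {row["finding_id"]:<4} {row["asset"]:<10} '
              f'{row["owner"]:<34} due {row["deadline"]}{flag}  {row["title"]}')
```

Note how the same 9.8 remote code execution lands at P1 with a seven-day deadline on the internet-facing `web-01` but at P3 on the low-impact `test-01`, while the 7.5 TLS finding on the PCI database outranks it: that is the business metric doing its job. The unregistered `shadow-01` is escalated to P1 with no owner, which is exactly the kind of row a program manager should be unable to ignore.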
Once a responsibility matrix has been implemented, a well-implemented Vulnerability Management platform will include the ability to adequately track the discovery, resolution, and re-discovery of vulnerabilities, so that a flaw which reappears after a rebuild or a rollback is attributed to the same owner and deadline rather than treated as new.
It may seem counterintuitive to leave the design and implementation of the vulnerability scanning procedures until the end. However, if the Vulnerability Management infrastructure has not been considered, strict asset management has been ignored, a risk matrix and assessment system neglected, and no responsibility matrix or remediation strategy defined, then even multi-million-dollar, industry-leading vulnerability scanning technology will be of little use in making your business more secure.
Once the above considerations have been designed and implemented, an organisation can set up the various vulnerability scans to run against in-scope infrastructure. During this stage, organisations should consider the following:
Organisations commonly produce detailed documentation for disaster recovery and incident response, yet seem to overlook retaining and documenting the best-practice configurations, design decisions and remediation strategies that have been painstakingly implemented in their Vulnerability Management program.
As a result, if key personnel leave, their expertise and bespoke knowledge of the Vulnerability Management program goes with them. Aurian recommends that organisations create and continuously update detailed documentation describing all stages and outcomes of the design and implementation decisions that have been made.
Additionally, it is well known to most organisations that technology and business requirements are an ever-changing proposition. As such, a well-implemented Vulnerability Management program must be flexible and adapt to the inclusion as well as the removal of compute resources, adjusting the scanning and remediation practices accordingly.
Creating an efficient Vulnerability Management solution is not a simple task; we hope the above strategies will help organisations make more informed decisions when it comes to Vulnerability Management. At Aurian Security, we deliver bespoke and tailored Vulnerability Management as part of our Security-as-a-Service offering. For more information, please refer to our Vulnerability Management page.