Anyone who has been in the field of cybersecurity for some time is familiar, likely painfully, with vulnerability management. Vulnerabilities are essentially weaknesses or flaws in systems and software that are able to be exploited by malicious actors to wreak havoc on your organization, access sensitive data, or perform some other ill-intended actions.
There’s also the painful reality that vulnerabilities are a part of life when dealing with technological systems. No system or software is impervious, so the need for sound vulnerability management is and will be a mainstay indefinitely in the field of cybersecurity. As technological systems become more complex through Cloud, microservices, IoT, and more, the need for sound vulnerability management is even more paramount.
There are entire guides dedicated to the topic of vulnerability management and preventative maintenance for technology, so we certainly won’t entirely cover the topic here. But we can dive into some of the core areas as well as methodologies and technologies that can be leveraged to mitigate vulnerabilities and drive down organizational risk.
Building an Organizational Vulnerability Management Program
Organizations such as CISA, NIST, and others have created comprehensive guides to help others build robust vulnerability management practices. SANS, a cybersecurity education leader, has developed a Vulnerability Management Maturity Model on the topic as well. For the sake of brevity, we will utilize their maturity model to discuss building an organizational vulnerability management program.
Much like other maturity models, the SANS model has phases, such as Prepare, Identify, Analyze, Communicate, and Treat. It also has levels of maturity, which are Initial Managed, Defined, Quantitatively Managed, and Optimized. Organizations will exist on a range of these levels of maturity across the various phases, as it is unlikely that any organization of significant size and complexity is optimized across all phases.
From the preparation standpoint, this involves policies and standards as well as context. Further, this involves having documented processes and standards related to how your organization handles vulnerabilities. It also utilizes contextual data to provide actionable insights for your systems and applications.
Addressing Your Vulnerability Footprint
Identification is a key first step to being able to address your vulnerability footprint. This means that the scanning activities must be automated, ideally throughout your software and system development life cycle. However, that manual testing is utilized to augment automation deficiencies or dive deeper when warranted.
This phase also involves ensuring you have a coherent way to aggregate your vulnerability data so that it isn’t scattered across various tools and environments, giving you a fragmented view of your security posture.
Once vulnerabilities are identified, they need to be analyzed. This facilitates prioritization, as not all vulnerabilities are the same. It also identifies the root cause of the vulnerability. Mature organizations are utilizing company-specific threat intelligence to prioritize vulnerabilities and determine if there are mitigating controls in place to drive down the risk of exploitation or not.
Vulnerability Management Requires Effective Communication
In large organizations, in particular, it is key to have effective communication when it comes to vulnerability management. This involves providing metrics and reporting — and ideally not only customizing the information for those in a position to make decisions regarding the courses of action but also being able to remediate the findings.
There has also been a push towards self-service models of vulnerability management. With self-service models, security no longer is a silo that provides reports externally. Development teams are now empowered to identify and remediate vulnerabilities themselves, rather than waiting for an out-of-band report from an external team. DevSecOps is also breaking down team silos integrating security expertise with the development and operational teams.
Lastly, organizations need to treat the vulnerabilities they’ve identified and prioritized. This involves activities such as change, patch, and configuration management. These activities are enriched when data from the vulnerability and configuration management processes are coupled with data from security incidents and organizational processes to adjust remediation timelines and activities.
While this is a high-level overview of building a mature vulnerability management program, it is far from simple or easy. Modern organizations involve a plethora of technology, often with inconsistent hardware and software asset inventories. Couple this with the reality that modern technologies are often being consumed as-a-Service versus produced directly, and you now have external dependencies and relationships to consider.
Vulnerability management is a complex topic — and arguably increasingly so, as the technology powering modern businesses, economies, and societies evolve. That said, starting with sound proven guidelines and references can have your organization on a path to better protect, detect, and respond to vulnerabilities when — not if — they occur.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: