The 4 Key Components of a Strong Vulnerability Management Program
May 11, 2020
A strong Vulnerability Management (VM) program allows organizations to identify potential security gaps including access points that threat actors leverage to gain entry into corporate networks, and then prioritize them for remediation. However, due to their complexity, most organizations experience challenges in building a robust VM program.
According to Herjavec Group’s JR Cunningham, a strong Vulnerability Management program relies on 4 key components:
- Asset & Vulnerability Discovery
- Vulnerability & Risk Prioritization
- Patch Management
- Remediation & Exception Tracking
While each component comes with its own unique challenges, JR has provided additional questions and discussion points for IT teams to consider throughout the program building process.
Asset and Vulnerability Discovery
One of the most common issues in vulnerability management lies in Asset Discovery. Many organizations (especially those in manufacturing, healthcare, and critical infrastructure) have operational technology environments that simply never, or rarely, get scanned and end up being “out of scope”.
As an example, in a healthcare setting, this commonly occurs with the medical device VLANs, which often get an “off-limits” status for scanning and can create a risk that ends up being somewhat “invisible” to the organization. In this scenario, HG recommends leveraging non-scanning (network-based) device discovery or behavioral analytics to determine what the normal behavior of a device is and monitor for variance. To further the example, if a network-enabled security camera always acts like a security camera, that’s expected. If that device begins acting like a wireless access point, it is a good signal that the device needs to be investigated.
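The behavioral-analytics approach described above, as an added example (not code from Herjavec Group or the post): learn a per-device profile from a baseline window of flow records, then compare a later window against it. Device names, ports and the two flow windows are constructed for illustration; a real deployment would feed it NetFlow, Zeek conn logs or switch telemetry keyed by MAC or IP. The example goes slightly beyond the camera case in the text by reporting newly consumed services as well as newly offered ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One summarized network flow: who talked to whom, on which port."""
    ts: int        # constructed timestamp, seconds from window start
    src: str       # source device name (constructed; real data would use IP/MAC)
    dst: str       # destination device name
    dport: int     # destination port
    proto: str     # "tcp" or "udp"


# Constructed learning-window flows: the camera only streams RTSP to the NVR,
# syncs time, and answers HTTPS from the admin console. Not real traffic.
BASELINE_FLOWS = [
    Flow(1, "cam-01", "nvr-01", 554, "tcp"),
    Flow(2, "admin-pc", "cam-01", 443, "tcp"),
    Flow(3, "cam-01", "ntp-01", 123, "udp"),
    Flow(4, "cam-01", "nvr-01", 554, "tcp"),
]

# Constructed monitoring-window flows: the same device now hands out DHCP leases,
# answers DNS and SSDP for several clients and browses out through the gateway,
# which is what an access point does, not what a camera does.
MONITOR_FLOWS = [
    Flow(10, "cam-01", "nvr-01", 554, "tcp"),
    Flow(11, "laptop-07", "cam-01", 67, "udp"),
    Flow(12, "laptop-07", "cam-01", 53, "udp"),
    Flow(13, "phone-22", "cam-01", 67, "udp"),
    Flow(14, "phone-22", "cam-01", 53, "udp"),
    Flow(15, "tablet-03", "cam-01", 67, "udp"),
    Flow(16, "cam-01", "internet-gw", 443, "tcp"),
    Flow(17, "cam-01", "internet-gw", 80, "tcp"),
    Flow(18, "laptop-07", "cam-01", 1900, "udp"),
    Flow(19, "guest-09", "cam-01", 67, "udp"),
]

Service = Tuple[str, int]


def profile(flows: List[Flow], device: str) -> Dict[str, Set]:
    """Reduce a device's flows to a behavioral profile: services it offers
    (inbound proto/port), services it consumes (outbound proto/port) and the
    set of peers it talks to."""
    offered: Set[Service] = set()
    consumed: Set[Service] = set()
    peers: Set[str] = set()
    for f in flows:
        if f.dst == device:
            offered.add((f.proto, f.dport))
            peers.add(f.src)
        elif f.src == device:
            consumed.add((f.proto, f.dport))
            peers.add(f.dst)
    return {"offered": offered, "consumed": consumed, "peers": peers}


def detect_variance(baseline: List[Flow], monitor: List[Flow], device: str,
                    peer_growth: float = 2.0) -> Dict[str, object]:
    """Compare the monitoring-window profile against the learned baseline.
    A device that starts *offering* services it never offered, or whose peer
    count grows by `peer_growth` times or more, is flagged for investigation.
    Newly consumed services are reported but do not raise the flag on their
    own, since outbound behavior changes legitimately with firmware updates."""
    base = profile(baseline, device)
    now = profile(monitor, device)
    new_offered = sorted(now["offered"] - base["offered"])
    new_consumed = sorted(now["consumed"] - base["consumed"])
    peer_ratio = len(now["peers"]) / max(1, len(base["peers"]))
    return {
        "device": device,
        "new_offered": new_offered,
        "new_consumed": new_consumed,
        "peer_ratio": peer_ratio,
        "suspicious": bool(new_offered) or peer_ratio >= peer_growth,
    }


if __name__ == "__main__":
    # The camera is flagged: it now offers DHCP (67), DNS (53) and SSDP (1900)
    # and talks to twice as many peers as in the baseline window.
    print(detect_variance(BASELINE_FLOWS, MONITOR_FLOWS, "cam-01"))
```

The threshold of "any new offered service" is deliberately strict for devices with a fixed function such as cameras and infusion pumps; for general-purpose hosts the same profile would need an allow-list of expected services before it is useful.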
At the end of the day, visibility is key and organizations need to know where they have technology deployed, even in scenarios where remediation might not be possible or easy. It is important to always understand the “surface area” of your organization.
In this phase, the scanner will be the key. While there are subtle differences in the leading scanners, all use NIST’s CVE data and will generate some form of score based on the Common Vulnerability Scoring System (CVSS). Since tuning a scanner requires effort, HG recommends ensuring that your scanning solution has a proven track record in your specific industry, is able to demonstrate custom scanning profiles for different parts of the organization, and keeps up to date with the CVE database.
Key Questions to ask your existing or prospective VM service partner:
- How often do you update scanning engines to account for new CVE entries?
- How do you validate updates?
- How do you ensure CVE entries that were marked as “exempt” from scanning remain exempt when new updates are applied?
- What’s your roll-back process?
- Can you adjust scan intervals?
- Can you modify reporting intervals?
Vulnerability & Risk Prioritization
This component is where taking a risk-based approach to vulnerability management comes into effect. Most organizations have a threshold for time taken to patch based on the Common Vulnerability Scoring System (CVSS) score of the vulnerability. However, the issue is prioritizing which of the high and critical vulnerabilities are most likely to compromise your environment. Therefore, the key question with managing vulnerabilities should be around data enrichment. What can your service provider do that will enhance the raw vulnerability data in order to effect precise risk-based decision making?
- What is the number of vulnerabilities that meet the crux of being critical or exploitable, on essential assets, and exposed? How old are the vulnerabilities that meet these criteria?
- What’s my policy state for my prioritized segments and how “out of compliance” am I? This question is important since even if thousands of new vulnerabilities emerge, you aren’t measuring what you cannot control. However, if a new vulnerability emerges and it’s not patched according to your policy, that’s an indicator that something may not be working in your program.
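The two questions above, turned into a worked example (added here, not code from Herjavec Group or the post): a small set of scanner findings enriched with exploit availability, asset criticality and exposure, a function that isolates the "crux" backlog and its age, and a policy-state report that measures findings against a patching SLA by severity. The findings, the `VULN-` identifiers, the asset names and the `SLA_DAYS` thresholds are all constructed placeholders; the severity bands are the standard CVSS v3 qualitative ratings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    """One scanner finding enriched with asset and exposure context."""
    vuln_id: str                    # placeholder id, not a real CVE number
    asset: str
    cvss: float                     # CVSS base score as reported by the scanner
    exploit_available: bool         # assumed to come from an exploit-intelligence feed
    essential_asset: bool           # assumed to come from CMDB / business-criticality tags
    exposed: bool                   # reachable from an untrusted network (assumed from inventory)
    first_seen: int                 # day number the scanner first reported it
    patched: Optional[int] = None   # day number it was confirmed fixed, None if still open


# Assumed patching policy: maximum days to remediate, by CVSS severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def age_days(f: Finding, today: int) -> int:
    """Days the finding was (or has been) open."""
    end = f.patched if f.patched is not None else today
    return end - f.first_seen


def is_crux(f: Finding) -> bool:
    """The post's 'crux': critical or exploitable, on an essential asset, and exposed."""
    return (severity(f.cvss) == "critical" or f.exploit_available) \
        and f.essential_asset and f.exposed


def crux_backlog(findings: List[Finding], today: int) -> List[Tuple[str, str, int]]:
    """Open findings that meet the crux, oldest first: the list to patch before anything else."""
    open_crux = [f for f in findings if f.patched is None and is_crux(f)]
    return sorted(((f.vuln_id, f.asset, age_days(f, today)) for f in open_crux),
                  key=lambda t: t[2], reverse=True)


def policy_state(findings: List[Finding], today: int) -> Dict[str, object]:
    """Measure the program against its own policy: a finding is in policy if it
    was fixed within the SLA for its severity, or is still open but not yet past
    that SLA. Out-of-policy findings are broken down by severity so the report
    shows where the process, rather than the scanner, is falling behind."""
    in_policy = 0
    out_by_sev = {s: 0 for s in SLA_DAYS}
    for f in findings:
        sev = severity(f.cvss)
        if age_days(f, today) <= SLA_DAYS[sev]:
            in_policy += 1
        else:
            out_by_sev[sev] += 1
    out_total = sum(out_by_sev.values())
    return {
        "in_policy": in_policy,
        "out_of_policy": out_total,
        "out_by_severity": out_by_sev,
        "pct_out_of_policy": round(100.0 * out_total / max(1, len(findings)), 1),
    }


# Constructed sample findings; day 100 is "today". Not real scan output.
SAMPLE = [
    Finding("VULN-0001", "web-01", 9.8, True, True, True, 90),
    Finding("VULN-0002", "web-01", 7.5, True, True, True, 98),
    Finding("VULN-0003", "db-01", 9.1, False, True, False, 80),
    Finding("VULN-0004", "kiosk-07", 8.8, True, False, True, 50),
    Finding("VULN-0005", "web-02", 9.6, False, True, True, 70, patched=75),
    Finding("VULN-0006", "lab-03", 4.3, False, False, False, 10),
]
TODAY = 100

if __name__ == "__main__":
    print(crux_backlog(SAMPLE, TODAY))   # two exposed, essential, exploitable items
    print(policy_state(SAMPLE, TODAY))   # half the findings are past their SLA
```

Note what the two views say about the sample: the raw count of high and critical findings is five, but only two are in the crux backlog, and the policy report shows that the overdue items are mostly critical ones that have sat open past a seven-day SLA, which is a process signal rather than a scanner signal.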
Patch Management
The biggest challenge in Patch Management is that the patching policy often competes in priority with other IT initiatives. Therefore, the security team may end up being a “drag force” in moving the business forward. Two components help alleviate this drag force:
- Risk-Based Vulnerability Management, as defined earlier, helps reduce the noise and gives IT more precision on what to patch and how critical the patch is.
- Patch management gets easier when the vulnerability management platform is integrated with the ITSM platform for creating tickets and tracking progress. HG recommends asking vulnerability management vendors how they plan to integrate with your existing ITSM platform.
Remediation and Exception Tracking
Some well-run vulnerability management programs have provisions for self-service scanning, especially in environments where there’s an application development organization that’s spitting out code faster than the normal scanning interval would be able to keep up with. If this scenario applies to your organization, ask your existing or prospective service providers what provisions they have for on-demand scanning as it can be valuable where you may wish to validate whether or not a vulnerability has been patched.
On May 12th, JR Cunningham, HG’s VP of Strategic Solutions, and Ed Bellis, Co-Founder & CTO of Kenna Security, delivered a webinar that provided great insights on how remote working has added to the challenge of vulnerability management and why a risk-based approach may be beneficial for organizations to adopt.