Vulnerability management programs are the meat and potatoes of every comprehensive information security program. It’s not optional anymore; in fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program.
If you don’t have a formal vulnerability program, or if your program is ad hoc, there’s no time like the present. In fact, SANS Critical Security Controls #4 calls out continuous vulnerability assessment and remediation as an integral part of risk and governance programs.
If you’re still thinking about vulnerability management as a tactical operations tool to use occasionally, there are a lot of good reasons to reconsider. It should be one of the cornerstones of your security program. At KSG, we have implemented numerous vulnerability management programs.
Vulnerability management can be defined as “the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.” [1] Organizations use vulnerability management to preemptively defend against the exploitation of vulnerabilities in company applications, software and networks. Organizations that can effectively implement vulnerability management will be significantly safer from data breaches and theft. This process can be viewed in five key steps:
- Outline vulnerability management policy.
- Discover existing vulnerabilities.
- Analyze current level of security and rank vulnerabilities by threat level/remediation actions required.
- Mitigate the causes of vulnerabilities.
- Maintain security through ongoing testing and discovery.
Vulnerability Management Policy
Defining policy is the crucial first step of vulnerability management. An effective vulnerability management policy should do the following:
- Define the level of security that an organization wants to maintain.
- Set guidelines for vulnerability management practices (from testing to remediation and maintenance).
- Classify vulnerabilities by risk/threat and remediation effort.
- Determine how often scans will be performed and how much time is allotted for remediation of each class of vulnerability.
- Define access-control policy for all devices connected to company networks.
- Outline the consequences of noncompliance with vulnerability management policy.
Vulnerability Management Solutions
There are many commercially available vulnerability management solutions. These offerings range from automated vulnerability management systems to vulnerability management tools that require implementation by the organization. Vulnerability management solutions often include features such as policy management, application scanning/testing, vulnerability remediation, network and vulnerability monitoring, and reporting (vulnerabilities, compliance issues, etc.). Effective solutions should offer scalability and ease of implementation/integration. It is also important that vulnerability management solutions provide tracking and metrics for measuring success.
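To make the policy elements above concrete (classifying findings by risk, allotting remediation time per class, and tracking metrics for measuring success), here is a small worked example. It is added here and is not code from the original article or from KSG; the severity bands follow the standard CVSS v3 qualitative ranges, while the SLA days, the finding records and the reporting date are constructed values for illustration, not figures from the article or any standard.

```python
"""Minimal vulnerability-tracking model: encode the policy (severity classes and
remediation SLAs), rank open findings, and report SLA metrics.

Added example, not part of the original article. All SLA values, hosts and
finding records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy: CVSS v3 base-score bands (standard qualitative ranges) and the
# remediation time allotted per class (hypothetical policy values, in days).
SEVERITY_BANDS = [("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1)]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "info": None}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass
class Finding:
    finding_id: str
    host: str
    cvss: float
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


def classify(cvss: float) -> str:
    """Map a CVSS base score to the policy's severity label."""
    for label, floor in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "info"


def due_date(f: Finding) -> Optional[date]:
    """Remediation deadline: discovery date plus the SLA for the finding's class."""
    days = SLA_DAYS[classify(f.cvss)]
    return None if days is None else f.discovered + timedelta(days=days)


def status(f: Finding, as_of: date) -> str:
    """One of: open, open_overdue, closed_in_sla, closed_late."""
    due = due_date(f)
    if f.remediated is None:
        return "open_overdue" if (due is not None and as_of > due) else "open"
    return "closed_late" if (due is not None and f.remediated > due) else "closed_in_sla"


def prioritize(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings ordered by severity, then by the earliest deadline."""
    open_items = [f for f in findings if f.remediated is None]
    return sorted(open_items, key=lambda f: (RANK[classify(f.cvss)], due_date(f) or date.max))


def metrics(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Program metrics: open backlog by class, overdue count, SLA compliance."""
    open_by_severity: Dict[str, int] = {}
    overdue_open = closed = closed_in_sla = 0
    for f in findings:
        s = status(f, as_of)
        if s.startswith("open"):
            sev = classify(f.cvss)
            open_by_severity[sev] = open_by_severity.get(sev, 0) + 1
            if s == "open_overdue":
                overdue_open += 1
        else:
            closed += 1
            if s == "closed_in_sla":
                closed_in_sla += 1
    return {
        "open_by_severity": open_by_severity,
        "overdue_open": overdue_open,
        "sla_compliance": (closed_in_sla / closed) if closed else 1.0,
    }


# Constructed sample scan results (not real hosts or findings).
AS_OF = date(2024, 3, 20)
SAMPLE_FINDINGS = [
    Finding("V-1", "web-01", 9.8, date(2024, 3, 1)),                      # critical, overdue
    Finding("V-2", "web-01", 7.5, date(2024, 3, 10)),                     # high, within SLA
    Finding("V-3", "db-01", 5.3, date(2024, 1, 2), date(2024, 2, 15)),    # medium, closed in SLA
    Finding("V-4", "db-01", 8.1, date(2024, 1, 5), date(2024, 3, 1)),     # high, closed late
    Finding("V-5", "jump-01", 0.0, date(2024, 3, 15)),                    # informational, no SLA
    Finding("V-6", "web-02", 9.1, date(2024, 3, 18)),                     # critical, not yet due
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, AS_OF):
        print(f"{f.finding_id:5} {f.host:8} {classify(f.cvss):9} due={due_date(f)} {status(f, AS_OF)}")
    print(metrics(SAMPLE_FINDINGS, AS_OF))
```

Run as a script it prints the prioritized work queue (two criticals first, the overdue one at the top) and a metrics dictionary showing one overdue open finding and 50% SLA compliance on closed findings; these are the numbers a program owner would track over time to show whether remediation is keeping pace with the policy.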
Combining Threat and Vulnerability Management
The effectiveness of vulnerability management depends on the organization’s ability to keep up with current security threats and trends. Today’s application security threatscape is constantly evolving and, as a result, organizations need to be proactive in their threat and vulnerability management efforts. Most vulnerability management tools or systems will provide updates as new threats emerge, but organizations should still engage in threat research and analysis on a regular basis.
Network Vulnerability Management
A comprehensive organizational cybersecurity program requires that enterprises engage in both application and network vulnerability management. While application vulnerability management protects the “front door” to a company’s data, network vulnerability management protects the “back door.” Both must be secured for an enterprise to adequately protect its critical data. Organizational security teams must integrate their network security vulnerability management efforts with their application security efforts to ensure that new threats are addressed across both layers.
Network vulnerability management typically involves the use of tools such as antivirus programs, firewalls and/or intrusion detection systems. In addition to using these tools, security teams should regularly run security tests against the network from the outside in. This tests the network from the attacker’s perspective, allowing testers to discover vulnerabilities before attackers have the chance.