The evolution of the cyber threat landscape highlights the emerging need for organizations to strengthen their ability to identify, analyze and evaluate cyber risks before they evolve into full-fledged security incidents. When it comes to cyber risk mitigation, the terms “patch management” and “vulnerability management” are used as if they are interchangeable. This is absolutely not the case; in fact, they are confused because applying patches is one of the many ways to mitigate cyber risks. The decision to either roll out, unroll or disregard a specific patch falls within the larger context of vulnerability management. Defined as “a security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities,” vulnerability management is not a stand-alone scan-and-patch function. It’s a holistic function that takes a proactive view of managing the daunting task of addressing identified vulnerabilities in deployed hardware devices and software. Simply put, vulnerability management is a superset of patch management. Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. Vulnerability management is about making informed decisions and properly prioritizing what vulnerabilities to mitigate and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources. Vulnerability management has to be backed up by good threat intelligence that provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Intelligence on vulnerability exploitability prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations. A risk-based approach to vulnerability management makes it much easier to communicate the danger of a vulnerability across your security and operations teams up through senior managers and even to the board. This level of visibility into the rationale behind decisions made around vulnerabilities will increase confidence in the security team across your entire organization and will help prevent data breaches, such as the one Equifax suffered, from happening to you.
Stages of a Mature Vulnerability Management Program
There are four main stages of any effective vulnerability management program:
- The process that determines the criticality of the asset, the owners of the assets and the frequency of scanning as well as establishes the timelines for remediation.
- The discovery and inventory of assets on the network.
- The discovery of vulnerabilities on the discovered assets.
- The reporting and remediation of discovered vulnerabilities.
The first stage focuses on building a process that is measurable and repeatable. Stages two through four focus on executing the process with an emphasis on continuous improvement. Let us examine briefly each stage and see how Tripwire can help you.
Stage 1: The Vulnerability Scanning Process
The first stage can be divided into four steps. The first step is to identify the criticality of the assets in the organization. You can’t build an effective risk management program if you don’t determine what assets you need to protect. These include computing systems, storage devices, networks, data types and third-party systems on the organization’s network. Assets should be classified and ranked based on their true and inherent risk to the organization. Many aspects need to be considered in developing an asset’s inherent risk such as physical or logical connection to higher classified assets, user access and system availability. Assets with higher criticality will be prioritized higher than assets with lower criticality. However, remediation on assets with lower criticality should not either be ignored or postponed indefinitely. All assets contribute to the overall organizational risk, and the remediation effort should always be based in relation to minimizing overall risk. The second step is to identify the owners for each system. System owners are responsible for the asset, its associated risk and the liability if that asset becomes compromised. Accountability is a driving factor for the ultimate success of the vulnerability management program. Orphaned assets and vulnerabilities will be left forgotten and will become an unidentified risk to the organization. The third step is to establish the frequency of scanning. The Center for Internet Security in their CIS Control 3 “Continuous Vulnerability Management” recommends that an organization should “utilize an up-to-date vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.” Frequent scanning allows the owners of the assets to track the progress of remediation, identify new risks and re-prioritize the remediation of vulnerabilities based on updated intelligence. As an outer limit, vulnerability scanning should occur at least monthly. The fourth step is to establish and document timelines and thresholds for remediation. Remediation timelines should take into account the severity of the impact of a known vulnerability exploitation to the whole organization. Vulnerabilities with highest probable impact should be remediated immediately. The program should also cater for waivers in case a vulnerability cannot be remediated within the approved time frame. Remediation exception processes will document the accepted risk together with an action plan to remediate the vulnerability by a certain date.
Stage 2: Asset Discovery and Inventory
Asset discovery and inventory are actually CIS Controls one and two. These are the foundations for any security program. You can’t protect what you don’t know about. The purpose of CIS Control 1 is to “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” Furthermore, CIS Control 2 highlights the need to “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.” These two controls go hand in hand, as attackers are always trying to identify systems that are easily exploitable so they can get into an organization’s network such as shadow IT. Without the appropriate asset discovery and network access control, these types of devices can provide an easy gateway for an attacker into the corporate network. Once they’re in, they can leverage the control they’ve gained to attack other systems and further infiltrate the network. Ensuring that the information security team is aware of what’s on the network allows them to better protect those systems and provide guidance to the system owners to reduce the risk those assets pose.
Stage 3: Vulnerability Detection
Once all the assets on the network are identified, the next step is to identify the vulnerability risk posture of each asset. The recommended method for vulnerability scanning is to scan with credentials. This allows for increased accuracy in determining the organization’s vulnerability risk. You can then run vulnerability signatures specific to the operating system and installed applications that were detected in the discovery and inventory stage to identify which vulnerabilities are present.
Stage 4: Reporting and Remediation
Once the vulnerability scan is complete, a score is attached to each vulnerability using an exponential algorithm based on the skills required to exploit the vulnerability, the privileges gained upon successful exploitation and the age of the vulnerability. The easier the vulnerability is to exploit and the higher the privilege gained, the higher the risk score will be. In addition to this, as the vulnerability age increases, the score of the vulnerability also increases. The first metric that should be taken is an overall baseline average risk score for the organization. Based on this metric, organizations should start targeting at a risk reduction rate of 20-25% on a yearly basis. The next metric is the average risk score by owner. Similar to the target for the overall organization, each owner should target reducing their average risk score by 10% to 25% year over year until they’re below the accepted threshold for the organization. An idea that promotes the successful implementation of the program is for the C-Suite to award the asset owners with the lowest scores. Empirical vulnerability data to outline which vulnerabilities should be remediated along with instructions of how to conduct the remediation allow the system owners to prioritize their efforts with a focus on the vulnerabilities that will reduce the most the overall organizational risk. As new vulnerability scans are run, metrics, such as the ones offered by CIS, can be used to show trending analysis of the risk and remediation progress. The key is to show progress month by month, quarter by quarter and year by year. The vulnerability risk scores and time to remediation should decrease as teams become more familiar with the process and become more educated on the risks that the attackers pose.
How Tripwire Helps
Vulnerability and risk management is an ongoing process, and it should continuously adapt to the evolving cybersecurity threat landscape. Therefore, the process should be reviewed on a regular basis, and staff should be kept up to date with the latest threats and trends. Continuous development for the people, process and technology will ensure the success of the enterprise vulnerability and risk management program. If you want to have an unmatched vulnerability management program, Tripwire IP360 is the solution you have been looking for. Tripwire IP360 discovers all assets within your organization and what applications are running on those prior to conducting a vulnerability scan. Authenticated vulnerability scans also identify vulnerabilities that an attacker would see from an external unauthenticated vulnerability scan and provide a detailed analysis. Finally, Tripwire IP360 provides a meaning risk scoring and ranks vulnerabilities numerically based on impact, ease of exploit and age. You can learn more on how to build a mature vulnerability management program by reading this white paper.