An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals. These goals should address the information needs of all stakeholders, tie back to the business goals of the enterprise, and reduce the organization’s risk. Existing vulnerability management technologies can detect risk, but they require a foundation of people and processes to ensure that the program is successful. One way to approach a vulnerability management project is with a 4-staged approach, each containing its own set of subtasks:
- The discovery and inventory of assets on the network.
- Asset classification and task assignments:
- the process that determines the criticality of the asset:
- the owners of the assets;
- the frequency of scanning;
- The discovery of vulnerabilities on the discovered assets.
- timelines for remediation of discovered vulnerabilities.
- The reporting of remediation of discovered vulnerabilities.
Each stage involves a measurable and repeatable process, as well as a phase of execution. Of course, the aim is to create a managed, and optimized process for continuous improvement.
Stage One: Asset Discovery and Inventory
According to the CIS Critical Security Controls, as well as all other authorities, asset discovery and inventory are the first step in any vulnerability management system. After all, you cannot protect what you do not know about. An accurate inventory of all authorized and unauthorized devices on the network, as well as all software installed on the assets on the organization’s network go hand-in-hand, as attackers are always trying to identify easily exploitable systems. Ensuring that the information security team is aware of what is on the network allows them to better protect those systems and provide guidance to the owners of those systems to reduce the risks those assets pose. There have been many cases where systems are deployed without informing the information security team. These could range from test servers, to misconfigured cloud systems hosting company data. Without the appropriate asset discovery and network access control, these types of devices can provide an easy gateway for an attacker into the internal network.
Stage Two: The Vulnerability Scanning Process
Once an inventory is completed, assets should be classified and ranked based on their true and inherent risk to the organization. Many factors need to be considered in developing an asset’s inherent risk rating, such as physical or logical connections to higher classified assets, user access, and system availability. For example, an asset in a production environment is going to have a higher criticality than an asset in a test environment, and an internet-facing web server will have a higher criticality than an internal file server. However, though an asset is a lower criticality, remediation for that asset should not be ignored. Attackers can leverage these assets to gain access and then traverse through network by compromising multiple systems until they get to the systems with sensitive data. The remediation effort should always be based in relation to overall risk.
System owners are ultimately responsible for the assets, their associated risks and the liability if those assets become compromised. This step is critical in the success of the vulnerability management program, as it drives the accountability and remediation efforts within the organization. If there is no one to take ownership of the risk, there will not be anyone to drive remediation of that risk.
As part of continuous vulnerability management, an organization should run automated vulnerability scanning tools against all systems on the network on a frequent basis. This frequency can be determined by multiple dynamics, and could occur as broadly as annually, or as narrowly as weekly, depending on the asset classification. Scanning this frequently allows the owners of the assets to track the progress of remediation efforts, identify new risks, as well as reprioritize the remediation of vulnerabilities based on new intelligence. When a vulnerability is first released, it may have a lower vulnerability score because there is no known exploit. Once it has been around for some time, an automated exploit kit may become available which would increase the risk of that vulnerability. A system that was once thought to be invulnerable may become susceptible to a vulnerability or set of vulnerabilities due to the introduction of new software, or a patch rollback. There are many factors that could contribute to the risk posture of an asset changing. Frequent scanning ensures that the owner of the asset is kept up to date with the latest information. As an outer limit, vulnerability scanning should take place no less frequently than once per month.
Documented Timelines and Remediation Thresholds
Easily exploitable vulnerabilities should be remediated immediately. This is especially true of those that can yield privileged control to an attacker. Lesser rated vulnerabilities can be remediated according to a timeline agreed by the organizations risk appetite. In the event of a system owner being unable to remediate a vulnerability within the approved timeframe, a remediation exception process should be available. As a part of this process, there should be a documented understanding and acceptance of the risk by the system owner along with an acceptable action plan to remediate the vulnerability by a certain date. Vulnerability exceptions must always have an expiration date.
Stage Three: Vulnerability Detection
Vulnerabilities can be identified through an unauthenticated or authenticated scan, or by deploying an agent to determine the vulnerability posture. Typically, an attacker would view a system with an unauthenticated view. Therefore, scanning without credentials would provide a similar view to a “primitive” attacker. An unauthenticated scan is good for identifying some extremely high-risk vulnerabilities that an attacker could detect remotely and exploit to gain deeper access to the system. However, there are often vulnerabilities that can be exploited by an unwitting download of an attachment or malicious link execution that can remain undetected. A much more comprehensive and recommended method for vulnerability scanning is to scan with credentials, or deploy an agent. This allows for increased accuracy in the determination of the vulnerability risk to the organization. Vulnerability signatures specific to the operating system and installed applications that were detected in the discovery and inventory stage are run to identify which vulnerabilities are present.
Stage Four: Reporting and Remediation
It is not uncommon for an organization to have a very high average vulnerability score with lengthy remediation cycles in the initial stages of building the vulnerability management program. The key is to show progress month by month, quarter by quarter and year by year. The vulnerability risk scores and time to remediation should be decreasing as teams become more familiar with the process and become more educated on the risks that the attackers pose. To drive remediation, system owners need empirical vulnerability data to outline which vulnerabilities should be remediated along with instructions of how to conduct the remediation. Reports should outline the most vulnerable hosts, the highest scoring vulnerabilities and/or reports targeting specific highly vulnerable applications. This will allow the system owners to prioritize their efforts with a focus on the vulnerabilities that will reduce the most amount of risk to the organization. As new vulnerability scans are run, the metrics from the new vulnerability scans can be compared to the previous scans to show trending analysis of the risk as well as remediation progress. Vulnerability and risk management is an ongoing process. The most successful programs continuously adapt and are aligned with the risk reduction goals of the cybersecurity program within the organization. The process should be reviewed on a regular basis, and staff should be kept up to date with the latest threats and trends in information security. Ensuring that continuous development is in place for the people, processes, and technology will ensure the success of the enterprise vulnerability and risk management program. Interested in learning more about building a mature vulnerability management program? Click here to discover more.