Be organized and efficient. It’s a simple rule of life that makes things run a whole lot smoother. This is something especially important when running your vulnerability management program. There are only so many hours in a day, rather, there are only so many hours in a down cycle where the business will let you scan their environment for vulnerabilities! Let’s assume for a minute that your vulnerability management solution is not safe to run during production hours. (If you’re not using IP360, this may be the case, but that’s a topic for another day!) Most lines of business will only let the security team scan their environments after hours. These days, that means after about 8 or 9 pm and before 5 or 6 am. That leaves you with somewhere between 8 and 10 scanning hours each night, plus weekends if you’re lucky. Further to that, some folks who are scheduling these scans end up with scenarios where they only want to scan the Unix servers that are supporting application X on Wednesday Night, the databases servers supporting that application on Friday, the supporting network gear on Monday and the web servers on Sunday morning. Take that scenario and multiply it by the hundreds of applications, and you have yourself a hot mess of scheduling tasks. I’ve seen some organizations with thousands of scanning windows and tasks that are next to impossible to manage! This is definitely not fun and can be extremely time-consuming. Who has time for that? The end result is that you end up unsure if you’re actually covering everything in your environment and hoping that you didn’t miss recommending remediating something that an attacker can easily take advantage of. Well, what should we do about this, you ask? Firstly, when selecting a VM solution, find one that is non-intrusive. (This buyer’s guide may help.) Have the system owners monitor their system usage when you run a scan. This will prove to them that the load on the system is quite low. Furthermore, if they prefer that you do not do a credentialed scan, you can use a lightweight agent that will provide the data without needing to log in.
Business value: This speeds up the scan and ensures even cloud assets and transient devices are monitored for their vulnerability risk.
Secondly, organize your scans based on IP subnets. Work with your networking team to get a solid understanding of how the networks are deployed in your organization. You can strategically set up scanners to have minimal impact on the network by not having scans running through firewalls. For larger subnets, you can configure multiple scanners to pool together for a much faster run through of those subnets.
Business value: This will simplify the number of groups and tasks the security team needs to configure and keep up-to-date as well as minimize the network traffic.
Finally, once the assets are discovered, sort your reporting by line of business or system owner, so the organization can track the risk and report in a manner best suited for your particular organization. You can do this by leveraging your vulnerability vendors reporting options or by integrating with something like ServiceNow’s SecOps tool.
Business value: This will allow you to sort, organize and prioritize your remediation based on not only on what is the greatest risk to the organization but also based on what matters most to your particular organization.
Having a solid vulnerability management program is part of every organization’s information security program. Ensuring that it is configured in an efficient manner will make your organization successful in reducing risk and allow your security professionals to focus on actioning the data rather than administering a tool.