Have you ever been around someone who is just better at something than you are? Like when you were in grade school and there was this person who was effortless at doing things correctly, like getting high grades? They had great study habits, they arrived on time, they were prepared and confident in the materials that they studied in class, and they were a consistently high performer at every stage?
What about golf? I remember reading a book called “The Big Miss” by Hank Haney. He talked about nine specific tee shots that Tiger Woods hit: three from the right side of the tee box, three on the left side, and three in the middle. High, medium, and low for each shot. And then he went through the other areas of Tiger’s game, like how the thunderclap of Tiger hitting the ball was nothing like he had ever heard of in his life. He also stated by being so well-practiced, Tiger minimized his misses even under the highest level of pressure.
All of this occurs in the same vein as that in which we are trying to minimize risk in our vulnerability management programs. Those frameworks with the most resilience are ones that are able to minimize risk over the long-term.
But how does this relate to building out a vulnerability management program that helps you successfully manage risk in your company?
Just like there is a process to hitting golf balls, there is a process to building out a successful vulnerability management program as well as a secure change management program. Tripwire is here to help.
There are four main stages of any effective vulnerability management program:
- The discovery and inventory of assets on the network – You’ve got to understand what you have in your environment.
- Understanding the criticality of each asset, the owners of the assets and the frequency of scanning – This establishes the timelines for remediation.
- The discovery of vulnerabilities on the discovered assets – Things you need to fix.
- The reporting and remediation of discovered vulnerabilities – What has been found, and what is going to be done about it?
Let us examine briefly each stage and see how Tripwire can help you.
The First Stage: The Scanning Process
The first step is to identify the criticality of your organization’s assets. How can you build an effective risk management program if you don’t determine what needs to be protected? This includes networks, computing systems, storage devices, different data types and connected third-party systems on the company’s network. These elements need to be classified and categorized based on risk to the business. Many phases need to be measured as increasing an asset’s inherent risk such as physical or logical connection to higher ordered assets, user access and system availability. There are terms called coupling that deal with interdependencies of systems. The tighter the coupling, the more that something will have the propensity to adversely affect something else such as a higher risk asset.
Assets of higher importance in terms of measuring risk to the organization will be ranked at a higher level than those assets with lower risk value. However, remediation on assets with lower criticality should not be ignored or postponed indefinitely. Per the example of coupling and interdependencies, everything is tied to everything else, so all risks need to be addressed. Indeed, all assets contribute to the overall operational risk, and a remediation effort should always seek to minimize the overall risk.
Risks can be avoided, transferred, mitigated, or accepted.
The second step is to identify the owners of each system. Who owns what?
Asset owners are responsible for the asset, its related risk and the obligation if that asset becomes compromised. Responsibility is a driving factor for the success of the vulnerability management program. Bereaved assets and vulnerabilities will be forgotten and will become a nameless risk unless there are individuals within the organization who are responsible for them.
The third step is to establish the consistency of scanning. In its Control 3 “Continuous Vulnerability Management,” the Center for Internet Security (CIS) recommends that an organization “utilize an up-to-date vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.”
Recurrent scanning allows the owners of the assets to track the advancement of remediation, recognize new risks and re-prioritize the remediation of vulnerabilities based on updated information.
The fourth step is to establish timelines for remediation. These timelines need to take into consideration the magnitude of the effect of an attacker exploiting a known vulnerability. Security flaws with high impact should be remediated as fast as possible, and the effort should also provide for mitigation measures in case a vulnerability cannot be remediated within a defined timeline.
Remediation exclusion progressions will document the accepted risk and allow for a timeline to remediate the vulnerability.
Stage Two: Asset Discovery and Inventory
Asset discovery and inventory are the first and second CIS Controls.
These are the basics for any security program. The purpose of CIS Control 1 is to “actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” Additionally, CIS Control 2 highpoints the need to “actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”
These two controls are married together, as attackers are always trying to identify systems that are easily available so they can get into an organization’s network by exploiting potentially unpatched shadow IT devices.
Without a suitable asset discovery program and/or network access controls, these types of devices provide launch points for major attacks. Hackers get in and leverage the initial breach to attack other systems, thereby ensuring even greater damage.
Working with the information security team to make sure that it’s mindful of what’s on the network helps the team to protect identified systems, and it helps to identify guidance that’s useful for reducing the risk posed by those assets.
(You can learn more about the CIS controls in this blog series by Travis Smith.)
Stage Three: Vulnerability Detection
Vulnerability scanning, also commonly known as ‘vuln scan,’ is an automated process of proactively identifying network, application, and security vulnerabilities. Vulnerability scanning is typically performed by the IT department of an organization or a third-party security service provider. And for the record, this scan is also performed by attackers who try to find points of entry into your network.
The scanning process includes distinguishing and categorizing system weaknesses in networks, infrastructure equipment, and computers. In addition to identifying security areas of concern, the vulnerability scans also predict how effective countermeasures are in case of a threat or attack.
A vulnerability scanning service uses software running from the standpoint of the person or organization inspecting the attack surface in question. The vulnerability scanner uses a database to compare details about the target attack surface.
Stage Four: Reporting and Remediation
Once the vulnerability examination is accomplished, a score is devoted to each vulnerability using a specialized convention that’s tied to the skills necessary to exploit the flaw along with other critical data.
The easier the vulnerability is to exploit and the higher the privilege gained, the higher the risk score will be. In addition to this, as the vulnerability age increases, the score of the vulnerability also increases.
By applying Kaizen principles of continuous process improvement ensuring this program’s success, will show progress from months, to quarters, to years, and as a result vulnerability risk scores will trend lower and time to remediation will be reduced.
How Tripwire Helps
Understanding security risk on your network is essential to IT risk management. This task is complicated today by the high rate of change within your network, the constantly evolving threat landscape, and the increased requirements for regulatory compliance.
The solution is Tripwire IP360. Tripwire IP360 delivers risk-based vulnerability assessment and asset discovery capabilities. These are among the top foundational controls recommended by security experts. With Tripwire IP360, you get:
- Comprehensive discovery and profiling of all network assets
- Highly scalable architecture with low network impact
- Advanced vulnerability scoring that identifies top risks
- Prioritized change results when used with Tripwire Enterprise
- Agent-based vulnerability management for superior protection
You can learn more on how to build a mature vulnerability management program by reading this white paper.