On the surface, vulnerability management (VM) is nearly ubiquitous. If you ask someone whether their organization has VM, the vast majority will reply in the affirmative.
In fact, Tripwire asked that very question in a recent survey on the topic. Eighty-eight percent of respondents said yes. Beneath that surface of ‘yes’ responses, however, lies a varied spectrum of implementation ranging from periodic penetration testing to full-blown enterprise vulnerability management. As a VM vendor presenting your solution, you get used to the response (in a faux French accent) of “We’ve already got one!”
At the same time, the problem of vulnerability risk has hardly been solved. In the same survey, 27% of respondents indicated that they’ve experienced a breach as a result of an unpatched vulnerability. The VM market is growing, and that means that organizations are expanding and replacing the tools they have.
If you’re going to increase investment, or make a replacement decision, you have to answer this most difficult question: how do you know your vulnerability management program is effective? In order to shed some light on that question and how it might be answered, let’s look at seven habits of highly effective VM programs.
1. Executive Buy-In
It’s easy to say that tone-from-the-top makes a big difference, but how do you actually determine if an initiative has executive buy-in? Start with the phrase ‘buy-in’ perhaps. If a VM initiative has the right level of sponsorship and visibility, then you should be able to articulate how the success or failure of the initiative impacts those executives. It might be that there’s a specific compensation impact, or it might be less concrete, but when a program can succeed or fail without affecting someone, then that person definitely does not have buy-in.
2. Asset Discovery
Any limit you place on the scope of vulnerability management is a limitation on the risk to which you have visibility. That’s why asset discovery has to be a core component of any vulnerability management program. If a VM program excludes assets or specific areas of the business, that’s a sign that it’s not going to be effective at risk reduction. You can’t remove risk you don’t know about. Likewise, if asset discovery isn’t continuous or performed with frequency, it’s likely to become stale and inaccurate.
3. Scan Frequency
You might think that the mantra here is something like ‘scan continuously,’ but that’s a red herring. The reality is that you’re conducting scans for two reasons: first, in order to drive remediation activity and second, in order to identify meaningful changes in your risk profile (e.g. find new, high-risk vulnerabilities). Your scan frequency should be, first and foremost, rational. That means it should be tied to those two objectives. If you remediate on a monthly cadence, then scanning daily isn’t going to improve your outcomes. If, however, you have inadequate change management, then you might mitigate some of that risk with more frequent scanning in order to achieve the second objective. The ideal scenario is that scans occur in a similar cadence with remediation activities and automatically when changes occur.
4. Incorporating Business Context
Vulnerability risk isn’t absolute, and if you’re basing your remediation priorities on some notion of absolute risk, then you’re likely leaving risk on the table. Highly effective vulnerability management incorporates the business context of the discovered vulnerabilities, and the systems on which they exist, into the prioritization mechanisms used to drive remediation activity. What does that mean in practice? It means that assets of higher value and higher risk to the business get addressed first.
5. Exceptions are the Exception
You can’t manage risk you don’t know about, and creating exceptions from scanning creates pockets of unknown risk. There may well be devices in an environment that can’t be scanned, but they should be few and far between and hopefully on their way to retirement. Organizations that actively measure the total surface area they’re missing are generally high-performing when it comes to VM.
6. Managing to Metrics
Panic is not a strategy, but it’s a big part of the information security industry. There is a lot of fear, uncertainty and doubt to be had out there. Effective vulnerability management programs aren’t built on FUD. They’re built on metrics. Progress is inevitable if you simply start with the question “how do I know we’re doing a good job?” That question leads to some definition of good, a requirement to measure it and likely a bunch of other metrics to help understand why you’re not there yet. There are plenty of metrics to choose from and more than enough advice on which are the best. I’m always in favor of using the metrics that drive the right behavior in your organization.
7. Remediation Workflow
The point of all this activity to find and measure vulnerability risk isn’t a pretty report. The point is to make better risk mitigation decisions. The point is to take action. Effective vulnerability management has to result in effective remediation actions. No vulnerability assessment tool does this automatically for a variety of valid and invalid reasons. That means that effective VM programs integrate with the remediation workflows that drive action within an organization. The tricky part is that these workflows are likely to be unique, and there are usually multiple of them.
If your VM program consists of generating a report and handing it off to another team, you might have some room for improvement. Start by finding out how work gets done inside your organization, then figure out how to get the right remediation work into those processes.
The evidence in the market is that there’s plenty of vulnerability assessment out there but also room for improvement with effective vulnerability management. If you find yourself in a position of ownership for a vulnerability management program, these seven habits should help you get the most out of your efforts to manage and reduce vulnerability risk.