This is the conclusion to a three-part series of building a successful vulnerability management program.
The first installment focused on Stage One, the vulnerability scanning process. Without a foundation of people and process, the remaining stages are prone to failure. The second installment focused on Stages Two and Three, using a vulnerability scanning technology to discover and inventory assets, followed by detecting vulnerabilities on known assets.
In this article, I conclude my three-part series by diving into the fourth and final stage: reporting and remediation.
Stage 4: Reporting and Remediation
Once the vulnerability scan is complete, a score is attached to each vulnerability using an exponential algorithm based on three factors:
- The skill required to exploit the vulnerability;
- The privilege gained upon successful exploitation; and
- The age of the vulnerability.
The easier the vulnerability is to exploit and the higher the privilege gained, the higher the IP360 risk score will be. In addition to this, as the vulnerability age increases, the score of the vulnerability also increases.
The first metric that should be taken is an overall baseline average IP360 risk score for the organization.
Successful Tripwire vulnerability management customers start by targeting a risk reduction of 10% to 25% year over year. As the program matures, a target IP360 risk score can be set for the organization to achieve. In the initial years, an average risk score per asset of below 5,000 is a good target.
Most mature organizations strive to have even lower averages and focus on addressing any single vulnerability with a score higher than 1,000.
The next metric that should be taken is the average IP360 risk score by owner.
The ownership of assets was identified in the first stage; therefore, each owner should be able to see the baseline IP360 risk score for their assets. Similar to the target for the overall organization, each owner should target reducing their average risk score by 10% to 25% year over year until they are below the accepted threshold for the organization.
System owners should be able to view their scores in comparison with other system owners to create a sense of competition among their peers. Those who have the lowest scores should be rewarded for their efforts.
In order to drive remediation, system owners need empirical vulnerability data outlining which vulnerabilities should be remediated, along with instructions on how to conduct the remediation. Reports should outline the most vulnerable hosts, the highest-scoring vulnerabilities, and/or specific highly vulnerable applications. This allows system owners to prioritize their efforts, focusing on the vulnerabilities whose remediation will remove the most risk from the organization.
As new vulnerability scans are run, the metrics from the new vulnerability scans can be compared to the previous scans to show trending analysis of the risk, as well as remediation progress.
Some metrics that can be used to track remediation are as follows:
- What is the average vulnerability score of each asset by owner and overall?
- How long does it take, on average, to remediate infrastructure-based vulnerabilities by owner and overall?
- How long does it take, on average, to remediate application-based vulnerabilities by owner and overall?
- What percentage of assets have not recently been scanned for vulnerabilities?
- How many remotely exploitable vulnerabilities yielding privileged access are exposed on systems?
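To make these metrics concrete, here is an added example (not part of the original article or of Tripwire's tooling) that computes them over a small, constructed set of scan findings. Risk scores are taken as scanner output rather than recomputed, since the article does not give the IP360 formula; the asset names, owners, scores and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    asset: str
    score: int              # scanner-reported risk score, taken as input (not recomputed here)
    category: str           # "infra" or "app"
    remote: bool            # remotely exploitable
    privileged: bool        # yields privileged access on success
    found: date
    fixed: Optional[date] = None   # None while the finding is still open

# Constructed sample data: three assets, two owners, five findings.
ASSETS = {"web01": "alice", "web02": "alice", "db01": "bob"}
LAST_SCAN = {"web01": date(2024, 6, 1), "web02": date(2024, 6, 1), "db01": date(2024, 3, 15)}
FINDINGS = [
    Finding("web01", 1200, "app", True, True, date(2024, 5, 1)),
    Finding("web01", 300, "infra", False, False, date(2024, 5, 1), date(2024, 5, 11)),
    Finding("web02", 4000, "infra", True, True, date(2024, 4, 20), date(2024, 5, 20)),
    Finding("db01", 8000, "infra", True, True, date(2024, 5, 1)),
    Finding("db01", 500, "app", False, False, date(2024, 5, 1), date(2024, 5, 31)),
]

def avg_score_by_owner(findings, assets):
    """Average per-asset score (open findings summed; clean assets count as 0), per owner and overall."""
    totals = {a: sum(f.score for f in findings if f.asset == a and f.fixed is None) for a in assets}
    by_owner = {}
    for asset, owner in assets.items():
        by_owner.setdefault(owner, []).append(totals[asset])
    result = {o: mean(v) for o, v in by_owner.items()}
    result["overall"] = mean(totals.values())
    return result

def mean_days_to_fix(findings, category):
    """Average days from detection to remediation for closed findings of one category."""
    days = [(f.fixed - f.found).days for f in findings if f.category == category and f.fixed]
    return mean(days) if days else None

def pct_not_recently_scanned(last_scan, today, max_age_days=30):
    """Share of assets whose last scan is older than max_age_days."""
    stale = sum(1 for d in last_scan.values() if (today - d).days > max_age_days)
    return 100.0 * stale / len(last_scan)

def open_remote_privileged(findings):
    """Open findings that are remotely exploitable and yield privileged access."""
    return sum(1 for f in findings if f.fixed is None and f.remote and f.privileged)
```

Running the same functions against each new scan export and keeping the results per date gives the month-by-month trend the article asks for.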
It is not uncommon for an organization to have a very high average vulnerability score with lengthy remediation cycles in the initial stages of building the program. The key is to show progress month by month, quarter by quarter, and year by year.
The vulnerability risk scores and time to remediation should decrease as teams become more familiar with the process and better educated on the risks that attackers pose.
Vulnerability and risk management is an ongoing process. The most successful programs continuously adapt and are aligned with the risk reduction goals of the cybersecurity program within the organization. The process should be reviewed on a regular basis and staff should be kept up-to-date with the latest threats and trends in information security.
Ensuring that continuous development is in place for the people, process and technology will ensure the success of the enterprise vulnerability and risk management program.