7 Step Guide to Vulnerability Management
- Viral Trivedi
- Apr 6, 2021
- 4 min read

Many organizations are still struggling with their ability to detect unpatched vulnerabilities, which could explain why those vulnerabilities are responsible for so many breaches. In a report entitled “Costs and Consequences of Gaps in Vulnerability Response,” 60% of responding IT professionals told the Ponemon Institute and ServiceNow in FY 2019 that at least one of the data breaches they suffered over the previous two years might have occurred because of an unpatched vulnerability. More than half (64%) of survey participants said that their organizations planned on responding by hiring additional staff to support their patching efforts over the next 12 months. They revealed this intention despite the fact that vulnerability scanning didn’t take place in over a third (37%) of respondents’ workplaces.
Upping Digital Security with Vulnerability Management
Many organizations could benefit from restructuring the way in which they address security vulnerabilities. One of the ways they can do this is by creating a formal vulnerability management (VM) program, or what the SANS Institute defines as “the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated.” SMEs can then use that information to remediate those known weaknesses and thereby minimize digital risk within their environments.
Vulnerability management isn’t the same as vulnerability scanning, the practice of using software to identify vulnerabilities within apps and other computer infrastructure. But vulnerability scanning is often part of vulnerability management. The same is true of patch management, which shapes how and when organizations implement fixes to known vulnerabilities. Patches are only one means by which security analysts can remediate vulnerabilities. Patch management does not cover the other remediation options available to organizations, nor does it factor into the decision to mitigate a security hole using compensating controls and/or other measures.
Clearly, a lot goes into a successful VM program. This is why it’s worth the effort to understand the seven discrete steps of a VM initiative. These are as follows:
Stage 1: Create an Inventory of Existing Assets
Shadow IT is antithetical to an effective vulnerability management effort: organizations can’t properly secure assets they don’t know about. Acknowledging this fact, it’s important for organizations to begin their VM program by creating an inventory of all hardware and software that’s connected to the corporate network. They can actively seek out those devices, but in the interest of detecting possible shadow IT instances, they should also consider using passive asset discovery tools to help them build a map of their network.
Stage 2: Identify the Criticality of the Assets
Once they have created an inventory of existing assets, organizations should go about identifying the criticality of those assets to the business. They can use risk assessments to help them evaluate the physical and/or logical connections that some assets might have to other resources, the types and number of users who can access those assets, and the granular details about those assets’ availability. Organizations will naturally prioritize assets with a higher risk profile. But they shouldn’t ignore their other assets, either. As noted by Tripwire, “all assets contribute to the overall organizational risk, and the remediation effort should always be based in relation to minimizing overall risk.”
Stage 3: Identify the Owners of Each System
System owners are an integral part of a vulnerability management program. As the owners of their employer’s assets, they’re the ones who are ultimately responsible for mitigating the risks posed by those devices. It’s therefore important that organizations be able to identify the system owners of each asset. If they find any assets that lack an owner, they should consult with their department heads to assign ownership over those assets in a manner that complements their business flows and processes.
Stage 4: Define the Frequency of the Vulnerability Scanning
With that done, it’s time for organizations to figure out how often they’d like to scan their environments for vulnerabilities. The Center for Internet Security recommends in its Critical Security Control 3: Continuous Vulnerability Management that organizations scan their connected systems at least once a week. This timetable will enable system owners to track remediation, identify new threats and take care of those risks without having them dwell in their environments for longer than necessary.
Stage 5: Establish Timelines and Thresholds for Remediation
Organizations also need to specify their VM program’s timelines and thresholds for remediation. In this step, organizations want to make sure that they’re clearly defining the assets, the types of flaws, and other factors that would require them to remediate along with the timelines in which they must implement a fix. They also need to allow for the possibility that they won’t be able to implement all necessary patches within a given timeline and that some assets might require special treatment in their VM program. They can document those exceptions at this time.
Stage 6: Identify the Vulnerability Risk Posture of Each Asset
After completing those steps, organizations can run the vulnerability scan. It’s recommended that they do so with credentials, as this will increase the level of accuracy in determining organizational risk. Security analysts can also run scans with vulnerability signatures to try to find weaknesses in their inventoried hardware and software.
Stage 7: Remediate Vulnerabilities in an Effort to Minimize Risk
Each security hole identified in a vulnerability scan receives a score that reflects a number of factors including its age and the skills required to exploit it. Organizations and system owners can use those scores to begin remediating their vulnerabilities. Sometimes, all they’ll need to do is install a software patch. Other times, they might need to look to a more expensive fix such as replacing an outdated device that no longer receives updates.
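As an added worked example (not code from this article or from Ampcus Cyber), the following Python ties Stages 1, 2, 3, 5 and 7 together: it takes a constructed asset inventory with criticality and owners, a constructed set of scan findings with CVSS scores, and a table of remediation timelines, and produces a prioritized remediation queue plus a list of program gaps (hosts the scanner saw that are missing from the inventory, and assets with no owner). All asset names, vulnerability ids, SLA day counts, dates and the exception entry are assumptions invented for the example; the severity bands follow the usual CVSS v3 qualitative ratings.

```python
"""Turn a vulnerability scan into a prioritized remediation queue with per-asset SLAs.
Constructed example data throughout; not the article's or any vendor's code."""
from dataclasses import dataclass
from datetime import date, timedelta

# Stage 2 + 3: inventory with business criticality and a system owner (constructed).
INVENTORY = {
    "db-prod-01":  {"criticality": "high",   "owner": "dba-team"},
    "web-prod-02": {"criticality": "high",   "owner": "web-team"},
    "build-ci-07": {"criticality": "medium", "owner": None},       # Stage 3 gap: no owner
    "kiosk-lobby": {"criticality": "low",    "owner": "facilities"},
}

# Stage 5: days allowed to remediate, keyed by asset criticality then finding severity.
# These day counts are assumptions for the example, not a published standard.
SLA_DAYS = {
    "high":   {"critical": 7,  "high": 14, "medium": 30, "low": 90},
    "medium": {"critical": 14, "high": 30, "medium": 60, "low": 120},
    "low":    {"critical": 30, "high": 60, "medium": 90, "low": 180},
}

# Stage 5: documented exceptions, (asset, finding id) -> reason. They stay visible in the
# queue but are not counted as overdue.
EXCEPTIONS = {("kiosk-lobby", "VULN-0004"): "vendor appliance; fix scheduled with hardware refresh"}

@dataclass
class Finding:
    asset: str
    vuln_id: str      # placeholder ids; a real scanner would emit CVE or plugin ids
    cvss: float
    first_seen: date  # date the scanner first reported the finding

def severity(cvss: float) -> str:
    """Bucket a CVSS v3 base score into its qualitative rating band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def triage(findings, inventory, today):
    """Return (queue, problems). queue: findings with due date and status, most urgent first.
    problems: inventory and ownership gaps that must be closed for the scores to be meaningful."""
    queue, problems = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            # Stage 1: the scanner saw a host the inventory does not know about (possible shadow IT)
            problems.append(f"{f.asset}: not in inventory")
            continue
        if asset["owner"] is None:
            problems.append(f"{f.asset}: no system owner assigned")
        sev = severity(f.cvss)
        due = f.first_seen + timedelta(days=SLA_DAYS[asset["criticality"]][sev])
        if (f.asset, f.vuln_id) in EXCEPTIONS:
            status = "exception"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        queue.append({"asset": f.asset, "vuln_id": f.vuln_id, "severity": sev,
                      "criticality": asset["criticality"], "owner": asset["owner"],
                      "due": due, "status": status})
    # Overdue items first, then open items by earliest due date, documented exceptions last.
    rank = {"overdue": 0, "open": 1, "exception": 2}
    queue.sort(key=lambda q: (rank[q["status"]], q["due"]))
    return queue, problems

def run_example():
    """Constructed scan output as of the article's publication date."""
    findings = [
        Finding("db-prod-01",     "VULN-0001", 9.8, date(2021, 3, 20)),
        Finding("web-prod-02",    "VULN-0002", 7.5, date(2021, 4, 1)),
        Finding("build-ci-07",    "VULN-0003", 5.3, date(2021, 2, 1)),
        Finding("kiosk-lobby",    "VULN-0004", 8.1, date(2021, 1, 10)),
        Finding("unknown-host-9", "VULN-0005", 6.0, date(2021, 4, 5)),
    ]
    return triage(findings, INVENTORY, today=date(2021, 4, 6))

if __name__ == "__main__":
    queue, problems = run_example()
    for q in queue:
        print(f"{q['status']:9} {q['asset']:14} {q['vuln_id']} sev={q['severity']:8} "
              f"due={q['due']} owner={q['owner']}")
    for p in problems:
        print("PROGRAM GAP:", p)
```

The ordering is the point: an asset's business criticality (Stage 2) shortens the deadline for the same CVSS score, so a medium-severity finding on a high-criticality system can land ahead of a high-severity finding on a kiosk, and the two program gaps it reports are exactly the conditions under which a score-driven queue is misleading.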
Help for Organizations’ VM Efforts
Running an efficient VM program is a lot for organizations to do on their own. That’s where Ampcus Cyber comes in. This managed service provider uses its team of experts and researchers to identify vulnerabilities and other threats in its clients’ environments. Through its vCISO services, Ampcus Cyber can also help organizations set up and manage an enterprise-wide vulnerability management program.