Vulnerability management (VM) programs are the bread and butter of every comprehensive information security program. They are no longer optional. In fact, several information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program.
If you don’t have vulnerability management tools, or if your VM program is ad hoc, there’s no time like the present. In fact, the Center for Internet Security’s Critical Security Control #3 calls out continuous vulnerability assessment and remediation as an integral part of risk and governance programs.
If you still think of a vulnerability management policy as merely a tactical operations tool, there are a lot of good reasons to reconsider. It should be one of the cornerstones of your security program.
A Quick Vulnerability Management Definition
Let’s begin by making sure we’re all talking about the same thing. The vulnerability management process is a continuous information security risk undertaking that requires management oversight. There are four high-level processes that make up vulnerability management: discovery, reporting, prioritization and response. In a robust vulnerability management framework, every process and sub-process within it should be part of a continuous cycle focused on improving security and reducing the risk profile of network assets.
Vulnerability Management Best Practices
Managing vulnerabilities with discovery and rediscovery
Discovery is the process by which network assets are found, categorized and assessed. Information about assets should be categorized into data classes such as vulnerability, configuration, patch state, compliance state or simply inventory.
The discovery phase should find every computing asset (yes, every single one) on your network and build a database of information that the other VM processes can use. Since your network is in a constant state of change, the information about your assets must be frequently refreshed.
Reports, reports, reports
Reporting of the data found during discovery typically produces a number of different outputs suited to different audiences. Reports should produce a prioritization matrix that feeds into the vulnerability management processes. After all, the raw data on every vulnerability in an enterprise isn’t very useful on its own. Ideally, these reports can also be used for tactical operations tasks and, at a higher level, to provide visibility and business-oriented risk metrics to upper management.
In VM, Priorities Are (Almost) Everything
Prioritization is a vital vulnerability management process that ranks known risks according to a predefined set of characteristics. For example, prioritization should spark a thought process something like this: Given the current state of the asset from the discovery process, the value of that specific asset and any known threats, how important is it that we spend resources to correct or mitigate these risks? Alternatively, are the known risks on this specific asset acceptable to our business right now?
The goal of prioritization is to use a vulnerability management tool to create a customized list of what to tackle first, second, third and so on. Ideally, this prioritized list of actions is used to feed into ticketing systems for IT Ops and drive specific tasks for system operators.
Risk response is the last part of the vulnerability prioritization process. Essentially, risk response is the approach an organization chooses to deal with the known risks (note: ignoring a risk is not a response).
Addressing risk falls into three categories: remediate, mitigate or accept. Remediation can be thought of as the act of correcting a discovered flaw. For example, if a vulnerability is caused by a missing patch, one option is to remedy the problem by installing the patch.
On the other hand, mitigation is the act of reducing risk by taking another action, usually outside the immediate realm of the affected system. For example, rather than fixing a discovered web application flaw on your system, you might choose to install a web application firewall. The vulnerability is still there, but with the web application firewall in place, the risk is diminished.
Risk acceptance is making a choice to accept the risk without remediation or mitigation. For example, the security operations team may recommend that lab equipment run antivirus software. However, business stakeholders agree not to use AV software because it would affect engineering test cases. In this case, the business has elected to accept the known risk.
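As an added example (not code from the article), the prioritization and response steps above can be expressed as a small Python routine: each discovery record is scored by severity, asset value and known threats, sorted for the ticketing queue, and mapped to remediate, mitigate or accept, with records older than the rediscovery interval sent back to discovery instead. The score formula, the weekly interval and the four sample assets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
MAX_AGE = timedelta(days=7)  # assumed rediscovery interval for a weekly program

@dataclass
class Finding:
    asset: str             # hostname from the inventory
    asset_value: int       # business value of the asset, 1 (low) to 5 (high)
    cvss: float            # severity of the vulnerability, 0.0 to 10.0
    threat_known: bool     # a known threat targets this flaw
    patch_available: bool  # a fix exists, so remediation is possible
    accepted: bool         # business stakeholders have accepted this risk
    assessed: datetime     # when discovery last looked at this asset

def score(f: Finding) -> float:
    """Rank a finding by severity, weighted by asset value and known threats."""
    return f.cvss * f.asset_value * (2.0 if f.threat_known else 1.0)

def response(f: Finding, now: datetime = NOW) -> str:
    """Map a finding to remediate / mitigate / accept, or back to discovery."""
    if now - f.assessed > MAX_AGE:
        return "rediscover"  # stale data is not actionable: assess again first
    if f.accepted:
        return "accept"      # documented business decision, still tracked
    if f.patch_available:
        return "remediate"   # correct the flaw itself, e.g. install the patch
    return "mitigate"        # no fix yet: compensating control such as a WAF

def prioritize(findings, now: datetime = NOW):
    """Return (asset, response, score) tuples, highest risk first, for ticketing."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.asset, response(f, now), round(score(f), 1)) for f in ranked]

# Constructed discovery output for four hypothetical assets.
SAMPLE = [
    Finding("db01", 5, 9.8, True, True, False, NOW - timedelta(days=1)),
    Finding("web02", 3, 7.5, False, False, False, NOW - timedelta(days=2)),
    Finding("lab-bench", 1, 6.0, False, True, True, NOW - timedelta(days=3)),
    Finding("printer9", 2, 5.0, True, True, False, NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for asset, action, risk in prioritize(SAMPLE):
        print(f"{asset:10} {action:10} {risk}")
```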
In Scope, Out of Scope
Now that we all agree on the importance of vulnerability management and what it includes, we should also discuss what it doesn’t include, because a lot of people seem to be confused about this.
Pen testing is not included in vulnerability management
Vulnerability management is not a penetration test. Just because a product scans your systems doesn’t mean you have a pen test tool. In fact, the reality is quite the opposite. A vulnerability management scanner typically checks for the presence or absence of a specific condition, such as the installation of a specific patch.
A pen test tool, on the other hand, will actually attempt to break into the system using predefined exploits. While both types of tests might ultimately deliver the same recommendation, the methods used to arrive at these conclusions are wildly different. If you’re looking for a good pen test, odds are good that you need more than a tool. A pen test should be exhaustive and include physical testing and in-person interviews as well as many other things.
While several vulnerability management systems work in conjunction with configuration management systems, there’s a crucial distinction between the two. In fact, CIS has a lot to say about this. Vulnerability management may uncover issues related to system configuration and flag them as risks. However, the operation and management of system configurations are distinctly part of the configuration management program.
Define Continuous VM
Your vulnerability management data is only as good as the last time it was updated. Similar to an audit, the data reported is only relevant as of the last time an asset was assessed. The key to creating the most relevant data set is to run your vulnerability management program often. For some companies, this means daily or weekly. I don’t think you can call your program continuous if you update it once a quarter, and let’s not even bring up annual assessments, because we all know the rate of change on networks means that annual data is pretty useless eleven months of the year.
The Alpha and the Omega (NOT)
Vulnerability management is just one piece of a security program. It’s not going to solve the whole risk management challenge. Vulnerability management is the foundation of a security program. You’ve got to begin with a comprehensive understanding of what’s on your network. If you don’t know it’s there, there’s no way you can protect it. You also need to understand the risks for each asset on your network in order to effectively prioritize and remediate.