The Best Vulnerability Management Program in 2020
Data breaches have been the new normal for nearly two decades, and 2020 is shaping up to be just as bad. In the first quarter of 2020 alone, the number of disclosed data breach records rose by 273%. There could be more undisclosed breaches waiting to be discovered. We may not know about them because of the chaos caused by the pandemic. We’ll know more as Covid-19 becomes less of a factor and people return to a normal routine.
We all know that data breaches put our personal information at risk. We’re used to seeing our credit cards, Social Security Numbers, dates of birth, and other personally identifiable information (PII) stolen. We know that our disclosed personal information puts us at risk for identity theft.
The sad fact is that most people have become somewhat numb by all of the data breaches. Data breaches are so common that we have numerous laws, rules, and regulations meant to strong arm companies into protecting our data. We have laws in all 50 states requiring private and governmental entities to notify individuals of security breaches. In many cases, these laws come with fines.
Only, fines haven’t solved the problems related to large data breaches. Neither has the drop in stock price and market value that publicly traded companies experience. In an article on Threat Post, Matthew Gardiner of Mimecast said, “While some organizations are no doubt reckless stewards of data and intellectual property, the problem of security and resilience is a very challenging one,” Gardiner said — “one that can’t be fixed with such a blunt instrument as a fine”.
Largely, data breaches occur because it is much easier to compromise systems than it is to protect them.
The Federal Trade Commission (FTC) is starting to hand out its largest and most severe fines. The Equifax data breach alone resulted in $700 million in penalties. These penalties make the Equifax agreement the most significant data breach settlement on record. Yet, it’s certainly not the only fine. This Threat Post article states, “Despite trillions of dollars in breach fine payouts, each year the number of compromised companies and individuals with private data exposed rise”.
Unfortunately, fines have not resulted in better security practices or improved consumer privacy. News of a breach disclosure tends to negatively affect the stock price of publicly traded companies.
Stock prices tend to drop right after a public breach announcement. Once the news has worn off, it’s business as usual. In most cases, stock prices continue to climb and wind up higher than what they were before the breach.
Meaning that the stock price isn’t negatively affected enough to harm a publicly traded company. The phenomena demonstrates that a breach doesn’t signal the death of a company’s business. Publicly traded companies that experience breaches tend to underperform in the stock market, concluded a recent study of 28 breached publicly traded companies.
That being said, the security industry has erroneously believed that data breaches would have longer lasting negative effects. The study found that “after three years, [the] average share price [of a breached publicly traded company] is up by 32.53% but down against the NASDAQ by -13.27%”.
So, in conclusion, fines and stock price drops are penalties for sure, but not so severe as to warrant real change. If we want lasting change, we need to embed information security best practices into our everyday culture. Companies should want to improve their information security programs because it’s the right thing to do.
Compliance Isn't Enough
Meeting compliance requirements alone isn’t enough to prevent breaches. Many organizations were compliant when they experienced their data breach. Organizations that focus on achieving compliance can miss out on the opportunity to excel and do more than the bare minimum. Unfortunately, compliance can be a check box only exercise for far too many companies.
In the case of PCI DSS, the scope of compliance is limited to cardholder data. Systems that don’t process, store, or transmit cardholder data are considered out of scope. Meaning that in order to achieve compliance, you need to only focus meeting the requirements for those in-scope systems. That’s not the way that large data breaches happen.
Cyber attackers don’t pull their punches by “limiting their scope”. Instead, they go after any system that could lead them to their ultimate prize. They will target seemingly unrelated systems and sometimes spend months or even years compromising systems and user accounts.
Most of what criminals do once they compromise a network is to improve their hold on the network. They may harvest accounts and credentials, learn the network, and install backdoors as they go. Once cybercriminals have learned where the most valuable information is, they steal it. Then they look for a way to avoid data security protection and detection technologies in order to ex-filtrate the stolen data out of the network.
Making a Case for Vulnerability Management
- Application security coding standards and developer training
- Change control (aka change management)
- Reliable security technologies in place that help with data loss, network and host security
- Robust patching and vulnerability remediation programs
- Server build practices to reduce the number of vulnerable services and misconfigurations
- Desktop build processes to reduce the threat profile of endpoint systems Vulnerability Management can help illustrate how the information security program is performing. Problems can be analyzed and practices improved to better protect data. Because Vulnerability Management can do so much, we need to implement the best Vulnerability Management program possible.
Modern Threat & Vulnerability Management
As a rule, information security programs should include a holistic Threat & Vulnerability Management (TVM) program. Threat & Vulnerability Management is a process. We use this process to detect, identify, and remediate a wide range of threats an organization might face.
Vulnerabilities can exist in applications, operating systems, services, and network devices. By exploiting these vulnerabilities, criminals bypass data protection controls and gain access to valuable data. Once hackers have personal data, they either use it or sell it.
The number of security issues and vulnerabilities an organization must address can be complicated. Security issues can include a number of problems. Examples include software defects, user errors, fraud, and configuration problems.
Modern Threat & Vulnerability Management includes merging threat intelligence information with vulnerability data. Threat intelligence gives vulnerability data an important risk-based context. That context helps us decide what to fix and when to fix it.
Otherwise, without context, organizations simply can’t keep up with the number of vulnerabilities their vulnerability scanner reports after each scan. When the right mitigating controls are in place, the company may decide not to fix a number of low priority issues.
We find that when companies combine Vulnerability Management with risk assessments, program assessments, and penetration tests they improve their security posture. Even the most simple risk assessments can be a benefit by focusing attention on the most realistic threats. Program assessments are essential because they can help identify gaps in best practices, policies, and standards. That is, the Information Security Management System.
Finally, penetration testing is a proven way of demonstrating that particular vulnerabilities are exploitable and not just theory. A successful penetration test can provide the ammunition and evidence leaders need to drive change. Information security leaders must make difficult decisions about where to invest budget dollars. Penetration tests can help leaders make those decisions.
Vulnerability Management, even on a small scale, can help even the most budget constrained organizations. Even small companies need to find and mitigate the high risk issues that makes them most vulnerable.
To reduce the number of threats, organizations must define policies and follow best practices. Systems with missing patches need to be identified. Policies must also dictate that at-risk systems get fixed in a timely fashion. That’s what happened with Equifax – they identified an issue but didn’t apply the patch in time.
How Vulnerability Management Fits into an Organization
A good Vulnerability Management program should be highly visible and touch many parts of both the business and Information Technology. In order to protect data, we must understand what the organization needs to protect. In other words, what are the crown jewels?
Vulnerability Management starts and ends with asset identification and helps with risk management. It touches many IT disciplines including asset acquisition, device configuration, and asset management. Vulnerability Management also touches application development, patch management, change control, and even asset disposal.
It may sound complicated, but with the right mindset and advisors, it’s not as difficult as it sounds. Vulnerability Management is unique in that it touches so many IT and IT Security processes. It’s one of the few areas of information security that can provide both meaningful metrics and a return on investment.
Done right, Vulnerability Management can help an organization reduce threats with repeatable processes. In other words, Vulnerability Management is not a practice done once and forgotten; you must scan on a regular basis. Vulnerability scanning is designed to help detect:
- Buffer overflows
- Denial of service
- Malicious applications
- Remote Access Trojans
Tools we typically see, use, and recommend include popular commercial solutions like Qualys, Tenable Nessus, and Rapid7 Nexpose. Open Source solutions include OpenVAS, nmap, and Burpsuite, to name a few.
These solutions are designed to detect vulnerabilities that might be present on any networked asset. The type of networked assets supported includes servers, workstations, networking devices (routers, switches, firewalls), and peripherals like printers. Most any device with an IP address can be scanned. These vulnerabilities may even be designed to evade detection by antivirus software or antimalware solutions.
We usually recommend commercial solutions over Open Source. Commercial tools generally have more integration, vulnerability scanning, and reporting options. In our experience, commercial tools work well and are more reliable than their Open Source counterparts.
Modern vulnerability management tools integrate with threat intelligence solutions, SIEM technologies, help desk ticketing, and defect tracking systems. Some of them also integrate with continuous integration (CI) and continuous delivery (CD) pipeline technologies like Jenkins. Commercial solutions provide more choices related to scanner deployment. That could include physical, virtual, containers, cloud based, and Internet hosted scanners.
Companies can leverage their own security professionals to run their program or transfer the responsibility to a Managed Security Service Provider (MSSP). Either way, an organization must make investments in people, processes, and technology to make the program sustainable.
The benefit of using an MSSP is that you don’t have to perform the Vulnerability Management processes and procedures yourself. The MSSP provides access to all of the technology and experienced professionals needed.
Vulnerability Management Best Practices
In some cases, a fully-staffed Security Operations Center or SOC may own Vulnerability Management and all supporting information security processes. In this case, the scanning and reporting functions may truly be a 24×7 operation.
Even if that’s not the case, the program needs executive sponsorship to remove any political issues and barriers. The best case is for the Vulnerability Management program to be owned or governed by an oversight committee. The committee should have full visibility into the health and vitality of the program.
In general, most programs start and end with asset discovery. The reason for this is because you can’t manage what you don’t know. In large organizations, we get our understanding of the network from asset management systems, purchasing records, or network administrators.
We find the best programs combine multiple sources of asset information. Asset Configuration Management Databases (CMDBs) are notorious for being incomplete or inaccurate. Combining sources of asset information improves the quality of asset data kept in a CMDB. Adding asset data found during vulnerability scans can help provide more complete records.
The more complete asset records are when performing scans, the easier it will be to find asset and technical owners so that issues can be remediated. The people responsible for scanning aren’t always the same people responsible for remediating the issues.
Coordination and Communication
Vulnerability scanning should be a highly coordinated activity. Typically, we recommend that scanning schedules be presented to and approved by a Change Control Board. Days and times should be set aside exclusively for specific schedules.
Coordination of scanning activities allows the right people to monitor systems for outages that might be caused by scanning. In some cases, IT may request that specific assets are excluded from scans. These could be computing devices that are sensitive to scanning. Sometimes, the TCP/IP stack in some devices becomes unstable and causes the device to lose network connectivity.
Scanning is the heart of the Vulnerability Management lifecycle. This process is where scanners detect assets and assess them for any vulnerabilities. We highly recommend a decentralized and distributed model that includes as many IT administrators and owners within the organization as possible. Meaning, that you shouldn’t have only limited contact with the people that can help scale your Vulnerability Management program.
We recommend that all scanning be done by authenticating to the machine (or domain) as a local administrator. An alternative is to run an agent with higher level privileges on the target device. Either of these techniques provides a higher quality of information about the machine being scanned. It doesn’t eliminate false positives but it does help. When we’re scanning a target machine, we’re looking at information that includes information about the ports, particular services, version numbers, and even how the service might react to specific TCP/IP and UDP packets.
Like scanning, reporting functions must also be automated as much as possible. If a person must provide each report that technicians and owners need, the deployment of a fix might get delayed.
The “right” information also needs to be conveyed to the right people. Information important to decision makers might be the device(s) affected, the severity of the vulnerability, and the recommended remediation action.
When a report provides actionable recommendations, the report is more effective. Reporting and remediation should be able to fit within existing patch cycles. Meaning, the reports should be delivered with enough time for analysis, testing, and deployment.
Remediation is likely the most essential and key aspect of Vulnerability Management. We can identify vulnerabilities but if they’re not fixed, we don’t improve security. The remediation process includes any and all processes necessary to fix a system. That could include patching or changing the configuration of the system.
Where possible, programs should include regression testing. The business can’t afford to allow information security processes to break critical revenue generating applications. Regression testing helps to minimize collateral damage when a patch is applied that could break an application. Running both functional and non-functional tests ensures that critical functions haven’t been negatively impacted by remediation.
IT and Information Security programs must adopt a risk-based approach to vulnerability management. Patching processes must be able to distinguish between false positives and false negatives. When necessary, IT processes must help companies deploy a patch in 30 days or less. In some cases when there are severe vulnerabilities that affect business critical applications, the fix needs to be deployed as soon as possible. It is even more important to deploy a fix when there is an exploit available.
If a company wants to improve beyond having an ordinary Vulnerability Management program that plays “whack a mole”, they must do more than just scan. In order to move into the realm of extraordinary, Vulnerability Management programs must become repeatable and sustainable processes. With the right technology and process integrations, Vulnerability Management can successfully reduce the risk of compromise.
Technology integrations that we see helping in these areas include:
- Exploit DB – context for the exploitability of vulnerabilities
- Help desk ticketing systems – automation of remediation workflow
- Intrusion Detection Systems and Intrusion Prevention Systems – adjust severity levels and provide additional context
- Metasploit – for penetration testing and manual exploitation
- Network security architecture solutions like RedSeal
- SIEM – for security monitoring
In conclusion, Vulnerability Management is an essential part of a healthy information security program. As such, it needs the time and attention it deserves to be successful. That means investments in the tactics, techniques, and procedures that can enable a program to make progress and reduce risk.
Other Vulnerability Management Articles
Having the right group of people to run your vulnerability management program is just as important as the actual program itself. Let’s face it; not all companies can keep up-to-date with the latest security trends as technologies continue to advance, all while bringing on more threats.
If you are going to do something, you may as well do it right. A poorly designed and constructed vulnerability management program is essentially like having no program at all. Why spend the time, money, and resources putting together a program that won’t meet or exceed the expectations you have in place for it?
Year after year, cybercriminals take advantage of more opportunities to infiltrate a system’s vulnerabilities. These attackers feast on the systems that show no real signs of cyclical security maintenance and prevention techniques.