Vulnerability Management Best Practices

Introduction

Vulnerability Management is important from both a risk management perspective and as a compliance requirement. Many cybersecurity frameworks and requirements like PCI DSS, HIPAA, and NIST have provisions that require vulnerability scanning. 

Vulnerability scanning is the process of identifying vulnerabilities in an information technology environment. Vulnerability Management includes vulnerability scanning but is a more holistic practice that includes:

  • Establishing a program
  • Identifying the right assets to scan
  • Selecting and implementing a solution 
  • Identifying the business owners and technical owners of assets
  • Training
  • Processes necessary efficiently scan and report on vulnerabilities
  • Steps necessary to remediate, patch, or mitigate issues found 
  • Repeating all of the steps over again daily or weekly as necessary to obtain sufficient scan coverage

Best Practice #1: Establishing a Program

Before starting to perform the functions related to Vulnerability Management, a program needs to be established. The program should be sponsored by a high-level executive in the organization, typically the CIO, and funded. Meaning that there should be a budget for people and tools. 

The program’s goals, objectives, and scope should be defined. The organization needs to decide on several key elements of its program.  For example:

  1. Goals: improve availability or reduce outages, minimize risk, reduce the likelihood of a breach, reduce the number of vulnerabilities  
  2. Objectives: is the organization trying to meet the requirements of compliance or is the organization being driven by an audit, customer, or an internal requirement 
  3. Scope: is the scope everything in the environment, a subset of mission-critical assets, or are there assets that are excluded
  4. Budget: what is the budget allowed to meet the Vulnerability Management program’s goals, objectives, and scope
 
In addition, other decisions need to be made like, who is responsible for scheduling and executing scans (and rescans) and who is responsible for reporting on the vulnerabilities detected. 

Best Practice #2: Asset Identification

One of the most important aspects of the Vulnerability Management program is asset identification. Typically, this step needs to account for both the business value of the asset and its importance to the organization. Systems that provide revenue generation, customer support, accounting and billing, and other mission-critical functions usually needed to be included in the program’s scope. Systems that contain customer data or proprietary information may also need to be included. Lastly, compliance requirements like PCI DSS or HIPAA may change the scope. 

That being said, we know that bad actors don’t limit their scope. The compromise of one system causes a domino effect where you can guarantee multiple systems will be compromised. Back in 2011, Mandiant reported that the average dwell time (the time necessary to detect and respond to a compromise) was 416 days. As of the most recent report, the average dwell time was 56 days. The ability to quickly react to a compromise can limit the number of hosts compromised and reduce the amount of risk and financial exposure.    

Best Practice #3. Scanning Technology and Integration.

The Vulnerability Management program owners need to select the right technology to support their program. The selection of the solution needs to be based on the program’s goals, objectives, and scope. Selecting a technology that doesn’t scale up to support the scanning of a large network with distributed systems would be a mistake if the organization needs to scan and remediate a large number of assets during each scanning and reporting cycle. 

Integrations with other tools and technologies like Intrusion Detection/Prevention systems, help desk ticketing, etc needs to be identified and the integration work completed once a solution is acquired and all of its components are deployed. Depending on the solution acquired, there could be servers to build, management consoles to install, databases and scanners to deploy.    

Best Practice #4: Identification of Business and Technical Owners

Next, the Vulnerability Management program owners should identify and start communicating with both business and technical owners of the in-scope assets. We recommend working with business owners so that they understand the risks related to the assets in their purview. If the asset in question experiences an outage or is compromised, they’ll be called into account to help quantify any damage. Technical owners are necessary because they will help ensure that the asset is properly remediated when necessary.  

Best Practice #5: Training

Multiple employees may need to be trained how to use the Vulnerability Management system. The number of people depends if the program will be centralized, meaning run entirely by information security or decentralized. Decentralized leads to the most effective Vulnerability Management program, especially if the people that own the technical responsibility for the asset is also performing all of the scanning or reporting.         

Best Practice #6: Scanning and Reporting

Scanning frequencies need to be determined and negotiated including any changes to the scanning scope. Before scans can occur, many organizations require going through their change control process, obtaining permission to scan and communicating properly with business and technical owners before scans will occur. Reports must be generated and provided to the right people in a timely fashion. The reports are necessary in order to have the vulnerabilities identified in the scans remediated.   

Best Practice #7: Remediation

The remediation process does not only include patching. There is sometimes a misunderstanding that Vulnerability Management and Patch Management are the same set of processes. That isn’t accurate. Remediation activities do include applying patches. They also include disabling or uninstalling services, removing or upgrading software, installing new security components, modifying configurations, changing where an asset lives in the network, or decommissioning the asset. 

Best Practice #8: Repeating the Process

In order for Vulnerability Management to be effective, the processes involved have to be sustainable and repeatable. The program must be able to identify when assets, scope, responsible parties, scan or reporting needs need to be adjusted to keep the momentum going.   

Other Vulnerability Management Articles

Having the right group of people to run your vulnerability management program is just as important as the actual program itself. Let’s face it; not all companies can keep up-to-date with the latest security trends as technologies continue to advance, all while bringing on more threats.

If you are going to do something, you may as well do it right. A poorly designed and constructed vulnerability management program is essentially like having no program at all. Why spend the time, money, and resources putting together a program that won’t meet or exceed the expectations you have in place for it?

Year after year, cybercriminals take advantage of more opportunities to infiltrate a system’s vulnerabilities. These attackers feast on the systems that show no real signs of cyclical security maintenance and prevention techniques.

Vulnerability Management is essential. It needs investments in tactics, techniques, and procedures to be a successful program.