To manage vulnerabilities in your company effectively, it is worth going through several preparatory stages. It is necessary first to assess the IT infrastructure and current information security processes, identify the most dangerous types of vulnerabilities, determine the areas of responsibility of personnel, etc. Let’s figure out what questions you need to answer before implementing a vulnerability management program in an organization.
Software vulnerabilities, configuration errors, and unrecorded IT assets exist in any organization. Some of these issues are more dangerous from the point of view of information security, and some are less. But in any case, they open the way for attackers to the company’s internal infrastructure. You can reduce the number of potential and existing cybersecurity threats by building a vulnerability management program. This is a process that consists of several important steps:
- Regular infrastructure inventory
- Vulnerability scanning
- Processing of scan results
- Eliminating vulnerabilities
- Controlling the implementation of the above tasks
As mentioned above, you cannot start a vulnerability management program “in a snap.” First, you need to do the “homework”: evaluate the information security infrastructure and processes that exist, understand how well the staff is trained, and choose a scanning tool and method. Otherwise, vulnerability management and vulnerabilities will exist separately from each other.
Assessment of information security processes in the company
The first step to effective vulnerability management is an assessment of business and information security processes. The organization can do this on its own or engage an external auditor.
When evaluating information security processes, it is worth answering the following questions:
- Is there a process of centralized control of all IT assets of the company, and how effective is it?
- Is there currently an established practice of finding and fixing software vulnerabilities? How regular and effective is it?
- Is the vulnerability control process described in the internal information security documentation, and is everyone familiar with these documents?
Suppose the answers to these questions do not correspond to the actual state of affairs in the company. In that case, the assessment will turn out to be incorrect, and many errors will appear when implementing or refining the vulnerability management program.
For example, it is often the case that a company has a vulnerability management solution, but either it is not configured correctly, or there is no specialist who can effectively manage it.
Formally, vulnerability management exists, but in reality, part of the IT infrastructure is invisible to the tool and is not scanned, or the scan results are misinterpreted. These misunderstood interpretation results need to be addressed in companies.
Based on the audit results, a report should be generated that will clearly demonstrate how the processes in the company are arranged and what shortcomings they have at the moment.
Choosing a scanning tool
Today, there are several options for implementing vulnerability management. Some vendors offer self-service and simply sell the scanner. Others provide expert services. You can host scanners in the cloud or on company perimeters. They can monitor hosts with or without agents and use different data sources to replenish their vulnerability databases.
At this stage, the following questions should be answered:
- How is the organization’s IT infrastructure built, and how specific is it?
- Are there regional peculiarities in the work of the company?
- Are there plenty of remote hosts?
- Does the company have qualified specialists to service the scanner?
- Does your budget allow you to buy additional software?
Building interaction between information security and IT teams
This is perhaps the most difficult stage since here it is necessary to properly build the interaction of people. As a rule, security specialists in an organization are responsible for information security, and the IT team is responsible for eliminating vulnerabilities. It also happens that IT and information security issues are the responsibility of one team or even one employee.
But this does not change the approach to the distribution of tasks and areas of responsibility, and sometimes it turns out at this stage that the current number of tasks is beyond the power of one person.
As a result, a consistent and synchronous process of eliminating vulnerabilities should be formed. To do this, it is necessary to determine the criteria for transferring information about discovered vulnerabilities from the information security team to IT (that is, to form a data transfer method that is convenient for everyone).
In fact, the greatest problem is the absence of a good analyst who can competently audit news sources and prioritize vulnerabilities. News, security bulletins, and vendor reports often point out what vulnerabilities should be addressed first. In my experience, analysts should deal with the most dangerous vulnerabilities. All other work should be done automatically by processing patches received from software vendors.
Some types of vulnerabilities (malwarefox dotcom; zero day attack) and attacks are hard to detect. To effectively control all processes, at this stage of building a vulnerability management program, you need to discuss and agree on KPIs and SLAs for the IT and security teams.
For example, for information security, it is important to set requirements for the speed of vulnerability detection and the accuracy of determining their significance, and for IT, the speed of fixing vulnerabilities of a particular severity level.
Implementing a vulnerability management program
After evaluating the effectiveness and availability of processes, deciding on a scanning tool, as well as regulating the interaction between teams, you can begin to implement a vulnerability management program.
At the initial stage, it is not recommended to use all the functions modules available in the scanning tool. If earlier there was no constant vulnerability monitoring in the organization, then, most likely, the information security and IT teams would experience difficulties. This can lead to conflicts and non-compliance with KPIs and SLAs.
It is better to introduce vulnerability management gradually. You can go through an entire vulnerability management cycle (inventory, scanning, analyzing, eliminating) at a slower pace. For example, you can scan the whole infrastructure once a quarter and business-critical segments once a month.
In about a half year, your teams will be able to “work together,” find and fix the most critical vulnerabilities, understand the obvious flaws in the processes and provide a plan to eliminate these flaws.
Additionally, you can involve external experts who will help to significantly reduce the routine work for the company’s full-time employees. For example, a service provider can be involved in inventory and scanning and in processing the results. The service approach will also help managers plan work and monitor progress.
So, for example, if it is clear from the provider’s report that the vulnerabilities found during the previous scan have not been fixed, the manager, having looked at the SLA of his employees, will understand that either the information security department does not have time to transmit the scan data, or the IT team does not have time to correct the identified issues.
When building a vulnerability management program, a company may encounter the following mistakes:
- Overestimation of current processes and their effectiveness within the organization.
- Wrong assessment when choosing a scanning method and tool. This happens because some specialists choose a scanner either based on a subjective assessment or “as ordered from above” without proper evaluation of processes and analysis. If full-time employees do not have sufficient experience and competencies, then it is better to choose a service provider for scanning, analyzing results, and fixing vulnerabilities.
- Lack of delimitation of areas of responsibility between the information security and IT teams.
- Implementation of everything at once. “We will regularly monitor all servers, workstations, and clouds. We will also focus on ISO 12100 and PCI DSS. We will install a patch management solution, and John will control it all.” Such an approach is dangerous. In a month, John will quarrel with IT, and in three months, he will quit. The process will be recognized as inefficient and forgotten about until the first cybersecurity incident.
Therefore, it is better to first “lay the foundation” and only after that start building the vulnerability management program.
Featured Image Credit: Christina Morillo; Pexels; Thank you!