Vulnerability management is a key responsibility for CISOs and CIOs alike. Each year, unpatched systems are responsible for a multitude of breaches while thousands of new vulnerabilities are discovered and published. To further compound the issue, zero-day vulnerability exploitation is becoming more prevalent, doubling from 2019 to 2021. Wrapping your arms around effective vulnerability management as a security-focused executive is more than just getting patching stats in a monthly report. Let's look at several high-level steps which can serve as the underpinnings of a successful vulnerability management program.
Vulnerability management is neither one person's job nor an isolated function. Executives, managers, and operational staff all have a role to play, so it is important to know who is responsible for what. While the CISO is often the vulnerability management program owner, they most certainly cannot do it alone.
The CISO first needs full executive buy-in. Executives set the tone for acceptable levels of risk within the organization, secure support from the other department leaders whose operations will be affected by vulnerability management efforts (e.g., patching downtime, security mitigation tactics, etc.), and allocate the resources the vulnerability management program needs to function.
At a managerial level, CISOs need the help of system owners to achieve security-related goals. System owners must be receptive to recommended security mitigation strategies, particularly around secure Software Development Lifecycle (SDLC) practices, and must provide feedback on the ramifications of security decisions. That feedback helps the CISO determine the real impact, cost, and potential pitfalls of a proposed change. Furthermore, it is the system owners who are ultimately responsible for accepting the risk to their systems. The CISO cannot accept risk on their behalf.
Finally, end users must be educated by the CISO on company practices for vulnerability management, particularly around patching software. If the end user has even a partial responsibility for applying patches, they need to understand that responsibility to keep their devices in compliance.
To protect your valuable assets, you must first know what assets you have and the criticality of those assets to your business. In today's world of plug-and-play and IoT devices, the enterprise network device count changes daily, meaning this is not a one-time effort. In fact, this might be the most difficult part of the entire vulnerability management process.
Start by leveraging asset discovery software that polls your network at regular intervals for new equipment and adds discovered devices to the inventory. Next, use network mapping tools to generate a map of your infrastructure, which helps you understand where certain device types live. Your asset inventory should also have a defined process for dealing with stale devices, removing them as necessary, so that a host that has not been seen in weeks is not silently carried forward as "covered".
Asset criticality can be based on several factors, not the least of which is the type of data the assets store, process, and transfer. Consider using data discovery and classification tools to rate assets by the most sensitive data type they handle, and treat an asset nobody has classified yet as high-criticality until an owner says otherwise.
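The discovery, reconciliation, and stale-device handling described above, as an added example that is not part of the original article or of any product it mentions. The scan output is a constructed sample in nmap's greppable (-oG) format, the inventory, owners, data classes, and the 30-day stale threshold are assumptions for illustration, and a host nobody has classified is deliberately ranked at the top criticality tier until an owner classifies it:

```python
"""Reconcile periodic discovery scans against an asset inventory and flag stale hosts."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample in nmap's greppable (-oG) format. The hosts, names and
# ports are made up for this example and do not describe any real network.
NMAP_GREPPABLE = """\
# Nmap 7.94 scan initiated (example)
Host: 10.0.1.10 (db01.corp.example)\tStatus: Up
Host: 10.0.1.10 (db01.corp.example)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (998)
Host: 10.0.1.25 ()\tStatus: Up
Host: 10.0.1.25 ()\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///, 23/filtered/tcp//telnet///
Host: 10.0.1.40 (web02.corp.example)\tStatus: Up
Host: 10.0.1.40 (web02.corp.example)\tPorts: 443/open/tcp//https///
# Nmap done (example)
"""

STALE_AFTER = timedelta(days=30)   # retire a host unseen for this long (assumed policy)

# Criticality derived from the most sensitive data class an asset handles (1 = lowest).
# Anything not yet classified is treated as the highest tier until an owner classifies it.
CRITICALITY_BY_DATA = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class Asset:
    ip: str
    hostname: str
    owner: str
    data_class: str
    last_seen: date
    ports: list = field(default_factory=list)


def parse_greppable(text):
    """Return {ip: {"hostname": str, "ports": [open ports]}} from nmap -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # comment and blank lines
        head, _, rest = line.partition("\t")
        ip, _, name = head[len("Host: "):].partition(" ")
        entry = hosts.setdefault(ip, {"hostname": name.strip("()"), "ports": []})
        if rest.startswith("Ports: "):
            for spec in rest[len("Ports: "):].split(","):
                port, state = spec.strip().split("/")[:2]   # "22/open/tcp//ssh///"
                if state == "open":
                    entry["ports"].append(int(port))
    return hosts


def criticality(asset):
    """Map an asset's data class to a 1..4 criticality; unknown classes rank highest."""
    return CRITICALITY_BY_DATA.get(asset.data_class, 4)


def reconcile(inventory, discovered, today):
    """Merge one discovery result into the inventory (in place).

    Known hosts get last_seen and their open ports refreshed, unknown hosts are added
    with owner and data class unassigned, and hosts unseen for longer than STALE_AFTER
    are returned for retirement. Returns (new_ips, stale_ips).
    """
    new, stale = [], []
    for ip, seen in discovered.items():
        if ip in inventory:
            inventory[ip].last_seen = today
            inventory[ip].ports = seen["ports"]
        else:
            inventory[ip] = Asset(ip, seen["hostname"] or "unknown", "unassigned",
                                  "unclassified", today, seen["ports"])
            new.append(ip)
    for ip, asset in inventory.items():
        if today - asset.last_seen > STALE_AFTER:
            stale.append(ip)
    return new, stale


def inventory_snapshot():
    """Constructed starting inventory, as it might look before today's scan."""
    return {
        "10.0.1.10": Asset("10.0.1.10", "db01.corp.example", "dba-team", "restricted", date(2024, 5, 30)),
        "10.0.1.40": Asset("10.0.1.40", "web02.corp.example", "web-team", "internal", date(2024, 5, 30)),
        "10.0.1.99": Asset("10.0.1.99", "printer-3f", "facilities", "public", date(2024, 2, 1)),
    }


if __name__ == "__main__":
    inv = inventory_snapshot()
    new, stale = reconcile(inv, parse_greppable(NMAP_GREPPABLE), date(2024, 6, 1))
    for ip in new:
        a = inv[ip]
        print(f"NEW   {ip:<12} ports={a.ports} criticality={criticality(a)} (unclassified, needs an owner)")
    for ip in stale:
        print(f"STALE {ip:<12} last seen {inv[ip].last_seen}; verify or retire")
```

Run on the sample, the unnamed host at 10.0.1.25 (HTTP plus RTSP, typically a camera) is surfaced as new and unowned, and the printer unseen since February is flagged for retirement rather than left in the inventory where it would skew coverage numbers.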
A traditional way of prioritizing vulnerabilities is to sort by a default metric such as the Common Vulnerability Scoring System (CVSS) base score. While this is a good starting point, a base score says nothing about your own environment: it does not know whether the affected host is internet-facing, what data it holds, or whether an exploit is already circulating. Furthermore, some attacks are achieved by chaining together low-severity vulnerabilities, so evaluating each one individually will not show the true exposure.
Threat intelligence and threat hunting should be used in addition to common vulnerability scoring metrics to aid in vulnerability prioritization. Threat intelligence can be collected from a variety of sources. You should regularly visit security-related news websites and subscribe to feeds specific to your industry, including feeds of vulnerabilities known to be exploited in the wild. This data will give you a macro view of security trends and how they might apply to you.
To drill down further, conduct regular vulnerability scans and penetration tests to uncover specific issues in your environment. This will help to apply an informed priority to discovered vulnerabilities, especially when it comes to the chaining together of vulnerabilities.
Threat hunting is also a great way to gain insight into vulnerability prioritization. In a threat hunting exercise, the specifics of your environment are combined with log data analysis to uncover threats that might otherwise go unnoticed or might not be readily visible with an automated vulnerability scan. Threat hunt results are very specific to your environment, and as such, highly influence remediation priorities.
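A worked illustration of the prioritization argument made in the preceding paragraphs, as an added example that is not from the original article: CVSS base scores are adjusted by asset criticality from the inventory, by exposure, by whether exploitation has been reported in the wild, and by whether the finding is one step on a chain that reaches restricted data. The four findings, the hosts, the criticality values, and the multipliers are all constructed for the example; the findings are generic weakness classes, not real advisories, and the chain model (one precondition, one postcondition per finding) is a deliberate simplification of a real attack graph:

```python
"""Rank findings by CVSS adjusted for asset criticality, exposure, exploitation
intelligence and attack chains, instead of by CVSS alone."""
from dataclasses import dataclass

# Asset criticality (1..4) as it would come from the inventory; constructed values.
ASSET_CRITICALITY = {"web02": 2, "db01": 4, "build07": 1, "cam-lobby": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    host: str
    title: str
    cvss: float             # CVSS base score as reported by the scanner
    exposure: str           # "internet" or "internal"
    requires: str           # access an attacker must already have to use it
    grants: str             # access gained by exploiting it
    known_exploited: bool   # from a known-exploited-vulnerabilities feed


# Constructed findings for the example; generic weakness classes, not real advisories.
FINDINGS = [
    Finding("F1", "web02", "SSRF in internet-facing web app", 5.3, "internet",
            requires="unauth", grants="internal_net", known_exploited=False),
    Finding("F2", "db01", "Postgres 'trust' auth allowed from internal subnet", 4.3, "internal",
            requires="internal_net", grants="restricted_data", known_exploited=False),
    Finding("F3", "build07", "RCE in outdated build agent", 9.8, "internal",
            requires="internal_net", grants="host_root", known_exploited=True),
    Finding("F4", "cam-lobby", "Default credentials on camera web UI", 7.5, "internal",
            requires="internal_net", grants="host_root", known_exploited=False),
]


def find_chains(findings, start="unauth", goal="restricted_data"):
    """Return every ordered list of findings that takes an attacker from `start` to `goal`.

    Each finding is modelled as one step that needs `requires` and yields `grants`.
    A real attack graph would track per-host state; this is the minimal version.
    """
    by_requirement = {}
    for f in findings:
        by_requirement.setdefault(f.requires, []).append(f)
    chains = []

    def walk(state, path):
        if state == goal:
            chains.append(path)
            return
        for f in by_requirement.get(state, []):
            if f not in path:                 # never reuse a step, so no cycles
                walk(f.grants, path + [f])

    walk(start, [])
    return chains


def score(finding, chained):
    """Priority score: CVSS scaled by asset criticality, exposure, intel and chaining.

    The multipliers are illustrative policy choices, not part of CVSS.
    """
    s = finding.cvss * (0.75 + 0.25 * ASSET_CRITICALITY[finding.host])   # 1.0x .. 2.0x
    if finding.exposure == "internet":
        s *= 1.5              # reachable by anyone, no foothold needed
    if finding.known_exploited:
        s *= 1.5              # exploitation observed in the wild
    if chained:
        s *= 2.0              # a step on a path to restricted data, whatever its own CVSS
    return s


def prioritise(findings):
    """Return [(id, score)] sorted from most to least urgent."""
    chained = {f.id for chain in find_chains(findings) for f in chain}
    ranked = [(f.id, score(f, f.id in chained)) for f in findings]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("By CVSS alone:", [f.id for f in sorted(FINDINGS, key=lambda f: f.cvss, reverse=True)])
    for chain in find_chains(FINDINGS):
        print("Chain to restricted data:", " -> ".join(f"{f.id} ({f.cvss})" for f in chain))
    print("Adjusted priority:", [(i, round(s, 2)) for i, s in prioritise(FINDINGS)])
```

Sorting by CVSS alone would put the 9.8 build-agent bug and the 7.5 camera credentials first. Once the chain is taken into account, the medium-severity SSRF on the internet-facing host and the low-severity Postgres trust rule move to the top, because together they hand an unauthenticated attacker the restricted database; the build-agent RCE stays high on the strength of the exploitation intelligence, and the camera drops to last. That reordering is exactly what scan results and a penetration test should feed back into the program.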
Vulnerability management lives one level above patch management and one level below risk management in terms of hierarchy. Patch management should be driven by the priorities set forth in vulnerability management, and vulnerability management in turn should be driven by overall risk management policy and procedure. To maximize resilience against attack, broaden your vulnerability management program to involve more areas of the business, ensure an accurate inventory, and leverage intelligence inputs beyond common metrics.