The third article in this Vulnerability Management series from Lamar Bailey, senior director of security research at Tripwire, explores how to cut down time and effort and focus on prioritising the most crucial vulnerabilities for your organisation.
If you haven’t read the previous articles in this series, click here and here to learn the fundamentals of vulnerability management (VM) and the steps you need to take in order to prepare for your journey up VM Mountain using the Capability Maturity Model.
Without a suitable VM tool at your disposal, vulnerability assessments require a ton of manual effort. This is especially difficult to address given the current shortage of skilled cyber security talent that organisations can draw on to build out their teams. Most organisations are best served by investing in an automated VM solution that slashes the time spent collecting vulnerability data.
Automating Asset Discovery
Once you have defined your VM program to the extent that its importance and processes are well-understood amongst stakeholders, it’s a good time to conduct a complete asset discovery mission. At the beginning of the asset discovery phase, many organisations are surprised at what their scans turn up.
It’s common to have old yet reliable systems that haven’t been updated in years because admins are afraid to touch them for fear of breaking something that’s currently working. Rooting out vulnerabilities like these can do a great deal of heavy lifting in terms of hardening your attack surface against breaches.
Mapping Your Network into Zones
Your initial VM discovery phase will help you get a clear picture of what’s on your network and your overall volume of vulnerabilities. Investing in an automated scanning tool will cut down on manual time and costs, and one of the most important things to do when using a new solution is to first segment your network into logical chunks that can be assessed and mitigated in a timely manner.
There are many ways to break up the environment into zones, and the right choice depends on a multitude of factors. For smaller networks of 1,000 devices or less, it may be best to simply group into internal, external and DMZ zones.
If your organisation is geographically spread out, you may want to break up the networks based on location by country, state, county, or province. If you do not have a huge mixture of operating systems, breaking up the scans by operating system is also a good option. Alternatively, you can organise systems by owner. This way you can produce reports per system administrator covering the group of systems they are responsible for. Lastly, breaking up systems by type is also popular: laptops, web servers, desktops, network devices, and so on.
As you can see, there is a multitude of ways to break up the environment into manageable segments. There is no correct one-size-fits-all answer here, so pick a methodology that works for your specific organisation’s network and know that you can modify it in the future as needed.
Determining When to Scan
Deciding when to conduct vulnerability scans is often a big question amongst security teams. You don’t want to run the risk of taking business processes offline during business hours when important assets are in use. This often applies to network devices, IP phones, printers, and the like. Start with scans at the close of business and monitor for system failures until you know scanning won’t cause disruptions.
You have to think about how often to scan in addition to when. Continuous scanning is a great end goal, but most organisations need to start with periodic scanning as they build up to full VM program maturity. One important thing to remember is to align your scanning with the cadence of patch release dates of the asset vendors in your environment, like Microsoft or Cisco.
If you scan too frequently, you run the risk of wasting resources because you don’t have adequate time to respond to the results, and your system admins will be hit with more data than they have time to address. A good approach is to plan a fixed time frame for running the scan; at the next scan you can then compare against the previous results and catch new issues.
Prioritising Scan Results
Once you get your report from a vulnerability scan, it is time to prioritise the results. The tool you implement may have sorted the vulnerabilities by Critical, High, Medium, Low or by CVSS score. One common problem is that the scores are dumped into big groups. So which of the 50 critical vulnerabilities is the most critical? CVSS-based grouping is better, but results still cluster at the same scores, which makes it hard to pick the most important one.
A good VM tool will sort the results in a logical, more granular manner. You can start small by picking the most important asset and just looking at those vulnerabilities. Try sorting by ease of exploit, then see which are easiest to exploit and give the most access to the system to find the ones that pose the most risk. Then check the remediation information for those vulnerabilities and apply accordingly.
Goal Setting Beyond the Basics
Even if your VM program is still just fixing issues in an ad-hoc manner, you can always be goal-setting and putting optimisation processes in place. For example, you can set a goal to fix issues scoring a CVSS 9 or above by the next scheduled scan. This method is not perfect, but it fixes some of the highest priority issues, and you can improve from there.
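To make the prioritisation and goal-check described above concrete, here is an added example (not Tripwire's code or any VM tool's output) that ranks findings by asset importance, ease of exploit and access gained, then compares two scans to list the CVSS 9+ issues that missed the "fixed by next scan" goal and the issues new since the last scan. The asset criticality table, the exploit_ease and access fields and the VULN-* identifiers are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # constructed placeholder ids, not real CVEs
    cvss: float
    exploit_ease: int  # assumed scanner field: 1 (hard) .. 3 (trivial/public exploit)
    access: int        # assumed scanner field: 1 (limited) .. 3 (full control)

# Assumed business criticality per asset, as agreed with the asset owners (3 = most important).
ASSET_CRITICALITY = {"web-01": 3, "db-01": 3, "laptop-42": 2, "printer-07": 1}

def risk_key(f: Finding):
    """Most important asset first, then easiest to exploit, then most access, then CVSS."""
    return (ASSET_CRITICALITY.get(f.asset, 1), f.exploit_ease, f.access, f.cvss)

def prioritise(findings):
    return sorted(findings, key=risk_key, reverse=True)

def unmet_goal(previous, current, threshold=9.0):
    """Findings at or above the CVSS threshold in the previous scan that are still present."""
    due = {(f.asset, f.vuln_id) for f in previous if f.cvss >= threshold}
    return sorted(k for k in ((f.asset, f.vuln_id) for f in current) if k in due)

def new_findings(previous, current):
    """Findings present now that were absent from the previous scan."""
    seen = {(f.asset, f.vuln_id) for f in previous}
    return sorted(k for k in ((f.asset, f.vuln_id) for f in current) if k not in seen)

# Constructed sample scans: the db-01 issue was patched, two CVSS 9+ issues were not.
PREVIOUS_SCAN = [
    Finding("db-01", "VULN-0001", 9.8, 3, 3),
    Finding("web-01", "VULN-0002", 9.1, 1, 3),
    Finding("printer-07", "VULN-0003", 9.8, 3, 3),
    Finding("laptop-42", "VULN-0004", 5.3, 2, 1),
]
CURRENT_SCAN = [
    Finding("web-01", "VULN-0002", 9.1, 1, 3),
    Finding("printer-07", "VULN-0003", 9.8, 3, 3),
    Finding("laptop-42", "VULN-0004", 5.3, 2, 1),
    Finding("web-01", "VULN-0005", 7.5, 3, 2),
]

if __name__ == "__main__":
    for f in prioritise(CURRENT_SCAN):
        print(f"{f.asset:12} {f.vuln_id} cvss={f.cvss} ease={f.exploit_ease} access={f.access}")
    print("missed CVSS 9+ goal:", unmet_goal(PREVIOUS_SCAN, CURRENT_SCAN))
    print("new since last scan:", new_findings(PREVIOUS_SCAN, CURRENT_SCAN))
```

Note that the 9.8 on the printer ranks last because asset criticality is weighed before CVSS, which is exactly the kind of ordering a plain severity bucket cannot express.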
Now that you’ve thought about your network’s assets and your strategy for scanning them and prioritising the results, make sure you’ve clearly defined your VM program in writing with objectives and goals. This program is expected to grow and evolve over time along with the scale of your organisation.
There are a couple of key elements to consider when you’re getting the documentation together on your VM program. First, you’ll want to make sure you document what is currently in place now along with the objectives you’re trying to reach in the future with realistic plans and timelines around how to get there.
Next, make sure you have also documented the various stakeholders from multiple departments within your organisation. You will likely want to get official buy-in from IT, executive management, legal, and your security and compliance departments. Obtain endorsement from your executive team about VM being a business priority that the entire org supports.