In the second of this Vulnerability Management series from Lamar Bailey, senior director of security research at Tripwire, he outlines the preparations to make at base camp before taking the first steps – how to plan and what products are required to avoid further risk down the line.
If you haven’t read the previous article in this series, it covers the basics of vulnerability management (VM) and the steps you need to take to prepare for your journey to peak VM program maturity.
Taking the first major steps to a mature VM program is generally the most difficult part of the process. It’s important to know that your program won’t be built in a day. Set ambitious but achievable goals to help you mark your progress as your program continues to develop.
As you progress up the mountain into higher and higher levels of VM effectiveness and efficiency, the manual efforts of the early stages will be replaced by greater automation, speed, and well-defined processes. One great resource to look to during this early phase of your VM journey is the Capability Maturity Model.
The Capability Maturity Model leads the way
The Capability Maturity Model (CMM)—a model developed by the U.S. Department of Defense to improve processes—aims to give you an idea as to how to take your organization’s VM program to the next level of maturity.
The CMM is a model that helps develop and refine a process in an incremental and definable method. The five stages of the CMM are as follows:
CMM Stage 1: Initial
In the “Initial” stage of a VM program, there are minimal processes and procedures in place. Vulnerability scans are performed by a third-party vendor as part of a penetration test or external scan.
These scans are typically done one to four times per year due to a regulatory requirement or at the request of an auditor.
The organization will typically remediate any “critical” or “high” risks, ensuring that they achieve or remain compliant.
The remaining information typically gets filed away once a passing grade has been given. Because new vulnerabilities are discovered every day, organizations remain easy targets for attackers at this stage. They remain vulnerable within the gaps between assessments.
CMM Stage 2: Managed
In the “managed” stage of a VM program, scanning is brought in-house. The organization acquires a VM solution and begins scanning on a more regular—typically weekly or monthly—basis.
Many organizations in this stage don’t have support from their upper management, resulting in a limited budget to work with. This results in purchasing “budget” or even free solutions.
While lower-end solutions provide basic scans, they’re limited in the reliability of their data collection, their ability to incorporate business context, and their ability to automate and improve operational efficiency.
CMM Stage 3: Defined
In the “defined” stage, the processes and procedures are well-defined and understood throughout the organization.
The information security team has executive management support and trust from system administrators. Authenticated vulnerability scans that are run daily or weekly generate audience-specific reports; system administrators receive vulnerability reports, while management receives risk trending reports.
VM state data is shared with the rest of the information security ecosystem to provide actionable intelligence.
Critical assets have VM agents deployed for streamlined data gathering without the need for scanning credentials.
CMM Stage 4: Quantitatively Managed
Once your VM program is “quantitatively managed,” the specific attributes of the program are quantifiable and metrics are provided to the management team.
The organization uses well-defined pass/fail criteria for assessing the CI/CD pipeline, and there is a strategy in place for remediating or destroying non-compliant images and containers.
These metrics can be viewed holistically as an organization, or broken down by the various business units to see which are reducing their risk—and which ones are lagging.
CMM Stage 5: Optimizing
Lastly, in the “optimizing” stage, the metrics defined in the previous stage are targeted for improvement. Once those targets are met consistently, new and more aggressive targets can be set with the goal of continuous process improvement.
Know where to focus first
At stage two—“Managed”—and beyond, organizations have an in-house solution they are regularly using for vulnerability assessment. If you are running regular scans with a VM solution, you will be amassing data that needs to be translated into actionable responses.
Security teams don’t have the time or resources to assess everything under the sun and can easily end up with too much data and not enough insight.
Let’s look at your asset inventory as an example. How do you determine which systems within your organization to focus your biggest efforts on? Some systems that might come to mind are code repositories, the DMZ, or even the laptop used by a high-level executive within the organization.
Focus on assets by thinking in terms of balancing essential business and security goals. Let’s say the next change control window for servers in the DMZ is four months away—it’s probably not the wisest place to start now because of the span of time between the assessment itself and the available change window.
On the other hand, those systems may be of extremely high value to the company. In this case, you might need an assessment now so that you can understand their status, or so that it can alert you to the need for an emergency change control window to take care of an exploitable vulnerability.
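The trade-off described above, written out as an added example (not code from the article or from Tripwire): each asset carries an assumed 1-to-5 business-value rating and the date of its next change window, and the planner either assesses it now or schedules the assessment shortly before the window so the findings are still current when remediation is possible. The threshold, lead time and sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    name: str
    business_value: int       # assumed internal rating: 1 (low) to 5 (critical)
    next_change_window: date  # next date a remediating change can be deployed


CRITICAL_VALUE = 4  # assumed threshold: at or above this, assess regardless of the window
LEAD_DAYS = 14      # assumed lead time: assess this long before the window so data is fresh


def plan_assessment(asset: Asset, today: date) -> tuple[str, date, str]:
    """Return (decision, assessment_date, reason) for one asset.

    High-value assets are assessed now: their status must be known, and an
    exploitable finding can justify an emergency change window. Lower-value
    assets are assessed just before their change window so the results are
    not stale by the time a fix can actually be deployed.
    """
    days_to_window = (asset.next_change_window - today).days
    if asset.business_value >= CRITICAL_VALUE:
        return ("assess_now", today,
                "high business value: need current status; may trigger emergency change")
    if days_to_window <= LEAD_DAYS:
        return ("assess_now", today,
                f"change window in {days_to_window} days: findings can be acted on")
    scheduled = asset.next_change_window - timedelta(days=LEAD_DAYS)
    return ("defer", scheduled,
            f"window in {days_to_window} days: assess on {scheduled} to avoid stale data")


def prioritize(assets: list[Asset], today: date) -> list[tuple[str, str, date]]:
    """Order assets by assessment date, then by business value (highest first)."""
    plans = [(a.name, *plan_assessment(a, today)[:2], a.business_value) for a in assets]
    plans.sort(key=lambda p: (p[2], -p[3]))
    return [(name, decision, when) for name, decision, when, _ in plans]


# Constructed sample inventory, not taken from the article
TODAY = date(2024, 3, 1)
SAMPLE_ASSETS = [
    Asset("dmz-web-01", 5, TODAY + timedelta(days=120)),    # DMZ server, window 4 months out
    Asset("fileshare-07", 2, TODAY + timedelta(days=120)),  # low value, same far-off window
    Asset("build-server", 3, TODAY + timedelta(days=10)),   # window is imminent
]

if __name__ == "__main__":
    for name, decision, when in prioritize(SAMPLE_ASSETS, TODAY):
        print(f"{when}  {decision:10}  {name}")
```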
Using the CMM alongside a healthy dose of internal prioritization of which assets are most important to cover will help set you up for success as you make your way up toward the top of VM mountain.