Starting your journey up Vulnerability Management mountain
April 28, 2020
How to best tackle Vulnerability Management (VM)? Here is the first in a series from Lamar Bailey, senior director of security research at Tripwire, for organisations wanting to tackle Vulnerability Management (VM).
Vulnerability management (VM) is one of the most critical cyber security processes organizations must find a way to execute effectively, and it’s not a walk in the park.
A mountain climb is a much more apt comparison. This is especially true considering that even if the peak now seems far off and the journey arduous, the diligent work required to implement a mature VM program will pay off in the end with a spectacular view from the top.
But before we begin, let’s go over a few of the key terms around VM that you’ll want to be familiar with. The following definitions are from NIST (National Institute of Standards and Technology):
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Asset: Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware.
Vulnerability Assessment: Formal description and evaluation of the vulnerabilities in an information system.
Remediation: The act of mitigating a vulnerability or a threat.
Don’t be like Sisyphus
Modern-day enterprises have more endpoints to manage than ever before. Some of those endpoints are likely only occasionally connected as well, making them even harder to keep updated.
The fluctuating state of your organization’s network and devices is then further complicated with the need to conduct VM in the cloud, at DevOps speed, in environments that are elastic, distributed, dynamic . . . the list goes on.
If the idea of running VM across such a tricky attack surface makes you feel like the Greek Sisyphus, who had to push the same boulder up the same hill each day for eternity only to have it roll back down, that’s understandable.
However, you can break down your VM program into manageable parts, just like you would when preparing for a mountain excursion: you’ll need to get prepared with an inventory of what you have, the right equipment, your climbing partners, and a map of the terrain.
Know that a vulnerability management plan is something that’s meant to evolve over time. Your plan should be documented, clear, and detailed.
Assess your inventory
It would seem like knowing what assets your environment holds would be a given.
However, the question of inventory can be a lot harder than meets the eye. This is especially the case considering the increase in work-from-home and bring-your-own-device policies.
Cloud and virtual assets complicate matters further. Start by checking to make sure you have an up-to-date configuration management database (CMDB).
The most straightforward way of getting an accurate assessment of your assets is to use a tool to do an in-depth scan of your network – certain vulnerability management tools are very good at this. It should scan all IP addresses across the network and deliver the needed information about your assets.
Gear up with equipment
Mountain climbers would be in big trouble without the right gear, just like cybersecurity teams. Shopping around for the right tools requires a fair amount of research beforehand so you know that you’re getting your money’s worth.
You also need to make sure that the tools you buy play well together within your technology environment—look for integrations between essential IT and security processes you depend on.
Select your partners
Climbing the VM mountain isn’t meant to be a solo journey. A successful VM program is one that includes collaboration and information sharing from penetration testing teams, security advisors, business partners, industry contacts, and so on. Choose VM product vendors who make their research and vulnerability content teams available to help you work through any issues that arise.
Use a good map
Before you purchase your first automated VM tool or upgrade to a better one, you need to know your network layout and what your environment’s specific needs are.
Just like you would with a real mountain climb, you need to consider your environment. Are you climbing the Himalayas or Mount Kilimanjaro? Prepare for success by inventorying the requirements of your network.
Does your organization use ephemeral assets that come and go from the network? Do you need VM in cloud and container environments?
Asking these questions early on will help you a lot once you get to higher ground. Unless you have a small flat network, you are going to need to decide how you want to break up your network for assessment.
Some popular ways to divide up networks are by functional group or business unit, system administrator owners, and geographical location.
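The two practical steps above, reconciling a discovery scan against the CMDB (from "Assess your inventory") and then splitting the live assets into assessment groups by business unit, owner or location (from "Use a good map"), can be combined into one small job. The script below is an added example, not Tripwire's code or any product's output format: the CMDB column names, the scan record layout and every host in it are constructed for illustration. It flags hosts the scanner found that the CMDB does not know about, flags persistent CMDB assets the scanner could not reach, treats assets marked ephemeral that are currently offline as expected rather than stale, and puts unknown hosts into their own scope so they are assessed rather than silently dropped.

```python
"""Reconcile a network discovery scan with a CMDB export, then partition the
live assets into assessment scopes.  Example code added for illustration; the
CMDB columns, scan record format and host data are all constructed."""
import csv
import io
import ipaddress
import json
from collections import defaultdict

# Constructed CMDB export.  Column names are an assumption, not a vendor schema.
CMDB_CSV = """ip,hostname,business_unit,owner,location,lifecycle
10.0.1.10,web-01,retail,alice,london,persistent
10.0.1.11,web-02,retail,alice,london,persistent
10.0.2.20,db-01,finance,bob,frankfurt,persistent
10.0.3.5,build-agent-7,engineering,carol,cloud-eu,ephemeral
10.0.3.6,build-agent-8,engineering,carol,cloud-eu,ephemeral
10.0.4.40,legacy-fs,finance,bob,frankfurt,persistent
"""

# Constructed discovery-scan output: one record per host that responded.
SCAN_JSON = json.dumps([
    {"ip": "10.0.1.10", "hostname": "web-01", "services": ["80/tcp", "443/tcp"]},
    {"ip": "10.0.1.11", "hostname": "web-02", "services": ["80/tcp", "443/tcp"]},
    {"ip": "10.0.2.20", "hostname": "db-01", "services": ["5432/tcp"]},
    {"ip": "10.0.3.6", "hostname": "build-agent-8", "services": ["22/tcp"]},
    {"ip": "10.0.9.99", "hostname": "", "services": ["22/tcp", "8080/tcp"]},
])


def _by_ip(ips):
    """Sort IP strings numerically rather than lexically."""
    return sorted(ips, key=ipaddress.ip_address)


def parse_cmdb(text):
    """Return {ip: row} for every CMDB row with a valid address; skip the rest."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue  # malformed inventory row; a real job would report it
        assets[ip] = row
    return assets


def parse_scan(text):
    """Return {ip: record} for every host the scanner saw."""
    return {str(ipaddress.ip_address(r["ip"])): r for r in json.loads(text)}


def reconcile(cmdb, scan):
    """Compare the inventory view with the observed view of the network.

    unknown           hosts on the wire with no CMDB record (highest priority)
    stale             persistent CMDB assets the scanner could not find
    offline_ephemeral ephemeral assets not currently up; expected, not stale
    matched           assets present in both views
    """
    missing = set(cmdb) - set(scan)
    return {
        "unknown": _by_ip(set(scan) - set(cmdb)),
        "stale": _by_ip(ip for ip in missing if cmdb[ip]["lifecycle"] != "ephemeral"),
        "offline_ephemeral": _by_ip(ip for ip in missing if cmdb[ip]["lifecycle"] == "ephemeral"),
        "matched": _by_ip(set(cmdb) & set(scan)),
    }


def assessment_scopes(cmdb, scan, group_by="business_unit"):
    """Partition every live host into assessment groups keyed by a CMDB column
    (business_unit, owner or location).  Hosts unknown to the CMDB land in an
    'unassigned' scope so they still get assessed."""
    scopes = defaultdict(list)
    for ip in scan:
        scopes[cmdb[ip][group_by] if ip in cmdb else "unassigned"].append(ip)
    return {name: _by_ip(ips) for name, ips in scopes.items()}


if __name__ == "__main__":
    cmdb, scan = parse_cmdb(CMDB_CSV), parse_scan(SCAN_JSON)
    for label, ips in reconcile(cmdb, scan).items():
        print(f"{label:18} {', '.join(ips) or '-'}")
    for column in ("business_unit", "owner", "location"):
        print(f"\nscopes by {column}:")
        for name, ips in assessment_scopes(cmdb, scan, column).items():
            print(f"  {name:12} {', '.join(ips)}")
```

Run the script and the report shows one host (10.0.9.99) that the CMDB has never heard of and one persistent asset (10.0.4.40) the scanner could not reach, both of which need a human decision before the next assessment cycle; the offline build agent is listed separately because ephemeral assets come and go by design. Changing `group_by` gives the business-unit, owner or location split the text describes without re-running the scan.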
Like most complex cybersecurity processes, VM isn’t something you can implement perfectly in a day or set-and-forget. It takes time to reach the summit of VM maturity, and the trickiest part can be taking the first step.