Making Vulnerability Management Relevant to Your Organization's Needs

Mike Holcomb, Director - Information Security, Fluor Corporation

One of the most common questions I answer is “How do I best secure my company from cyber attacks?” The seemingly simple question does not have a simple answer, so I always begin with "It depends." Initially this answer can be disappointing because it dashes hopes of a cyber silver bullet, but as I explain further what “it depends” means, disappointment turns to understanding. Furthermore, understanding turns to urgency as I detail the area of cyber security that will have the most impact in securing their company: vulnerability management.

Although other areas of cyber security should not be overlooked, vulnerability management has the most potential to lower risk. In other words, the best way for companies to prevent a cyber attacker from finding and exploiting vulnerabilities is to find their vulnerabilities first, and to remediate any weaknesses—before an attacker does.

Because every company is unique, each vulnerability management program must be customized to ensure it is as effective as possible.

A successful vulnerability management program begins with five building blocks: scan, prioritize, remediate, verify, monitor. Because every company is unique, each building block should be customized to suit the company’s specific needs most effectively. Thus, as I explain each building block, I will also provide important questions companies should be asking when customizing their own unique vulnerability management program.

1. Scan

The first step in vulnerability management is to scan for vulnerabilities using a vulnerability scanner. Although it might sound simple, answering just a few questions can help to ensure scanning is done efficiently and effectively.

What gets scanned?

Everything. Scan all internal and Internet-facing network segments for vulnerabilities.

How often does a scan need to occur?

Although scanning an entire network might seem like a challenge that takes considerable time, plan a schedule that more frequently scans the business’s most important systems as well as those associated with the highest level of exposure. For example, Internet-facing systems might be scanned daily, mission-critical assets might be scanned weekly, and all other systems might be scanned monthly.

2. Prioritize

The second step in vulnerability management is to review the results of each vulnerability scan and prioritize any discovered vulnerabilities for remediation.

Which vulnerabilities should be fixed first?

Whereas IT teams often use risk values from a report to determine which vulnerabilities have the highest level of risk and should be addressed first, remediation should prioritize items that are being actively exploited in the wild, not just items that receive a high CVSS score. Many popular scanners will even help identify which vulnerabilities have publicly available exploits. Then, once these are addressed, remediation teams can begin addressing vulnerabilities according to their overall risk score, from highest to lowest, as time permits.

Which vulnerabilities need to be addressed for compliance reasons?

Although many vulnerabilities are addressed because of “true risk,” some are addressed because of the risk perceived by regulations and audits. For example, having TLS v1.1 enabled on an internal web server hosting general data might not be considered a true risk by the organization’s security team, but an auditor might see it as a reportable item that needs to be addressed. Thus, it is important to be familiar with and understand any compliance regulations applicable to the organization as well as any additional requirements by auditors in order to adjust remediation strategies accordingly.
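The ordering described in the two questions above (actively exploited items first, then items with a public exploit, then compliance-driven items, then everything else by risk score) can be expressed as a small sort key. The following is an added example, not code from the article or from any scanner product; the `Finding` fields, tier numbers and the placeholder CVE identifiers are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result for one host (all fields constructed for this example)."""
    cve: str
    host: str
    cvss: float
    actively_exploited: bool = False   # known to be exploited in the wild
    public_exploit: bool = False       # scanner reports a publicly available exploit
    compliance_item: bool = False      # an auditor or regulation requires a fix regardless of score


def remediation_tier(f: Finding) -> int:
    """Lower tier number means fix sooner.

    Tiers follow the article's ordering: actively exploited first, then items
    with a public exploit, then compliance-driven items, then everything else
    (which is ordered by CVSS score in prioritize()).
    """
    if f.actively_exploited:
        return 0
    if f.public_exploit:
        return 1
    if f.compliance_item:
        return 2
    return 3


def prioritize(findings):
    """Return findings in remediation order: by tier, then CVSS descending.

    CVE and host are the final tie-breakers so the queue is reproducible
    from one scan to the next.
    """
    return sorted(findings, key=lambda f: (remediation_tier(f), -f.cvss, f.cve, f.host))


def remediation_queue(findings):
    """Compact view of the queue as (tier, cve, host) tuples in fix order."""
    return [(remediation_tier(f), f.cve, f.host) for f in prioritize(findings)]


# Constructed sample scan results. CVE identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-01", cvss=9.8),                            # high score, no exploit known
    Finding("CVE-0000-0002", "vpn-01", cvss=7.5, actively_exploited=True),   # lower score, exploited in the wild
    Finding("CVE-0000-0003", "app-03", cvss=6.5, public_exploit=True),
    Finding("CVE-0000-0004", "intranet-01", cvss=3.7, compliance_item=True),  # e.g. TLS 1.1 still enabled
    Finding("CVE-0000-0005", "db-02", cvss=8.1, public_exploit=True),
]

if __name__ == "__main__":
    for tier, cve, host in remediation_queue(SAMPLE_FINDINGS):
        print(f"tier {tier}  {cve}  {host}")
```

Note that the 9.8-scored finding lands last: with no known exploit and no compliance driver it is addressed "as time permits", after the 7.5-scored item that is being exploited in the wild.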

3. Remediate

The third step in vulnerability management is to fix the vulnerabilities before an attacker can exploit them (or an auditor can find them).

Are vulnerabilities fixed within a reasonable timeframe?

Most organizations scan for vulnerabilities and do their best to remediate discovered issues, but it is just as important to address these issues in a timely manner. Tracking how long it takes to address an issue once it has been discovered helps the security team understand how effectively and quickly they are lowering the organization’s overall level of risk.

4. Verify

For the fourth step, after a vulnerability is believed to have been remediated, a new vulnerability scan should be run to confirm the issue was indeed addressed.

Are vulnerabilities remediated on the first attempt?

Especially when starting a new vulnerability management program, remediation teams can struggle to fix issues correctly on the first try. Tracking this information helps the remediation teams become more effective over time while continuing to lower overall risk.
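The two tracking metrics the article asks for, time from discovery to a verified fix (step 3) and the share of fixes confirmed by the first verification scan (step 4), can be computed from a simple ticket record. This is an added example, not code from the article; the `Ticket` shape, the SLA days in `SLA_DAYS`, the sample dates and the "today" value are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed remediation targets in days per severity; an organisation would
# substitute its own policy values. (Constructed for this example.)
SLA_DAYS = {"critical": 7, "high": 30, "other": 90}


@dataclass
class Ticket:
    finding: str
    severity: str                                 # key into SLA_DAYS
    discovered: date                              # date the scanner first reported the issue
    rescans: list = field(default_factory=list)   # verification scan results, True = confirmed fixed
    verified_fixed: Optional[date] = None         # date of the first rescan that confirmed the fix


def days_open(t: Ticket, today: date) -> int:
    """Days from discovery to verified fix, or to today if still open."""
    end = t.verified_fixed or today
    return (end - t.discovered).days


def sla_breached(t: Ticket, today: date) -> bool:
    """True when the ticket took (or has so far taken) longer than its target."""
    return days_open(t, today) > SLA_DAYS[t.severity]


def breached_tickets(tickets, today: date):
    return [t.finding for t in tickets if sla_breached(t, today)]


def mean_time_to_remediate(tickets, today: date):
    """Average days to a verified fix over closed tickets; None if nothing is closed."""
    closed = [days_open(t, today) for t in tickets if t.verified_fixed]
    return sum(closed) / len(closed) if closed else None


def first_attempt_rate(tickets):
    """Fraction of tickets whose first verification scan confirmed the fix."""
    attempted = [t for t in tickets if t.rescans]
    if not attempted:
        return None
    return sum(1 for t in attempted if t.rescans[0]) / len(attempted)


# Constructed sample tickets; names and dates are illustrative only.
TODAY = date(2024, 3, 1)
SAMPLE_TICKETS = [
    # fix failed on the first rescan, confirmed on the second: 9 days, over a 7-day target
    Ticket("vpn-01 / CVE-0000-0002", "critical", date(2024, 2, 1), [False, True], date(2024, 2, 10)),
    Ticket("db-02 / CVE-0000-0005", "high", date(2024, 2, 5), [True], date(2024, 2, 12)),
    # never remediated: 51 days open and counting
    Ticket("app-03 / CVE-0000-0003", "high", date(2024, 1, 10)),
    Ticket("intranet-01 / CVE-0000-0004", "other", date(2024, 2, 20), [True], date(2024, 2, 25)),
]

if __name__ == "__main__":
    print("SLA breached:", breached_tickets(SAMPLE_TICKETS, TODAY))
    print("mean days to verified fix:", mean_time_to_remediate(SAMPLE_TICKETS, TODAY))
    print("first-attempt fix rate:", first_attempt_rate(SAMPLE_TICKETS))
```

The important design choice is that `verified_fixed` is set by a rescan, not by the remediation team's claim, so the time-to-remediate figure measures the same thing step 4 verifies.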

5. Monitor

Finally, organizations must continually monitor for the announcement of new vulnerabilities which could affect their company.

Would the security team know when action needs to be taken for a new vulnerability that is announced?

This is an area where many organizations can struggle if they are not organized. Using a central platform to track a complete inventory of the company’s hardware and software implementations helps ensure that when a new vulnerability is announced, the security team can more quickly determine if the organization is impacted.
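Answering "are we impacted?" from a central inventory comes down to matching an advisory's product and affected version range against each recorded installation. The following is an added example, not code from the article or any particular inventory platform; the product names, version numbers and the advisory itself are constructed. It also shows why versions must be compared numerically rather than as strings.

```python
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str):
    """Turn '2.10.1' into (2, 10, 1) so that 2.10 correctly sorts after 2.4.

    Comparing the raw strings would put '2.10.0' before '2.4.1'.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Asset:
    """One installed software item from the central inventory (constructed)."""
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A newly announced vulnerability, reduced to its affected version range (constructed)."""
    product: str
    fixed_in: str                        # first version that carries the fix
    introduced_in: Optional[str] = None  # earliest affected version, when the advisory states one


def is_affected(asset: Asset, adv: Advisory) -> bool:
    if asset.product.lower() != adv.product.lower():
        return False
    v = parse_version(asset.version)
    if adv.introduced_in and v < parse_version(adv.introduced_in):
        return False
    return v < parse_version(adv.fixed_in)


def impacted_hosts(inventory, adv: Advisory):
    """Hosts that need action for this advisory, sorted for a stable report."""
    return sorted(a.host for a in inventory if is_affected(a, adv))


# Constructed inventory and advisory; product names are fictional.
INVENTORY = [
    Asset("web-01", "ExampleHTTPD", "2.3.9"),
    Asset("web-02", "ExampleHTTPD", "2.4.1"),    # already on the fixed version
    Asset("web-03", "ExampleHTTPD", "2.10.0"),   # newer than the fix; string comparison would get this wrong
    Asset("legacy-01", "ExampleHTTPD", "1.9.5"),  # predates the affected branch
    Asset("db-01", "ExampleDB", "5.1"),          # different product entirely
]
ADVISORY = Advisory(product="ExampleHTTPD", fixed_in="2.4.1", introduced_in="2.0.0")

if __name__ == "__main__":
    print("impacted:", impacted_hosts(INVENTORY, ADVISORY))
```

When an advisory gives no lower bound, leaving `introduced_in` unset treats every version below the fix as affected, which is the conservative default until the vendor clarifies.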
