To manage your company’s vulnerabilities effectively, it’s worth taking a few preparatory steps. First, assess your IT infrastructure and current information security processes, identify the most dangerous types of vulnerabilities, and determine who in the organization is responsible for what.
Software vulnerabilities, configuration errors, and unrecorded IT assets exist in every organization. Some of these issues are more dangerous from an information security perspective, others less so. Either way, they open a path for attackers into the company’s internal infrastructure. Building a vulnerability management program reduces the number of potential and existing cybersecurity threats. It is a process that consists of several key steps.
- Regular infrastructure inventory
- Vulnerability scan
- Processing scan results
- Eliminate vulnerabilities
- Management of the execution of the above tasks
As mentioned above, you can’t start a vulnerability management program “immediately.” First, you need to do your “homework”: evaluate your existing information security infrastructure and processes, understand how well trained your staff are, and select scanning tools and methods. Otherwise, vulnerability management and the vulnerabilities themselves will continue to exist separately from each other.
Evaluate internal information security processes
The first step to effective vulnerability management is an assessment of your business and information security processes. An organization can do this on its own or involve an external auditor.
When evaluating your information security process, it is worth answering the following questions:
- Is there a process to centrally manage all of the company’s IT assets, and how effective is it?
- Do you currently have a method in place to find and fix software vulnerabilities? How regular and effective is it?
- Are vulnerability management processes documented in internal information security documents, and is everyone familiar with these documents?
If the answers to these questions do not match the company’s actual situation, the assessment will be wrong and many errors will follow when implementing or refining the vulnerability management program.
For example, many enterprises have a vulnerability management solution in place, but it is often misconfigured, or there are no experts to operate it effectively.
Formally, vulnerability management exists, but in practice parts of the IT infrastructure are invisible to the tool: they are either not scanned at all or the scan results are misinterpreted. These gaps need to be identified and addressed within the enterprise.
Based on the audit results, a report should be prepared that clearly shows which processes the company has in place and what shortcomings they currently have.
Choosing a scan tool
There are now several options for implementing vulnerability management. Some vendors offer self-service and simply sell scanners. Others provide professional services. Scanners can be hosted in the cloud or at your company perimeter. You can monitor hosts with or without agents and use various data sources to replenish your vulnerability database.
At this stage, you should answer the following questions:
- How is your organization’s IT infrastructure structured, and how unusual is it?
- Does your company operate across several regions?
- Do you have many remote hosts?
- Does your company have a qualified professional to service your scanner?
- Do you have the budget to purchase additional software?
Building interaction between information security and IT teams
This is probably the most difficult stage, as people’s interactions need to be properly structured here. As a general rule, an organization’s security specialist is responsible for information security, and the IT team is responsible for eliminating vulnerabilities. IT and information security can also be the responsibility of a single team, or even a single employee.
However, this does not change the approach to distributing tasks and responsibilities, and at this stage the current number of tasks may prove to be beyond the capacity of one person.
As a result, a consistent, synchronized process for eliminating vulnerabilities must be formed. To do this, you need to define the criteria for handing over information about discovered vulnerabilities from the information security team to IT (that is, agree on a data transfer format that is convenient for everyone).
In fact, the biggest problem is the lack of good analysts who can properly review news sources and prioritize vulnerabilities. News, security bulletins, and vendor reports often point out which vulnerabilities should be addressed first. In my experience, analysts have to deal with the most dangerous vulnerabilities. All other work should be done automatically by processing patches received from the software vendor.
Some types of vulnerabilities and attacks, such as zero-day exploits, are difficult to detect. To keep all processes under control, KPIs and SLAs for the IT and security teams should be discussed and agreed at this stage of building the vulnerability management program.
For example, in information security, it is important to set requirements for the speed of detecting vulnerabilities and the accuracy with which to determine their severity, and for IT, the speed of remediating vulnerabilities of a given severity level.
Implementing a vulnerability management program
After assessing the effectiveness and availability of processes, determining scanning tools, and coordinating interactions between teams, you can begin implementing a vulnerability management program.
We do not recommend using all the functional modules available in the scan tool in the early stages. If the information security and IT teams have not continuously monitored vulnerabilities in their organization before, they will most likely be overwhelmed. This can lead to conflicts and to missed KPIs and SLAs.
We recommend that you introduce vulnerability management gradually. The entire vulnerability management cycle (inventory, scan, analysis, elimination) can proceed at a slow pace. For example, you can scan your entire infrastructure quarterly and business-critical segments monthly.
In about half a year, the team can “work together” to find and fix the most critical vulnerabilities, understand the obvious flaws in the process, and provide a plan to eliminate these flaws.
In addition, outside experts can be involved to help significantly reduce the day-to-day operations of the company’s full-time employees. For example, service providers can be involved in inventory and scans, and processing results. The service approach also helps managers plan work and monitor progress.
So, for example, if a provider’s report reveals that a vulnerability found in a previous scan still hasn’t been fixed, the manager checks the relevant SLAs and can see whether it is the information security department that lacks the time to process results, or the IT team that lacks the time to fix the identified issues.
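As an added illustration of the handoff criteria and per-severity SLAs described in the section on team interaction, and of the “still unfixed since the previous scan” check the manager makes above, the following script (not from the article) compares two scan results, keeps only the findings that carried over, and flags those past their remediation SLA. The SLA figures, host names and VULN-xxxx identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Remediation SLA per severity, in days. Constructed values for illustration,
# not figures from the article; these are what IT and security should agree on.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner check or CVE id; placeholder values below
    severity: str
    first_seen: date  # date of the scan that reported it

def carried_over(previous, current):
    """Findings from the previous scan that are still reported in the current one.
    first_seen is taken from the previous scan so age counts from first discovery."""
    prev = {(f.host, f.vuln_id): f for f in previous}
    return [Finding(f.host, f.vuln_id, f.severity, prev[(f.host, f.vuln_id)].first_seen)
            for f in current if (f.host, f.vuln_id) in prev]

def sla_status(finding, today):
    """('overdue' or 'ok', days open) for a still-open finding."""
    age = (today - finding.first_seen).days
    return ("overdue" if age > SLA_DAYS[finding.severity] else "ok"), age

def handoff_report(previous, current, today):
    """Rows the security team hands to IT: one per unresolved finding, overdue first,
    so a manager can see at a glance which SLA is being missed."""
    rows = []
    for f in carried_over(previous, current):
        status, age = sla_status(f, today)
        rows.append({"host": f.host, "vuln": f.vuln_id, "severity": f.severity,
                     "days_open": age, "sla_days": SLA_DAYS[f.severity], "status": status})
    rows.sort(key=lambda r: (r["status"] != "overdue", -r["days_open"]))
    return rows

# Constructed sample scans with placeholder identifiers (not real findings).
PREVIOUS = [Finding("db01", "VULN-0001", "critical", date(2024, 3, 1)),
            Finding("web01", "VULN-0002", "high", date(2024, 3, 1)),
            Finding("web01", "VULN-0003", "low", date(2024, 3, 1))]
CURRENT = [Finding("db01", "VULN-0001", "critical", date(2024, 3, 20)),   # still open, past 7-day SLA
           Finding("web01", "VULN-0002", "high", date(2024, 3, 20)),      # still open, within 30-day SLA
           Finding("web01", "VULN-0004", "medium", date(2024, 3, 20))]    # new this scan; VULN-0003 was fixed
TODAY = date(2024, 3, 20)

def demo():
    return handoff_report(PREVIOUS, CURRENT, TODAY)
```

Running `demo()` returns two rows: the critical finding on db01, 19 days old and overdue against its 7-day SLA, followed by the high finding on web01, still within its 30-day SLA.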
When building a vulnerability management program, companies can make mistakes such as:
- An overestimation of the current processes within the organization and their effectiveness.
- Incorrect assessment when choosing scanning methods and tools. This happens because some experts choose scanners “top to bottom” based on subjective evaluation, or without proper evaluation of the process and analysis. If you do not have a full-time employee with sufficient experience and competence, we recommend choosing a service provider that scans, analyzes the results, and fixes vulnerabilities.
- Lack of boundaries of responsibility between information security and IT teams.
- Implementing everything at once. The “We regularly monitor all our servers, workstations and clouds. We also focus on ISO 12100 and PCI DSS. We install a patch management solution and John controls everything.” approach is dangerous. Within a month John has a fight with IT, and in three months he quits. The process is then perceived as inefficient and forgotten until the first cybersecurity incident occurs.
Therefore, we recommend that you first “lay the groundwork” and only then start building your vulnerability management program.
Main image credits: Christina Morillo; Pexel; Thank you!