What is a vulnerability management program
The idea of outsourcing this should be considered, despite any desire to handle this in-house — and for a few really good reasons. Second, internal staff may not have the expertise, experience, and exposure to the nuances of vulnerability management that an outside provider may have, along with advanced technologies that will have been tested across many organizations, geographies, and threats.
Lastly, most outsourced managed services — particularly in the cybersecurity space — are designed to be less costly than if you perform the same service in-house; they have the staff, process, and security tools necessary and traditionally offer them together in a cost-effective subscription pricing model. At a minimum, consider using outside expertise to help build a vulnerability management program in-house — their expertise and experience can help your organization to more accurately and quickly get your program to a level of maturity and effectiveness that can help positively impact organizational security.
What is a vulnerability management program and should your business have one? January 13, Nick Cavalancia.
This blog was written by a third party author.

What is a Vulnerability Management Program?

The pillars of vulnerability management

A Vulnerability Management Program generally consists of just four basic pillars:

Discovery — Having an understanding of every potential source of vulnerability, including laptops, desktops, servers, firewalls, networking devices, printers, and more, serves as the foundation for any solid Vulnerability Management Program.

Identification — Using a vulnerability scanning solution, those systems and devices under management are scanned, looking for known vulnerabilities and correlating scan findings with said vulnerabilities. Keeping in mind that you may have thousands of potential vulnerabilities depending on the size and complexity of your environment, there will no doubt be varying factors that will determine which discovered vulnerabilities take priority over others.
There are four stages to a vulnerability management program. The first stage focuses on building a process that is measurable and repeatable. Stages two through four focus on executing the process outlined in stage one with an emphasis on continuous improvement. To build an effective risk management program, one must first determine what assets the organization needs to protect.
Assets should be classified and ranked based on their true and inherent risk to the organization. For example, an asset in the DMZ with logical access to an account database is going to have a higher criticality than an asset in a lab. An asset in production is going to have a higher criticality than an asset in a test environment. An internet routable web server will have a higher criticality than an internal file server.
However, even though an asset is of lower criticality, remediation on that asset should not be ignored. Attackers can leverage these oft-ignored assets to gain access and then traverse the network by compromising multiple systems until they reach the systems with sensitive data. The remediation effort should always be prioritized in relation to overall risk. System owners are ultimately responsible for the asset, its associated risk and the liability if that asset becomes compromised. This step is critical to the success of the vulnerability management program, as it drives the accountability and remediation efforts within the organization.
If there is no one to take ownership of the risk, there will not be anyone to drive remediation of that risk. Scanning this frequently allows the owners of the assets to track the progress of remediation efforts, identify new risks as well as reprioritize the remediation of vulnerabilities based on new intelligence gathered. When a vulnerability is first released, it may have a lower vulnerability score because there is no known exploit.
Once a vulnerability has been around for some time, an automated exploit kit may become available which would increase the risk of that vulnerability. A system that was once thought to not be vulnerable may become susceptible to a vulnerability or set of vulnerabilities due to new software installed or a patch rollback. There are many factors that could contribute to the risk posture of an asset changing. Frequent scanning ensures that the owner of the asset is kept up to date with the latest information.
As an outer limit, vulnerability scanning should take place no less frequently than once per month. Vulnerabilities that are able to be exploited in an automated fashion, that yield privileged control to an attacker, should be remediated immediately. Vulnerabilities yielding privileged control that are more difficult to exploit or are currently only exploitable in theory should be remediated within 30 days. Vulnerabilities lower than this can be remediated within 90 days.
In the event of a system owner being unable to remediate a vulnerability within the approved time frame, a remediation exception process should be available. As a part of this process, there should be a documented understanding and acceptance of the risk by the system owner along with an acceptable action plan to remediate the vulnerability by a certain date.
Vulnerability exceptions should always have an expiry date. Asset discovery and inventory account for Critical Security Control numbers one and two.
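The remediation windows, re-tiering on new exploit intelligence, and exception rules described above, encoded as a small prioritization model. This is an added example, not code from the post or from any product it mentions; the finding fields, the criticality ranking and the vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple
# Remediation windows stated in the post: automatable exploit yielding privileged
# control -> immediate; privileged but hard or theoretical -> 30 days; the rest -> 90 days.
WINDOW_DAYS = {"immediate": 0, "privileged": 30, "other": 90}
TIER_ORDER = {"immediate": 0, "privileged": 1, "other": 2}

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # constructed placeholder, not a real vulnerability identifier
    privileged: bool      # exploitation yields privileged control
    automated: bool       # an automated exploit (e.g. an exploit kit) is available
    found: date           # date the scanner first reported it
    criticality: int      # asset ranking from the inventory (higher = more critical)

@dataclass(frozen=True)
class RiskException:
    owner: str            # system owner who accepted the risk
    action_plan: str      # how and by when the owner will remediate
    expires: Optional[date]

def tier(f: Finding) -> str:
    if f.privileged and f.automated:
        return "immediate"
    return "privileged" if f.privileged else "other"

def due_date(f: Finding, exc: Optional[RiskException] = None) -> date:
    """Due date from the window, or the exception's expiry once the exception is valid."""
    if exc is None:
        return f.found + timedelta(days=WINDOW_DAYS[tier(f)])
    if exc.expires is None:
        raise ValueError("vulnerability exceptions must have an expiry date")
    if not exc.owner or not exc.action_plan:
        raise ValueError("an exception needs an accepting owner and an action plan")
    return exc.expires

def reassess(f: Finding, automated_now: bool) -> Finding:
    """New intelligence (e.g. an exploit kit appears) re-tiers an existing finding."""
    return replace(f, automated=automated_now)

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Work order: tier first, then asset criticality; low-criticality assets stay in the queue."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -f.criticality, f.found))

def overdue(findings: List[Finding], exceptions: Dict[Tuple[str, str], RiskException],
            today: date) -> List[Finding]:
    """Findings past their effective due date, for owner accountability reporting."""
    return [f for f in findings if today > due_date(f, exceptions.get((f.asset, f.vuln_id)))]
```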
This is the foundation for any security program — information security or otherwise — as the defenders cannot protect what they do not know about. Critical Security Control number one is to have an inventory of all authorized and unauthorized devices on the network. Once they are in, they can leverage the control they have on that system to attack other systems and further infiltrate the network.
Ensuring that the information security team is aware of what is on the network allows them to better protect those systems and provide guidance to the owners of those systems to reduce the risk those assets pose.
There have been many cases where users deploy systems without informing the information security team. Without the appropriate asset discovery and network access control, these types of devices can provide an easy gateway for an attacker into the internal network. Tripwire IP conducts a discovery of assets within defined ranges as well as discovers what applications are running on those discovered assets prior to conducting a vulnerability scan.
Once all the assets on the network are identified, the next step is to identify the vulnerability risk posture of each asset. Vulnerabilities can be identified through an unauthenticated or authenticated scan or by deploying an agent to determine the vulnerability posture.
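An added example of the reconciliation step the Critical Security Control 1 discussion above implies: comparing a discovery run against the authorized inventory and against the previous run, so unknown devices and assets whose listening software changed are surfaced to their owners. This is not code from the post or from Tripwire; the inventory, the scan snapshots and their shape are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data. AUTHORIZED is the inventory (IP -> system owner) that
# Critical Security Control 1 asks for; the scans are discovery snapshots shaped as
# IP -> set of listening services (not the output format of any real tool).
AUTHORIZED = {"10.0.1.10": "web-team", "10.0.1.20": "db-team", "10.0.2.5": "finance"}
PREVIOUS_SCAN = {"10.0.1.10": {"tcp/80", "tcp/443"}, "10.0.1.20": {"tcp/5432"},
                 "10.0.2.5": {"tcp/445"}}
CURRENT_SCAN = {"10.0.1.10": {"tcp/80", "tcp/443", "tcp/22"},  # new service since last run
                "10.0.1.20": {"tcp/5432"},
                "10.0.3.77": {"tcp/8080"}}                      # never inventoried

@dataclass
class DiscoveryReport:
    unauthorized: List[str] = field(default_factory=list)       # on the network, not in inventory
    not_seen: List[str] = field(default_factory=list)           # inventoried but absent this run
    changed: Dict[str, Set[str]] = field(default_factory=dict)  # asset -> services added
    notify: Dict[str, List[str]] = field(default_factory=dict)  # owner -> assets to review

def reconcile(authorized: Dict[str, str], previous: Dict[str, Set[str]],
              current: Dict[str, Set[str]]) -> DiscoveryReport:
    """Compare a discovery run against the inventory and the previous run."""
    report = DiscoveryReport()
    for ip, services in sorted(current.items()):
        if ip not in authorized:
            report.unauthorized.append(ip)   # candidate for network access control follow-up
            continue
        added = services - previous.get(ip, set())
        if added:
            # New listening software changes the asset's risk posture: rescan and tell the owner.
            report.changed[ip] = added
            report.notify.setdefault(authorized[ip], []).append(ip)
    report.not_seen = sorted(ip for ip in authorized if ip not in current)
    return report
```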