The effectiveness of a vulnerability management program is highly dependent not just on the technologies used but on the integration among components. Vulnerability identification systems, such as vulnerability scanners and system policy and device configuration audit tools, provide a basis for gathering data, but tight integration with change management software also is needed.
Configuration management, patch management, and identity and access management tools automate system maintenance and provide a real-time view of system and device state. Integrating these products with vulnerability identification tools gives a company a holistic picture of vulnerabilities and risks in its environment. That said, integrating maintenance and vulnerability identification systems is easier said than done.
The key is to identify which elements are crucial to the program. We recommend taking a top-down approach. For example, companies should take inventory of the systems and data they have in production. Key stakeholders should review the state of those systems, evaluate the organization's operational capacity to implement changes, and ask high-level questions that support a higher security posture. How many Windows systems do we have in a given region? What is our exposure to Apache problems? As IT teams compile the answers, they should gather the information needed to act as well. If there are 100 Windows systems in Europe, is that enough information? Do I need to know MAC addresses? Asset owners?
Additional technology should only be considered once these questions have been answered.
STEP 2: PRIORITIZE
Prioritization is always crucial in IT, but its importance is only amplified in challenging times. Clearly, vulnerability management must be deployed in a way that allows for easy prioritization. This typically means establishing groups of assets, to improve data collection effectiveness; and groups of owners, to facilitate relevant and actionable reporting. Groups often are built along regional, operational (accounting, facilities), or technological boundaries (desktop group, Unix team). When determining security posture, asset groups should be aligned with business functions. Groups must be a manageable size, with clearly defined responsibilities.
In the case of attack surface reduction, ownership groups include IT managers, data center owners, and others responsible for maintaining the security and integrity of systems. When addressing company-wide security, ownership groups typically include members of the security organization, internal auditors, and, potentially, business units. Compliance-oriented ownership groups should be aligned with individuals responsible for enforcing and reporting on compliance.
STEP 3: CONTINUE TO REFINE
Part of continuous improvement includes understanding how individual characteristics affect vulnerability management program objectives. The table above outlines the way seven characteristics relate to the objectives of vulnerability management.
When determining security posture or compliance level, quality data is paramount. Missed vulnerabilities will create a false sense of security, and poor data can generate "false positives"--nonexistent vulnerabilities. Data should be collected frequently when reducing attack surface is the top priority, but is not critical for determining security posture. The frequency of data collection for compliance initiatives will be specific to individual compliance requirements.
Trending is most useful for understanding security posture, success of vulnerability reduction efforts, and compliance-related activities. Trending information will show how an organization's risk profile changes over time and how external events, such as vulnerabilities and patch releases, impact enterprise-wide security posture.
False positives often erroneously show vulnerabilities and configuration errors where none exist. Trending can reduce false positives, but they can still have a significant impact on compliance activities, because an accurate picture of vulnerabilities is vital for compliance reporting.
| What's Important To Your Objectives? | |||
| Characteristic | Attack Surface Reduction | Understanding Security Posture | Achieving Compliance |
| Quantity of data | Mandatory | Optional | Mandatory |
| Quality of data | Optional | Mandatory | Mandatory |
| High frequency | Mandatory | Optional | Unnecessary |
| Correlation | Mandatory | Optional | Unnecessary |
| Trending | Optional | Mandatory | Unnecessary |
| False-positive reduction | Optional | Unnecessary | Mandatory |
| Key performance indicators | Optional | Mandatory | Mandatory |
Matthew Miller, Nathaniel Puffer, and Greg Shipley work for Neohapsis, an information risk management software and services company. They can be reached at [email protected].
Illustration by Sek Leung
Keys To Success Of Vulnerability Management