It is important to implement a robust Vulnerability Management (VM) program with an aim to keep the IT infrastructure of the organization protected from existing and emerging security threats. The program should not only look at identifying security vulnerabilities, but it must also establish a process for planning and controlling the risks effectively within desired timelines.
Some of the generally observed challenges of a vulnerability management program are:
- To Assess Increasing Number of IT Assets as per Business needs
- Fixing security vulnerabilities within desired timelines
- Ambiguity in Risk Rating and Prioritization
- Redundant efforts spent on tracking and follow-ups with many teams
- Lack of Security Resources
A typical vulnerability management program is shown below.
With an aim to coordinate the VM processes in an effective and efficient manner, many factors must be considered. The list of some of the essential elements that make up a good VM system is listed below.
- IT Asset Management
- Nature of Security Assessment
- Vulnerability Reporting & Tracking
- Mitigation & Control Plan
- Vulnerability Intelligence
Let us understand each of these sections in detail.
IT Asset Management
Asset management is an important element with respect to Vulnerability management. It helps to define its scope and objective.
The organizations must necessarily maintain information about all its assets and classify them based on their location, criticality or impact to the business. Such contextual information associated with an asset helps to determine the schedule for testing, its security risks, and prioritizing them for closures.
The asset inventory must also be complemented by a change management system. This will facilitate the InfoSec team to initiate security testing at an appropriate time; thereby ensuring secure state of all the IT assets all the time.
Nature of Assessment
The nature of assessment determines the extent to which an organization can uncover all the security flaws in the IT assets. It is the most crucial aspect of any VM program. It is important to look at following aspects of security assessments:
Security Testing Methodology – A stable testing process should include both automated and manual analysis. The manual testing is required to verify the scan results, enumerate false positives and analyze areas requiring business sense. Thus, the capability of the process to uncover all the security vulnerabilities in IT assets can be inferred from the kind of the methodology it follows to assess them.
Periodic Assessments – To maintain a steady state of security the IT assets must be subject to periodic testing. However, as the resources are limited, the assessments cannot be carried out for all the assets in most cases. Thus, selection criteria must be in place by the organizations to select the assets for periodic testing.
Such a criteria must take into consideration the criticality of assets, the frequency of change that the assets are subject to and their network architecture. There must be a balance between the periodicity of testing and the rate of changes in the assets. The frequency of assessment must ensure that the all the assets are thoroughly tested before being released on a production environment.
Types of Assessments – As a part of vulnerability management program, it is imperative to conduct different kinds of security assessment, as required for the nature of asset being tested. Some of the important security testing types are given below:
- Application Security Testing (DAST)
- Security Code Review (SAST)
- Network Penetration Testing
- Configuration Review
- Firewall Analysis
- Network Architecture Review
- Process Review
These are necessary types of assessments that must be a part of the VM program. The suitability of the test, however, would depend on the nature of IT assets and their business and technical environments.
overage of Assessments – The security tests must be exhaustive. Any security hole that is left undiscovered may result in an entry point for hackers. The security assessments must thus incorporate methods like threat modeling and analyze the security controls for well-known as well as application/business specific cases.
Tools for Assessments – The selection of security tools also plays a key role in assessments. They are a number of open source tools and scanners that are used to automate security testing. However, the scope and capability of such tools are limited. So, depending on the nature of the tool being used, the organizations must determine the extent manual efforts required in the security testing process.
Skill Set Requirements – The vulnerability management must not be limited to just testing for security vulnerabilities. It is important that the consultants involved in this program are proficient in many other security aspects like defensive programming, compliance etc. This would make them competent to help business teams in understanding and addressing security gaps in the system in an efficient manner.
Vulnerability Reporting & Tracking
After assessing the IT assets it’s important to systematically report the security vulnerabilities to teams. The report must ensure that it has all the relevant information. A detailed report helps the business teams to understand the vulnerability and fix it within deadlines.
Along with vulnerability information, its risk must also be appropriately analyzed. With constraints in time and budget having correct risk level associated with the flaws will help the team to plan the work and address the important issues on a priority basis. There are many security risk rating frameworks available, but the organization must choose the one that best suits their environment.
The vulnerabilities present in the assets must be tracked separately to ensure that they are fixed, and necessary remediation is applied before the assets are made live. It is also important to keep a track of information related to the vulnerability like deadline date (as per the business requirement), the person who is responsible to fix the issue, the priority associated with the issue, time and efforts required to fix. It would also help the organization understand the delays in fixing the issue and would highlight the areas that need immediate attention and escalations. This would bring efficiency to the overall system.
Mitigation & Control Planning
Vulnerability Fixing – The process of vulnerability management does not stop at the identification of security vulnerabilities in IT assets. To achieve the desired level of security it is imperative to fix the reported issues on time. The Vulnerability management program must have provisions to facilitate the teams in this area. The list of security patches to be applied to the assets must be periodically updated to the IT teams.
The process also should include follow-ups with the asset management team to know about the status of the work, understanding the challenges faced and providing on-demand support to them.
The support provided by InfoSec team is crucial as it will help to address the gaps in understanding of asset management teams about the reported vulnerabilities and collectively plan a feasible solution to mitigate them.
Vulnerability Exception – At times all the security issues cannot be fixed before the release date, due to dependency on other systems, budget and time constraints, lack of technical feasibility in implementing the solution or in most cases due to business requirements. In all such cases, a security exception is taken to have a provision to fix the issue at a future date, as desired by the business team. In this case, as the risk remains untreated, the vulnerability management program should have enough provisions to allow, track and follow-up for the closure of such exception issues. There must be criteria that define the nature of security issues that can be allowed to be taken an exception. Moreover, the exception issues must have an approval process involving the senior management. Once such exceptions are taken, their end date must be tracked, and it must be ensured that the business teams close the issue before the duration of which exception was taken ends.
Security Standard – Along with running vulnerability assessment activities for IT assets, organizations must also pay attention to increasing the security know-how of the business teams. This would help in reducing the security vulnerabilities in the assets, as their respective teams would proactively apply required security controls to them. Thus, overall security standard of the organization will get enhanced.
Maturity in the overall vulnerability management exercise can be achieved by implementing methods to detect, prioritize and mitigate security risks at early stages of the development in an effective and efficient manner.
Vulnerability Metrics & KPIs – With different teams involved in planning, assessing and mitigating risks in security assets, it is important to know the investment in terms of time and efforts being spent on different VM activities and the gaps in the processes. Measurement of different parameters would help in better planning, increasing the depth of assessment or the support to the business teams. This would, in turn, increase the returns from the security investment in the Vulnerability Management process.
Integration with Other Processes – Vulnerability management should not be an isolated process, its outcome must be fed into other allied processes like patch management, risk management so that it helps in addressing the overall organizational risks effectively.
Integration of Vulnerability management program with other processes is extremely important and can be a rewarding exercise. The overall vulnerability state of IT assets can aid the risk management teams to plan for effective security policies for the organization and guide the management teams for taking proactive steps towards security.
Vulnerability Research – With zero-days attacks and new threats released on an ongoing basis, it is important to invest time in researching for such issues and incorporating them in the security knowledge base of the organization. The research should not just be limited to vulnerabilities, but it could not include looking out for new security tools, technologies and ways to detect security vulnerabilities. This process will increase the overall security quotient of the organization and allow it to stay ahead of hackers all the time.
These are some of the important aspects of the VM program. And implementing such a program effectively is a continuous exercise of executing, measuring and improvising the processes with security in mind. We may have to keep reinventing these approaches to keep pace with the changing technology landscape. However, the underlying principles of security will remain the same.