Operational challenges are always associated with a vulnerability management program. However, to tackle the growing complexity of IT infrastructure, security professionals are putting immense effort into transforming vulnerability management into an effective risk reduction solution. Tuning it to full efficacy can be highly significant and provide a great return on investment if it is implemented carefully and adjusted regularly. Organizations need to move away from the traditional pattern and adopt the modern approach to vulnerability management that this requires. The following approaches will lead to the best solution.
- Persistent Vulnerability Finding
Most Organizations use traditional active scanning to discover vulnerabilities, which requires a remote scan of each network-attached device. But this approach to vulnerability assessment is often constrained. We should avoid relying only on traditional scanning to discover vulnerabilities, because remote scanning of network-attached devices is linked to various limitations such as:
- Access Limits: A few assets and services are always considered so critical that you might hesitate to scan them, on the false anticipation that the scan would affect their availability. This is the paradox of vulnerability assessment: the assets that need it the most are the ones we are most reluctant to assess.
- Asset distribution: Proper asset inventory is quite a challenging area, as I have noticed in multiple Organizations. It is always a big challenge to access assets due to their location, such as cloud assets or mobile assets like laptops and other mobile devices.
- Huge information: Scanners pour out data in the form of 300-, 500- and almost 1000-page reports full of long diagrams and tables, with little visibility into network context, risk prioritization, or actionable fixes specific to the Organization.
- Neglected Areas: Automatically generated reports prioritize vulnerabilities based on predefined asset importance and vulnerability severity ranking. This methodology does not consider network context and might misguide the implementation team into fixing non-threatening vulnerabilities and ignoring the critical ones.
The above constraints lead most Organizations to scan only portions or segments of their infrastructure, creating lengthy scan cycles which in turn lead to inadequate frequency and scope of vulnerability management. With traditional vulnerability management, monthly or quarterly scans typically do not cover the entire network; proper asset and patch management can help to accurately deduce vulnerability data on all infrastructure nodes.
- Analysis & Validation: Critical risks are specific to every Organization
Automated analysis of vulnerabilities allows subsequent prioritization to focus on the critical risks and reduces the time wasted chasing low-risk findings. The intention is to create a FastTrack list of action items to be executed quickly to eliminate the risk of being exploited by attackers. The logic to achieve this automation can be:
- Hot target Analysis: Track groups of hosts on the attack surface with a high density of severe vulnerabilities, which can be fixed in bulk by broad action items such as patching.
- Attack Vector Analysis: Utilize attack anatomy to find specific, high-risk attack vectors around one or a few hosts that require quick remediation (patching, shielding, network configuration) to eliminate exposure of specific targeted assets.
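The two analysis passes above, as an added example that is not from the original article: a Python script that runs a hot-target pass (severe findings grouped by subnet and by the fix that closes them, so one patch rollout becomes one bulk action item) and an attack-vector pass (a walk over a host reachability graph from the internet to a critical asset, keeping only chains where every hop has a severe, remotely exploitable finding). The hosts, subnets, vulnerability ids, fix ids and reachability data are all constructed for the demonstration.

```python
"""Added example, not from the original article: two automated prioritisation
passes over a constructed set of scanner findings.

1. Hot-target analysis: group severe findings by subnet and by the fix that
   closes them, so that one patch rolled out to a subnet becomes one bulk item.
2. Attack-vector analysis: walk a host reachability graph from the internet to a
   critical asset and keep only chains whose every hop carries a severe,
   remotely exploitable finding; any host on such a chain is a candidate for
   quick patching, shielding or a network change.

Hosts, subnets, vulnerability ids, fix ids and reachability are all constructed
sample data for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SEVERE = {"critical", "high"}

# Constructed findings: (host, vulnerability id, severity, fix id, remotely exploitable)
FINDINGS = [
    ("10.1.0.11", "VULN-A", "critical", "KB-PATCH-1", True),
    ("10.1.0.12", "VULN-A", "critical", "KB-PATCH-1", True),
    ("10.1.0.13", "VULN-A", "critical", "KB-PATCH-1", True),
    ("10.1.0.13", "VULN-B", "low", "KB-PATCH-2", False),
    ("10.2.0.5", "VULN-C", "high", "KB-PATCH-3", True),
    ("10.3.0.7", "VULN-D", "high", "CONFIG-FIX-1", True),
    ("10.3.0.8", "VULN-E", "medium", "KB-PATCH-4", True),
]
SUBNETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), ip_network("10.3.0.0/24")]

# Constructed reachability: which hosts each node can connect to (sample network)
REACHABLE = {
    "internet": {"10.3.0.7", "10.3.0.8"},
    "10.3.0.7": {"10.2.0.5"},
    "10.3.0.8": {"10.2.0.5"},
    "10.2.0.5": {"10.1.0.11"},
}
CRITICAL_ASSET = "10.1.0.11"


def hot_targets(findings, subnets, min_severe=2):
    """Return {subnet: {fix_id: [hosts]}} for subnets with at least min_severe
    severe findings, i.e. the bulk action items (one fix, many hosts)."""
    fixes_by_subnet = defaultdict(lambda: defaultdict(set))
    severe_count = defaultdict(int)
    for host, _vuln, severity, fix, _remote in findings:
        if severity not in SEVERE:
            continue
        addr = ip_address(host)
        for net in subnets:
            if addr in net:
                fixes_by_subnet[str(net)][fix].add(host)
                severe_count[str(net)] += 1
                break
    return {
        net: {fix: sorted(hosts) for fix, hosts in fixes.items()}
        for net, fixes in fixes_by_subnet.items()
        if severe_count[net] >= min_severe
    }


def attack_vectors(findings, reachable, target, max_hops=4):
    """Enumerate chains from 'internet' to target in which every host, the
    target included, has a severe and remotely exploitable finding."""
    exploitable = {h for h, _v, sev, _f, remote in findings if sev in SEVERE and remote}
    chains = []

    def walk(node, path):
        if len(path) > max_hops:
            return
        for nxt in sorted(reachable.get(node, ())):
            if nxt in path or nxt not in exploitable:
                continue  # a loop, or a hop without an exploitable finding, breaks the chain
            if nxt == target:
                chains.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    walk("internet", ["internet"])
    return chains


if __name__ == "__main__":
    for net, fixes in hot_targets(FINDINGS, SUBNETS).items():
        for fix, hosts in fixes.items():
            print(f"bulk item: apply {fix} on {net}: {', '.join(hosts)}")
    for chain in attack_vectors(FINDINGS, REACHABLE, CRITICAL_ASSET):
        print("attack vector:", " -> ".join(chain), "(fixing any hop breaks it)")
```

On the sample data the hot-target pass reports one bulk item (KB-PATCH-1 on three hosts in 10.1.0.0/24), and the attack-vector pass reports one chain through 10.3.0.7 and 10.2.0.5 to the critical asset; the host with only a medium finding does not extend a chain, which is what lets the second pass focus on a few hosts rather than the whole inventory.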
- Intelligent risk rating - Vulnerabilities that actually pose a significant risk
With limited IT resources, one needs to prioritize identified vulnerabilities to target remediation efforts. The traditional approach focuses on a pre-defined severity rating based on CVSS together with asset importance. But this is not specific to any organization; rather, it is a generic approach. We assert that the criticality of a vulnerability should depend on several factors, including existing security controls, threat data, the business asset, and the impact of a potential attack.
- First, determine whether the vulnerability threatens an important system or not.
- Second, determine the likelihood of it being exploited.
- Third, perform impact analysis: what will happen if the vulnerability is exploited? Will the impact be considerable, taking down a critical system or extending to other assets?
- Fourth, use attack simulation technology in a lab environment to identify what would happen if the steps are put together.
The generic severity might be different for your Organization. E.g., if an asset runs an application that is crucial to maintaining the business and requires continuous availability, a medium-level vulnerability that threatens to disable this asset might be a critical/high-level risk to this particular business.
- Effective remediation and tracking – Not only patching
The final and most important step is to remediate the discovered vulnerabilities. For an effective vulnerability management program, remediation should be integrated into the solution and must consider all available security controls.
- Patch availability: Can a patch be deployed or is it “unpatchable” due to system integration issues, location, availability requirements, custom application limitations, etc.?
- System's susceptibility: Are you able to reconfigure the network or change access controls to mitigate the vulnerability?
- Availability of other security controls: If a patch is not available, are there other security controls that may provide protection such as firewalls, IPS or anti-malware signatures, or other defenses?
Remediation must consider all security controls, not just patching, and the availability of security controls should be part of the prioritization process. E.g., when you have a list of critical vulnerabilities for your organization, you might prioritize easy-to-remediate vulnerabilities over ones that are resource intensive. This allows you to get the most protection in the shortest amount of time. The division of labor assigns the security team to find the vulnerability, but the network operations and development teams to implement the remediation. The vulnerability management program must enable effective communication with the relevant IT Operations teams, and an integrated workflow should be created to track the remediation process across these teams. To ensure maximum efficacy, skilled and trained resources should be incorporated into the security team, who can validate and work in parallel with the IT Operations team on vulnerability closure.
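As an added example that is not from the original article, the following Python script implements both the organization-specific risk rating described under "Intelligent risk rating" (the four questions: important system, likelihood, impact, existing controls) and the remediation planning described in this section (patch, network or access change, compensating control, ordered by rating first and remediation effort second). Asset names, vulnerability ids, weights, thresholds and effort figures are constructed assumptions for the demonstration, not values from the article; the "erp-db" finding reproduces the article's case of a medium vulnerability that becomes a high risk because the asset requires continuous availability.

```python
"""Added example, not from the original article: an organisation-specific risk
rating for scanner findings (the four questions: important system, likelihood,
impact, existing controls) followed by a remediation plan that considers patch
availability, network reconfiguration and compensating controls, and orders
work by rating first and remediation effort second.

Asset names, vulnerability ids, weights, thresholds and effort figures are
constructed assumptions for the demonstration, not values from the article.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss_severity: str            # the scanner's generic rating
    exploit_public: bool          # threat data: is a working exploit known?
    internet_facing: bool         # exposure raises likelihood
    availability_impact: bool     # can exploitation take the service down?
    lateral_reach: int            # other assets reachable from this one
    patch_available: bool
    patch_effort_hours: float
    compensating_controls: tuple = ()   # e.g. ("ips_signature",)


# Constructed business context (assumed): criticality 1..3 and availability needs
ASSET_CRITICALITY = {"erp-db": 3, "hr-portal": 2, "dev-build-box": 1}
CONTINUOUS_AVAILABILITY = {"erp-db"}
BASE_SCORE = {"critical": 9, "high": 7, "medium": 5, "low": 2}
RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def risk_score(f: Finding) -> float:
    """Re-rate the generic CVSS-style severity with the organisation's own factors."""
    score = BASE_SCORE[f.cvss_severity]
    # First: does the vulnerability threaten an important system?
    score *= ASSET_CRITICALITY.get(f.asset, 1) / 2
    # Second: likelihood of exploitation
    if f.exploit_public:
        score += 2
    if f.internet_facing:
        score += 2
    # Third: impact, including loss of a service that must stay up and lateral spread
    if f.availability_impact and f.asset in CONTINUOUS_AVAILABILITY:
        score += 3
    score += min(f.lateral_reach, 3)
    # Existing controls reduce the effective risk (assumed weight per control)
    score -= 2 * len(f.compensating_controls)
    return round(max(score, 0.0), 1)


def rating(score: float) -> str:
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def remediation_action(f: Finding):
    """Pick a control in the order patch, network/access change, compensating
    control, then shield-and-track; returns (action, assumed effort in hours)."""
    if f.patch_available:
        return ("patch", f.patch_effort_hours)
    if f.internet_facing:
        return ("restrict-access", 2.0)
    if f.compensating_controls:
        return ("rely-on-" + "+".join(f.compensating_controls), 0.5)
    return ("shield-and-track", 8.0)


def remediation_plan(findings):
    """Rows of (asset, vuln_id, rating, score, action, effort), highest rating
    first and, within a rating, the cheapest fix first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        action, effort = remediation_action(f)
        rows.append((f.asset, f.vuln_id, rating(score), score, action, effort))
    rows.sort(key=lambda r: (RATING_ORDER[r[2]], r[5], -r[3]))
    return rows


# Constructed findings; the ERP one is the article's "medium that is really high"
F_ERP = Finding("erp-db", "VULN-X", "medium", False, False, True, 0, False, 0.0)
F_DEV = Finding("dev-build-box", "VULN-Y", "critical", True, False, True, 1, True, 1.0, ("ips_signature",))
F_HR_Z = Finding("hr-portal", "VULN-Z", "high", True, True, False, 2, True, 4.0)
F_HR_W = Finding("hr-portal", "VULN-W", "high", True, True, False, 1, True, 1.0)
FINDINGS = [F_ERP, F_DEV, F_HR_Z, F_HR_W]

if __name__ == "__main__":
    for asset, vuln, rate, score, action, effort in remediation_plan(FINDINGS):
        print(f"{rate:8} {score:5} {asset:14} {vuln}: {action} ({effort}h)")
```

With these assumed weights the scanner's "critical" on the build box drops to medium (low-value asset, IPS signature in place), the "medium" on the ERP database rises to high, and of the two critical portal findings the one-hour patch is scheduled before the four-hour one, which is the "most protection in the shortest time" ordering the section describes.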
Adopting the approach described above for a vulnerability management program can definitely reduce risk across one's infrastructure. Find or develop a vulnerability management solution which automates and integrates its processes to support the capabilities outlined above. The gaps tracked in the first cycle of vulnerability management must be filled properly and used as lessons learnt for further cycles. The right tool, at the right time, with the right resources and the right approach, will surely enhance the efficiency of your existing or new vulnerability management program.
Authored by Sameer Nanda