Vulnerability management is the process of identifying and mitigating vulnerabilities that exist within an organization and is an integral part of digital systems lifecycle management. Core components include the implementation of technical tools to identify vulnerabilities, triaging discovered vulnerabilities to identify risk, establishing a plan that mitigates vulnerabilities in a timeframe that is commeasure with risk, and continuously monitoring the enterprise to ensure timely identification and removal of vulnerabilities.
The Case for Vulnerability Management
Establishing routine and repeatable processes to manage vulnerabilities while ensuring alignment with the organization’s risk profile and strategic focus is critically important. A vulnerability management program must be both risk and mission-aligned. As vulnerabilities are found and a patches are developed, thousands of other vulnerabilities remain undiscovered, waiting to be exploited. As attackers use newly discovered vulnerabilities to exploit systems, a clear case emerges in support of vulnerability management. Take, for example, the 70 state and local governments throughout 2019 that have been targeted by and have fallen prey to ransomware attacks. Additionally, a2019 report on ransomware and vulnerabilities discovered the following:
1. Attackers use ransomware to target organizational high value assets.
2. Vulnerabilities with a low Common Vulnerability Scoring System (CVSS) score are used to exploit target systems.
3. Many ransomware variants use the same vulnerabilities to implement their exploits.
4. In some cases, older vulnerabilities are still being used to exploit target systems in the hopes that the organization has not patched their systems adequately
It is important to look at all digital systems across an organization’s environment including ones internal to the organization or outsourced to a third party. Any internal vulnerability should be assessed across all deployed platforms to determine their severity. Examples of these deployed platforms include servers and server software, workstations and desktop applications, networking equipment, Internet of Things (IoT) technologies, and webbased applications. Special care must be taken to implement tools and technologies that allow for the identification of vulnerabilities across all these platforms.
"Vulnerability management is the process of identifying and mitigating vulnerabilities that exist within an organization and is an integral part of digital systems lifecycle management"
Vulnerability identification responsibility is not limited to on-premise technologies. Cloud technologies must also be assessed for vulnerabilities that may be present within those implementations. Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service(SaaS) implementations must be reviewed to ensure that all configurations initiated by the customer are applied correctly and do not expose the organization to unexpected risk. Figure 1 identifies the security and vulnerability management complexities and responsibilities for each “…as a Service” model. Moving from left to right in each model requires the client organization to rely more heavily on the provider to manage the bulk of their security and vulnerability considerations.
Responding to and Closing Vulnerabilities
An organization will find vulnerabilities throughout its collection of digital assets. As a result, it may be unreasonable to expect that discovered vulnerabilities can be closed all at once. This is where the concept of triage comes into play. Vulnerability mitigation will typically follow two planning strategies as part of triage. The first strategy focuses on vulnerabilities that have known exploits currently in the wild and can be leveraged over a network connection - these must be immediately mitigated. The second strategy focuses on implementing mitigation activities queued for remediation. A more methodical and queued approach can be used for an asset where physical access is required to exploit a vulnerability and strong segmentation exists on the network to protect the asset.
Tools of the Trade
Continuous monitoring of the enterprise-ensuring that previously discovered vulnerabilities are appropriately mitigated and new vulnerabilities are removed in a timely manner based on risk -are critical activities to ensure a safe and resilient operating environment. Vulnerability and patch compliance tools must be implemented by the organization to address the diverse technologies deployed throughout the enterprise. These tools can provide automated analysis for server and workstation operating systems, server software applications (ex: database and email server software), desktop applications (ex: office productivity suites), network devices (ex: switches, routers and firewalls), and applications and databases (ex: dynamic and static code analysis).
Automated Metrics and Reporting Due to the complex nature of the modern enterprise, automation must be implemented wherever possible to discover, triage and report on the vulnerabilities across the organization. Vulnerabilities are an expected part of the life cycle for digital assets as organizations are growing their use of technology. As such, it should be expected that vulnerability data will grow in tandem with an organization’s technological footprint, and the volume of data will become greater than a manual process can handle. Organizations should implement tools that allow for automated discovery in accordance with enterprise-defined security policies and risk posture. These systems should allow for automated reporting and metrics development. Best Practices
• Implement automation wherever possible to support vulnerability identification, mitigation and reporting regardless of the location or type of technology deployed by the organization.
• Ensure that effective lines of communication are established between Cybersecurity and IT Operations teams. Focus on customer service by establishing effective and repeatable processes related to patch and vulnerability management.
• When a potential vulnerability has been identified through automated tools, the vulnerability must be analyzed to determine its validity (false-positive or false-negative).
• Triage identified vulnerabilities, ensuring that high-risk vulnerabilities are quickly identified, prioritized, assigned a mitigation recommendation and mitigated in a timely fashion according to established organizational or industry standard vulnerability mitigation timelines.
• Tie identified vulnerabilities back to the organizational risk assessment and discuss how vulnerabilities can influence mission performance and objectives.
• Identify, capture and manage any deviations to vulnerability mitigation timelines using repeatable processes at the enterprise level.