Vulnerability Management software has evolved from scratching a list of things onto the wall of a dimly lit cave using a stick, all the way to advanced platforms that use AI, ML, and every other latest buzzword under the sun. These software platforms, and now even Managed Vulnerability Management services, promise to provide insight into and prioritization of your risks, integrate into ITSM tools, and also perform automated remediation. Breaches are on the rise, data proliferation is rampant, perimeter boundaries have disappeared, and “the cloud” will always rain on your parade. So now that we are out of the cave (i.e., tracking remediation with Excel), do you have a complete and planned-out strategy that provides continuous vulnerability management? Will it prevent you from being attacked by sophisticated cyber threats as well as the not-so-sophisticated ones?
Developing a Continuous Vulnerability Management Program
Plan your work and work your plan! Whether you are building a new program or have inherited an environment, the tool or service that you select will play a significant role. The foundation of your program needs to align closely with the first five controls of the infamous CIS Top 20.
As a reminder, those are:
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
Implement solutions that allow you to get a holistic scan of your environment, which should also include cloud containers and resources. I have not met a person on this planet that does not comprehend that concept, but I know very few who can do it well. The top Vulnerability Management (VM) vendors have set the standard for automatically detecting and scanning new cloud resources and on-prem virtual machines, as well as watching DHCP for hidden assets. Use blackout windows and throttling capabilities where low-bandwidth links are a factor. I also recommend taking advantage of the lightweight agents that can be deployed on remote worker systems such as laptops that infrequently connect to your network.
Use automation and APIs to add CMDB data and identity to your assets through tags. Knowing the department or job title associated with an asset can provide valuable insight. For example, an asset named ABC1234 means nothing on its own, but knowing that it is issued to the CEO gives significance and urgency to your efforts. Choose the scan frequency that works for your organization, but do ensure that you are performing authenticated scans; otherwise, your assessment will be incomplete.
This goes without saying, but don’t focus solely on software vulnerabilities, patching, and vulnerabilities in code. Attackers are not going to drop through the ceiling and deliver a 0-day exploit; instead, they will take advantage of misconfigurations and exploit the shortcuts taken by system administrators. Does your solution scan for misconfigurations and provide a risk score? Taking time to perform more frequent Vulnerability Assessments, whether on your own or through a paid engagement, will help you build a more effective threat map and test the effectiveness of your controls. Most solutions will allow you to add weight multipliers to their risk score by looking at these often-missed dangerous configurations, some of which include:
• A server running services or scheduled tasks configured to run under a Domain Admin account or some other privileged account.
• Unsanctioned or unattended remote access software installed (e.g. TeamViewer, GoToMyPC, LogMeIn).
• A built-in local admin account password, which is the same on every asset and has not been changed in a long period.
• A system not running EDR or some next-gen AV.
• Systems that have owners with an ongoing policy exception for local admin rights should be highly scrutinized and scanned more frequently.
• Unsigned PowerShell scripts allowed to run.
How Do I Prioritize and Effect Change?
There are numerous useful publications on prioritization on this site, so I will keep it high level. You are not going to be able to complete an enterprise-wide scan overnight, nor patch everything overnight. Look for a solution that generates automated reports and delivers them to stakeholders on a recurring basis, emphasizing risk and providing clear, actionable information. Executive-level reporting is beneficial for seeing trends, a breakdown by criticality, and age. Additional “Top 10” or “Top 20” reports broken down by vulnerability are helpful to give to remediation teams, because they allow a large chunk of risk to be reduced across a large population of assets at once.
Give significant consideration to determining a risk score that works for you. CVSS 1-10 provides a simple-to-understand system, but enterprises with a backlog may find it challenging to prioritize due to the number of vulnerabilities that land at the high and critical levels. Solutions that provide a broader risk score will allow you to sort by the absolute largest risk score and work your way down.
Do maintain a healthy relationship with your remediation teams, and do your homework. Spend time weeding out false positives, figure out which systems and vulnerabilities are the most critical, and then ideally deliver the work to them through an ITSM tool in groups that are realistic to complete in the time allotted. Do not overwhelm them, and provide a reasonable timeframe to complete; if something is truly urgent, give a clear explanation of the threat vector as opposed to “because I said so”. Think of how you can gamify the process with props or visuals, set monthly or quarterly risk reduction targets, and reward your teams when they hit them.
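To make the two ideas above concrete (weight multipliers on a risk score for the dangerous configurations listed earlier, then sorting by the broader score and producing a “Top N” by vulnerability for remediation teams), here is an added example that is not from the original article or any VM vendor. The multiplier values, the role buckets, the asset names and the CVE ids are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Weight multipliers for the often-missed configurations listed above (constructed illustrative values, not any vendor's model).
CONFIG_WEIGHTS = {
    "privileged_service_account": 1.5,   # service/task runs as Domain Admin
    "unsanctioned_remote_access": 1.4,   # TeamViewer, GoToMyPC, LogMeIn, ...
    "shared_local_admin_password": 1.3,  # same built-in admin password everywhere
    "no_edr": 1.5,                       # no EDR / next-gen AV present
    "local_admin_exception": 1.2,        # owner holds a local admin exception
    "unsigned_powershell": 1.2,          # unsigned PowerShell scripts allowed
}
# Identity context from the CMDB tag: an asset issued to the CEO matters more.
ROLE_WEIGHTS = {"executive": 2.0, "admin": 1.5, "staff": 1.0}

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float                   # CVSS base score, 1-10
    role: str = "staff"           # job-title bucket from the CMDB tag
    configs: set = field(default_factory=set)  # misconfigs found on the asset

def risk_score(f: Finding) -> float:
    """CVSS multiplied by asset-context weights, rounded to one decimal."""
    score = f.cvss * ROLE_WEIGHTS.get(f.role, 1.0)
    for c in f.configs:
        score *= CONFIG_WEIGHTS.get(c, 1.0)
    return round(score, 1)

def prioritize(findings):
    """Sort by the broader risk score, largest first (ties by asset name)."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))

def top_vulns(findings, n=10):
    """'Top N' by CVE: summed risk over every asset carrying it, so one fix retires a large chunk of risk."""
    totals = {}
    for f in findings:
        totals[f.cve] = totals.get(f.cve, 0.0) + risk_score(f)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cve, round(total, 1)) for cve, total in ranked[:n]]

# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("ABC1234", "CVE-XXXX-0001", 7.5, "executive", {"no_edr"}),
    Finding("SRV-01", "CVE-XXXX-0002", 9.8, configs={"privileged_service_account", "unsigned_powershell"}),
    Finding("WS-77", "CVE-XXXX-0002", 9.8),
    Finding("WS-78", "CVE-XXXX-0001", 7.5, configs={"unsanctioned_remote_access"}),
]

if __name__ == "__main__": print([(f.asset, risk_score(f)) for f in prioritize(SAMPLE)], top_vulns(SAMPLE, 3))
```

Note how the CEO's laptop with a CVSS 7.5 finding outranks the server's CVSS 9.8, and how the lower-CVSS vulnerability still tops the “by vulnerability” list once risk is summed across assets.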
In summary, you will get out of it what you put into it. Ensure you incorporate as many Vulnerability Assessment risks as you can into your VM program. It cannot be a “set it and forget it” or check-the-box type of program; it takes constant review, adaptation, and honestly a bit of stubbornness to be successful.