Q&A: Vulnerability management

Eric Perraudeau is the product manager for QualysGuard vulnerability management (VM) solutions. Prior to Qualys, Eric was a security engineer at Accor and Morse in France. In this interview, Eric discusses the many facets of vulnerability management.

What are the most important steps in the vulnerability management process? What technologies are essential?
When you start the process of managing security vulnerabilities within your organization, there are a few essential steps to make it successful, including:

1. Discover your IT assets and determine the network boundaries.
2. Organize and categorize these assets according to your organization and by business risk, for example:

  • Geography / Function / Technology groups
  • Classified by business risk analysis
  • Remote or centralized administration with multiple user accounts
  • Business Units.

3. Assess the security of these assets on a regular basis in order to discover any new vulnerabilities or misconfigurations.

4. Generate reports and prioritize remediation plans communicated to the correct stakeholders, for example:

  • Executive report with global/transversal metrics
  • Differential reports to measure the improvements and progress of patching.

5. Fix the vulnerabilities and…

  • Implement a patch management process/technology
  • Change management process is needed for production systems
  • Test patches before deploying in production
  • Deploy secured configuration policies
  • Update security policies regularly.

6. Verify and monitor the security improvements.

While all the steps mentioned are extremely important, to get an optimal outcome you will really want to focus attention on the prioritization and reporting aspects. Specifically:

Prioritization: vulnerability scans can generate a lot of data and you can be lost in these details. In order to know where to start the process or how you can improve it, prioritize the results based on:

  • Importance of the assets
  • Severity of the vulnerabilities
  • A risk analysis of your assets/network is a good starting point: “What assets are important for my company in order for the business to continue to run without interruption?”. Then create an inventory of these applications and assets that are the most important to your business operations.

Reporting: reports should be relevant to your organization and consistent over time. It allows you to measure the progress over time and make sure the same security and patching methodology is used everywhere. The prioritization will also help you to generate accurate technical reports that you can rely on.

In regards to essential technologies, look for:

Scanning technology/architecture that is:

  • Scalable and easy to deploy: As your network will change over time (company growth, acquisitions, re-organization etc.) you need to have a scanning technology that can easily evolve and adapt to support these changes.
  • Accurate: no false positives in order to focus on real vulnerabilities that need to be fixed
  • Universal: should support all the OS’s and products deployed in your company, in order to have one solution that can give you the coverage you need.

Patch deployment tool/process: a solution that is able to deploy patches, configuration, scripts, software, and security policies. This solution should also provide a way to test and approve the packages before a global rollout, and manage exceptions.
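The prioritization and differential-reporting steps above can be made concrete in a few lines. The following is an added example, not code from the interview or from Qualys: it takes constructed scan results and a constructed asset-criticality inventory (the output of the risk analysis step), scores every finding by scanner severity times business criticality, and diffs two scan snapshots to produce the "new / fixed / persisting" view that a differential report needs. The asset names, `VULN-PLACEHOLDER-*` identifiers and the 1..5 scales are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample inventory (not from the interview): business criticality
# of each asset as decided in the risk analysis step (1 = low, 5 = critical).
ASSET_CRITICALITY: Dict[str, int] = {
    "erp-db-01": 5,      # runs the order pipeline; an outage stops the business
    "web-portal-02": 4,  # customer-facing
    "dev-build-07": 2,   # internal build server
    "kiosk-11": 1,       # lobby display
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str   # scanner's vulnerability identifier; placeholder values here
    severity: int  # scanner severity, 1 (informational) .. 5 (critical)


# Two constructed scan snapshots of the same network, one patch cycle apart.
PREVIOUS_SCAN: List[Finding] = [
    Finding("erp-db-01", "VULN-PLACEHOLDER-1", 5),
    Finding("erp-db-01", "VULN-PLACEHOLDER-2", 2),
    Finding("web-portal-02", "VULN-PLACEHOLDER-3", 4),
    Finding("dev-build-07", "VULN-PLACEHOLDER-4", 5),
    Finding("kiosk-11", "VULN-PLACEHOLDER-5", 3),
]
CURRENT_SCAN: List[Finding] = [
    Finding("erp-db-01", "VULN-PLACEHOLDER-2", 2),      # still open
    Finding("web-portal-02", "VULN-PLACEHOLDER-3", 4),  # still open
    Finding("web-portal-02", "VULN-PLACEHOLDER-6", 5),  # new since last scan
    Finding("dev-build-07", "VULN-PLACEHOLDER-4", 5),   # still open
    Finding("kiosk-11", "VULN-PLACEHOLDER-7", 1),       # new since last scan
]


def risk_score(f: Finding, criticality: Dict[str, int]) -> int:
    # An asset missing from the inventory is a gap in the discovery step, so it
    # is treated as critical until someone classifies it, not silently ignored.
    return f.severity * criticality.get(f.asset, 5)


def prioritize(findings: List[Finding],
               criticality: Dict[str, int]) -> List[Tuple[Finding, int]]:
    """Return (finding, score) pairs, highest remediation priority first."""
    scored = [(f, risk_score(f, criticality)) for f in findings]
    # Ties on score are broken by raw severity, so a critical on a low-value
    # host still outranks a low-severity finding on a high-value host.
    return sorted(scored, key=lambda p: (-p[1], -p[0].severity, p[0].asset))


def diff_scans(previous: List[Finding],
               current: List[Finding]) -> Dict[str, Set[Finding]]:
    """The three buckets a differential report is built from."""
    prev, curr = set(previous), set(current)
    return {"new": curr - prev, "fixed": prev - curr, "persisting": prev & curr}


def remediation_rate(previous: List[Finding], current: List[Finding]) -> float:
    """Fraction of previously known findings closed since the last scan."""
    d = diff_scans(previous, current)
    known = len(d["fixed"]) + len(d["persisting"])
    return len(d["fixed"]) / known if known else 1.0


if __name__ == "__main__":
    for finding, score in prioritize(CURRENT_SCAN, ASSET_CRITICALITY):
        print(f"{score:3d}  {finding.asset:15s} {finding.vuln_id}")
    d = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print({k: len(v) for k, v in d.items()},
          f"remediation rate {remediation_rate(PREVIOUS_SCAN, CURRENT_SCAN):.0%}")
```

The score is deliberately simple (severity times criticality) so that the ordering is explainable to the business owners the interview says must be included; the differential buckets give the executive report its progress metric (here, 2 of 5 previously known findings closed) and let the technical report list only what is new.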

What are the most common mistakes that organizations make when it comes to vulnerability management? How can those mistakes be mitigated?
The two most common mistakes that we have seen in customers are:

1. Organization-wide commitment. The vulnerability management project should be a global project with commitment from all the stakeholders and all IT teams. The security team needs to work with operational teams, internal auditors and management teams for a successful outcome.

2. Lack of prioritization. As mentioned earlier, the prioritization of IT assets is an essential step of the vulnerability management process. Prioritization has to be done during the initial phase of the project and should be reviewed on a regular basis in order to make sure it is in line with the risks associated with the business, which can change over time.

SMBs don’t have the budget of large enterprises when dealing with security threats. Is there a solution that enables them to effectively manage their vulnerabilities on a “modest” budget?
There are multiple technology options that can help SMBs manage their security and compliance initiatives effectively and at lower costs. The Software-as-a-Service (SaaS) delivery model which Qualys pioneered is certainly one of these viable options. SaaS requires no investment in infrastructure for deployment and is free of ongoing maintenance costs. Hence it guarantees a lower TCO for companies of all sizes. With a SaaS delivery model, SMBs can pay as they go and based on usage. They can add/scale their services based on growth of their business. It is a simple subscription model and is very cost-effective for both large and small companies.

Moreover, all IT projects have 3 components: Technology, Process, and People. In an SMB, most of the budget will be used in order to build an IT system that helps to run the business. Security projects are very hard to drive because they require specialists. Using a SaaS solution like QualysGuard, an SMB organization doesn’t have to spend money on deploying, administering or maintaining the technology. Instead, they can focus on actually using the application, making it work for their unique environment, and enhancing their overall security while minimizing costs and manpower.

Let’s take a look at the vulnerability landscape – is the situation better than half a decade ago? What can we expect in the near future?
In comparison to 5-10 years ago, today the situation is completely different because:

  • Everyone understands that vulnerabilities will exist forever and are increasing in count and threat level every year.
  • Conditions are a bit more predictable than in the past. For example, Microsoft Patch Tuesday, Adobe, Apple, Oracle, etc. and all vendors have a more predictable process to announce new vulnerabilities.
  • Companies have more mature processes to manage vulnerabilities and a better understanding of consequences if they don’t take appropriate action to secure their systems.

To get a better perspective on how the vulnerability landscape has changed, Qualys performed a detailed study over the past 5 years and produced the results in the Laws of Vulnerabilities research report. This was an analysis of millions of scans from companies across a wide variety of industries. The research revealed some interesting points in regards to half-life, prevalence, persistence, and exploitation:

  • Half-life: Time interval for reducing occurrence of a vulnerability by half. Average duration of half-life continues to be about 30 days, varying by industry sector.
  • Prevalence: Measures the turnover rate of vulnerabilities in the “Top 20” list during a year. Prevalence has increased, with 60% remaining in the list in 2008 compared to 50% in 2004.
  • Persistence: Total life span of vulnerabilities. Persistence remains virtually unlimited.
  • Exploitation: Time interval between an exploit announcement and the first attack. Exploitation is faster, often happening in less than 10 days compared to 60 days in 2004.

What can we expect in the future? Look for:
1. Better integration of the various tools:

  • Prevent-Audit-Fix-Control-Report
  • Open architectures and open API

2. Better management solutions that scale more effectively.

3. Top-to-Bottom Risk approach: We need to find a way to talk to business owners and include them in the security process from the beginning.

4. Integration with GRC solutions to reduce audit cycles, cut costs and leverage security operations and technologies for better compliance.
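The half-life metric from the Laws of Vulnerabilities discussion above is easy to compute from your own scan history, and doing so makes the "exploitation is faster than remediation" point measurable. The following is an added example, not code from the interview or the Qualys report: it takes constructed per-scan counts of hosts still affected by one vulnerability, fits an exponential decay to estimate the half-life in days, and then projects how many hosts are still exposed at a given day (for instance, the roughly 10-day exploitation interval quoted above). The observation series and the 30-day decay it follows are constructed for illustration.

```python
import math
from typing import List, Tuple

# Constructed observations (not from the Qualys study): days since the
# vulnerability was first seen by the scanner, and hosts still affected that
# day. The series was generated to decay with a 30-day half-life.
OBSERVATIONS: List[Tuple[int, int]] = [
    (0, 800), (15, 566), (30, 400), (45, 283), (60, 200), (90, 100),
]


def estimate_half_life(obs: List[Tuple[int, int]]) -> float:
    """Half-life in days from a least-squares fit of log2(count) = a - t/h.

    Scans with zero affected hosts carry no log information and are dropped.
    """
    pts = [(t, math.log2(n)) for t, n in obs if n > 0]
    if len(pts) < 2:
        raise ValueError("need at least two non-zero observations")
    k = len(pts)
    mean_t = sum(t for t, _ in pts) / k
    mean_y = sum(y for _, y in pts) / k
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    slope = sxy / sxx            # fitted slope is -1/h
    if slope >= 0:
        raise ValueError("affected-host count is not decreasing")
    return -1.0 / slope


def expected_affected(count0: float, half_life: float, days: float) -> float:
    """Hosts expected to remain affected `days` after first detection."""
    return count0 * 2.0 ** (-days / half_life)


def days_until(count0: float, half_life: float, target: float) -> float:
    """Days until the affected-host count decays from count0 to target."""
    return half_life * math.log2(count0 / target)


if __name__ == "__main__":
    h = estimate_half_life(OBSERVATIONS)
    first_count = OBSERVATIONS[0][1]
    print(f"estimated half-life: {h:.1f} days")
    # Compare the remediation curve with the exploitation interval from the
    # interview (attacks often within 10 days of an exploit announcement).
    print(f"hosts still exposed at day 10: {expected_affected(first_count, h, 10):.0f}")
    print(f"days to get below 100 hosts: {days_until(first_count, h, 100):.0f}")
```

Run per vulnerability (or per severity band) across your scan history, the fitted half-life is the number to track in the differential report: if it is longer than the exploitation interval, most of the fleet is still exposed when attacks begin, which is exactly the gap the interview describes.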