How to build an effective vulnerability management program

The concept of vulnerability management has undergone a number of changes in the last few years. It is no longer simply a synonym for vulnerability assessment, but has grown to include vulnerability prioritization, remediation and reporting.


It has also grown in scope: vulnerabilities are no longer confined to IT networks and databases, but also affect applications, cloud infrastructure, container environments, mobile infrastructure, IoT devices and OT networks.

It is now expected that a comprehensive enterprise vulnerability management program must cover all those bases.

Responding to demand

“The increasing adoption of hybrid environments poses some interesting challenges for vulnerability management,” Syed Abdur Rahman, Director of Products with unified risk management provider Brinqa, told Help Net Security.

“For instance, a crucial aspect of vulnerability management is maintaining an accurate and context-rich asset inventory. With hybrid environments that scale dynamically based on resource demand, assets are added or removed automatically. How do we keep an accurate inventory in this scenario?”

Fortunately, the cybersecurity community has responded to this demand with tools and solutions dedicated to assessing and monitoring these environments. But it is up to the organizations themselves to integrate them effectively into their existing security policies and mandates.

Tools at your disposal

A well-designed, effective vulnerability management program is, of course, essential for all businesses, but Abdur Rahman believes it is of crucial importance to large organizations.

“A typical medium to large sized organization, at any given time, is analyzing and responding to hundreds of thousands (if not millions) of unique vulnerabilities across their network, application and cloud infrastructure. These vulnerabilities represent a primary attack surface that can be exploited by malicious actors,” he explained.

“The problem is further complicated by the fact that to monitor and scan the entire technology infrastructure, many different types of scanning and assessment tools have to be used. These tools are often sourced from different vendors and follow different nomenclature and methodologies.”

The tools include:

  • Vulnerability scanning tools (for assessing the network infrastructure)
  • Static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) (for identifying vulnerabilities in first-party source code, running web applications and third-party dependencies, respectively)
  • Dedicated, specialized monitoring and assessment tools for business applications (e.g., SAP, Oracle), cloud and container infrastructure, mobile, IoT and OT environments.

Their capabilities can be supplemented with penetration testing or bug bounty programs, but the effectiveness of a vulnerability management program depends on how well organizations orchestrate them toward the common goal of reducing the risks posed to the organization.

In the future, Abdur Rahman expects to see more orchestration capabilities driving towards more automated remediation.

Must haves and pitfalls to avoid

The essential features of a robust vulnerability management product are data connectors, an open risk prioritization model, automated remediation management and an analytics interface for informing and engaging all relevant stakeholders.

“For effective vulnerability prioritization, we must correlate and analyze data from a variety of sources. Risk prioritization should reflect each organization’s unique technology ecosystem and cybersecurity mandates, and automated ticket creation and validation is important for remediation efficiency and consistency,” he noted.

The most commonly overlooked pitfalls to avoid are a black-box approach to risk prioritization, a fixed scope, and a lack of automation.

Organizations must have visibility into and control over their risk prioritization methodology, so that they can be certain their most valuable assets are being protected. Likewise, an organization's digital transformation must be accompanied by a widening of its vulnerability management program, so that the program covers and secures the expanded scope.

“Often, organizations think that lack of process automation can be remediated by throwing additional resources at the problem,” he also pointed out.

“However, automation does more than reduce resource requirements. Automation is necessary for accurate, consistent efforts and must be extensively used during vulnerability data collection, risk analysis, prioritization, remediation management and reporting.”

Advice for CISOs

CISOs must realize that the goal of vulnerability management is not to reduce the number of vulnerabilities or fix all “critical” vulnerabilities, but to reduce the risks posed to their organization by these vulnerabilities.

“Demand that progress be measured and communicated in terms of risk reduction,” he advised.
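The two ideas above (an open, tunable prioritization model fed by correlated data from several tools, and progress reported as risk reduction rather than as a count of closed findings) are easier to see in code. The following is an added example written for this page, not code from the article, from Brinqa or from any scanner vendor. The two scanner exports, the asset context, the "exploit available" set, the CVE-style placeholder identifiers and the model weights are all constructed for illustration; the weights are deliberately plain data so that they can be inspected and changed, which is the opposite of a black-box score.

```python
"""Added example (not from the article or Brinqa): normalize findings from two
scanners with different nomenclature, score them with an explicit, tunable
prioritization model, and report progress as risk reduction. All inputs and
weights are constructed/illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float


# Constructed scanner exports. Vendor A reports host/cve/cvss; vendor B reports
# asset_id/vuln_id and a severity word only. CVE IDs are placeholders.
VENDOR_A = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"host": "dev-07", "cve": "CVE-0000-0001", "cvss": 9.8},
]
VENDOR_B = [
    {"asset_id": "web-01", "vuln_id": "CVE-0000-0001", "severity": "CRITICAL"},  # same as A's
    {"asset_id": "dev-07", "vuln_id": "CVE-0000-0003", "severity": "CRITICAL"},
    {"asset_id": "db-01", "vuln_id": "CVE-0000-0004", "severity": "HIGH"},
]

# Constructed asset context, the kind a context-rich inventory supplies.
ASSET_CONTEXT = {
    "web-01": {"criticality": 3, "exposed": True},   # internet-facing crown jewel
    "db-01": {"criticality": 3, "exposed": False},
    "dev-07": {"criticality": 1, "exposed": False},
}
EXPLOITED = {"CVE-0000-0001"}  # constructed threat-intel feed: public exploit exists
SEVERITY_TO_CVSS = {"CRITICAL": 9.5, "HIGH": 8.0, "MEDIUM": 5.0, "LOW": 2.0}
# The model's weights are plain data the security team can inspect and change.
WEIGHTS = {"exposed": 2.0, "exploit_public": 1.5}


def normalize_vendor_a(rows):
    return [Finding(r["host"], r["cve"], float(r["cvss"])) for r in rows]


def normalize_vendor_b(rows):
    return [Finding(r["asset_id"], r["vuln_id"], SEVERITY_TO_CVSS[r["severity"].upper()])
            for r in rows]


def merge(*sources):
    """One finding per (asset, vuln); when two tools agree, keep the higher CVSS."""
    best = {}
    for f in (f for src in sources for f in src):
        key = (f.asset, f.vuln_id)
        if key not in best or f.cvss > best[key].cvss:
            best[key] = f
    return list(best.values())


def risk_score(f, context=ASSET_CONTEXT, exploited=EXPLOITED, weights=WEIGHTS):
    # Unknown assets get a conservative default: assume exposed, medium criticality.
    ctx = context.get(f.asset, {"criticality": 2, "exposed": True})
    score = f.cvss * ctx["criticality"]
    if ctx["exposed"]:
        score *= weights["exposed"]
    if f.vuln_id in exploited:
        score *= weights["exploit_public"]
    return round(score, 1)


def prioritize(findings):
    return sorted(findings, key=risk_score, reverse=True)


def total_risk(findings):
    return round(sum(risk_score(f) for f in findings), 1)


def risk_reduction(before, after):
    """Progress as the fraction of risk removed, not the count of findings closed."""
    b = total_risk(before)
    return round((b - total_risk(after)) / b, 3) if b else 0.0


def tickets(findings, threshold):
    """Group findings at or above a risk threshold into one ticket payload per asset."""
    out = {}
    for f in findings:
        if risk_score(f) >= threshold:
            out.setdefault(f.asset, []).append(f.vuln_id)
    return out


if __name__ == "__main__":
    findings = merge(normalize_vendor_a(VENDOR_A), normalize_vendor_b(VENDOR_B))
    for f in prioritize(findings):
        print(f"{risk_score(f):6.1f}  {f.asset:8} {f.vuln_id} (CVSS {f.cvss})")
    fixed_top = [f for f in findings if (f.asset, f.vuln_id) != ("web-01", "CVE-0000-0001")]
    print("closed 1 of", len(findings), "findings; risk reduced by",
          f"{risk_reduction(findings, fixed_top):.1%}")
```

With these constructed inputs, three findings carry a "critical" CVSS of 9.5 or higher, yet the model ranks one of them last, below a CVSS 8.0 finding on the non-exposed database host, because asset criticality and exposure carry more weight than severity alone. Closing the single top-ranked finding is one of five closures by count, but removes roughly 56% of the modeled risk, which is the figure a CISO following the advice above would ask to see.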

CISOs should also be aware that an accurate, context-rich asset inventory can have a tremendous, positive impact on the effectiveness of their vulnerability management program.

“The building blocks for this ideal inventory exist in your IT and security infrastructure today. All that is required is to bring them all together,” he added.

Lastly, they should aim to make business a true stakeholder in cybersecurity. “An application business owner is the individual most incentivized to ensure its security. Empower business users to be involved in the identification, escalation and remediation of risk.”
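Bringing those building blocks together, and keeping the result accurate when cloud assets appear and disappear on their own (the problem raised in the "Responding to demand" section above), is mostly a reconciliation exercise. The following is an added example written for this page, not code from the article or from Brinqa. It joins three constructed sources that most organizations already have (a cloud provider's instance listing, CMDB records and the hosts a vulnerability scanner has actually seen) on a canonical hostname, lets the CMDB stay authoritative for ownership and criticality, falls back to cloud tags for autoscaled hosts nobody has registered yet, and reports the three gaps that matter: assets nobody owns, CMDB entries that no live source still sees, and live assets the scanner has never reached. The field names and sample records are assumptions made for the example.

```python
"""Added example (not from the article or Brinqa): reconcile a context-rich asset
inventory from three constructed sources and surface coverage gaps."""


def canonical(name):
    """Normalize hostnames so 'WEB-01.corp.example.com' and 'web-01' match."""
    return name.strip().lower().split(".")[0]


# Constructed cloud instance listing. web-02 and api-03 were autoscaled into
# existence and nobody has registered them in the CMDB yet.
CLOUD = [
    {"name": "web-01.corp.example.com", "tags": {"owner": "ecommerce", "env": "prod"}, "public_ip": "203.0.113.10"},
    {"name": "WEB-02", "tags": {"owner": "ecommerce", "env": "prod"}, "public_ip": "203.0.113.11"},
    {"name": "api-03", "tags": {"owner": "payments", "env": "prod"}, "public_ip": None},
]
# Constructed CMDB export. old-batch-03 was decommissioned but never removed.
CMDB = [
    {"hostname": "web-01", "owner": "ecommerce", "criticality": "high"},
    {"hostname": "db-01", "owner": "ecommerce", "criticality": "high"},
    {"hostname": "old-batch-03", "owner": "finance", "criticality": "low"},
]
# Constructed list of hosts the vulnerability scanner has actually assessed.
SCANNER = [
    {"host": "web-01", "last_seen": "2024-01-10"},
    {"host": "db-01", "last_seen": "2024-01-10"},
    {"host": "web-02.corp.example.com", "last_seen": "2024-01-10"},
]


def build_inventory(cloud, cmdb, scanner):
    """Return {canonical_host: record} merged from all three sources."""
    inv = {}

    def rec(name):
        return inv.setdefault(canonical(name), {
            "sources": set(), "owner": None, "criticality": None,
            "exposed": False, "last_seen": None,
        })

    for c in cloud:
        r = rec(c["name"])
        r["sources"].add("cloud")
        r["owner"] = r["owner"] or c["tags"].get("owner")  # tag is a fallback owner
        r["exposed"] = bool(c.get("public_ip"))
    for c in cmdb:
        r = rec(c["hostname"])
        r["sources"].add("cmdb")
        r["owner"] = c["owner"]            # CMDB is authoritative for ownership
        r["criticality"] = c["criticality"]
    for s in scanner:
        r = rec(s["host"])
        r["sources"].add("scanner")
        r["last_seen"] = s["last_seen"]
    return inv


def gaps(inv):
    """Coverage gaps a vulnerability management team should act on."""
    return {
        # live (cloud/scanner) but not registered: nobody formally owns it
        "unmanaged": sorted(h for h, r in inv.items() if "cmdb" not in r["sources"]),
        # only the CMDB still believes it exists: likely decommissioned
        "stale": sorted(h for h, r in inv.items() if r["sources"] == {"cmdb"}),
        # exists according to a live source but the scanner has never seen it
        "unscanned": sorted(h for h, r in inv.items()
                            if "scanner" not in r["sources"] and r["sources"] != {"cmdb"}),
    }


if __name__ == "__main__":
    inventory = build_inventory(CLOUD, CMDB, SCANNER)
    for host, r in sorted(inventory.items()):
        print(f"{host:13} owner={r['owner']!s:10} crit={r['criticality']!s:5} "
              f"exposed={r['exposed']!s:5} sources={sorted(r['sources'])}")
    print(gaps(inventory))
```

Re-running the reconciliation on every inventory refresh is what keeps the picture accurate in an autoscaling environment: a host that scales in shows up as unmanaged (and, until the scanner reaches it, unscanned) with an owner recovered from its tags, and a host that scales out drops from the live sources and surfaces as stale rather than lingering as a phantom asset that inflates the vulnerability count.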
