Vulnerability scanners are not enough, according to an expert who champions an all-encompassing holistic approach to vulnerability management as a means to eliminate surprises.
Cybercriminals have several options when it comes to plying their trade. Currently, ransomware and phishing appear to be the most popular methods. As a result, those responsible for a company’s cybersecurity are focusing on solidifying defenses against ransomware and phishing—and overlooking the fact that most cyberattacks rely on finding and exploiting a weakness within the intended victim’s digital infrastructure.
If that’s not bad enough, there is confusion surrounding managing vulnerabilities (found and zero-day), with most organizations depending on vulnerability scanners and some kind of policy as to when to update or patch the software/hardware. That’s not sufficient, according to Joe Schorr, VP of strategic alliances at LogicGate. “Multiple interpretations and definitions of Vulnerability Management (VM) exist,” Schorr wrote during an email exchange with TechRepublic.
The Check Point Cyber Security Report 2021 appears to agree, mentioning that three out of four attacks exploit flaws reported in 2017 or earlier. “Quarterly/biannual vulnerability scans and other stop-gap measures aren’t enough to provide the level of defense needed,” Schorr advised.
SEE: Security incident response policy (TechRepublic Premium)
A more comprehensive approach
Schorr suggests implementing VM programs offering an all-encompassing or holistic point of view—doing so increases insight and context. “Because thousands of vulnerabilities can potentially hide in a large enterprise network, it’s critical to have a solid understanding of the organization’s applicable best practices, compliance standards, and legal mandates,” Schorr said. “It’s the only way to prioritize fixes reliably.”
To start, Schorr suggests responsible parties in the company need to consider the following:
- Security: VM programs facilitate an organization’s ability to monitor and remediate threats to hardware, software and other tech infrastructure.
- Regulatory compliance: This consideration is especially critical for the financial, government and healthcare sectors. All businesses should have VM. Without it, companies could face fines for noncompliance.
Components for holistic VM programs
Companies implementing a holistic (all-encompassing) VM program, according to Schorr, are better able to protect their data and digital assets. To start, Schorr recommends using the following components to create a holistic VM program:
Asset awareness: It may seem obvious, but having a complete understanding of the company’s network and digital assets is often not taken seriously. “Unknown/unidentified assets result in unpatched vulnerabilities,” Schorr wrote. “Don’t neglect to check external network assets, too, like cloud-based apps, external servers, and vendor networks.”
Important benefits from increasing the scope of asset classification and inventory control include:
- Companies can run risk and compliance management more efficiently and effectively.
- Organizations can create protocols that mitigate vulnerabilities uncovered by scans.
- Asset awareness increases insight when using the VM program’s threat intelligence program.
Vulnerability governance: New vulnerabilities are found every day. To stay current, companies should use a governance framework to identify new assessments, risk-management processes or testing requiring modification to the existing VM program.
Using a governance framework ensures alignment with a company’s priorities, maintains high-level visibility and provides the following indicators:
- Key performance indicators
- Key risk indicators
- Service level agreements
Testing and assessment: While most companies already use testing and assessment, many are not thorough enough. “Those who own an organization’s risk management should adjust tests to include defined criteria to achieve specific Service-Level Agreements (SLAs),” Schorr advised. “And those testing forms should be linked to vulnerability governance and the risk-management functions.”
Risk management: It’s a broad umbrella under which threat intelligence and incident management fall. Those responsible for risk management can combine holistic risk management plus testing and assessment results to generate a risk profile of potential cyberattacks.
Change management: Helping those responsible for governance, risk management, and compliance (GRC) manage patches, inform and guide configuration management and manage organizational changes fosters communication throughout the company. “Even in siloed environments, change management ensures stakeholders receive timely updates and potential impacts of changes on each operation’s processes,” Schorr said.
Patch management: Sometimes repairing identified vulnerabilities competes with other IT initiatives when deciding priority. When creating a policy to determine what priority to give initiatives, those responsible need to consider:
- How to deliver patches to network assets
- When to apply the patches
- Whether any or all of the network must be disabled to allow teams to address and apply fixes to major vulnerabilities
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Best practices for implementing a holistic VM program
Schorr offered the following list of best practices for implementing an effective holistic VM program:
Define the VM program’s goals, objectives and scope, and gain buy-in from the company’s leadership.
Identify all organizational assets vulnerable to cyberattack—accounting, customer data, mission-critical data and all compliance requirements.
Select the appropriate scalable tech to support the organization as it evolves.
Create a clear, consistent communication channel between technical personnel and upper management for providing updates and recommendations about risks and assets.
Train every employee on the VM program—once employees understand and buy into the VM program, they’re more likely to use it.
Create procedures to determine the frequency of scans and create/distribute reports efficiently to the appropriate personnel.
Develop remediation activities and processes to address issues requiring more than patches. Those activities might include:
- Updating asset network locations
- Decommissioning assets
- Uninstalling/disabling/upgrading services or software
- Modifying configurations
Set clear expectations for each team with agreements—like an internal equivalent of SLAs—so everyone works cooperatively and efficiently toward a common goal of protecting an organization’s assets.
Establish a disaster -recovery process. Whether it’s included as part of the VM program or the VM program is folded into the disaster recovery plans, companies without a formal process to handle a disaster—natural or man-made—affecting technical assets, leave themselves open to financial and reputational risk.
Schorr builds a strong case for implementing a holistic VM program. He concluded with this observation: “Innovative product development and a robust approach help companies prioritize security, which in turn allows the development of a VM program that will be taken seriously.”