Vulnerability Management is the practice of identifying and remediating known bugs in software that pose a security threat. During the process of improving and upgrading software, vulnerabilities are fixed even as new ones are inadvertently introduced, in a constant cycle. For organizations, it is a perpetual exercise in weighing the risks and rewards of patching or upgrading to stay ahead of vulnerabilities. This decision-making process can be complex.
What exactly is Vulnerability Management?
At its core, vulnerability management is the practice of operationalizing the risk of known vulnerabilities to aid in making decisions about remediation.
Vulnerabilities are ranked on a scale of severity. While some vulnerabilities are absolutely critical, others are far less so, meaning patching can be postponed or grouped depending on severity.
The practices of Patch Management and Configuration Management enter into the equation as well. Patch Management is the use of strategy and risk management in applying vendor updates. Configuration Management ensures that all settings, parameters, customizations, and access involved in integrating systems are preserved.These go hand in hand with Vulnerability Management; one is the motivator and the other tries to preserve functionality.
Depending on the scale of an organization, applying patches and dealing with the unexpected results of a patch breaking can be a daunting task.In an ideal world, security updates are analyzed, evaluated, and applied in a steady cadence. This is a pain point for everyone, but the risks involved with being too far out of date can be high. There’s also considerable risk of breaking business critical systems or features with a patch. Erecting some structure and policy around the process, while avoiding panic decisions, is critical to remaining secure and operational.
Why is Vulnerability Management so hard to get right?
There are three main pillars of success in executing an effective VM program:
- Visibility and insight
- Policy and controls to aid decision making
- Incentive to act
Asset Visibility and Insight are critical for effective Vulnerability Management.
It doesn’t matter how good an organization is at analyzing the risks and technical details of a vulnerability if they lack the other critical pieces of the puzzle – Asset management and IT operations.
Asset management is the foundation of analysis. It provides inventory of systems, the host OS, software installed, and versions. This insight is absolutely necessary to know whether a particular vulnerability is a factor.
How are new assets added? How are lost or compromised assets dealt with? Who is the actual person applying security updates to endpoints? These actions are the purview of IT operations management.
Vulnerability Management Policy and Controls aid Decision Making
Security researchers and software vendors assign severity to vulnerabilities. This is an indicator that’s calculated as a combination of ease-of-exploit, consequences of compromise, as well as other factors. This is just one part of the decision-making process.
An organization must develop their own policies that reflect the criticality of their own assets and functions. These policies need to take into consideration that a security patch or any software update carries the same amount of risk of breaking things as it does to secure them.
It’s important to operationalize vulnerability intel and deployment of patches by coordinating the blocks of stakeholders. Depending on the size and complexity of an organization, certain stakeholders may have different objectives and/or priorities that need to be coordinated and aligned by policy.
Vulnerabilities Won’t Be Patched Without an Incentive to Act
Not everyone is focused on security. For some stakeholders, other motivating factors may result in pushback when presented with a responsive patching strategy.
There is little incentive to act without compliance requirements or a serious security incident even with good visibility into assets and systems, and the capability to patch. Internal governance to enforce policy is an ongoing battle. Some balance can be found between security and productivity with well-defined policy that uses CVE severity and other factors.
The Elements of Vulnerability Management
VM is a process that begins with the identification of a vulnerability, analysis and evaluation to determine applicability and risk, patching of affected systems, and reporting to reconcile coverage and performance.
Vulnerability Scanning of Assets
With intelligence feeds populated by research and software vendors, the SOC can identify if vulnerabilities exist in the organization. This is purely an exercise in scanning and discovery. In general, no remediation action is taken.
Here are some distinctions in how scanning is performed:
Agent-based scanning vs “agentless” remote scanning
Common endpoint protection solutions accomplish monitoring using an agent that runs locally on the machine to search memory, files, network activity, and software inventory for signs of threats. This same mechanism can correlate software inventory versions with known vulnerabilities. This tends to be a better method for a remote workforce where machines are not always connected to the network during remote scans.
Alternatively, a remote scan method can be used in a more rigid environment where endpoints are connected to a defined network.
Credentialed vs Uncredentialed Scans
An important distinction to make in remote scans is credentialed vs uncredentialed. Does the scanner authenticate in any way to gain access to more detailed information on the endpoint?
Credentialed scans are preferable to obtain software inventory and versions. A passive uncredentialed scan is limited in scope, but is still useful in an asset management capacity for quickly finding deltas in the network client landscape.
Analysis of Vulnerabilities
After a vulnerability is identified and correlated with assets, the team needs to determine if and how a vulnerability represents risk for the organization. No action is needed if a particular CVE only affects a range of older versions of Windows while asset management shows all installed versions are newer.The analysis phase feeds directly into the policies required for decision making.
Reporting is a huge element of VM that allows everyone involved to see progress, coverage, and performance of the teams at work. It involves knowing that vulnerabilities exist in the organization, that they’ve been addressed, and how to best optimize the process. Reporting closes the loop.
The Extended Arena of Vulnerability Management
If Vulnerability Management is operationalizing risk, that simple definition is inclusive of other disciplines beyond what most people associate with VM — most likely traditional CVE correlation and patching.
Here are a few others:
Most people associate the term “vulnerability” with a bug or flaw in a particular application or operating system, but there’s an extended arena of issues that can be considered vulnerabilities and require similar remediation.
A common security vulnerability isn’t a flaw in code at all — it’s the potential to misconfigure. The scope of how secure a given application is could depend entirely upon how it’s configured. How secure is a firewall if its rules are poorly defined?
Pen testing vs vulnerability scanning
Penetration testing is the practice of testing security of infrastructure and its defenses to find weaknesses. It incorporates vulnerability scanning as part of its battery of techniques for seeking ingress.
Frequently, the known or suspected vulnerability is the best way to break into a network. The result of a Pen Test is often the same as what a SOC who manages routine vulnerability scanning would provide- actionable findings.
The software developer is an individual often responsible for introducing a vulnerability through some oversight or lack of insight during the time the software was written. Some libraries included in software applications are pre-compiled and riddled with vulnerabilities — something a primary developer may not have any visibility into.
For this reason, the methodology of peer code review is important. Products such as Fortify are designed to find vulnerabilities in both source code and compiled applications through a systematic process of analysis, scanning, and brute force methods.
Glossary of Terms
Actionable Recommendations: The greatest benefit to a VM program is turning a massive amount of data into action items. Vulnerability data is usually comprehensive, and it takes research and insight to prioritize updates and determine risk to stability vs risk of exposure. Actionable recommendations from a managed services group can make decisionmaking much easier.
CVE: Common Vulnerabilities and Exposure, or CVE, is a standard for tracking data about vulnerabilities. The common nomenclature allows a unique but decipherable ID for each vulnerability record, which can include affected manufacturer, version(s), ranked severity, and technical details of the flaw or bug. For instance, Microsoft assigns a unique CVE ID to each of its posted vulnerabilities, which are tracked across the Internet. Several different websites provided searchable CVE databases.
Operationalize: In the context of Vulnerability Management, operationalizing is to put a methodology, tool, or process into use, such as a policy for upgrading or patching. In cybersecurity, it is the transition from a setup or planning phase into actual utilization.
Patching: Patching is simply the act of apply a software update which provides specific fixes for bugs or vulnerabilities. It is usually a very incremental update, meant to effect the least amount of change in order to not affect stability.
Scanning: Vulnerability scanning is one method for detecting and tracking vulnerabilities on remote endpoints. Scans are limited to what can be detected from outside the endpoint, which usually depends on how the remote host is configured. A local agent which reports back to vulnerability management administration is considered more powerful and comprehensive.