Market observations show that more than two-thirds of companies over the world anticipate either a decrease or no change of their IT budget in the “Covid-19 recovering phase”. In the meantime, about 80% declare they do not adjust their budget according to the business impact1Source: Gartner. As the market continues to lack skilled cybersecurity staff to meet the growing demand, organizations are forced to do “more with less”.
IT can involve irremediable damages on an organization. The impact can range from reputational, financial, legal or operational repercussions potentially fatal for some business.
Large enterprise networks contain more vulnerabilities than their cybersecurity teams can fix. On average, we estimate 10% of them can be patched. Then, it is essential to prioritize the efforts on the riskiest ones.
The traditional approach of Vulnerability Management is to reduce the numbers of critical tagged vulnerability (based on metrics like CVSS). However, Vulnerability Management can only be an effective means of preventing breaches if organizations’ first focus is eliminating the imminent risks that can cause the most significant impact on the business.
According to Gartner: “By prioritizing treatment of vulnerabilities exploit kits commonly target, malware, ransomware and threat actors, while also considering asset criticality and external exposure, will focus remediation on the elimination of imminent risks. This approach will result in a reduced attack surface and will provide “breathing room” for additional patch installation”.
To deal with these organizations’risks it is necessary to have a good knowledge of the organization and its context. Then, it is mandatory to identify IT assets and witch and what business processes they support. In fact, this will permit to build of a risk analysis of the organization’s IT services and network design to map potential assets impact (Confidentiality, Integrity and Availability of the information) to business risks.
The knowledge of the field reality to focus on the vulnerabilities that matter
Some vulnerabilities are very widely exploited and therefore more potentially risky. Knowledge of the field reality permits to predict the probability of the exploited vulnerability, this information’s constitute a key insight to patching and success with risk-based vulnerability management. To consider this reality, it is important for the efficiency of vulnerability management to get expert teams aware of these trends.
Note: Tools such as Qualys VMDR use machine learning to provide risk score of vulnerability considering the reality of the field about the vulnerability exploitability rate.
Design a Vulnerability Management Strategy
Vulnerability management refers to a process of identifying, analyzing, remediating, and reporting on security vulnerabilities related to systems and software. Designing the vulnerability management strategy requires defining and improving a mature vulnerability management program. Surely, it is as a preparatory work prior to the execution of the formalized process.
Excellium recommends performing due diligence to assess which prerequisites have been reached for executing and managing an efficient vulnerability management program. This audit has two objectives; to define the workload for the various activities and to analyze the gap between the “as is” situation and the “to be” target.
According to the findings of the due diligence, stakeholders must work on a set of topics:
- focusing on the contextualization,
- the setup of objectives of the vulnerability management program and an improvement of the processes and procedures.
Vulnerability Management Service operations
The run of the Vulnerability Management usually starts with a first set of scans. We first need to initiate the lifecycle to know where we start from (“as is” situation). In the beginning phase, the effort must focus on the provision of relevant information. It will help have an appropriate view of the vulnerabilities for the organization. Once the first results obtained and analysed, we can launch the remediation action plan.
As presented in the release note: “How to beat your vulnerabilities? Time to fight back!”, Excellium recommends a Vulnerability Management approach in 6 steps.
- Discover Your Network Environment – ensure every network device and software application residing in the network is inventoried.
- Prioritize Your Network Assets – identify, visualize, and organize the network assets into Business Units and Asset Groups. Define the “mission-critical” assets by their importance to the business operations based on the risk analysis previously established.
- Assess Network Security Vulnerabilities – scanners safely and accurately detect security vulnerabilities across the entire network in a highly automated manner.
- Report Threats with Powerful Analysis – using Common Vulnerability Scoring System (CVSS) and the criticality of the assets agreed in the strategy definition. Reports provide both a detailed technical analysis (with a description for each vulnerability including security threat, consequences if the vulnerability is exploited, and the recommended solution to fix the vulnerability including links to the appropriate patches) and an executive-level summary.
- Remediate Your Network Vulnerabilities – prioritize actions to fix vulnerabilities according to the business risk.
- Verify effectiveness – each vulnerability is tracked in the system until it is verifiably fixed.
Once launched, each vulnerability will be tracked and mapped with the business risk context.
“This risk-based approach for a Vulnerability Management permits to optimize patching effort to be risk efficient “
Monitoring KPI and extend capabilities must continuously improve vulnerability management.
Excellium Vulnerability Management Service: a solution to outsource your Vulnerability Management as an extension of your team
Excellium has built a service offer to help organizations keep control of vulnerabilities through Vulnerability Management establishment and operations activities.
It is hard to fully outsource the vulnerability management lifecycle to a service provider. Indeed, some activities require a strong knowledge about the business context, the assets, the potential impacts of the vulnerabilities and the strategy of the company. Above all, some decisions cannot fall under a service provider’s responsibility. For this reason, Excellium fosters the implementation of “core services”, which Excellium’s staff can deliver, while some steps remain under the customer’s responsibility.
Did you like the article? Discover how Qualys and Excellium help you beat vulnerabilities.
Do not miss our next episode coming out soon.