Introduction

Every organization has software vulnerabilities, configuration flaws, and unrecorded IT assets. Some flaws are more dangerous from an information security point of view, some are less dangerous. But in any case, they open the way for intruders to enter the company’s internal infrastructure. Vulnerability Management (VM) can reduce the number of possible and existing cyberthreats. This is a process that consists of:

  • Regular infrastructure inventory,
  • scanning,
  • processing of scanning results,
  • Creating a plan to eliminate vulnerabilities and their subsequent elimination,
  • monitoring of the search for and remediation of vulnerabilities.

By the way, at the end of March 2021, there was an AM Live broadcast devoted to the actual questions of vulnerability management system building. Leading IS experts shared with the audience how to build a Vulnerability Management process in heterogeneous infrastructure, and how to automate the process. Quotes, insights, and polls from the audience can be found in the corresponding article.

However, you can’t start VM “off the bat.” First you have to do some preparatory work: assess the IS processes that already exist in the company, understand how well-trained the staff is, choose a tool and a way of scanning. Otherwise, VM and vulnerabilities will exist separately from each other. So how do you prepare for VM implementation in an organization?
Evaluate your company’s IS processes

The first step to effective vulnerability management is to assess the company itself and its IS processes. An organization can do this on its own or engage an external auditor.

In evaluating the IS processes, the following questions are worth answering:

  • Is there now a process for controlling all of the company’s IT assets and how effective is it?
  • Is there now a process for finding software vulnerabilities, how regular and effective is it?
  • Is there a vulnerability remediation process now, how regular and effective is it?
  • Does internal IS documentation describe vulnerability controls and is everyone familiar with these documents?

If the answers to these questions do not correspond to the real state of affairs in the company, the assessment will turn out to be incorrect and a lot of mistakes will appear when introducing or revising the vulnerability control process. For example, often a company has a VM tool, but either it is bad, or there is no specialist who can manage it effectively. Then, formally, there is vulnerability control, but actually some of the IT resources may not be covered by the scanner, or the scanning results may be interpreted incorrectly.

The results of the scan should produce a report that clearly shows how the company’s processes are organized and what weaknesses are present at the moment.

Choice of scanning tool

There are several options on the market today to implement the VM process. Some offer self-service (scanner sales) and some offer an expert service. Scanners can be hosted in the cloud or on a company’s perimeter, monitor hosts with or without agents, and use different data sources to populate their vulnerability databases. You can read more about choosing a scanning tool in our previous article.

The following questions are worth answering at this stage:

  • How is the organization’s IT infrastructure built and how specific is it?
  • Are there regional peculiarities in the work of the organization?
  • Are there a lot of remote hosts?
  • Are there in-house specialists to maintain the scanner?
  • Are there financial reserves for the purchase of their own software?
  • Who and how will run the scanner and process the results?

Evaluate and establish processes for interaction between the IS and IT teams

This is probably the most difficult stage, as it is necessary to properly organize the interaction of people. As a rule, IS specialists are responsible for information security in an organization, while IT takes care of vulnerability mitigation. It also happens that IT and IS are handled by the same team or even by the same employee. But this does not change the approach to the distribution of tasks and areas of responsibility, and sometimes it is at this stage that it turns out that the current volume of tasks cannot be handled by one person alone.

As a result, a coordinated and synchronized process of vulnerability mitigation must be formed. To do that you have to define the criteria of passing the detected vulnerabilities from the IS team to IT (i.e. to form a way and form of passing the data which is convenient for everyone).

Also, this step helps to coordinate KPI and SLA for both teams on information transfer and vulnerability mitigation (it is worth considering the knowledge gained in the second step). For example, for IS, it is important to establish requirements for the speed of vulnerability data transfer and accuracy of its criticality definition, and for IT – the speed of vulnerability closure of a given level of danger.

Implement a vulnerability monitoring process

Once you have assessed the effectiveness and availability of the processes, decided on the appropriate way to organize the vulnerability control and scanning tool, and regulated the interaction between the teams, you can start implementing vulnerability control.

One piece of advice here is not to immediately load this process with all of the functional modules available in the scanning tools. If an organization has not had continuous monitoring, it is likely that the IS and IT teams will experience communication difficulties. This can lead to conflicts and non-compliance with KPIs and SLAs.

It’s better to implement VM incrementally. You can do the full cycle of vulnerability monitoring (inventory, scan, process, control) at a slower pace, such as scanning the entire infrastructure once a quarter and business-critical segments once a month. In about a year, your teams will be able to “work together,” find and fix major vulnerabilities, understand the glaring weaknesses in their processes, and provide a plan to fix them. Subsequently, this will increase the speed and effectiveness of vulnerability control.

Additionally, you can bring in outside experts to help significantly reduce the routine work for your company’s in-house staff. For example, a service provider can be brought in to conduct inventory and scanning, to process the results. The service approach will also help managers plan work and monitor progress. For example, if the report from the service provider shows that the vulnerabilities found during the previous scan have not been closed, the manager can look at the SLAs of his employees and realize that either the IS department has no time to transfer the scan data, or IT has no time to fix the detected errors. > How to build control over vulnerabilities in the company and avoid making a wrong choice of scanner

Conclusions

When building a vulnerability control process, a company may encounter the following mistakes:

  • Overestimating current processes and their effectiveness within the organization, including because the people in charge of those processes are afraid of appearing incompetent;
  • Incorrect evaluation when choosing a scanning method and tool. This happens because specialists choose a scanner either on the basis of subjective evaluation or “as directed from above” – also without process evaluation and analysis. And if in-house employees do not have sufficient experience and competence, it is better to choose a service provider for scanning, analysis of results, etc.;
  • Lack of segregation of responsibilities between the IS and IT teams;
  • implementation of everything at once. “Let’s integrate regular monitoring of all servers, workstations and clouds, we will immediately focus on ISO 12100 and PCI DSS compliance, put patch management, and Boris will control it” – this approach is dangerous. After a month Boris will quarrel with IT, after three months he will quit, and the process will be considered ineffective and forgotten about until the first cyber incident.

Therefore, it is better to “lay the foundation” first and only after that start building the scanning process.

Similar Posts