Manage your vulnerabilities

Part of keeping an environment safe from threats is having good visibility of its weak spots, and implementing an efficient vulnerability management process is a good way to bring that visibility and create awareness. For those not used to the IT security world, we can use the analogy of a house whose owner inspects it regularly. He walks the entire perimeter looking for cracks and broken doors, checking the locks, and testing the resistance of the windows and other potential entry points. After a thorough analysis of the external and internal aspects of the house, he keeps a list of all the problems found and prioritizes the most critical issues. The vulnerability management process works in a similar manner, and companies can manage it using different approaches, technologies and processes. What we propose in this article is some tips on how to start your own vulnerability management and how to get insights from the data generated by the analysis.

Getting started

A good starting point before you implement this process is the supporting guidance in ISO 27002. It contains a list of best practices and steps to take in order to get a traditional vulnerability management service up to speed. In a nutshell, the relevant points are:

Make an asset inventory – Effective vulnerability management depends on knowing the relevant information about your information assets, such as software manufacturer, software version, where the software is installed, and who is responsible for each piece of software. A well-maintained asset inventory is key to a successful vulnerability management process.

Define responsibilities – Vulnerability management requires many different activities (e.g., running scans, risk assessment, correction, etc.), so it is important to clearly define who is doing what to ensure suitable tracking of assets and actions.

Define reference sources – Manufacturer sites, specialized forums, and special interest groups should be on your list of sources to consult for news about vulnerabilities and correction measures. The scanning tools used to run the tests usually correlate what they find with these reference sources.

Define your process – Regardless of how urgent a vulnerability is, it is important to treat it in a structured manner. Change management or incident response procedures should be considered for treating vulnerabilities. The time taken to respond to and fix vulnerabilities will also dictate the efficiency of your process; these vulnerabilities can be potentially dangerous when connected to critical systems. Don't forget that before implementing any remediation, the appropriate tests must be conducted in order to provide visibility of side effects or undesired outages in legacy applications.

Make records and re-assess – Maintaining incident records of what happened and what procedures were done is vital to learn from the incident and prevent further events, or at least to minimize their impacts, as well as to improve the vulnerability management process itself. In addition, be sure to conduct periodic evaluations, so you can implement improvements, or make corrections, as soon as possible.

Improving your vulnerability management process

There are other relevant actions that can contribute to your vulnerability management process and make it more robust. Traditional VM processes are focused, in most cases, on running a scanning tool, consolidating the report, preparing action plans, implementing remediation and re-assessing. In addition to that, a strong Security Policy defining the minimum standards accepted for servers, databases, applications and other assets is certainly one of the key points to improve your VM process. These policies can be added to the standard scanning and provide visibility of problems that are not easily discovered in the basic vulnerability management process.

Real life

When we look at the real situations that different companies face, it can be quite difficult to implement all the recommended actions, remediations and fixes pointed out by a vulnerability scanning report. Cross-referencing the vulnerabilities found with critical systems will help guide your actions. Whenever fixes are not possible, consider alternatives and mitigating controls. Keep rigorous control of any accepted risk and check that there is the right awareness of the potential materialization of this risk. Accepted risks must be reviewed periodically and be well known by the stakeholders.

What about the Cloud and IoT?

Nowadays it is very common to see companies moving their IT infrastructure to cloud providers like Azure, AWS and others. These assets can also be vulnerable, and the concept of vulnerability management applies in the same way as on on-premise platforms. The good news is that service providers have realized this too, and you can contract it as a service. There is always the possibility of going hybrid, using your on-premise processes and tools to assess the state of your assets in the cloud, as well as adopting a customized process using the tools from your cloud provider.

In the IoT field, things are a little more complex. Make sure you choose devices and technologies that provide a minimum security framework. With the popularity of IoT devices, not all vendors have adopted security best practices and embedded them in their products. You can use vulnerability scanners to discover what is plugged into your network and how vulnerable those devices are; the remediation of these vulnerabilities will depend on the technology implemented in each particular IoT device.

Getting Insights

The volume of information generated by the vulnerability management process is huge and also valuable. You can cross-reference this information with your threat intelligence feeds and get visibility of the likelihood of attacks on unprotected systems. Another good way to get valuable insights is to match cases of system unavailability against information about vulnerable assets; this way you can estimate the chances of a potential outage being related to a security attack, especially for environments and systems with low security monitoring maturity. The historical number of vulnerabilities also shows your capability to fix problems and to implement systems with the right security standards.
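The cross-referencing described here and under "Real life" can be sketched in a few lines. This is an added example, not part of the original article: it joins scanner findings with the asset inventory, a threat intelligence set and the register of accepted risks. The host names, vulnerability ids, dates and score weights are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: hosts and vulnerability ids are placeholders.
INVENTORY = {  # asset -> owner and business criticality
    "erp-db-01": {"owner": "dba-team", "critical": True},
    "intranet-wiki": {"owner": "it-ops", "critical": False},
}
FINDINGS = [  # (asset, vulnerability id, scanner severity 0-10)
    ("erp-db-01", "VULN-EXAMPLE-001", 6.5),
    ("intranet-wiki", "VULN-EXAMPLE-002", 9.1),
    ("intranet-wiki", "VULN-EXAMPLE-003", 4.0),
    ("lab-camera-7", "VULN-EXAMPLE-001", 6.5),  # device the inventory lacks
]
THREAT_INTEL = {"VULN-EXAMPLE-001"}  # ids a feed reports as exploited
ACCEPTED = {("intranet-wiki", "VULN-EXAMPLE-002"): date(2024, 1, 31)}  # review-by

def prioritize(findings, inventory, intel, accepted, today):
    """Return (work_queue, still_accepted); weights are illustrative assumptions."""
    queue, still_accepted = [], []
    for asset, vuln, severity in findings:
        info, score, notes = inventory.get(asset), severity, []
        if info is None:
            score += 2
            notes.append("asset missing from inventory")
        elif info["critical"]:
            score += 3
            notes.append("critical system")
        if vuln in intel:
            score += 3
            notes.append("matches threat intelligence")
        row = {"asset": asset, "vuln": vuln, "score": score, "notes": notes,
               "owner": info["owner"] if info else "unassigned"}
        review_by = accepted.get((asset, vuln))
        if review_by is not None and review_by >= today:
            still_accepted.append(row)  # accepted risk, review not yet due
            continue
        if review_by is not None:
            notes.append("risk acceptance overdue for review")
        queue.append(row)
    queue.sort(key=lambda r: r["score"], reverse=True)
    return queue, still_accepted

if __name__ == "__main__":
    queue, parked = prioritize(FINDINGS, INVENTORY, THREAT_INTEL, ACCEPTED,
                               today=date(2024, 6, 1))
    for r in queue:
        print(f'{r["score"]:5.1f} {r["asset"]:14} {r["vuln"]} '
              f'{r["owner"]:10} {"; ".join(r["notes"])}')
```

With the sample data, the medium-severity finding on the critical database outranks the high-severity finding on the wiki, and the device missing from the inventory surfaces with no owner assigned.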

In summary, the vulnerability management process is crucial for protection of the environment and also a rich source for analytics and threat intelligence.