What is Security Vulnerability Management?
Security vulnerability management is the current evolutionary step of vulnerability assessment systems that began in the 1990s with the network security scanner S.A.T.A.N. (Security Administrator's Tool for Analyzing Networks) and the first commercial vulnerability scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today's best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability management lifecycle.
A vulnerability can occur anywhere in the IT environment, and can be the result of many different root causes. Security vulnerability management solutions gather comprehensive endpoint and network intelligence and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. The result is actionable data that enables IT security teams to focus on the tasks that will most quickly and effectively reduce overall network risk with the fewest possible resources.
Security vulnerability management is a closed-loop workflow that generally includes identifying networked systems and their associated applications, auditing (scanning) those systems and applications for vulnerabilities, and remediating what is found. Any IT infrastructure component may present existing or new security weaknesses, i.e. vulnerabilities, whether from product or component faults or from inadequate configuration. Malicious code or unauthorized individuals may exploit those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability management is the process of identifying those vulnerabilities and reacting appropriately to mitigate the risk.
What are the drivers for Vulnerability Management?
The main drivers for implementing a security vulnerability management program are avoidance of:
- Compromised data confidentiality, integrity, and availability
- Compromised system availability
  - Directly caused by the incident
  - Required during incident containment, root cause analysis, and remediation
- Productivity loss
  - Employee idle time due to system unavailability
  - Lost transactions
  - Costs to identify and repair the incident cause
- Liability towards third parties
  - Business partners and customers
  - Third parties suffering attacks originating from compromised IT components
- Compromised public image and brand reputation
Successful security vulnerability management programs can reduce or eliminate the consequences of incidents.
What are the potential consequences?
The potential consequences of a non-existent or inadequate security vulnerability management capability are:
- Continued exposure to new and existing security threats such as viruses, worms, trojan horses, and advanced persistent threats (APT)
- Inability to accurately measure susceptibility to current and new threats
- Jeopardized system uptime and availability
- Potential cost savings from reducing or eliminating vulnerabilities are never realized
- Integrity and privacy of data put at stake
- Potential image loss and liability damages if restricted data (PCI, PII, PHI) is exposed and/or abused
- Difficulty in demonstrating regulatory compliance, since regular vulnerability scanning and timely patching are explicit PCI DSS requirements
What are the steps in the Security Vulnerability Management program?
Typically, when people hear Security Vulnerability Management, they think about vulnerability scanning tools such as Nessus or Qualys. Vulnerability scanning is only one important process in the entire program. The major processes in the program are:
- Asset Identification – Successful asset management starts with understanding what you have. This process provides complete visibility into the entire hardware and software asset inventory, including version information, which helps determine applicability of threats in the environment. Defining the scope of the networks where assets are located is also a critical component.
- Threat Intelligence – Monitoring both internal and external sources for threat information is critical to provide a complete view. From the internal perspective, log management and SIEM solutions provide alerting on on-going intrusion attempts and malicious code attacks. Externally, vendors and industry alerting resources must be monitored and matched against the full breadth of IT assets in the inventory to identify potential threats.
- Risk Evaluation – A cross-functional team must evaluate the threat information including the vendor risk ranking combined with any existing workarounds and security solutions to determine the threat criticality, remediation responsibility, and associated deadline for remediation.
- Remediation – The responsible system or application administration team must develop the remediation plan and follow the existing enterprise change management process. The remediation steps typically are patching or shielding and compensating controls such as network segmentation and system configuration changes.
- Vulnerability Scanning – The vulnerability scanning system must be properly configured to scan all networks in scope as determined in the Asset Identification process. In a proactive IT environment, vulnerability scanning provides remediation confirmation: a rescan after patching shows whether the finding is actually closed. In a reactive environment, it provides the list of vulnerable systems that need to be remediated. A side benefit of vulnerability scanning is identification and version tracking of systems and applications, which complements or validates the results of the Asset Identification process; hosts the scanner finds that the inventory does not know about are an inventory gap to be fed back into that process. Vulnerability scanning can also provide reports that allow management to evaluate the effectiveness of patching and the security risk posture when new vulnerabilities appear.
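The Risk Evaluation, Remediation and Vulnerability Scanning steps above can be tied together in a small script. The following is an added example, not code from the original post or from any scanner vendor: it joins constructed scanner findings with a constructed asset inventory, adjusts the vendor base score for exposure, asset criticality, segmentation and existing compensating controls, assigns an owner and a remediation deadline from an assumed SLA policy, and compares two scan runs to confirm remediation. The hostnames, the vuln-N identifiers, the weights in risk_score and the SLA_DAYS table are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    """One row of the asset inventory produced by Asset Identification."""
    host: str
    owner: str            # team accountable for remediation
    criticality: int      # 1 = low .. 3 = business critical
    internet_facing: bool
    segmented: bool       # reachable only from a restricted network segment


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by the scanner for one host."""
    host: str
    vuln_id: str          # scanner's identifier (placeholders here)
    cvss: float           # vendor / NVD base score
    exploit_public: bool  # from external threat intelligence
    shielded: bool        # an existing compensating control covers it


# Constructed inventory (assumed hosts, not real systems).
INVENTORY = {
    "web01": Asset("web01", "web-team", 3, True, False),
    "db01":  Asset("db01",  "dba-team", 3, False, True),
    "lab07": Asset("lab07", "it-lab",   1, False, True),
}

# Constructed scan output. "build02" is deliberately absent from the inventory.
FINDINGS = [
    Finding("web01",   "vuln-1", 9.8, True,  False),
    Finding("db01",    "vuln-2", 9.8, False, False),
    Finding("lab07",   "vuln-3", 5.3, False, False),
    Finding("web01",   "vuln-4", 7.5, False, True),
    Finding("build02", "vuln-5", 6.5, False, False),
]

# Assumed remediation policy: rating -> days allowed to remediate.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(asset: Asset, finding: Finding) -> float:
    """Adjust the vendor base score for this environment (weights are assumptions)."""
    s = finding.cvss
    if asset.internet_facing:
        s += 2.0
    if finding.exploit_public:
        s += 1.5
    s += (asset.criticality - 1) * 0.5
    if asset.segmented:
        s -= 2.0
    if finding.shielded:
        s -= 4.0
    return max(0.0, min(10.0, s))


def rating(score: float) -> str:
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def evaluate(findings, inventory, today: date):
    """Risk Evaluation: one prioritized, owned, dated work item per finding."""
    items = []
    for f in findings:
        asset = inventory.get(f.host)
        gap = asset is None
        if gap:
            # The scanner found a host the inventory does not know: assume the
            # worst exposure and route the host back to Asset Identification.
            asset = Asset(f.host, "UNASSIGNED", 3, True, False)
        s = risk_score(asset, f)
        r = rating(s)
        items.append({
            "host": f.host, "vuln_id": f.vuln_id, "owner": asset.owner,
            "score": s, "rating": r,
            "due": today + timedelta(days=SLA_DAYS[r]),
            "inventory_gap": gap,
        })
    items.sort(key=lambda i: i["score"], reverse=True)
    return items


def confirm_remediation(previous, rescan):
    """Vulnerability Scanning as remediation confirmation: diff two scan runs."""
    before = {(f.host, f.vuln_id) for f in previous}
    after = {(f.host, f.vuln_id) for f in rescan}
    return {
        "fixed": sorted(before - after),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    for item in evaluate(FINDINGS, INVENTORY, date(2024, 1, 15)):
        print(item)
    # Simulated rescan after the web and lab teams patched vuln-1 and vuln-3.
    rescan = [f for f in FINDINGS if f.vuln_id not in ("vuln-1", "vuln-3")]
    print(confirm_remediation(FINDINGS, rescan))
```

Two of the constructed findings share the same 9.8 base score, yet one lands at critical and the other at high because the database host is segmented and has no public exploit, which is exactly the context a cross-functional risk evaluation adds over a raw scanner report. The untracked host is rated conservatively and carries an UNASSIGNED owner so the inventory gap cannot be silently ignored.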
What are the key criteria to measure the maturity of the Security Vulnerability Management program?
Some key measurement criteria for determining the maturity of the SVM program are:
- Does the organization have a comprehensive IT asset inventory in place for networks, systems, and applications? Are there owners defined?
- Does the organization have internal network segmentation implemented? Do they have a mature DMZ and business partner connectivity perimeter security architecture in place?
- Does the organization have well-defined security configuration guidelines and installation checklists implemented?
- Does the organization have an enterprise patching solution in place?
- Does the organization have separate development or testing systems and a formalized process to install and test patches integrated with their change management process?
- Does the organization have individuals identified across most IT departments who have been assigned the responsibility to participate in the Security Vulnerability Management program?
Stay tuned for SVM Part 2 which discusses the top 5 reasons why a security vulnerability management program fails.