I had a completely different article typed up for today. However, after catching up on the morning news and seeing the surge of controversy regarding Coordinated Vulnerability Disclosure (CVD) from Microsoft, I decided to pivot. I want to help our community understand exactly what this means for your organization.
Vulnerability management is a crucial part of an organization's security posture. But beyond the buzzwords, let’s talk about the why.
Coordinated Vulnerability Disclosure (CVD) is a method for security researchers to disclose vulnerabilities in coordination with vendors. The goal is to prevent exploit code from being utilized "in the wild" before a security patch is ready.
In this arena, there is a constant battle:
It is the classic “chicken and egg” problem. We need researchers to find and release vulnerabilities so scan vendors can create signatures and we can defend our networks. Yet the industry still struggles with what a truly "good" vulnerability management program looks like.
A successful program can be visualized through four distinct, cyclical areas: Baseline, Assess, Resolve, and Lifecycle.
During the Baseline phase, organizations must prioritize identifying their "technological debt." Believe it or not, most organizations do not know where all their assets are, what their purpose is, or the risk they pose.
Secondary to asset identification is policy development, specifically regarding the onboarding and decommissioning of systems. I’ve seen organizations "decommission" systems but leave the network cable attached. During a penetration test, I’ll compromise a machine the organization swears isn't on the network, only to find out it was never actually unplugged.
The Assess phase serves as the organization’s "eyes" into its threat footprint. Ideally, you should assess your network threats at least once a month.
The beauty of a vulnerability management program is that it is incredibly affordable compared to services like full penetration tests. Used effectively, the data it produces becomes a powerful indicator of how a future penetration test is likely to turn out.
The Resolve phase is where most organizations struggle the hardest. You must develop a plan to remediate or mitigate everything identified in the Assess phase; otherwise, what was the point of assessing?
A common stumbling block is the misconception that everything must be patched immediately. Organizations should instead make informed risk decisions. By prioritizing assets (from Phase 1) based on business impact and using threat data (from Phase 2), you can decide when and how to remediate or mitigate effectively.
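As an added example (not code from the original post), the reasoning above in runnable form: a small Python planner that scores each finding from its asset's business-impact tier (Phase 1) and the scanner's threat data (Phase 2), assigns a remediation deadline, and sets aside findings on hosts the Baseline inventory cannot explain. The tiers, weights, exploited bonus and SLA bands are constructed assumptions, not an industry standard.

```python
# Added example, not the post's code; tiers, weights and SLA bands are constructed.
# Phase 1 (Baseline): business-impact tier per asset, 1 = most critical.
INVENTORY = {
    "db01": {"tier": 1, "status": "production"},
    "web01": {"tier": 2, "status": "production"},
    "kiosk07": {"tier": 3, "status": "production"},
    "legacy-fs": {"tier": 2, "status": "decommissioned"},
}
# Phase 2 (Assess): constructed monthly scan output, reduced to the fields used.
FINDINGS = [
    {"host": "db01", "plugin": "openssl-outdated", "cvss": 7.5, "exploited": False},
    {"host": "web01", "plugin": "cms-rce", "cvss": 9.8, "exploited": True},
    {"host": "kiosk07", "plugin": "smbv1-enabled", "cvss": 5.3, "exploited": True},
    {"host": "legacy-fs", "plugin": "eol-os", "cvss": 10.0, "exploited": True},
    {"host": "10.0.9.44", "plugin": "telnet-open", "cvss": 7.5, "exploited": False},
]
TIER_WEIGHT = {1: 3, 2: 2, 3: 1}
SLA_BANDS = [(24, 7), (15, 30), (8, 90), (0, 180)]  # (min score, days to fix)

def risk_score(tier, cvss, exploited):
    """Asset impact (tier weight) x threat severity (CVSS), plus a flat bonus
    when exploitation is known: the 'informed risk decision' in numbers."""
    return round(cvss * TIER_WEIGHT[tier] + (5 if exploited else 0), 1)

def sla_days(score):
    """Remediation deadline from the first SLA band the score reaches."""
    return next(days for floor, days in SLA_BANDS if score >= floor)

def baseline_gaps(inventory, findings):
    """Scanned hosts Baseline cannot explain: absent from inventory, or marked
    decommissioned yet still answering (the unplugged-cable case)."""
    gaps = []
    for host in sorted({f["host"] for f in findings}):
        asset = inventory.get(host)
        if asset is None:
            gaps.append((host, "not in inventory"))
        elif asset["status"] == "decommissioned":
            gaps.append((host, "decommissioned but still live"))
    return gaps

def remediation_plan(inventory, findings):
    """Findings on known, active assets by descending risk; gap hosts go back to Phase 1."""
    gap_hosts = {host for host, _ in baseline_gaps(inventory, findings)}
    plan = []
    for f in findings:
        if f["host"] in gap_hosts:
            continue
        score = risk_score(inventory[f["host"]]["tier"], f["cvss"], f["exploited"])
        plan.append({**f, "score": score, "sla_days": sla_days(score)})
    return sorted(plan, key=lambda p: p["score"], reverse=True)
```

Note that the exploited-in-the-wild RCE on the tier-2 web server outranks the unexploited finding on the tier-1 database, while the "decommissioned" file server never enters the patch queue at all: it is a Baseline failure, not a patching task.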
The Lifecycle phase is about building a culture of good security practices. We want to identify how a system became vulnerable in the first place:
Evaluating how we got here allows us to change habits and foster a more productive security mindset.
In the end, your organization should employ a robust and cyclical vulnerability management program. It should provide you with the information needed to assess threat and risk across every asset in the enterprise. This constant flow of information is the key to making the strategic, dynamic changes necessary to protect your network.