In the first article in this series, we discussed Building a Vulnerability Management program, and in this second installment, we will examine how to create a Manageable and Sustainable Vulnerability Management program for large enterprises.
The large organization’s vulnerability management team has a unique problem related to vulnerability remediation backlog. The vulnerability management program can provide the list of vulnerabilities, remediation solutions, etc. but the remediation backlog is ever increasing. The problem is more severe for application security vulnerabilities. The question is how to create a manageable and sustainable vulnerability management program.
One of the answers to the above question is in developing Threat Modelling. This is true though it’s a very detailed and elaborate process. The threat modeling can lead to the proactive architectural decisions to reduce threats and useful tools in the early development cycle. To prevent threats from taking advantage of system flaws, administrators can use threat-modeling methods to implement defensive measures. The various threat models provide a view of threat and some are focused on risk or privacy concerns. The examples include Process for Attack Simulation and Threat Analysis (PASTA), STRIDE and Associated Derivations, LINDDUN, Attack Trees, CVSS, etc.
For e-InnoSec team to resolve the issue of backlog had to look at different approaches as there is no such strategy that fits for all. The very first step the team took is defining and understanding the problem. The team studied the problem not just from the technology or resources perspective but identified the people, process, technology considerations. The team also focused on governance, reporting, and decision-making process including asset ownership.
We realized that deploying tools was easy but implementing the right strategy was a major challenge. The organization run different vulnerability scanners regularly, evaluated the scores, and implemented recommended solutions still the list of remediation backlog kept increasing. The attackers don’t stop, and threats continue to add. Essentially the problem is not just technology but people and processes too. It’ very important to have the right remediation strategy for the organization.
Below are the high-level considerations but you can reach out to the e-InnoSec team to obtain more information on the approach, tools used to support the process, etc.
1. Governance – The right process, policies, and RACI metrics. The very important among this is accurate asset ownership data. One of the major reasons for the backlog is lack of asset ownership and decision making.
2. Response strategy – Organizations need to figure out the best way to respond. The approach could be treating certain types of vulnerabilities as emergencies and establishing high response priorities. The approach has it’s pros and cons.
3. Asset-based approach – The risk-based asset classification is key to success. Identify the high-risk asset and prioritize fixing the vulnerabilities for high-risk assets. There are certain tools available to identify high-risk assets. This inventory of assets is also critical for compliance with numerous industry regulations.
4. Prioritization of vulnerabilities – This will work only if the workflow system is effective and the task assigned will be completed in time. This will definitely reduce the risk faster.
5. Chain of command and centralized analysis – Centralized command will work better to manage the vulnerabilities if there is a clear chain of command. The organization needs to be very responsive.
6. Tracking and Communication – If an organization is able to track the different stages of the vulnerabilities remediation process and communicate better within teams then having KPI and metrics will assist in reducing risk.
7. Manage or reduce attack surface – The software attack surface is comprised of the software environment and its interfaces. These are the applications and tools available to authorized (and unauthorized) users. The software surface is calculated across a lot of different kinds of code, including applications, email services, configurations, compliance policy, databases, executables, DLLs, web pages, mobile apps, and device OS, etc. This is a very important step in managing vulnerabilities and requires a team effort. Eliminating applications not needed, managing access controls and configurations, etc. will reduce the risk.
Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors. For a large enterprise, unknown assets often exist by the hundreds and are typically easy for even novice hackers and threat groups to find. Once you have an accurate, detailed inventory of external assets in your digital footprint, it is far easier to understand, prioritize, and implement mitigation techniques to ensure that all of your external assets are protected.