You have a vulnerability scanner, but where’s your process?
Most organizations are rightly concerned about possible vulnerabilities in their systems, applications, networked devices, and other digital assets and infrastructure components. Identifying vulnerabilities is indeed important, and most security professionals have some kind of scanning solution in place. But what is most essential to understand is that a vulnerability scan represents just a single snapshot of your infrastructure at a fixed moment.
The fact is, your infrastructure is constantly changing and vulnerabilities may appear at any time. Attackers may appear at any time, as well. That’s why you need to build a comprehensive vulnerability management plan that ensures frequent coverage of your environment – but also includes a sustainable process for analyzing, prioritizing, and remediating vulnerabilities when they are found.
Only with a consistent, repeatable vulnerability management process that covers all assets and provides regular reporting so that informed decisions can be made quickly – shortening the window during which you are vulnerable – can you be assured your solution is providing the protection you expect.
A little help to get you started
BeyondTrust has prepared a customizable Vulnerability Management Policy Template that outlines a framework of best practice guidelines for implementing and maintaining an efficient and effective VM practice in your organization – one designed to keep up with the increasingly sophisticated attacks that target your constantly evolving infrastructure.
Below is an abbreviated look at the overall process, plus links to download PDF and Word versions of the complete Vulnerability Management Policy template.
The five phases of a continuous vulnerability management process
The following is a summary of the four key VM phases – discovery, analysis, reporting, and remediation – detailed in the BeyondTrust process template:
1.) Preparation You should start out with a solid understanding of your company’s risk profile, based on:
- the size, scope, and geographic dispersion of its infrastructure,
- the number of applications and devices on the network at all times; and,
- the relative value of all these assets.
The most critical assets – such as those containing financial data and sensitive information – must be the most closely watched. And because sophisticated threats can get through even the strongest levels of protection, identifying the appropriate contingencies and being able to remediate quickly must be built into the process in advance so it can be operationalized efficiently.
2.) Discovery In terms of discovery, the question is how often should you scan? Again, that will depend on the size and nature of your digital assets. At the very minimum, low-risk or low-value assets should be scanned once a quarter. At the opposite end of the spectrum, high-risk/high-value assets can be scanned as often as several times a day. There are other factors to consider as well; for example, because patches from vendors such as Microsoft tend to be released on the 1st and the 15th of the month, that is a good time to schedule scans of servers and sensitive hosts.
3.) Analysis The challenge here is that you might be generating an enormous amount of data through your scanning, and being able to analyze it in an efficient way is essential. This is a key capability of a robust VM solution, as there will be too much information to sift through it all manually. You need to be able to configure a solution to identify the highest-value information that each scan yields.
4.) Reporting The reporting phase is where the data becomes actionable. A strong VM solution will generate a variety of reports, focusing on such things as threat analysis, service level agreement status, regulatory compliance, and exceptions and expiration dates. Reports should be reviewed by the security team, system owners, and system administrators, who will work to create a schedule of what actions must be taken and what the priority of each action should be.
5.) Remediation This leads to the fourth phase, remediation. Depending on the asset and the vulnerability found, remediation can be done quickly and remotely, or it may require a more complex, hands-on fix that may require taking some systems offline, using redundant systems, and implementing additional components. As noted earlier, such contingencies should be identified in advance so there is no delay in eliminating the vulnerability.
Now it’s your turn: Download our customizable VM Policy Template
A limited VM effort is not much better than none at all. Take some time now to develop a consistent, repeatable plan for vulnerability management in your organization, and you’ll avoid hours of headaches later. BeyondTrust developed a free Vulnerability Management Policy template to help you get started. Here it is in PDF format. Like what you see? Request a customizable version in Microsoft Word.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.