NIST Cybersecurity Framework: Vulnerability Management – Not One Size Fits All
July 20th, 2017
The recent Presidential Executive Order on Cybersecurity takes clear aim at vulnerability management: “Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”
Ok, so maybe you are thinking, “The White House is mandating a black and white solution to a gray problem,” or, “Patching those vulnerabilities can take my system offline, and that is riskier than the threat of vulnerability exploitation.” Fortunately, the EO also establishes the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as the roadmap for managing cybersecurity risk in government IT.
Check out this on-demand webinar from cybersecurity expert, Don Maclean, ‘Addressing Executive Order on Cybersecurity Requirements to Mitigate Risk’.
The NIST Model for Vulnerability Management
The NIST model defines controls and best practices that allow agencies to view the subject of vulnerability management holistically and thoughtfully. No one-size-fits-all mandates here. The Cybersecurity Framework recommends the following outcomes (its subcategory identifiers are given in parentheses) as part of an overall vulnerability management and risk mitigation strategy:
Asset vulnerabilities are identified and documented (ID.RA-1)
Threat and vulnerability information is received from information sharing forums and sources (ID.RA-2)
Threats, both internal and external, are identified and documented (ID.RA-3)
Threats, vulnerabilities, likelihoods and impacts are used to determine risk (ID.RA-5)
Risk responses are identified and prioritized (ID.RA-6)
A vulnerability management plan is developed and implemented (PR.IP-12)
Event data are aggregated and correlated from multiple sources and sensors (DE.AE-3)
Vulnerability scans are performed (DE.CM-8)
Newly identified vulnerabilities are mitigated or documented as accepted risks (RS.MI-3)
I think we can all agree that this is simply good vulnerability management hygiene, and its impact on mitigating risk is hard to dispute. Notice in particular that the Framework does not say “patch everything immediately”: risk is derived from likelihood and impact, responses are prioritized, and a finding may legitimately end up documented as an accepted risk rather than mitigated.
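As an added worked example (written for this page; it is not code from the original post, from NIST, or from BeyondTrust), here is how ID.RA-5, ID.RA-6 and RS.MI-3 might be carried out in practice: a small Python triage routine that enriches scanner findings with threat intelligence, exposure and asset criticality, ranks them by likelihood times impact, and records each one either as "mitigate" or as a documented accepted risk with a review date. The findings, scores, weights and the 0.35 threshold are constructed for illustration and are not values prescribed by the Framework.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One scanner finding enriched with context (constructed, not real scan output)."""
    asset: str
    issue: str
    cvss: float            # scanner/vendor base score, 0-10 (hypothetical values below)
    exploit_public: bool   # threat intel: a working exploit is in circulation (ID.RA-2)
    internet_facing: bool  # exposed to external threats (ID.RA-3)
    criticality: int       # business impact tier, 1 (low) .. 5 (mission critical)
    eol: bool = False      # OS/hardware beyond vendor support lifecycle (per the EO)


def likelihood(f: Finding) -> float:
    """Likelihood 0-1: scanner score, raised for public exploit, exposure and EOL status.
    The additive weights are illustrative assumptions, not NIST-prescribed values."""
    l = f.cvss / 10.0
    if f.exploit_public:
        l += 0.25
    if f.internet_facing:
        l += 0.15
    if f.eol:
        l += 0.10  # no vendor fix will ever arrive, so the window stays open
    return round(min(1.0, l), 2)


def impact(f: Finding) -> float:
    """Impact 0-1 from the asset's business criticality tier."""
    return f.criticality / 5.0


def risk(f: Finding) -> float:
    """ID.RA-5: threats, vulnerabilities, likelihoods and impacts combined into one score."""
    return round(likelihood(f) * impact(f), 3)


def triage(findings: List[Finding], mitigate_at: float = 0.35,
           review_days: int = 90, today: Optional[date] = None) -> List[Dict]:
    """ID.RA-6 / RS.MI-3: rank by risk and record a response for every finding.

    Findings at or above the threshold must be mitigated; the rest are not
    ignored but written down as accepted risks with a re-evaluation date.
    """
    today = today or date.today()
    records = []
    for f in sorted(findings, key=risk, reverse=True):
        r = risk(f)
        if r >= mitigate_at:
            response = "mitigate"
            action = ("replace or isolate; no vendor patch exists" if f.eol
                      else "apply patch or compensating control")
        else:
            response = "accept"
            action = (f"documented accepted risk; re-evaluate by "
                      f"{today + timedelta(days=review_days)}")
        records.append({"asset": f.asset, "issue": f.issue,
                        "likelihood": likelihood(f), "impact": impact(f),
                        "risk": r, "response": response, "action": action})
    return records


# Constructed sample register: four findings deliberately chosen so that
# raw scanner severity and business risk disagree.
SAMPLE = [
    Finding("web-01", "outdated TLS library on public web server", 7.5, True, True, 4),
    Finding("hr-db-02", "database engine past vendor end-of-life", 6.0, False, False, 5, eol=True),
    Finding("kiosk-17", "missing browser patch on isolated lobby kiosk", 8.8, True, False, 1),
    Finding("build-03", "weak SSH cipher configuration", 5.3, False, False, 3),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(f"{rec['asset']:<10} risk={rec['risk']:<6} {rec['response']:<8} {rec['action']}")
```

Running the sample shows why "patch by CVSS score" is the wrong rule: the kiosk carries the highest scanner score (8.8, public exploit) but lands at the bottom of the list and is accepted with a review date, while the end-of-life database, which no patch can ever fix, scores only 6.0 yet is ranked for mitigation because of its criticality. Both decisions are written into the register, which is exactly what RS.MI-3 asks for.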
The BeyondTrust vulnerability management solution, Retina, in concert with our IT Risk Management Platform, can address these requirements and more. Check out the white paper Implementing NIST Cybersecurity Framework Standards with BeyondTrust solutions to explore how our solutions can help you address not only vulnerability management needs, but also the privileged access management controls prescribed by the Framework.
In our recent webinar, ‘Addressing Executive Order on Cybersecurity Requirements to Mitigate Risk’, we explored with cybersecurity expert Don Maclean the long-term impacts of the Presidential Executive Order on Cybersecurity and the considerations for implementing the NIST Framework to achieve compliance with the EO’s directives.