NIST Cybersecurity Framework: Vulnerability Management – Not One Size Fits All

Scott Lang, Sr. Director, Product Marketing
July 20th, 2017

NIST Cyber Security Framework: Vulnerability Management

The recent Presidential Executive Order on Cybersecurity takes clear aim at vulnerability management: “Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies). Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”

Ok, so maybe you are thinking, “The White House is mandating a black and white solution to a gray problem,” or, “Patching those vulnerabilities can take my system offline, and that is riskier than the threat of vulnerability exploitation.” Fortunately, the EO also establishes the NIST Framework for Improving Critical Infrastructure (the Cybersecurity Framework) as the roadmap for government IT risk mitigation.

Check out this on-demand webinar from cybersecurity expert, Don Maclean, ‘Addressing Executive Order on Cybersecurity Requirements to Mitigate Risk’.

The NIST Model for Vulnerability Management

The NIST model defines controls and best practices that allow agencies to view the subject of vulnerability management thoughtfully and holistically. There are no one-size-fits-all mandates here. NIST Cybersecurity Framework guidance recommends the following actions as part of an overall vulnerability management and risk mitigation strategy:

  • Asset vulnerabilities are identified and documented

  • Threat and vulnerability information is received from information sharing forums and sources

  • Threats both internal and external are identified and documented

  • Threats, vulnerabilities, likelihoods and impacts are used to determine risk

  • Risk responses are identified and prioritized

  • Vulnerability management plan is developed and implemented

  • Event data are aggregated and correlated from multiple sources and sensors

  • Vulnerability scans are performed

  • Newly identified vulnerabilities are mitigated or documented as accepted risks

I think we can all agree that this is simply good vulnerability management hygiene, and its impact on mitigating risk is undeniable.

The BeyondTrust vulnerability management solution, Retina, in concert with our IT Risk Management Platform, can address these requirements and more. Check out the white paper Implementing NIST Cybersecurity Framework Standards with BeyondTrust solutions to explore how our solutions can help you address not only vulnerability management needs, but also the privileged access management controls prescribed by the framework.

We explored the long-term impacts of the Presidential Executive Order on Cybersecurity and considerations for implementing the NIST framework to achieve compliance with EO directives with Cybersecurity expert Don Maclean in our recent webinar: ‘Addressing Executive Order on Cybersecurity Requirements to Mitigate Risk’.

Scott Lang, Sr. Director, Product Marketing

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.