Jason Ingalls : Apr 24, 2019 12:00:00 AM
This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-Point Guide, click here to sign up and get the entire guide for free!
This week, we'll discuss how to do more with patch management, and the benefits of a mature Vulnerability Lifecycle Management program.
Most businesses today rely on four major cybersecurity risk management controls to protect themselves: antivirus, firewalls, backups, and patch management. We've talked about antivirus and Advanced Endpoint Protection. Firewalls and backups are not discussed as part of this guide; while they are very important risk management controls, they haven't evolved much in the last decade and businesses should be able to cover these basic tools either with an internal IT expert or team, or a Managed Services Provider. One area that has evolved significantly is the practice of patch and vulnerability management. Ten years ago, Microsoft had finally gotten a handle on getting patches distributed to workstations and servers for most organizations, and today many applications such as web browsers (e.g. Chrome, Firefox) and application frameworks (e.g. Java, .NET) have reached that level of capability. This section will explain how to go from the bare minimum with patch management to a more robust vulnerability lifecycle management capability that ensures risks are identified and mitigated.
Most organizations understand how crucial Operating System patches are for Windows workstations and servers, and some have even configured application patching for things like Java, web browsers, and other applications. While this automatic patch management capability can provide bare minimum levels of security, there is a better way to make sure that systems get patched for critical to moderate vulnerabilities, and that they get patched within an acceptable timeframe.
Vulnerability scanners such as Nessus and Rapid7 have been around for over a decade now; however, it's surprising how few SMBs have ever had a vulnerability scan of their environment. Using these types of scanners inside a corporate network will uncover more than just missing patches; these scanners can tell you about weak passwords on accounts, misconfigured settings on servers and workstations, as well as applications that have weak security. The reports that they generate are able to guide IT support teams in a prioritized manner so that they can fix the riskiest issues first and work their way down to items that don't pose immediate threats but should be resolved as part of good stewardship.
A full-fledged Vulnerability Lifecycle Management (VLM) process consists of several steps that we outline below:
Vulnerability scans are point-in-time glimpses at the configuration and patch levels of the computers in a network. Therefore, a good VLM process will have scheduled scans occurring frequently (monthly or weekly). New vulnerabilities appear every day, so an up-to-date view of the network you are protecting should come from automatic scans that run at a set frequency.
Vulnerability scanners can "enumerate" each computer on your network to see what services they are running and accepting connections for, as well as read the headers on those services to see what version is running. However, a much more powerful version of scanning for vulnerabilities involves providing the scanner with a user account so that the scanner can connect to each computer host and perform analysis on things like registry settings, applications, and sensitive data on the file system.
Once a vulnerability scan has been performed, the output needs to be reviewed and "ticketized": all vulnerabilities are sorted by host and a trouble ticket is entered, so that each computer has a list of patches and configuration settings ranked by severity (Critical, High, Moderate, Low, Informational). Ideally, the workflow manager should be connected to an asset inventory tool so that the information about each host is also stored in a way that allows a top-down look at each host to determine what its role is and what sort of risk exists due to its configuration and patch management status. IT support team members should then go about the remediation of each computer, again by criticality. A server that is Internet-exposed and has Critical vulnerabilities should be fixed immediately or taken offline, depending on use case and how sensitive the data is that is being stored, processed, or communicated. A printer that has an old version of SSH enabled but is buried deep within a corporate network would be less important.
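The "ticketizing" step described above can be sketched in a few lines of Python. This is an added example, not code from the original article or from any scanner vendor; the CSV columns, the asset inventory fields, and the rule that hosts missing from the inventory rank between exposed and internal hosts are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

SEVERITY_RANK = {"Critical": 0, "High": 1, "Moderate": 2, "Low": 3, "Informational": 4}

# Constructed scanner export; the column names are assumptions, not a real scanner format.
SCAN_CSV = """host,severity,finding
10.0.5.20,Low,SSH service reports an old version
203.0.113.10,Critical,Web server missing vendor security patch
10.0.1.15,High,Java runtime out of date
203.0.113.10,Moderate,Server setting misconfigured
10.0.1.15,Critical,Operating system missing security update
10.0.9.99,High,Account with weak password
"""

# Constructed asset inventory (hypothetical fields): role and Internet exposure per host.
ASSETS = {
    "203.0.113.10": {"role": "public web server", "internet_exposed": True},
    "10.0.1.15": {"role": "workstation", "internet_exposed": False},
    "10.0.5.20": {"role": "printer", "internet_exposed": False},
}

def build_tickets(scan_csv, assets):
    """Return one ticket per host, most urgent first, findings ranked by severity."""
    by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} for {row['host']}")
        by_host[row["host"]].append((row["severity"], row["finding"]))
    tickets = []
    for host, findings in by_host.items():
        findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
        asset = assets.get(host)  # a scanned host missing from inventory is itself a finding
        tickets.append({
            "host": host,
            "role": asset["role"] if asset else "UNKNOWN (not in inventory)",
            "internet_exposed": asset["internet_exposed"] if asset else None,
            "worst": findings[0][0],
            "findings": findings,
        })
    # Worst severity first; ties go to exposed hosts, then unknown hosts, then internal ones.
    exposure_rank = {True: 0, None: 1, False: 2}
    return sorted(tickets, key=lambda t: (SEVERITY_RANK[t["worst"]],
                                          exposure_rank[t["internet_exposed"]], t["host"]))

if __name__ == "__main__":
    for t in build_tickets(SCAN_CSV, ASSETS):
        print(f"[{t['worst']}] {t['host']} ({t['role']}, exposed={t['internet_exposed']})")
        for severity, finding in t["findings"]:
            print(f"    {severity:<13} {finding}")
```

With the sample data, the Internet-exposed web server with a Critical finding lands at the top of the queue and the internal printer with the old SSH version lands at the bottom, matching the prioritization the paragraph describes.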
After the VLM process has been established, scans have been performed, and vulnerabilities are getting fixed, it's very important to look at the metrics that your workflow manager can show you about the frequency of vulnerabilities, how fast they get fixed, and other important information. Some key questions that metrics should answer include:
In summary, enhancing your patch management process to include vulnerability scanning, a robust remediation workflow, and metrics-based decision support from data collection can do a lot more for your risk management than simply plugging holes whenever a software vendor produces a patch.
If your business or a client needs expert cybersecurity risk management that includes Vulnerability Lifecycle Management, please contact us today to schedule an engagement with Ingalls Information Security!
Join us next week when we discuss our bonus control.