Vulnerability Management: A guide for buyer

Finding and fixing these vulnerabilities before the attackers can take advantage of them is a proactive defensive measure that is an essential part of any security program.

Rapid7 Jan 18th 2018 A-A+

Exploiting weaknesses in browsers, operating systems, and other third-party software to infect end user systems is a common initial step for security attacks and breaches. Finding and fixing these vulnerabilities before the attackers can take advantage of them is a proactive defensive measure that is an essential part of any security program.

Vulnerability management (VM) is the process of identifying, assessing, and remediating vulnerabilities based on the risk they pose to your organization. With increasingly complex IT environments, vulnerability scans can produce an overwhelming amount of information. Filtering through results to find the true risks that matters to your business can be a challenging and time-consuming task. A good VM solution does more than just scanning, it also helps you prioritize vulnerabilities to drive effective risk reduction.

Effective VM Program; four essential components:

Prepare: Start by defining the scope of your VM program, including what you will scan, how, and how often. You also need to identify what are the most important assets, who owns these assets, and where they are located.

Assess: Scan your network for vulnerabilities, insecure device and software configurations (or “misconfigurations”), compliance with internal and external security policies, and other mitigating controls in place.

Remediate: Prioritize vulnerabilities for remediation based on information about the threat landscape and how critical the asset is to the business, and then communicate the effort required to the person doing the remediation.

Track Progress: Finally, you need to know how you’re doing to improve the effectiveness of your VM program. You can do this by establishing a baseline, setting metrics for success, and tracking progress towards your goals

Key Components

Solution architecture: The solution architecture lays the groundwork for your VM program and can affect your ability to optimize scanning performance and quickly scale your deployment.

  • Flexible Deployment: Every organization’s systems and network infrastructure are different; your VM solution should provide flexible deployment options and full control over scanning. The ability to optimize your VM solution for your organization’s specific needs is critical for increasing the speed and accuracy of your assessments.
  • Distributed Scanning: Managing scans from a central location and aggregating scan data increases your VM program’s efficiency and reduces impact on your network. A distributed architecture includes a central console for managing operations, reporting, and administration, with multiple remotely deployed scan engines to cover the entire IT environment.
  • Internal & External Scanning: Internal scanning assesses the security of your network from inside the firewall; external scanning is performed remotely from the outside. Using both internal and external scanning gives you a complete view of your organization’s risks.
  • Endpoint Monitoring: As more organizations have focused on securing their servers, attackers have adapted by targeting users and endpoints. Endpoints and users are a difficult area of the network to manage, especially for companies with remote workers or contractors who rarely connect to the network. A VM solution should continuously monitor these devices even when they are off the network, typically through the use of agents, which need to be easy to install and lightweight so as not to take up much network bandwidth.
  • Scalability: As your environment grows, your VM solution also needs to grow, quickly and easily. Ideally, you should be able to increase capacity by adding scan engines to your existing deployment at little or no additional cost.

Scanning: Vulnerability scanning is an important technology for identifying risks in your environment, but an effective security program requires a comprehensive solution that does more list vulnerabilities.

  • Discovery: You need to know what assets you have before you can assess and manage the risk they pose. Scanning your entire network to discover and inventory all assets, including their OS, applications, and services, is foundational to an effective VM program.
  • Unified Vulnerability & Configuration Assessment: Finding assets, vulnerabilities, and misconfigurations in a single assessment scan minimizes impact on your network, gives faster scan times, and reduces management overhead. The solution should provide unified user interface and reporting for vulnerability and configuration assessments for a complete view of your security risk and compliance posture.
  • Authenticated Scans: Deep scanning using credentials to authenticate into assets gives you greater visibility into risks and provides additional information such as device configurations. Look for a solution that supports authenticated scans with a wide range of OS, database, network, and application layer credentials.
  • Virtual & Cloud Environments: Virtualization and cloud technologies enable organizations to spin up assets on demand, but pose a challenge as many solutions don’t differentiate scanning of real and virtual assets. The solution should be able to dynamically discover and assess the risk of virtual and cloud assets to secure these environments.
  • Network Changes: Most organizations perform monthly or quarterly vulnerability scanning; however, modern networks change minute to minute, with new devices joining the network and new vulnerabilities being released outside of regularly scheduled windows. An effective VM tool will be able to detect new devices and vulnerabilities between your scheduled scans, with minimal false positives.
  • Scanning Frequency: Changes in your network are occurring frequently. By establishing a regular scan schedule, you can ensure that security risks are found and fixed in a timely manner.

Prioritization and remediation: A common challenge among security teams is determining which vulnerability and assets to focus on first and establishing an effective workflow to address them as soon as possible.

  • Risk Scoring: With vulnerabilities in an organization reaching thousands or even millions, you need an advanced risk scoring algorithm to determine which systems to fix first. Simply using the industry standard CVSS is not sufficient for effective prioritization. The risk score should incorporate threat metrics such as exposure to exploits and malware kits, and how long the vulnerability has been available.
  • Business Context: An effective vulnerability prioritization approach requires additional information about your assets, such as where it’s located, what is its role, who owns it, and its relative importance. The solution should also be able to automatically modify risk score based on an asset’s criticality.
  • Vulnerability Validation: Combining scanning with penetration testing allows you to validate whether the identified vulnerabilities pose actual risk to your organization. The integration between VM and penetration testing solutions should be automated and data should flow seamlessly between the two.
  • Remediation Planning: After you find and prioritize risks, someone needs to fix them. For an efficient remediation workflow, use reporting that allows you to create a plan for the top steps to reduce overall risk. This should include the actions required in language that the person performing the remediation will understand, time required for completion, and related patches, downloads, and references.
  • Remediation Assignment: Who performs remediation can depend on where the asset’s located, its role and who owns it. A delay between finding the risk and assigning remediation tasks means the asset is unprotected for longer. Remediation plans should be automatically sent to the asset owner according to the business context.

Reporting: Vulnerability scans can product an overwhelming amount of information so it’s important to be able to identify what’s really important, and present it in a clear, concise and actionable format.

  • Consolidated Reporting: By aggregating data collected from every scan engine to consolidate for reporting, you can centrally manage the prioritization and remediation workflow, as well as analyze security risk and compliance trends.
  • Report Templates & Customization: Out-of-the-box report templates should be available to meet a variety of users’ needs, such as executive level reports to show the risk posture across the organization and IT operations level reports to detail remediation steps. The templates should be fully customizable and support a variety of formats.
  • Report Scheduling & Distribution: The faster reports are sent, the quicker vulnerabilities are fixed. The solution should allow reports to be generated and distributed ad hoc, automatically after every scan, or on a regular schedule, allowing you to specify who the reports are delivered to via email, as well as who can access them via the interface.
  • Asset and Vulnerability Filtering: Which systems may be affected by a new “zero-day” vulnerability? Asset and vulnerability filtering can be used to answer complex security questions and quickly gain insight into risks across your organization. Be able to filter vulnerabilities in reports by both severity and categories based on platform, software, protocol, vulnerability type, and service affected.
  • Asset Groups: Assets in the solution should be able to be grouped by technical attributes such as the operating system installed, or user-defined attributes such as location, owner and criticality. Look for a solution that provides the ability to dynamically update these groups based on newly discovered assets.
  • Dashboards: Vulnerability data provides a lot of information about risks present within your network, but visualizing and acting on that information can be a challenge. Dashboards help technical and non-technical team members understand at a glance how vulnerabilities are affecting security. Effective dashboards are easily customize-able and query-able, and update as information is identified.

Compliance and configuration assessment: Insecure configurations and missing controls are a leading source of risk, which is why some VM solutions also provide the ability to scan for configurations, controls, and policy compliance.

  • Compliance Assessment: Vulnerability assessment is a key requirement for many security standards and regulations, for example Payment Card Industry Data Security Standards (PCI DSS). Pre-built scanning and reporting templates makes the process of showing compliance with such policies easy and efficient.
  • Configuration Assessment: Ensuring your systems are configured securely according to industry benchmarks and best practices is a critical component in a unified security assessment solution. Configuration and compliance assessments should be performed at the same time as vulnerability scanning with the results presented in a unified interface.
  • Controls Assessment: Most organizations invest significant amounts of time and resources into putting mitigating controls in place to defend against the real and current threats they face. Look for a VM solution that goes beyond compliance to monitor the effectiveness of your controls.

Administration

  • Role-Based Access: Different groups of users within your organization may need different levels of access to scan data. The solution’s role-based access controls (RBACs) should support pre-defined roles, the ability to modify or add new roles, and the set permissions for functionality such as modifying scan configuration, asset grouping, reporting, and other administrative functions.
  • Exceptions Management: Occasionally you’ll come across a vulnerability that either cannot be fixed or is considered an acceptable risk to the business.
  • Application Updates : Regular application updates ensure that you can take advantage of the latest features and performance enhancements. Choose between automatic and manual updates, with a process for updating the application in offline environments.
  • Coverage Updates: To keep up with a constantly changing threat landscape, you’ll need a VM solution that provides frequent updates for new vulnerability checks.

Integration

  • Virtual and cloud environments: You can integrate your VM solution with virtual and cloud platforms such as VMware and Amazon Web Services (AWS) to enable dynamic discovery and assessment of assets in these environments. Look for a vendor that is officially certified by the virtual or cloud platform provider, and offers pre-built integration for quick and easy setup with reduced management overhead.
  • IT Security Solutions: Many VM solutions provide pre-built integrations with other security solutions in your environment, such as network topology tools, IDS/IPS, IT GRC and SIEM products. These integrations can provide centralized reporting and management, and the ability to correlate additional contextual information about an asset to increase alert accuracy and reduce false positives.                                      
  • Enterprise Ticketing System: If your organization already uses a ticketing system like ServiceNow, then integration allows you to leverage your existing service request workflow for vulnerability remediation. This enables your IT operations team to quickly resolve or escalate issues, and the business to track their progress.
  • Custom Integrations: In some situations, you may need to develop a new integration or make enhancements to an existing integration for your organization’s specific requirements. Your VM solution should provide access to a two-way public API with all major functionality available through the interface.

Vendor

  • Market Analysis: Choose a vendor that is well-known and proven in the industry. Market research organizations and industry publications like Gartner and SC Magazine provide analysis and comparisons of VM solutions. Look for a vendor who is consistently rated an industry leader in the last few years.
  • Company Focus: For a best-of-breed solution, choose a vendor that is committed to VM as a core product offering and not just as an acquisition for their portfolio. They should be continuously investing in innovations in this space and be able to articulate their product roadmap and vision for future developments.
  • Customer Satisfaction: Not all customer supports are created equal. Look for vendors that offer a 24x7 two-tier support model to ensure that your issues are resolved by the first person you talk to as much as possible. Ask to talk to or get references from the vendor’s other customers with businesses similar to yours.
  • Training & Certification: Formal product training and certification can help you get the most out of the product, reduce time spent troubleshooting, and drive greater productivity. Certifications also help your organization identify prospective employees who are able to get up and running with your VM solution sooner.
  • Managed Services: Professional managed services can help you maximize your return on investment by tweaking your deployment, scan configuration, processes and reporting to meet best practices. They can also help you build custom scripts, interfaces and integrations for your organization’s specific requirements.