However, remediation on assets with lower criticality should not be ignored or postponed indefinitely. As the earlier example of coupling and interdependencies showed, everything is tied to everything else, so every risk eventually needs to be addressed.
Indeed, all assets contribute to the overall operational risk, and a remediation effort should always seek to minimize that overall risk. Asset owners are responsible for the asset, its associated risk, and the consequences if that asset is compromised. Clear responsibility is a driving factor for the success of a vulnerability management program: orphaned assets and their vulnerabilities will be forgotten and become a nameless risk unless specific individuals within the organization are responsible for them.
The third step is to establish a consistent scanning cadence. Recurrent scanning lets asset owners track the progress of remediation, recognize new risks, and re-prioritize remediation based on updated information. The fourth step is to establish remediation timelines. These timelines need to take into account the magnitude of the impact if an attacker exploits a known vulnerability: high-impact flaws should be remediated as fast as possible, and the program should also provide mitigation measures for the cases where a vulnerability cannot be remediated within the defined timeline.
A remediation exception process documents the accepted risk and sets a timeline for eventually remediating the vulnerability. These are the basics for any security program; without them, attackers get in and leverage the initial breach to attack other systems, causing even greater damage.
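The four steps above (named asset owners, recurrent scanning, impact-based remediation timelines, and time-boxed exceptions) as a small finding tracker. This is an added example, not code from the original article: the SLA table, asset inventory, exception register and scan exports are constructed for illustration, and real scanner exports differ in format and field names. Findings are keyed by asset and finding ID across scans so their first-seen date survives re-scans, the remediation window depends on both severity and asset criticality, a finding on an asset missing from the inventory is flagged as unowned rather than silently dropped, and an exception only suppresses a finding until its expiry date.

```python
"""Track findings across recurrent scans, apply remediation SLAs by impact and
asset criticality, and honour time-boxed remediation exceptions.

Added example, not code from the original article. The SLA table, asset
inventory, exception register and scan exports below are constructed for
illustration; real scanner exports differ in format and field names.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed SLA table: remediation window in days keyed by
# (finding severity, asset criticality). Nothing maps to "never".
SLA_DAYS = {
    ("critical", "high"): 7,  ("critical", "medium"): 14, ("critical", "low"): 30,
    ("high", "high"): 14,     ("high", "medium"): 30,     ("high", "low"): 60,
    ("medium", "high"): 30,   ("medium", "medium"): 60,   ("medium", "low"): 90,
    ("low", "high"): 90,      ("low", "medium"): 180,     ("low", "low"): 365,
}

# Constructed asset inventory: each asset has a named owner and a criticality tier.
ASSETS = {
    "web-01":  {"owner": "app-team",   "criticality": "high"},
    "db-01":   {"owner": "dba-team",   "criticality": "high"},
    "kiosk-7": {"owner": "facilities", "criticality": "low"},
}

# Constructed exception register: accepted risk must carry an approver and an expiry.
EXCEPTIONS = {
    ("kiosk-7", "F-1002"): {"approved_by": "ciso", "expires": date(2024, 9, 1)},
}

# Constructed scan exports, oldest first: (scan date, [(asset, finding id, severity)]).
SCANS = [
    (date(2024, 6, 3), [
        ("web-01", "F-1001", "critical"),
        ("db-01", "F-1003", "high"),
        ("kiosk-7", "F-1002", "medium"),
    ]),
    (date(2024, 7, 1), [
        ("web-01", "F-1001", "critical"),   # still present after 28 days
        ("kiosk-7", "F-1002", "medium"),    # covered by an exception
        ("kiosk-7", "F-1004", "low"),       # new this scan
        ("legacy-9", "F-1005", "high"),     # asset missing from the inventory
    ]),
]


@dataclass
class Finding:
    asset: str
    finding_id: str
    severity: str
    first_seen: date
    last_seen: date


def merge_scans(scans):
    """Fold chronological scans into one finding per (asset, id), keeping the
    first_seen date so a finding's age is not reset by every re-scan."""
    findings = {}
    for scan_date, rows in scans:
        for asset, finding_id, severity in rows:
            f = findings.get((asset, finding_id))
            if f is None:
                findings[(asset, finding_id)] = Finding(asset, finding_id, severity, scan_date, scan_date)
            else:
                f.last_seen = scan_date
                f.severity = severity  # scanners may re-rate a finding between runs
    return findings


def triage(findings, latest_scan, today):
    """Return (asset, owner, finding id, status, due date ISO) rows, most urgent first."""
    rows = []
    for f in findings.values():
        # An asset missing from the inventory has no owner; assume the worst
        # criticality so the gap surfaces near the top of the report instead of hiding.
        asset = ASSETS.get(f.asset, {"owner": "UNASSIGNED", "criticality": "high"})
        due = f.first_seen + timedelta(days=SLA_DAYS[(f.severity, asset["criticality"])])
        exc = EXCEPTIONS.get((f.asset, f.finding_id))
        if f.last_seen < latest_scan:
            status = "resolved"          # absent from the newest scan
        elif exc and exc["expires"] >= today:
            status = "excepted"          # accepted risk, only until the exception expires
            due = exc["expires"]
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        rows.append((f.asset, asset["owner"], f.finding_id, status, due.isoformat()))
    order = {"overdue": 0, "open": 1, "excepted": 2, "resolved": 3}
    rows.sort(key=lambda r: (order[r[3]], r[4]))
    return rows


def run_example():
    """Triage the constructed scans as of the day after the latest scan."""
    latest = max(scan_date for scan_date, _ in SCANS)
    return triage(merge_scans(SCANS), latest, today=latest + timedelta(days=1))


if __name__ == "__main__":
    for asset, owner, fid, status, due in run_example():
        print(f"{status:9} {asset:9} {owner:11} {fid:7} due {due}")
```

Once an exception's expiry passes, the finding falls back to the ordinary SLA computed from its original first-seen date, so an expired exception on an old finding shows up as overdue rather than quietly disappearing; that is the behaviour a remediation exception process needs in order to stay time-boxed.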
Vulnerability scanning is typically performed by the IT department of an organization or by a third-party security service provider.
You are responsible for the vulnerability management program within your organization. You work hard at it, but you never seem to get ahead.
You are not alone. Trust me. There are many people in many organizations who feel this way about their program. When I was working as the security operations prime, I helped to implement the first vulnerability scanner there.
I can assure you that there were days when I felt I would have more success pushing water uphill. Teaching for SANS over the past ten years has let me talk with a lot of students from a lot of organizations.
And for the past few years, vulnerability management has been the main focus of those discussions. Based on my experience and these conversations, I have developed the following axiom: Say it in your best Gandalf voice, when he is on the bridge with the demon in Lord of the Rings: The Fellowship of the Ring. Why do I believe that? Vulnerability management is a continuous activity. It will never end, so how can you win at it?
Just when you think you have gotten rid of all the problems in your environment, new ones appear. Just when you think you have resolved the process problems, new processes come along. There are always new people coming into the organization who need guidance on the policy suite. The model was released in poster form in May and has generated a bunch of interest. Yes, the poster does have a CISO mind map on the other side, but that is the back.
Really, it is. You can download a copy of the poster HERE. It does make a great decoration for your office walls. David Hazar (hazardsec) and I spent the time and effort to put together a roadmap that people could use as a reference for their organization, based on our experiences and the material in our course, MGT Managing Security Vulnerabilities: Enterprise and Cloud. Getting into the meat of the model, it is broken down into five focus areas. The tasks and activities that are part of a vulnerability management program fit across these five sections.
The first focus area is dedicated to what we need to make sure is in place for a successful vulnerability management program. The second focus area comes down to how we find the vulnerabilities within our organizations. We have three sub-groupings in this section: Automated, Manual, and External.
The third focus area is all about the data: how to look at, categorize, and prioritize the identified vulnerabilities. It has two sub-areas, Prioritization and Root Cause Analysis (can you tell we have done project management before?). Once we have the information in hand, the fourth focus area comes into play: we take all the data we have and pass it along to others who need it, in a usable format.
Finally, the fifth focus area is the part where all the work gets done to fix the problems we have. Or are you trying to avoid answering those emails? But I digress. We have these focus areas built around the PIACT process, which is all fine and great, but where are these different maturity levels, you ask? (Yes, that was your outside voice.) Each of the focus sub-areas has a description for each of the five levels in the model. The levels of maturity that we defined are:
Call them A through E or Bob through George.
With a strong vulnerability management program in place, businesses can better address the risks they face not only today but well into the future.
Vulnerability Management Program Framework: Helping you identify, classify, remediate, and mitigate vulnerabilities before attackers do.
What is a vulnerability management program framework?
The four steps of a vulnerability management program
A vulnerability management solution automates much of this process, which is typically broken down into the following four steps.
Identifying vulnerabilities
The first and most essential step in any vulnerability management process is to bring to light all of the vulnerabilities that may exist across your environment.
Depending on the vulnerability in question, treatment usually proceeds along one of the following three paths:
Remediation: Fully fixing or patching a vulnerability so that it cannot be exploited. This is usually the preferred option whenever it is possible.
Mitigation: Reducing the likelihood or impact of exploitation without fully fixing the flaw. This should be temporary, buying time for the organization to eventually remediate the vulnerability.
Acceptance: If a vulnerability is deemed low-risk, or the cost of remediating it far exceeds the expected cost of its exploitation, an organization may choose to take no action to fix it.
Reporting vulnerabilities
Improving the speed and accuracy with which you detect and treat vulnerabilities is essential to managing the risk they represent, which is why many organizations continually measure and report on the efficacy of their vulnerability management program.
Four tips for a better vulnerability management program
Conduct comprehensive scans. Your vulnerability management program should provide visibility into your entire attack surface, including the cloud, and automatically detect devices as they connect to your network for the first time.
Continually assess your vulnerabilities. Infrastructures and applications can change daily or even hourly, so you must continually scan your environment to identify new vulnerabilities as early as possible. Many vulnerability management solutions include endpoint agents and other integrations that provide a real-time view of vulnerabilities across your environment.