While vulnerability management has been around for years, it remains a top issue for organizations. And while new vulnerability management tools are deployed regularly, they haven’t stopped attackers from exploiting vulnerabilities. The reality is that vulnerability management isn’t a technology problem. It’s a people and process problem.
Deploying tools is easy, but implementing the right strategy for your organization is a significant challenge. Worse, implementing a vulnerability remediation strategy that clashes with your organizational culture will fail to be effective. Consider how these strategies might fare at your organization.
1. The Fire Brigade
Strategy: Incident response. Treat vulnerabilities as incidents and respond to them individually, remediating quickly under pressure.
Organizational Profile: Do you know someone who works better with a deadline? Some organizations are the same way. If you work where people only really respond to emergencies, then tie vulnerability management to a tight deadline.
Pros: Fixing the highest-risk vulnerabilities is better than doing nothing.
Cons: Lots of residual vulnerability risk.
- This strategy is only going to hit the high-profile vulnerabilities, leaving lots of opportunity for attackers.
- Doesn’t address root cause. An incident response strategy is unlikely to affect the underlying causes of vulnerability proliferation within an organization.
- Potential for staff burnout. People eventually get worn out responding to emergencies.
2. Building Blocks
Strategy: Asset-focused. Identify the highest-risk assets and fix them first, regardless of specific vulnerability conditions.
Organizational Profile: Do you have system owners who largely correspond to assets? Can you identify an owner for most of the “boxes” on your network? If your organization builds processes around assets, this strategy may be effective.
Pros: Iterative improvement.
- As you address the highest-risk assets, average asset risk falls, so each round's top-ranked assets carry less objective vulnerability risk than the last.
- Positive feedback loop. System owners won’t want to regularly patch vulnerabilities individually and will seek ways to reduce work by making wholesale changes, such as retiring assets more efficiently.
- Aligned to the business. By prioritizing around assets with a business value, you are generally aligning risk reduction to the business.
Cons: Inefficient use of resources.
- Addressing individual assets ignores opportunities for systemic improvement.
3. Vulcan Logic
Strategy: Vulnerability-focused. Prioritize the vulnerabilities, fix the highest priorities first. Rinse and repeat.
Organizational Profile: Do you have effective workflow systems in place already? Can you assign a task and follow it to completion easily? If your organization is a well-oiled machine, start feeding that machine vulnerabilities.
Pros: Seriously effective at reducing vulnerability risk.
- If you can prioritize and fix vulnerabilities, you’ll reduce risk.
- Iterative improvement. Fixing highest-risk vulnerabilities first continuously reduces risk over time.
Cons: Only as good as the priorities.
- You can’t fix everything at once. Pick the wrong priorities, and you leave risk hanging around to be exploited.
- Potential whack-a-mole. You can hit high-risk vulnerabilities individually but miss opportunities to make systemic changes to reduce risk.
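An added example, not from the article, that ranks the same constructed scan findings two ways: by asset (Building Blocks) and by vulnerability (Vulcan Logic), and measures residual exposure after the first work items in each queue. Asset names, vulnerability ids and scores are made up; "exposure" is simply summed severity, a stand-in for whatever risk score your scanner produces.

```python
from collections import defaultdict

# Constructed findings: (asset, vulnerability id, severity score 0-10).
FINDINGS = [
    ("web-01", "VULN-A", 9.8),
    ("web-01", "VULN-B", 5.3),
    ("web-02", "VULN-A", 9.8),
    ("web-03", "VULN-A", 9.8),
    ("db-01", "VULN-C", 7.5),
    ("db-01", "VULN-D", 6.1),
    ("db-01", "VULN-E", 4.3),
    ("hr-01", "VULN-F", 10.0),
]


def asset_queue(findings):
    """Building Blocks: rank assets by total exposure; one work item = one asset."""
    totals = defaultdict(float)
    for asset, _, score in findings:
        totals[asset] += score
    return sorted(((a, round(t, 1)) for a, t in totals.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def vuln_queue(findings):
    """Vulcan Logic: rank vulnerabilities by severity, then by how many assets
    carry them; one work item = one vulnerability fixed everywhere it appears.
    The host count is what exposes the 'whack-a-mole' risk: a single fix that
    clears many assets versus many per-asset fixes of the same issue."""
    hosts, worst = defaultdict(set), {}
    for asset, vuln, score in findings:
        hosts[vuln].add(asset)
        worst[vuln] = max(worst.get(vuln, 0.0), score)
    return sorted(((v, worst[v], len(hosts[v])) for v in worst),
                  key=lambda t: (-t[1], -t[2], t[0]))


def risk_after(findings, done_assets=(), done_vulns=()):
    """Residual exposure once the listed assets or vulnerabilities are remediated."""
    return round(sum(s for a, v, s in findings
                     if a not in done_assets and v not in done_vulns), 1)


if __name__ == "__main__":
    print("asset queue:", asset_queue(FINDINGS))
    print("vuln queue: ", vuln_queue(FINDINGS))
    print("start:", risk_after(FINDINGS))
    print("after 2 asset items:", risk_after(FINDINGS, done_assets={"db-01", "web-01"}))
    print("after 2 vuln items: ", risk_after(FINDINGS, done_vulns={"VULN-F", "VULN-A"}))
```

With this data two asset work items leave 29.6 of 62.6 exposure, while two vulnerability work items leave 23.2, because one of them (VULN-A) clears three hosts at once; the asset queue, by contrast, would fix that same issue three separate times.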
4. The Hive
Strategy: Central analysis, distributed work. Information security performs analysis of the vulnerability scanning results and provides very directed remediation instructions to the larger organization.
Organizational Profile: Does your organization rely on a clear “tone from the top”? Is information security a centralized group in a distributed organization? If your organization operates with a clear chain of command, then focus on building the most effective analysis to reduce risk.
Pros: Systematic reduction of vulnerability risk.
- A well-executed centralized strategy can follow through on multiple steps without continuously explaining the plan to everyone.
- Consistency of risk. If the whole organization executes, then decisions can be made organization-wide. This can produce a very responsive information security practice.
Cons: Lowest common denominator execution.
- A centralized analysis may be less tuned to individual execution. The whole organization can only move as fast as its slowest parts.
- Poor analysis, poor results. A misstep in analysis at the top affects all areas, leaving room for systemic problems.
5. Board of Directors
Strategy: Distributed analysis and work, centralized tracking. Identify metrics for tracking progress overall, then allow each group within the organization the freedom to reduce vulnerability risk as they see fit.
Organizational Profile: Do the groups across your organization require autonomy? Is your organization metrics-driven? If your organization likes independence and a results-oriented approach, then focus on the metrics to drive outcomes.
Pros: Metrics-driven improvement.
- Choosing metrics that matter to the business can drive risk reduction that matters.
- With different groups executing differently, they can compete based on the metrics and drive improvement.
Cons: Bad metrics, bad results.
- If you choose metrics that don’t matter, you’ll end up with groups doing busy work rather than reducing risk.
- When groups compete, someone ends up at the bottom, which can create internal conflict.
6. Process Optimizer
Strategy: Reduce attack surface. Forget about vulnerabilities and focus on reducing the overall attack surface through aggressive implementation of least privilege and elimination of unnecessary services and systems. Measure the results with vulnerability risk metrics.
Organizational Profile: Does your organization fail to decommission systems effectively? Do people install whatever they want on their systems? If your organization’s digital clutter is its own biggest threat, then cleaning house can eliminate serious vulnerability risk.
Pros: Dramatic vulnerability risk reduction.
- Since vulnerabilities exist in applications, removing unneeded applications can dramatically reduce the number of vulnerabilities you carry.
- If you’ve removed an application from your environment, newly discovered vulnerabilities in that application won’t affect you.
- Focusing on configurations and reducing attack surface generally results in a better managed environment, which can drive cost-reduction, operational efficiency, and stability.
Cons: Limited duration of effectiveness and high-priority risk gap.
- Once you’ve removed unnecessary applications and hardened configurations, you’ll be left with the harder-to-address vulnerabilities in required systems.
- If you’re focused on eliminating attack surface, you might be ignoring serious vulnerabilities in critical systems.
There’s no perfect strategy for eliminating vulnerability risk. While employing the right tools helps, knowing how your organization operates is what will make the difference between an expensive product and an effective program.
Tim Erlin is VP of Product Management & Strategy at Tripwire. He previously managed Tripwire’s Vulnerability Management product line, including IP360 and PureCloud. Erlin’s background as a sales engineer has provided a solid grounding in the realities of the market, allowing …