As with any vulnerability management process, identifying and categorizing vulnerabilities is the place to start, but it’s only just that—the start. Your team needs to effectively assess and articulate the risk, then work with appropriate stakeholders to mitigate and/or remediate within an appropriate timeline.
Once you’ve collected the vulnerability data, you need to assess it against your environment and apply intelligence to the findings. A successful assessment includes three must-haves: detailed findings, appropriate research, and business risk analysis. Combined, they inform mitigation and remediation reporting which will reduce your overall risk exposure.
Here are the key components to a successful assessment:
1. Ensure detailed findings
Assess what, when, and how you’re scanning to ensure proper coverage of all your assets. Success is complete visibility! Here are some important considerations.
- Identify what you’re scanning and ensure you’re engaged with the proper teams prior to scanning (leverage information gathered during the Discovery phase).
- External visibility is important. Collaborate with stakeholders from your IT Operations and Network teams for an up-to-date list of all external-facing assets. As new devices are introduced, the vulnerability management team needs to be part of that process.
- How often are you scanning? Continuous scanning is ideal but not always practical. Review available features of your current scanning tool set. An effective alternative to daily scanning is to install agents to get live pictures of what’s installed on the host.
- Are there exclusions? Put policies in place to address and protect the critical assets you can’t scan so that they are still accounted for in your coverage. Maintaining an exclusion list and conducting a quarterly review of those devices is a great first step.
Collect the right information
- Understanding your internal inventory tools is essential to gathering the data prior to scanning. Collaborate with your IT Operations teams to collect and review the data. This includes Configuration Management Databases (CMDBs), patching infrastructure (e.g., Microsoft Systems Center Configuration Manager [SCCM], Red Hat Satellite data), etc.
Understand asset criticality
- Work with your Network Architecture teams to understand your environment topology. Not all assets have the same criticality. Understanding the network will set you up for success when working with teams on remediation efforts.
Do not interrupt operations
- Internal assets aren’t all created equal. Scanning ranges should include all practical on-network assets, as well as those that might be “air-gapped” but situationally connected to the network. However, it’s common for older applications and legacy software products to hang or crash in the face of a standard vulnerability scan – and if OT assets reside on your network, this requires an exceedingly careful and thorough process to ensure that critical processes are safe and stable while being scanned (if that’s a practical option). Tailoring scan profiles to assets ensures that security is preserving and not destroying business value.
Mobile Endpoints: Organizations often fail to patch the workstations of remote employees in a timely fashion. A lot of attacks start with phishing emails, and endpoint/mobile workstations are a common target. Because laptops aren’t always connected, it can be challenging if not impossible for a scanner to reach the host. Installing an agent on these endpoints to get a continuous system view will help address this issue. However, to ensure you do not interrupt or burden employee productivity, formalize a plan with IT Operations for installing agents on devices. Devices that allow removable media and store sensitive data locally can also pose a large risk: are they missing a patch?
2. Conduct appropriate research
Research the discovered vulnerabilities and proposed solution(s) to ensure effectiveness and avoid service disruption or unstable operating conditions. If it’s a new, recently published vulnerability, information will be limited because many vulnerability scanning tools will still be updating their knowledge bases with the recent advisory. In this case, it helps to have a team that can manually assess the vulnerability and how it impacts the environment without relying exclusively on a tool to publish the information.
For these reasons, it’s important to stay up-to-date on vulnerabilities by:
- Collaborating with Security Operations Center (SOC) and Cyber Threat Intelligence (CTI) teams. In addition, leverage the Networking team to understand the impact of the asset’s current location within your environment.
- Subscribing to industry blogs, vendor advisories, and intelligence alerts, including:
  - Setting keyword alerts on Twitter for newly published vulnerabilities; many security researchers post their latest discoveries on this platform.
3. Analyze risk
Scope the vulnerability remediation solution with consideration for security patches, upgrade paths, configuration changes, and layers of mitigating controls.
Apply your own analysis of the vulnerability by scoring it with the CVSS model against your environment. Just because an advisory says the CVSS score is a 9.8 does not necessarily mean 9.8 is the appropriate score if the impacted asset is in an isolated network behind multiple firewalls. For this to be successful, it’s imperative you have individual(s) who understand the CVSS scoring model and can assess it against your environment. As of this publication, CVSS 3.1 provides a method for adjusting criticality based upon temporal aspects of the vulnerability and the environmental context of the asset, but the security professional performing the analysis needs a solid understanding of both technical and business risk.