Like death and taxes, evolving cyber threats are certain. So how do you reduce your risk and keep your organization out of the headlines?
First and foremost, be proactive. This means resolving your vulnerabilities before they can be exploited by adversaries. It also requires integrating cyber threat and vulnerability intelligence into your company’s daily network defense operations.
Transforming your existing threat defense program into a bona fide vulnerability management program doesn’t have to be complicated. In fact, we’ve compiled a six-phase, structured approach to designing, building, and implementing a vulnerability remediation program. Over the coming months we will cover each of these phases on this blog, providing expert advice and tips for successful implementation.
Successful Vulnerability Management Begins with Discovery
Building your vulnerability management program starts with identifying your internal and external asset presence and vulnerability posture. In particular, companies often don’t understand their external exposure and security flaws, which may lead to compromise. Weaknesses in externally-facing assets give attackers the upper hand. When the vulnerabilities are exploited, a common response is “I didn’t know this server, web application, etc. was part of our inventory!”
To combat this, work closely with your network operations team to understand your environment, both how it’s architected and how it’s implemented. Network topology, asset zoning, and the introduction of new devices are all key focus areas. Rob Joyce, former head of the NSA’s Tailored Access Operations group, put it this way in a widely cited talk: “You defend your network as it was architected; we attack it as it is implemented.” Other internal teams should be involved too, but the network operations group is a great starting point.
Next, what types of externally-facing assets should be covered by your VMP? These range from third-party web applications and externally-facing servers to cloud infrastructure and end-user devices. Third-party web applications often require direct communication with the vendor about their implementation process and application updates, and it’s imperative that those communications are monitored. If there is no clear communication channel between your organization and the vendor, an unpatched or misconfigured vendor application can go unnoticed and lead to a data breach, as attackers are always looking for new ways to gain access to your environment.
In the end, you need to identify assets and ensure they are included in your asset inventory and network topologies and evaluated for vulnerabilities at regular intervals. Once you’ve identified your assets, use tags and/or keywords to better understand your inventory and to make it easier to work with your operations teams on remediation efforts.
Tips for Comprehensive Vulnerability Discovery
In order for everything to come together successfully, there needs to be effective communication between all teams, which include but are not limited to: vulnerability management, the IT infrastructure team, threat intelligence, and the Security Operations Center (SOC). Coordinated efforts between these groups foster proactive insight into network changes and additional visibility into your environments. The following checklist can help you plan a robust discovery process:
- Engage resources to establish a repeatable process. Organizations that don’t have an established process for maintaining their inventory will have blind spots that leave them open to risks posed by known vulnerabilities on undocumented assets. To start, create an engagement process with all associated teams to obtain and maintain an accurate, complete inventory. Set goals and targets for increasing levels of asset awareness. Be sure that leadership from each team is involved throughout each step.
- Baseline current infrastructure capabilities. Inefficient inventory tools can hamper the identification and maintenance of an organization’s network assets, especially when inventory is spread across multiple in-house or third-party applications. Collaborate with internal teams (Network Engineering, SOC, IT Operations) to evaluate the tool sets and capabilities available within the organization. A gap assessment can help identify areas of improvement and highlight opportunities. Schedule time with leadership to discuss budgetary objectives and the importance of an accurate system inventory in reducing threat exposure.
- Customize the scanning configuration of current toolsets. When scanning tools have limited coverage, discovery falls back on manual effort that could be executed effectively through an automated process. Leverage a scanning tool that proactively scans your infrastructure and can integrate with your IP Address Management (IPAM) and Dynamic Host Configuration Protocol (DHCP) solutions, so that every address handed out or seen on the wire is compared against the documented inventory.
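As an added illustration of the reconciliation step behind this checklist (example code, not part of the original post), the following Python compares two observation sources, a DHCP/IPAM lease export and a discovery scan, against the documented asset inventory. Anything seen on the network but absent from the inventory is tagged for routing to the right operations team, and inventory entries no source observed are listed as possibly stale. All hostnames, addresses and ranges are constructed; 203.0.113.0/24 stands in for the organization’s public allocation.

```python
import ipaddress

# Constructed sample data (not from the post): the inventory as the operations
# team documents it, plus two sources that report what is actually on the
# network: an IPAM/DHCP lease export and a discovery scan.
INVENTORY = {
    "10.0.1.10": {"name": "intranet-web", "owner": "webteam", "tags": ["internal"]},
    "10.0.1.11": {"name": "build-srv", "owner": "devops", "tags": ["internal"]},
    "203.0.113.5": {"name": "vendor-portal", "owner": "procurement", "tags": ["external", "third-party"]},
    "10.0.9.4": {"name": "old-print-srv", "owner": "it-ops", "tags": ["internal"]},
}
DHCP_LEASES = [  # (ip, hostname) pairs as an IPAM/DHCP export would list them
    ("10.0.1.10", "intranet-web"),
    ("10.0.1.11", "build-srv"),
    ("10.0.1.57", "raspberrypi"),
]
SCAN_RESULTS = [  # (ip, open_ports) from a discovery scan of both address ranges
    ("10.0.1.10", [443]),
    ("203.0.113.5", [443]),
    ("203.0.113.9", [22, 8080]),
    ("10.0.1.57", [22, 80]),
]
# The organization's externally-facing address blocks (constructed; documentation space).
EXTERNAL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def reconcile(inventory, leases, scan):
    """Return (undocumented, stale): hosts observed on the network but missing
    from the inventory, and inventory entries that no source observed this cycle."""
    observed = {}
    for ip, host in leases:
        observed.setdefault(ip, {"sources": set(), "hostname": None, "ports": []})
        observed[ip]["sources"].add("dhcp")
        observed[ip]["hostname"] = host
    for ip, ports in scan:
        observed.setdefault(ip, {"sources": set(), "hostname": None, "ports": []})
        observed[ip]["sources"].add("scan")
        observed[ip]["ports"] = ports
    undocumented = {}
    for ip, info in observed.items():
        if ip in inventory:
            continue
        # Auto-tag so the finding is routed correctly: an address in a public
        # block is externally facing and goes to the top of the remediation queue.
        addr = ipaddress.ip_address(ip)
        tags = ["untracked", "external" if any(addr in n for n in EXTERNAL_RANGES) else "internal"]
        if info["ports"]:
            tags.append("exposed-services")
        undocumented[ip] = {**info, "sources": sorted(info["sources"]), "tags": tags}
    stale = sorted(ip for ip in inventory if ip not in observed)
    return undocumented, stale
```

Run the reconciliation on each discovery cycle and feed the tagged findings into the same ticketing flow the operations teams already use for remediation.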
Transforming security programs to be proactive takes time, resources, and skills that some teams do not currently possess. Rather than struggle through the process alone, many organizations turn to experienced consulting firms skilled in vulnerability management, such as Revolutionary Security. By utilizing a proven methodology and knowledgeable consultants to drive the process, organizations typically find the timeline to be shorter, gain stronger buy-in among stakeholders, and achieve better results than if they had ventured through the process themselves.