Most organizations have more vulnerabilities than can be fixed at current resource levels. Halfway through 2018 the NVD is on pace to match the historic 20,000 published CVEs in 2017.
A perfect storm of circumstances can make it difficult for your threat and vulnerability management program to maintain a good security posture. Multiple scanners are required to get full coverage, which in turn piles on the work. The sheer quantity of patches, configuration changes, and code changes is daunting. Automated patch management solutions are limited by the risk of downtime, so human intervention is required for many configuration and code changes.
The growth of the cybercrime industry requires companies to accelerate the vulnerability fix cycle. Exploits come out ever faster, as malicious actors take advantage of known vulnerabilities that organizations have not yet fixed.
Organizations that prioritize vulnerabilities based on risk will maximize security resources. There’s no perfect intelligence on new exploits, and lessening the risk doesn’t mean the risk is gone. However, risk-based approaches to threat and vulnerability management offer the best path forward when vulnerabilities pile up and resources are limited.
Keeping up with a blizzard of vulnerabilities and exploits requires closing the remediation gap, or the time to remediation. The fundamental challenge lies in expedient remediation for every fix. Your organization will want to get through a litany of remediation workflows quickly to minimize effort. Nonetheless, every vulnerability requires decision and possible subsequent effort.
Five Phases of the Vulnerability Management Process
We recommend your organization implement the following five-phase vulnerability management process in managing the vulnerability life cycle:
- Correlation & enrichment
In addition, these five goals help document each phase of the vulnerability management lifecycle:
- Identify the key stakeholders and systems involved
- Determine what policies have bearing in each phase
- Define the inflection points where a decision must be made
- Define the junctures where communication must occur
- Establish output destinations for the data flow
Move a Mountain of Vulnerabilities
Processes that look good on paper may break down in the face of real world challenges. In your organization, different departments may own responsibility for remediation, and they each may use separate systems. Uptime may be prioritized quietly over patch management without notification of exception requests. Code changes need to be vetted in the software development life cycle (SDLC) before being released into production. Configuration changes need to be evaluated for potential impact to running systems.
Implementation of a complete vulnerability management process is a challenge that is made easier by security orchestration tools – a topic for a future post. Defining a complete security orchestration process will help you move mountains.