Defining Vulnerability Management

Vulnerability Management is a cybersecurity operation that checks for vulnerabilities in the current technology stack of drivers, operating systems, and applications so that risk treatment can be conducted.

You need a vulnerability management program to accurately identify risk.

Two ways of determining cybersecurity initiatives:

  1. What everyone else is doing
  2. What your risk priorities are

If you want a cybersecurity strategy that is not based on what everyone else is doing (option 1), but instead really gets to the heart of identifying and reducing prioritized risks (option 2), then you need a way of defining, identifying, measuring, and prioritizing risk.

This is where vulnerability management plays a key role.

Defining Risk

There are many ways of defining ‘Risk’. As the cybersecurity industry matures, we continue to get closer to a definition that we all agree on. Without defining this word, ‘Risk’, it will continue to be thrown out like Tootsie Rolls at a parade – cheap, tasteless, and without intention. (Sorry to any of you Tootsie Roll fans).

To build a mature cybersecurity program with intention, we need to anchor the program on a foundation whose components are clearly defined.

I offer my formula for defining risk as:

Risk = Data (value) x Threat x Vulnerability

This formula is straightforward, makes sense, and can be easily used in a qualitative matrix. It has stood the test of time for me, but I’m always willing to change it if I learn of one that works better (without needing a degree in computational mathematics).

This formula requires three inputs:

  1. Data (value)
  2. Threats
  3. Vulnerability

This article is focused on why you need a vulnerability management program and how that program supplies the vulnerability data needed to complete the risk formula, maturing toward a risk-based cybersecurity program. I will only lightly touch on the other two inputs here and intend to publish a specific article on each one.

Data (value)

Data (value) answers the question, ‘What is your most valuable data?’ This question should be answered by the business, not by the cybersecurity resource. I recommend using the answers to propose a ‘Data Classification Policy’ that lists which data within the organization is:

  • Restricted
  • Sensitive
  • Public

Investing the time in Data Classification gets you executive acceptance of which data the business classifies as restricted, which in turn allows you to begin the exercise of:

  • Identifying where that data is, creating a data map.
  • Measuring how much of the data you have (either by record count or by disk volume).
  • Identifying the users that have access to this restricted data and assigning them a higher user risk classification.
  • Identifying the assets that store, process, or communicate this data and assigning them a higher risk ranking.

Threats

Threat is looking at the cyber landscape and answering the question, what types of attacks are companies like ours (based on geography, size, revenue, culture, and industry) getting hit with?

I have found this threat data is best communicated and organized on a four-quadrant matrix with one axis being impact and the other axis being likelihood. Then plot all the threats that are currently relevant onto the matrix. I call this a ‘Threat Matrix’.

Now, based on that high level information, you’ll have two of the three components you need to finish your risk equation.

It’s important to note that risk changes. It is dynamic in nature, just like the stock market. You’ll have to pick a cadence for updating this risk equation based on the resources you have and the cybersecurity maturity you want to attain. At a minimum it should be once a year; at the high end you’ll have automation updating it by the minute.

Vulnerabilities

Here is where vulnerability management plays a critical role. This brings us back to the original question, why do you need a vulnerability management program?

The simple answer is that you need a vulnerability management program to identify cybersecurity risk.

The deeper value is that by building a ‘vulnerability management program’ rather than a vulnerability scanning process, you address the full life-cycle of vulnerabilities.

Asset Inventory

It starts with having clarity on your asset inventory. We at Asher Security leverage Qualys as the platform of choice. Qualys has a suite called ‘CyberSecurity Asset Management’, or ‘CSAM’ for short. It provides us, as cybersecurity experts, a way to ensure – let me say that again – ENSURE – we know what assets we have. As you’ve heard before, you can’t protect what you don’t know about. CSAM allows us to do that. We combine three disciplines:

  1. An authoritative IP list / platform / database from the technology manager.
  2. Qualys active asset scanning of the IP ranges, identifying and comparing anything not in the existing IT asset database.
  3. The Qualys passive agent, which identifies sources and destinations that are not listed in our IT asset manager.

Credentialed Scanning

Set up and assign credentials to your vulnerability scanning agents so they have the visibility they need to see the vulnerabilities a logged-in user would see. We call this ‘credentialed scanning’.

The other way is not providing credentials and seeing what a hacker would see without login credentials. This is not ideal and will greatly limit the vulnerability data you receive. In addition, it’s a poor practice to assume a malicious attacker will have access to your network but not have any user identity access. The majority of attacks today involve hackers gaining access to user accounts first, then pivoting through the network and resources. The benefit of credentialed scanning is that if you have implemented the principle of least privilege but you identify a ‘privilege escalation vulnerability’ on a server, you can identify and prioritize the risk treatment.

Schedule

The basic way of scanning is grouping assets into ‘asset groups’ and scheduling the vulnerability scan during a time window on a recurring basis (weekly, bi-weekly, or monthly). The new and improved way is agent based. This technology provides real-time vulnerability data and is called ‘continuous’. If you decide to run a schedule, decide whether you want a pre-patch or post-patch schedule for the technology you’re scanning.

Ownership

The greatest benefit of a good vulnerability management program is assigning risk ownership.

The old way was cybersecurity taking responsibility for vulnerability scanning and also owning the responsibility for remediating all the risks.

The new way is integrating the vulnerability platform into a CMDB, where asset owner information can be queried and tickets can be created. The tickets can then be assigned to the asset owner instead of remaining the responsibility of cybersecurity.

The next way, arriving as we speak, is that the roles of vulnerability management and patch management are being combined. Patching is expected. The risk cannot tolerate waiting for reports to be disseminated, reviewed, and questioned by the business. It’s going to be immediate. Instead of the business being asked to patch, they are going to be burdened with fixing the asset if a patch takes it down.

Prioritization

The final benefit of a vulnerability management program is prioritization.

There are several ways to prioritize. My two favorite ways are:

  • Severity
  • Frequency

Severity means prioritizing the vulnerabilities based on their severity score, either CVSS or using the Qualys score. This is impacted by criticality, available exploits, and activity in the wild.

Frequency means what vulnerabilities are most widespread and prevalent across the environment. Patching a single vulnerability can result in a great risk reduction companywide.

The other way to prioritize brings us back to the risk-based cybersecurity program. In this situation we want to prioritize vulnerabilities that have a high risk ranking. Again, they have a high risk ranking because the assets the vulnerabilities exist on are storing or processing valuable data. So, by addressing these vulnerabilities, we get the greatest risk reduction.

Another way to prioritize vulnerabilities is based on the threat profile you created. If you know ransomware is one of the highest threats on your impact/likelihood matrix, then prioritize the vulnerabilities that could lead to a ransomware attack. This can be based on what the ransomware flavor of the week is taking advantage of, the age of the vulnerabilities (older than six months gets higher priority), or the technology affected (for example, a certain version of Windows).
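The risk formula from earlier (Risk = Data (value) x Threat x Vulnerability) and the four prioritization approaches above, put into working code as an added example; this is not code from the article or from Qualys. The qualitative scales, the sample findings, and the vulnerability ids (VULN-A etc.) are constructed assumptions, and the script goes slightly beyond the text by ranking the same findings all four ways so the orderings can be compared.

```python
from collections import Counter

# Constructed qualitative scales; these numbers are assumptions, not the article's.
DATA_VALUE = {"Restricted": 3, "Sensitive": 2, "Public": 1}
# Threat matrix: (impact, likelihood) on a 1-3 scale, one entry per plotted threat.
THREAT_MATRIX = {"ransomware": (3, 3), "web defacement": (1, 2)}

# One scan finding: asset, its data classification, vulnerability id,
# severity (1-5), the threat it could enable, and the finding's age in days.
# Sample data is constructed; the vulnerability ids are placeholders.
FINDINGS = [
    ("db01",    "Restricted", "VULN-A", 5, "ransomware",     30),
    ("web01",   "Public",     "VULN-A", 5, "ransomware",     30),
    ("web02",   "Public",     "VULN-A", 5, "ransomware",     30),
    ("file01",  "Restricted", "VULN-B", 3, "ransomware",     200),
    ("kiosk01", "Public",     "VULN-C", 4, "web defacement", 10),
]

def threat_score(threat):
    """Collapse a threat's matrix position into one number: impact x likelihood."""
    impact, likelihood = THREAT_MATRIX[threat]
    return impact * likelihood

def risk(data_class, threat, severity):
    """Risk = Data (value) x Threat x Vulnerability, each on its qualitative scale."""
    return DATA_VALUE[data_class] * threat_score(threat) * severity

def by_severity(findings):
    """Severity-first: highest score first, regardless of the asset it sits on."""
    return sorted(findings, key=lambda f: f[3], reverse=True)

def by_frequency(findings):
    """Frequency: which vulnerability ids are present on the most assets."""
    return Counter(f[2] for f in findings).most_common()

def by_risk(findings):
    """Risk-based: rank each finding by the full risk formula, highest first."""
    return sorted(findings, key=lambda f: risk(f[1], f[4], f[3]), reverse=True)

def by_threat(findings, threat, min_age_days=180):
    """Threat-profile: only findings enabling the named threat; findings past the
    age cutoff come first, then higher severity first."""
    hits = [f for f in findings if f[4] == threat]
    return sorted(hits, key=lambda f: (f[5] < min_age_days, -f[3]))

if __name__ == "__main__":
    for f in by_risk(FINDINGS):
        print(f"{f[0]:8} {f[2]} risk={risk(f[1], f[4], f[3])}")
```

Note how the severity-first order puts VULN-A on the public web servers ahead of VULN-B on file01, while the risk-based order ranks file01 second because it holds restricted data.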

Conclusion

Investing the time, money, and resources into building a holistic vulnerability management program (vs. vulnerability scanning) will strengthen your asset inventory management, your patch life-cycle, help you prioritize and reduce risk, and strengthen the way you communicate your cybersecurity program by contributing this key data into your risk equation.
