Reducing your attack surface and minimising threats requires a robust, holistic and strategic approach to vulnerability management to counter increasingly sophisticated and more frequent cyberattacks. Whether you’re a CIO, IT manager or technical engineer, you probably know that vulnerability management is a vital part of any security program. But are you aware that regular vulnerability scans, in isolation, may not be enough to protect your business? Or that vulnerability management should form the foundation of your security program, rather than serve as an ad hoc, tactical operations tool?
Why develop a Vulnerability Management program?
Most organisations develop a vulnerability management program for one of three reasons:
These are all perfectly acceptable reasons for developing a vulnerability management program. Common to all three is the need to underpin the program with a well-considered strategy. The organisation should try to identify the core outcome the program is meant to achieve, since that outcome may drive tool selection and process development. A reactive, poorly thought out or ad hoc program is unlikely to achieve the desired outcome, whether that’s improved compliance or an enhanced ability to respond to threats.
The graph below shows the importance of vulnerability management to an organisation’s security posture. As you can see, an effective vulnerability management program identifies issues closer to zero-day (red). Organisations can, and should, respond as updates become available (blue), not months later when exploit activity has skyrocketed (green).
The 3 Core Elements of a Vulnerability Management Strategy
In our experience, the most effective vulnerability management strategies focus on people, process and technology.
Does your team have the skills and experience to work productively?
At a minimum, every vulnerability management team should include individuals with a combination of the following traits:
- A proven ability to communicate with a range of stakeholders, including other technical staff, business users and management
- Highly developed listening and diplomacy skills
- A deep understanding of how vulnerabilities affect their specific environment
How is information categorised and prioritised?
Anyone can conduct a vulnerability scan, but being able to establish and follow processes that make scan data actionable is what really adds value to an organisation. The process needs to be repeatable and consistent, especially when decisions must be made about the urgency of remediating identified issues.
What tools are available and how are they configured?
Vulnerability management tools aren’t limited to scanning engines. They may also include asset databases and ticketing systems. You can also use them to gather more information from your environment than vulnerability data alone.
This advice is Best Practice #1 in our Vulnerability Management 101: 5 Best Practices for Success, which covers the next steps: improving the categorisation and prioritisation of your scan data, and selecting and configuring your vulnerability management tools.