This is a post I have been thinking about for a long time. I have been working in Threat and Vulnerability Management with a lot of emphasis on continuous improvement. Together with my team I was responsible for the vulnerability scanning and remediation reporting of over 12,000 assets, a large number that presents its own challenges. Since we began this project there have been multiple cycles of change and improvement. As part of these improvements I try to find best practices and advice on what to do differently, but too often the advice I read, or the videos I watch, are sales pitches with no lessons you can actually take home and use. The lessons I have collected here should help with managing vulnerabilities at all sizes, from enterprise-scale environments to SMEs.
In this blog post I am going to go through the 8 most important lessons I have learned that can, and should, be applied to any organization’s vulnerability management project:
Lesson 1; Continuously map your network.
We can’t protect assets if we don’t know they are there. Most modern security frameworks support the use of automated tools to scan and keep an inventory of all the assets in your network. From enterprise tools like BMC’s ADDM to a homemade script using nmap, there is a way to make sure all your subnets are frequently mapped and inventoried, and that any anomalous devices found are highlighted for investigation.
Lesson 2; Every asset has to have an owner, and every owner has to understand their responsibilities.
Once we have this inventory of all assets on our network we next need to assign owners and track who has access to each machine. In many cases this will be the system administrator, but in more complex organizations ownership can be split between the infrastructure owner, the application owner, the business owner or some combination of the three. This presents issues when assigning remediation tickets to people. Agreeing on, and documenting, who tickets should be assigned to before the need arises can alleviate these challenges before they occur.
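As an added illustration of lessons 1 and 2 (this is example code, not the author's own tooling), the script below reads nmap XML output, reconciles the live hosts against an asset inventory, and flags the things the post says to look for: devices that are not in the inventory (anomalous, investigate), inventoried hosts that did not respond, hosts whose recorded name no longer matches, and inventoried hosts with no owner assigned. The nmap XML and the inventory are constructed sample data; the inventory format (a dict keyed by IP with an `owner` field) is an assumption.

```python
"""Added example (not from the original post): reconcile an nmap scan
against an asset inventory and flag anomalies and ownership gaps.

Assumptions: the scan is nmap XML output (as produced by ``nmap -oX``); the
inventory is a dict keyed by IP address with ``hostname`` and ``owner``
fields. The XML and inventory below are constructed sample data."""
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output for a small subnet (sample data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal"/></hostnames></host>
  <host><status state="up"/><address addr="10.0.1.11" addrtype="ipv4"/>
    <hostnames><hostname name="db01.example.internal"/></hostnames></host>
  <host><status state="up"/><address addr="10.0.1.57" addrtype="ipv4"/>
    <hostnames/></host>
  <host><status state="down"/><address addr="10.0.1.12" addrtype="ipv4"/>
    <hostnames/></host>
</nmaprun>
"""

# Constructed inventory: IP -> record. An empty owner is a lesson-2 gap.
SAMPLE_INVENTORY = {
    "10.0.1.10": {"hostname": "web01.example.internal", "owner": "web-team"},
    "10.0.1.11": {"hostname": "db01.example.internal", "owner": ""},
    "10.0.1.12": {"hostname": "app02.example.internal", "owner": "app-team"},
    "10.0.1.20": {"hostname": "old01.example.internal", "owner": "infra"},
}


def parse_nmap_hosts(xml_text):
    """Return {ip: hostname} for every host nmap reports as up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        hosts[addr.get("addr")] = name_el.get("name") if name_el is not None else ""
    return hosts


def reconcile(scanned, inventory):
    """Compare live hosts with the inventory.

    Returns a dict with:
      unknown - live IPs absent from the inventory (investigate)
      missing - inventoried IPs not seen up in this scan (stale or offline)
      unowned - live, inventoried IPs with no owner assigned
      renamed - live IPs whose hostname differs from the inventory record
    """
    live = set(scanned)
    known = set(inventory)
    return {
        "unknown": sorted(live - known),
        "missing": sorted(known - live),
        "unowned": sorted(ip for ip in live & known if not inventory[ip]["owner"]),
        "renamed": sorted(ip for ip in live & known
                          if scanned[ip] and scanned[ip] != inventory[ip]["hostname"]),
    }


if __name__ == "__main__":
    report = reconcile(parse_nmap_hosts(SAMPLE_NMAP_XML), SAMPLE_INVENTORY)
    for category, ips in report.items():
        print(f"{category:8s}: {', '.join(ips) or '-'}")
```

Run on a schedule per subnet and feed the `unknown` and `unowned` lists into whatever ticketing you use; a host with no owner is a finding in its own right, because nobody will receive the remediation ticket when a vulnerability is found on it.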
Lesson 3; Authentication is key to understanding your threat landscape.
Some vulnerabilities can be identified remotely, but most can only be identified through authenticated scanning. Having authenticated scanning set up is the only way we can get a holistic and informed view of the risks we face. This has the benefits of reducing false positives, increasing confirmed findings and ensuring we know what vulnerabilities an attacker could leverage after initially gaining access to a machine.
Lesson 4; Scan frequently.
In most cases we can’t scan constantly; the overhead makes such a task prohibitive. At the very least we should aim to be scanning monthly, and more frequently for specific high-risk vulnerabilities as they are disclosed. Scanning as often as we can ensures we have up-to-date information on what has been fixed and what is outstanding.
Lesson 5; Communicate with your blue team; know what controls are in place to mitigate your risk.
If your organization is big enough, keep an open flow of communication with your blue team members; this allows you to keep your understanding of systems such as firewalls, IPS/IDS, antivirus, SIEM and other detective and mitigating controls up to date. While we always strive to remediate every vulnerability, in the next lesson we will start prioritizing, and understanding the defences in place will help us prioritize what is most urgent to fix.
Lesson 6; Prioritize your findings; where the assets are, what they do and the information they contain.
Now, collecting as much information as we can, including but not limited to:
- Network location of asset
- Sensitivity of information stored
- Criticality of application running on the asset
- Mitigating controls in place
we can start identifying which vulnerabilities on which servers are the highest risk, and thus should be remediated first. By following this approach, including looking at what could decrease the risk of compromise, we can have a truly accurate understanding of where our sysadmins need to spend their time. It ensures true high-risk vulnerabilities are remediated first and lower-risk or mitigated ones as soon as possible.
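To make lesson 6 concrete, here is an added example (not from the original post) of a context-adjusted priority score: the scanner's CVSS base score is scaled by the asset's network location, the sensitivity of the data it holds and the criticality of the application, then discounted for mitigating controls the blue team has confirmed are in place. The weights, the discount cap and the sample findings are all constructed assumptions; the CVE identifiers are placeholders, not real advisories.

```python
"""Added example (not from the original post): a simple risk-prioritisation
score for vulnerability findings that combines the scanner's CVSS base score
with the context the post lists (network location, data sensitivity,
application criticality, mitigating controls). The weights and the sample
findings are constructed assumptions, not a standard."""

# Context multipliers. Values are illustrative assumptions; tune them to
# your own risk appetite and document the choice for the narrative in lesson 7.
LOCATION_WEIGHT = {"internet-facing": 1.5, "dmz": 1.25, "internal": 1.0, "isolated": 0.7}
SENSITIVITY_WEIGHT = {"public": 0.8, "internal": 1.0, "confidential": 1.3, "regulated": 1.5}
CRITICALITY_WEIGHT = {"low": 0.8, "medium": 1.0, "high": 1.3, "critical": 1.5}

# Each mitigating control that applies to a finding reduces its score.
CONTROL_DISCOUNT = {"waf": 0.25, "ips": 0.15, "network-segmentation": 0.2, "edr": 0.1}
MAX_DISCOUNT = 0.6  # controls reduce urgency; they never zero out a finding


def priority_score(finding):
    """Return a context-adjusted priority for one finding (higher = fix sooner)."""
    base = finding["cvss"]
    context = (LOCATION_WEIGHT[finding["location"]]
               * SENSITIVITY_WEIGHT[finding["sensitivity"]]
               * CRITICALITY_WEIGHT[finding["criticality"]])
    # Unknown control names contribute nothing rather than raising an error.
    discount = min(MAX_DISCOUNT,
                   sum(CONTROL_DISCOUNT.get(c, 0.0) for c in finding["controls"]))
    return round(base * context * (1.0 - discount), 2)


def prioritise(findings):
    """Sort findings by priority score, highest first; ties break on raw CVSS."""
    return sorted(findings, key=lambda f: (priority_score(f), f["cvss"]), reverse=True)


# Constructed sample findings (hostnames, CVE placeholders and scores are invented).
SAMPLE_FINDINGS = [
    {"host": "web01", "cve": "CVE-EXAMPLE-0001", "cvss": 7.5, "location": "internet-facing",
     "sensitivity": "internal", "criticality": "high", "controls": ["waf"]},
    {"host": "db01", "cve": "CVE-EXAMPLE-0002", "cvss": 6.4, "location": "internal",
     "sensitivity": "regulated", "criticality": "critical", "controls": []},
    {"host": "lab07", "cve": "CVE-EXAMPLE-0003", "cvss": 9.8, "location": "isolated",
     "sensitivity": "public", "criticality": "low", "controls": ["network-segmentation", "edr"]},
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f['host']:6s} {f['cve']:18s} cvss={f['cvss']:4.1f} "
              f"priority={priority_score(f):6.2f} controls={f['controls'] or '-'}")
```

Note how the ordering differs from sorting on CVSS alone: the 9.8 on the isolated lab box drops to the bottom, while the 6.4 on the regulated-data database rises to the top. That reordering is exactly the conversation to have with the sysadmins and with management, and the weights table is what you document so the ranking can be defended later.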
Lesson 7; Build a narrative, connecting your findings to the organization’s wider security posture.
Prioritizing vulnerabilities, as in lesson 6, helps us manage resourcing, but many times senior managers are more business-focused and don’t want to invest resources beyond their risk appetite. Learning how to build a narrative to gain traction with senior management is a very important skill that I’m still learning. Some tools used here:
- Graphing a visual dashboard for tracking progress
- Highlighting how assets map to applications
- Highlighting where legal requirements may come into play (SOX, GDPR, etc.)
Lesson 8; Don’t neglect your sysadmins. Build your relationships and reap the rewards.
Building a strong rapport with your organization’s systems administrators can go a long way towards maintaining a secure environment. By staying in touch and highlighting how good security benefits them in the long run by reducing incidents and downtime, we can help maintain good relations and reduce tension. Prioritizing, and using authenticated scanning to reduce false positives, also makes sure their time is not wasted and that they are not overworked. Finally, by talking with the sysadmins formally and informally you can gain a better understanding of your organization’s infrastructure, which can help you make better decisions regarding risk.
ISO 27001:2013 Security category – 12.6. Technical vulnerability management
These best practices also flow into the Technical Vulnerability Management category of ISO 27001; I am including this for completeness with the ISO blog series.
Having a vulnerability management program in place can be very important for learning about individual vulnerabilities and the risks surrounding them. This proactive measure can allow your team to respond more quickly to new threats and put mitigating steps in place to reduce the risk from them if remediation is not immediately possible. Using vulnerability scanners for this can be an important step towards comprehensive coverage, and with tools such as Nessus, Nexpose and Qualys, among others, organizations have many tools to choose from.
Similar to requiring trained staff for software installations, there should be rules and restrictions in place on what software can be requested, used and installed. Restrictions should be in place to ensure staff can only have the software they need to do their job installed, and this should cover all levels of the organization. This will drastically reduce the risk of malware being introduced to your environment. There are two ways to go about this. Blacklisting software explicitly states what software is not allowed to be installed in your environment and can be used to prevent known trojan horse applications and spyware from being installed. Whitelisting software explicitly states what software can be installed and is the more restrictive option: with whitelisting, only software that has been specifically tested and approved can be used.