Five Steps for an Effective Vulnerability Management Program

Spring 2019

ADVISORY

Fortress Information Security, LLC www.fortressinfosec.com

sales@fortressinfosec.com Phone: 855.FORTRESS 189 S. Orange Ave., Orlando, FL 32801

© Fortress Information Security, LLC. All rights reserved. All other brands, products, or service names are or may be trademark or service marks of their respective owners. This document, prepared by Fortress Information Security, contains confidential work product for the exclusive use of its clients. Duplication, distribution or use for anything other than its intended purpose is prohibited.


Overview

It seems that virtually every day, a headline announces a story about an organization that has been breached because of vulnerabilities in its information technology systems. More disturbingly, most of these breaches are caused by known vulnerabilities. Even though patches were available for weeks, months or even years, the vulnerability was left unprotected.

If organizations know that their network has vulnerabilities, why don’t they patch them immediately? The answer is simple. They face too many vulnerabilities and have too little time to fix them. The real question becomes “how do you know which vulnerabilities to patch first?” The answer is a strong vulnerability risk management (VRM) program. A robust VRM program not only uses vulnerability scanners to identify vulnerabilities, it empowers you to prioritize and orchestrate the work to fix things and improve your security posture.

Vulnerability risk management programs help identify and prioritize vulnerabilities based on historical data, the Common Vulnerability Scoring System (CVSS), threat intelligence, threat scenarios, business and technical impact and other factors. Such programs integrate closely with inventory management, patch management, threat intelligence, and risk management processes and technologies to create a superior system and process for identifying and remediating vulnerability risks. Every Vulnerability Risk Management Program should include the following:

• Regularly scheduled, full coverage vulnerability scans, followed by result reviews
• Security data from risk-prioritized (threat, impact) endpoint groups
• Tie into these critical systems and business processes
  o Asset & Inventory Management (CMDB, ServiceNow)
  o Patch Management
  o Application Security (AppSec)
  o Enterprise Risk Management (GRC)
• Strong data integrations with other key business and technical systems and processes (OT, Business Units, IT, Third Party Risk, Finance, Legal)
• Workflows, remediation plans and processes built to track the full vulnerability lifecycle
• Threat Intelligence, Attack Paths and Threat Modeling
• Single system of record for documentation, auditing and compliance reporting
• Reporting and dashboards to measure the success of the program, demonstrate trends, track activity and manage operations
• Dedicated Vulnerability Management SME / Senior Project Manager to coordinate activities
• Monthly / Quarterly Program Reviews

By following the five steps below, you can maximize your return on your IT security investments.


STEP 1: Identify and Classify Your IT and OT Assets

The most critical control in every security framework is your ability to identify and classify your information technology (IT) and operational technology (OT) assets. After all, you can’t protect your assets if you don’t know which assets you have. Thus, every vulnerability risk management system requires a good inventory system. If the systems you need to protect don’t show up, or your current inventory management system is inaccurate, you will not know to patch them. So before moving too far along in implementing your vulnerability risk program, stop and evaluate the coverage of your inventory management tools.

To facilitate your asset identification effort, your vulnerability risk management system should be able to ingest asset data from multiple systems of record, including vulnerability scanners, CMDB systems, LDAP, purchasing applications, IP address management and other systems. This integration allows you to create a single source of truth for asset information that the vulnerability management system can use.

Once you have a comprehensive view of all your assets, you should classify each asset and rate its value to your organization. Such classification makes it easier to prioritize which assets are most in need of protection. For example, a mission-critical server will be classified as a higher priority than a workstation in a low-risk office. Classification also allows organizations to split up their work efforts: a business unit that manages its own servers won’t have to see vulnerability reporting and track remediation efforts for servers in another business unit.

STEP 2: Consolidate and Prioritize System, Application, and Other Vulnerabilities

Threat actors can quickly overwhelm security teams. The National Vulnerability Database (NVD) lists more than 93,000 known, high risk vulnerabilities that can potentially impact your systems. Since it’s impossible to address all of these vulnerabilities, you need to be able to identify all the vulnerabilities that exist in your environment and then prioritize which are most critical to fix using an objective, data-driven approach.

To identify vulnerabilities, the vulnerability risk management system should allow you to quickly and automatically import vulnerability data from security scanners, CMDB asset databases, asset management systems, application security scanning tools, and other methods of identifying vulnerabilities. Enhancing this information with threat intelligence feeds and attack path information from network sources can further enrich your prioritization effort. This process should feed information into a central dashboard that gives you a holistic view of the vulnerabilities across your organization.


The vulnerability risk management solution should then enable you to prioritize which vulnerabilities should be addressed first, based on likelihood, potential technical or business impact, or efficiencies in the remediation process. For example, you may want to prioritize vulnerabilities in the systems that support your financial operations over those in the systems that serve your custodial staff. The solution should be customizable, allowing you to select from multiple prioritization methods.

The solution should also go to the next level and model attack paths and threat scenarios to help you further identify the likelihood that a vulnerability will be exploited. For example, a vulnerability that seems high risk on paper but can only reach one application is not as risky as one that is rated medium risk but opens the door for attackers to roam throughout your network, gaining access to sensitive customer data or intellectual property. By modeling attack paths and threat scenarios, you can understand the true attack surface and make decisions designed to reduce it in an efficient and cost-effective manner.
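As an added example that is not part of this advisory or any Fortress product, the following Python script applies Steps 1 and 2 to constructed data: it merges a CMDB export and a scanner export into one inventory keyed by IP, flags hosts the scanner found that no system of record has classified, and ranks findings by CVSS weighted by asset criticality and attack-path exposure. The tier weights and the 1.5x attack-path multiplier are assumed policy values, and all hosts, IPs and finding IDs are made up.

```python
# Constructed sample exports (not real hosts). The CMDB record carries the
# business classification; the scanner record carries the finding and exposure.
CMDB = [
    {"host": "fin-db-01", "ip": "10.0.1.10", "owner": "Finance", "tier": "mission-critical"},
    {"host": "ws-0412", "ip": "10.0.9.44", "owner": "Facilities", "tier": "low"},
]
SCANNER = [
    {"ip": "10.0.1.10", "id": "VULN-A", "cvss": 5.3, "on_attack_path": True},
    {"ip": "10.0.9.44", "id": "VULN-B", "cvss": 9.8, "on_attack_path": False},
    {"ip": "10.0.3.7", "id": "VULN-C", "cvss": 7.5, "on_attack_path": False},
]

# Assumed asset-value policy. "unclassified" is deliberately weighted like a
# critical asset so that inventory gaps surface at the top instead of hiding.
TIER_WEIGHT = {"mission-critical": 1.0, "high": 0.8, "medium": 0.5,
               "low": 0.2, "unclassified": 1.0}
ATTACK_PATH_FACTOR = 1.5  # assumed multiplier for hosts on a modeled attack path


def build_inventory(cmdb, scanner):
    """Single source of truth keyed by IP; scanner-only hosts become 'unclassified'."""
    inventory = {a["ip"]: dict(a) for a in cmdb}
    for f in scanner:
        inventory.setdefault(f["ip"], {"host": None, "ip": f["ip"],
                                       "owner": None, "tier": "unclassified"})
    return inventory


def inventory_gaps(inventory):
    """Hosts the scanner saw but no system of record classified (the Step 1 check)."""
    return sorted(ip for ip, a in inventory.items() if a["tier"] == "unclassified")


def priority_score(finding, asset):
    """CVSS base score x asset criticality x attack-path exposure."""
    exposure = ATTACK_PATH_FACTOR if finding["on_attack_path"] else 1.0
    return round(finding["cvss"] * TIER_WEIGHT[asset["tier"]] * exposure, 2)


def prioritize(scanner, inventory):
    """Return findings ranked highest priority first, tagged with owner and tier."""
    ranked = []
    for f in scanner:
        asset = inventory[f["ip"]]
        ranked.append({**f, "host": asset["host"], "owner": asset["owner"],
                       "tier": asset["tier"], "score": priority_score(f, asset)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    inv = build_inventory(CMDB, SCANNER)
    for r in prioritize(SCANNER, inv):
        print(f'{r["score"]:5.2f} {r["id"]} {r["ip"]:<10} tier={r["tier"]} owner={r["owner"]}')
    print("inventory gaps:", inventory_gaps(inv))
```

Note that the 5.3 finding on the mission-critical, attack-path-reachable database outranks the 9.8 finding on the low-value workstation, and the unclassified host lands second so the inventory gap gets attention before it is silently deprioritized.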

STEP 3: Reduce the Attack Surface for Critical Assets

Once the vulnerability risk management solution has identified and prioritized the vulnerabilities to be addressed, it should offer a remediation or mitigation plan to reduce the risk they pose. This plan will generally start with patch management, determining which patches are available and applicable to your environment’s vulnerabilities. If no patches are available, the solution should minimize the risk through configuration management or security hardening. Alternatively, you may actively decide to accept or otherwise treat the risk.

Understanding that people, not tools, perform vulnerability risk management, the solution should include intuitive workflows to coordinate remediation efforts between the vulnerability risk management team and the system owners. It should also incorporate a mechanism for tracking the activities that occur during the workflow to ensure that nothing falls through the cracks.


STEP 4:

Validate Attack Paths to Critical Assets Patched, Controls in Place, or Impact Reduced

Now that you have scanned, prioritized, and patched your vulnerabilities, you’re done, right? Not so fast. You need to verify that your fixes work as planned. Your vulnerability risk management system should include a combination of manual testing and automated scanning to validate that your remediations worked. In addition, you should perform penetration testing, particularly for your mission critical systems, on a periodic basis, such as once a quarter, based on risk. Penetration tests attempt to exploit the recently patched vulnerabilities to verify that all your hard work has paid off.

STEP 5: Remediate, Report, Rinse & Repeat – Leveraging VRM Dashboards, Scores and Flexible Reporting Options

What’s the best way to communicate to management that the program is working as designed, and that security investments are delivering value? Reporting.


Reporting allows you to show management that the program’s key performance indicators are being met as a result of the effort spent on your vulnerability risk management program. Vulnerability risk management is ideally an ongoing process: you don’t make improvements once and forget about them. You need a constant improvement loop that continually moves in a positive direction. Reporting helps demonstrate your progress in reducing vulnerabilities, lowering costs and realizing new efficiencies, and drives the positive change needed to ensure that your security objectives are being met.

You’ve likely already invested in many of the tools that drive an effective vulnerability management program; now is the time to move beyond point solutions and drive program maturity.

About Fortress Information Security

The Fortress Total VRM Service Offering (built on our Integrated Vulnerability Risk Operations & Analytics Platform) includes all the features above and more, allowing for informed decision-making based on your organization’s risk posture and threat intelligence. In one solution, you can orchestrate your vulnerability management processes, analyze your vulnerability data, and proactively model threats and attack paths in one central place. As with Fortress’ Third Party Risk Operations & Intelligence Solution, customers can build and manage their program from the Fortress Platform, which provides not only the ability to orchestrate your VRM and TPRM functions but also delivers security results with the confidence that you are basing your tasks and decisions on vetted, relevant and accurate intelligence.

We know that much of what we recommend above can be daunting and requires a great deal of security expertise. Often security leaders wonder whether they should work with a third party or build these capabilities in-house. Whatever you choose, our team at Fortress can offer managed services to meet your growing security needs.
