When we begin a cyber security strategy with our customers, one of the first items on the agenda is how they manage vulnerabilities. After all, this ‘should’ be one of the simplest elements, right? Get visibility and patch: simple and secure.
In the real world we know it is not that simple. We have devices on our network that cannot be patched because of their age and their importance to the operational side of the business. We have users working away from the ‘old’ perimeter of the network, so the scanners miss those devices, and we have a multitude of IoT devices being added to the wider network that tools such as SCCM are never going to give you any visibility into.
I have never worked with an organisation that has zero vulnerabilities on its network; it is not an achievable goal, and therefore our vulnerability management policy needs to be realistic.
For me, there are a few key items that make up my policy:
- 100% Visibility – All Devices, no matter the location
- Get Context – I need to understand the risk of the vulnerability to my organisation, are they exploitable? How difficult are they to exploit?
- Remediation Plan – How do I prioritise what to remediate first? How do I audit?
How do we achieve this?
Your organisation's devices are now ‘everywhere’. In the past we relied on local scanners, scanning your network once a day, week or month. Not only did this approach miss devices that were turned off at the time of the scan, it also didn’t capture devices while they were away from the network. Moving to an agent-based approach for the assets that move, and a scanner-based approach for the assets that don’t, gives you constant, 100% visibility of your devices’ vulnerabilities.
As mentioned earlier, you will never remove all vulnerabilities from your network, and most scan reports end up looking like a ‘Christmas lights switch-on’, with hundreds of reds and ambers that do nothing to help you prioritise or understand where your actual risk lies. As a security/IT team you need to know the actual risk: which of your vulnerabilities can be exploited? Threat intelligence gives you this context: which Metasploit modules exist, what exploits are sitting on exploit databases, and what skill level is required? Once you have that intelligence you can create a remediation plan that actually reduces your risk.
Using the intelligence gained, you can create a vulnerability management program that remediates first the issues most likely to cause a cyber security incident. For example, vulnerabilities that could be exploited by a ‘script kiddie’, someone with little skill who is simply running a script they found on the internet, sit towards the top, if not at the top, of my priority list.
It is also important to audit continually; time and again we start a new vulnerability program with an organisation and hear ‘I am sure we resolved that before’. We recommend creating SLAs around resolution, with automated auditing, so you are not faced with an incident because you believed something had been remediated.
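As an added illustration of the context, prioritisation and audit steps above (example code written for this page, not from the original post or any product), the script below scores constructed scan findings by exploitability context rather than CVSS alone, assigns assumed SLA bands, and flags both SLA breaches and ‘we fixed that before’ regressions. Hosts, vulnerability ids, weights, SLA values and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    host: str
    vuln_id: str          # constructed placeholder ids, not real CVE numbers
    cvss: float
    metasploit: bool      # a Metasploit module exists for this issue
    public_exploit: bool  # exploit code is sitting on a public exploit database
    skill: str            # "low" = script-kiddie level, "medium", "high"
    first_seen: date
    ticket_closed: bool = False  # IT believes this was already fixed

SKILL_WEIGHT = {"low": 3.0, "medium": 1.5, "high": 1.0}  # assumed weights

def priority_score(f: Finding) -> float:
    """Weight CVSS by real-world exploitability: a low-skill issue with a public
    exploit outranks a higher-CVSS issue that nobody has weaponised."""
    score = f.cvss * SKILL_WEIGHT[f.skill]
    score += 4.0 if f.metasploit else 0.0
    score += 2.0 if f.public_exploit else 0.0
    return round(score, 1)

def sla_days(score: float) -> int:
    """Assumed SLA bands (days to fix); set these from your own policy."""
    return 7 if score >= 25 else 30 if score >= 15 else 90

def remediation_plan(findings):
    """Highest real-world risk first, regardless of the raw CVSS colour."""
    return sorted(findings, key=priority_score, reverse=True)

def audit(findings, today):
    """Automated audit: open findings past SLA, plus closed tickets the scan still reports."""
    overdue = [f for f in findings if not f.ticket_closed
               and (today - f.first_seen).days > sla_days(priority_score(f))]
    regressions = [f for f in findings if f.ticket_closed]
    return overdue, regressions

# Constructed sample scan output and audit date (not real hosts or findings).
SCAN = [
    Finding("laptop-07",  "VULN-A", 9.8, False, False, "high",   date(2024, 1, 20)),
    Finding("kiosk-02",   "VULN-B", 7.5, True,  True,  "low",    date(2024, 1, 28)),
    Finding("srv-db-01",  "VULN-C", 6.4, False, True,  "medium", date(2023, 10, 1), True),
    Finding("cam-iot-11", "VULN-D", 5.3, False, False, "low",    date(2024, 2, 1)),
]
AUDIT_DATE = date(2024, 2, 5)

if __name__ == "__main__":
    for f in remediation_plan(SCAN):
        print(f"{priority_score(f):5}  {f.host:11} {f.vuln_id}  fix within {sla_days(priority_score(f))}d")
    overdue, regressions = audit(SCAN, AUDIT_DATE)
    print("SLA breached:", [f.host for f in overdue], " regressions:", [f.host for f in regressions])
```

Note that the CVSS 9.8 finding lands last: with no public exploit and a high skill requirement it carries less real-world risk than the 7.5 issue with a ready-made Metasploit module.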
Your vulnerability management program should be one of the staple elements of your wider cyber security strategy. It is often missed because it is a big piece of work, but if you get the right visibility and the right context you can prioritise and reduce the risk to your organisation without looking at pages and pages of different colours that have no real context to you.
If you'd like to discuss this further, please do get in touch.