Last week, Conrad started off our talk about vulnerability management with a great overview on what a program is and how it can impact your organization. This week, we go a little deeper and talk about actual tactics you can put in place to start building or improving your program.
Step 1: Set SMART Goals
“To better mitigate risk” is not a goal. Everyone wants to mitigate risk, and that’s why your organization has a security team. In order to set a goal for your vulnerability management program, you have to first understand what assets you have that need to be protected. Start by finding the assets that are most important to your company, then see what connects to them. It is no longer just about who has access to the application; it’s about every application, employee, contractor or device that connects to it.
Instead of coming up with a broad goal, make it SMART.
Specific: Know exactly which assets are the most important and need to be protected, as well as the possible attack paths a bad actor could take to reach them.
Measurable: These can be things like 90% of all patches applied within one week of release, or reducing the number of exploitable vulnerabilities in your network by 40%. If you don’t measure your goal, you can’t tell whether your actions are working.
Attainable: Your goal should be challenging but also possible to achieve. If your goal isn’t attainable, you will be setting your team up for failure.
Realistic: Is your goal something your team can realistically accomplish? Also, is this goal relevant to what you are doing as a team and as a company?
Time Bound: How long should it take to complete this goal? Setting a timetable lets your team stay on track and work towards a deadline rather than spending whatever “extra” time they can find on it.
Step 2: Prioritize
How many pages of scanner data did you get last week? 10? 100? Whether that is bad data or simply too much data, you have to be able to prioritize what your team is working on and make sure you are making the biggest impact possible. Scanners only give you a list of vulnerabilities; they don’t tell you which of those pose the biggest risk to your organization.
To truly prioritize, we go back to step 1, where we found out what is connected in our network and what the attack paths are to our most valuable assets. This is where a vulnerability management solution comes into play, because it can help prioritize these risks for you. There are industry-wide measurements such as the MITRE and CVE scores, which list the severity of a vulnerability and rank it accordingly. Then there is the unique makeup of your organization. Make sure to get a solution that looks at more than just the CVE score: one that also looks at the attack path to that vulnerability as well as other factors like:
- Whether an exploit exists
- How easy or difficult the exploit is to use
- Whether local access is required for the exploit
- And that all of that data is taken into account when prioritizing by risk to the company
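As an added illustration (not code from the original post or from any vendor's product), here is a small Python prioritization that combines the scanner's severity with the factors listed above and the hop count to the crown-jewel assets identified in step 1. The asset names, network links, findings and multiplier weights are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample network (asset -> assets it can connect to); names are
# illustrative, not from a real environment. Assets absent as keys have no links.
EDGES = {"web-01": ["app-01"], "app-01": ["db-01"], "vpn-gw": ["app-01", "hr-01"]}
CROWN_JEWELS = {"db-01"}   # the assets step 1 identified as most important

@dataclass
class Finding:
    asset: str
    cvss: float            # severity as the scanner reports it
    exploit_public: bool   # is a working exploit available?
    exploit_easy: bool     # low skill, no special conditions needed?
    local_only: bool       # does the exploit need local access first?

def hops_to_crown_jewel(asset, edges=EDGES, jewels=CROWN_JEWELS):
    """Shortest number of hops from asset to any crown jewel, or None if unreachable."""
    seen, queue = {asset}, deque([(asset, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in jewels:
            return dist
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def risk_score(f):
    """Scanner severity adjusted by exploitability and attack path (multipliers are illustrative assumptions)."""
    score = f.cvss
    score *= 1.5 if f.exploit_public else 1.0
    score *= 1.25 if f.exploit_easy else 1.0
    score *= 0.5 if f.local_only else 1.0    # attacker needs a foothold first
    hops = hops_to_crown_jewel(f.asset)
    # No path to anything that matters halves the score; a short path raises it.
    score *= 0.5 if hops is None else 2.0 / (hops + 1)
    return round(score, 2)

def prioritize(findings):
    """Highest adjusted risk first, regardless of raw CVSS order."""
    return sorted(findings, key=risk_score, reverse=True)

SAMPLE_FINDINGS = [   # constructed findings, not real scanner output
    Finding("kiosk-01", 9.8, True, False, False),   # critical, but isolated
    Finding("web-01", 7.5, True, True, False),      # two hops from db-01
    Finding("hr-01", 8.8, True, False, False),      # reachable, but a dead end
    Finding("db-01", 5.3, False, False, True),      # on the crown jewel itself
]
```

With these weights the 7.5 on web-01, which sits on a path to the database, ranks above the 9.8 on the isolated kiosk, which is exactly the reordering a CVE-score-only list would miss.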