How Mature is Your Vulnerability Management Program?

Security vulnerabilities are one of the most common problems in cybersecurity today: they may exist in operating systems, services and applications, in improper configurations, or in risky end-user behavior. According to the statistics from the Common Vulnerabilities and Exposures list, 12,174 new vulnerabilities were uncovered in 2019, over 13 times as many as were discovered in 1999, when the database first came into existence. This number doesn’t even account for those that are yet to be found; it’s difficult to estimate how many security vulnerabilities are currently in the wild and being exploited on a daily basis.

Regardless of the exact number, these vulnerabilities are a worldwide challenge that can easily feel overwhelming. Many organizations feel behind in vulnerability management, and it’s no surprise why. The pressure to be operationally efficient and do more with less in a constantly evolving and growing threat landscape makes it seem impossible to catch up. In this blog, we’ll go over the different levels of the threat and vulnerability management maturity model, and ways to realistically progress and improve your organization’s security.

The Threat and Vulnerability Maturity Model

A formal threat and vulnerability management program is a critical component of a robust information security program, combining an understanding of the organization’s assets, information technology infrastructure, and systemic vulnerabilities into a coherent whole.

The Threat and Vulnerability Maturity Model is a combination of asset analysis, vulnerability scanning, patch management, process implementation, and metrics that enable the step-by-step implementation of a threat and vulnerability management program. It consists of six levels, each progressively leading to an understanding of how you may be attacked and exploited, as well as effective methods of countering adversaries.

Level 0: Non-Existent

More companies than we would like to admit find themselves with no real strategy for tackling vulnerabilities. Some companies haven’t considered their risk, and others may think they’re too small for anything but manual patching. But unless your organization is extremely small (think low double digits at the most), implementing patches on an ad hoc basis is not sufficient or structured enough to ensure you’re aware of, and patching, all of the different security weaknesses in your network.

Luckily, the way to advance out of a non-existent program is straightforward. Organizations will need to acquire a vulnerability assessment solution to run on a regular basis. Ideally, your scanner should cover web and network vectors, as well as scanning for device misconfigurations.

Level 1: Scanning

While a vulnerability scanner can help build the foundation of a vulnerability management program, it also introduces a new set of considerations. A scan will illuminate all potential security weaknesses, but the influx of new information can make it difficult to know where to begin with remediation. A scan provides data, but it doesn’t provide guidance on what to do with that data.

In order to progress to the next level, you’ll need to begin shaping a strategy for how to handle these vulnerabilities effectively. A key part of an effective security strategy is looking at industry best practices and compliance. Nearly every industry today has regulatory requirements and security mandates that organizations in that sector must comply with.

Level 2: Assessment and Compliance

The shift from level 1 to level 2 is quite a large adjustment: going from a security approach of taking problems as they come to a structured strategy with regular assessments and processes. However, adhering to compliance and best practices helps by providing both context and logic for any subsequent actions.

Your organization can use compliance requirements as a framework around which to build out your vulnerability management program. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to any organization in the retail industry, and requires scans to be run on a quarterly basis and whenever significant changes occur in the network. Additionally, it requires patching to take place within one month of the patch release. Pen tests can be used to validate vulnerability and patch management.

While this is a good start, basing actions on compliance alone does not fully consider threat potential. The next big hurdle is advancing prioritization to determine what issues require the most urgent focus. Moving into the next level requires additional context in order to determine the best order of action.

Level 3: Analysis and Prioritization

Once you’ve reached this level, prioritization isn’t based on compliance standards, but is instead determined by risk. Known vulnerabilities are ranked based on the Common Vulnerability Scoring System (CVSS) to distinguish how severe they are on a scale of 0-10, with 10 denoting the highest risk of impacting the system. The results of a vulnerability scan typically note the corresponding severity score. However, these scores do not account for the circumstances of each individual IT environment.

Penetration tests add more business context by verifying threat potential, ranking the danger of vulnerabilities based on which could actually be leveraged to gain access within your environment. Fleshed-out processes integrate ticketing systems and other tools in order to ensure prompt and effective remediation, and further pen tests are run to validate them.

However, while this level incorporates prioritization based on risk, it tends to focus on single units, prioritizing based on whether an attacker could use a vulnerability to gain access in a single step. Advancing to the next level identifies attack paths, assessing not just how attackers gain entry, but how they target valuable data.

Level 4: Attack Management

Once at this level, you’re no longer looking at vulnerabilities and patching as separate entities, but instead as a complete ecosystem. Prior to this level, organizations may have become accustomed to simply identifying the number of vulnerabilities scanned and patched across endpoints, network devices, applications, and systems, which does not assess risk holistically.

Attack management uses scan and penetration testing data to identify how a threat actor could move through the system, using different vulnerabilities to gain access to business-critical assets. Prioritization is based specifically on risk to these assets. For example, vulnerabilities with low CVSS scores may not initially look that impactful, but further analysis could show that they can be leveraged as a “pivot point” to reach other vulnerabilities or resources.
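To make the difference between the level 3 and level 4 views concrete, the following added example (not part of the original post) ranks a constructed set of findings two ways: by CVSS score alone, and by whether the finding lies on an attack path from an assumed entry point to an assumed critical asset. The hosts, finding ids and scores are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample data, not real scan output. Each finding is a vulnerability
# on host `dst` that an attacker who already controls `src` could use to reach `dst`.
FINDINGS = [
    {"id": "F1", "src": "internet", "dst": "web-01",     "cvss": 9.8, "title": "RCE in web framework"},
    {"id": "F2", "src": "internet", "dst": "vpn-01",     "cvss": 5.3, "title": "Information disclosure"},
    {"id": "F3", "src": "web-01",   "dst": "app-01",     "cvss": 4.3, "title": "Weak service credentials"},
    {"id": "F4", "src": "app-01",   "dst": "db-01",      "cvss": 6.5, "title": "Local privilege escalation"},
    {"id": "F5", "src": "kiosk-01", "dst": "printer-01", "cvss": 8.8, "title": "Firmware RCE"},
]
CRITICAL_ASSETS = {"db-01"}   # assumed business-critical asset (constructed)
ENTRY = "internet"            # assumed attacker starting position (constructed)


def rank_by_cvss(findings):
    """Level 3 view: each finding is judged on its own severity score."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def attack_paths(findings, entry, targets):
    """Level 4 view: enumerate simple paths (lists of finding ids) from `entry`
    to any host in `targets`, chaining findings host by host."""
    graph = defaultdict(list)
    for f in findings:
        graph[f["src"]].append(f)
    paths = []

    def dfs(node, visited, trail):
        if node in targets:          # reached a critical asset: record the chain
            paths.append(list(trail))
            return
        for f in graph[node]:
            if f["dst"] not in visited:   # avoid cycles between hosts
                dfs(f["dst"], visited | {f["dst"]}, trail + [f["id"]])

    dfs(entry, {entry}, [])
    return paths


def rank_by_attack_path(findings, entry, targets):
    """Findings that sit on a path to a critical asset come first (shortest path
    first); CVSS only breaks ties. A low-CVSS pivot therefore outranks a high-CVSS
    finding on an isolated network segment."""
    shortest = {}
    for path in attack_paths(findings, entry, targets):
        for fid in path:
            shortest[fid] = min(shortest.get(fid, len(path)), len(path))
    # key: (not on any path?, shortest path length, -cvss)
    key = lambda f: (f["id"] not in shortest, shortest.get(f["id"], 99), -f["cvss"])
    return [f["id"] for f in sorted(findings, key=key)]
```

With this data the CVSS-only ranking puts the kiosk-segment firmware bug (F5) second, while the attack-path ranking drops it below the 4.3-scored credential weakness (F3) that is the pivot from the web tier to the database.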

Level 5: Business-Risk Management

Ultimately, this is the level that all organizations should strive for: a fully developed management program that takes the entire environment into account, analyzing data from vulnerability scans and pen tests, examining metrics in order to identify trends, and using enhanced processes and remediation techniques. However, it’s important not to grow idle. In order to stay at level five, red team engagements or third-party pen testers can be used to continue validating your program.

No matter what level you may be at, vulnerability management is an ongoing, evolving process. As long as you regularly evaluate your program and remain flexible to adapt to new challenges, you’ll continue to successfully grow or maintain maturity.

Continue Progressing Along the Threat and Vulnerability Maturity Model

Find out the next steps in our webinar, How to Take Your Vulnerability Management Program to the Next Level.