How do you look at vulnerability management? We’ve seen several blogs on this topic in the past month and even a webinar with one of our security consultants but the truth is that everyone looks at this issue differently. From scanning and assessments to prioritization and patching, vulnerability management is a lot of different things but it is not and never should be seen as:
- Just a list of random vulnerabilities in your network
- A list based on CVSS score ranking
- A list of individual, independent vulnerabilities
- A once or twice a year process
True vulnerability management takes all of these issues, and more, into account when planning and protecting against exploits and breaches. Today, I want to share with you three new ways to look at vulnerability management that you might not have thought about before and that might just help make a difference in your process.
- Vulnerability Management Plans Unique to your Organization
Once you have amassed all of the scanner data and have a list of all known vulnerabilities in your network, what is your next step? For most people, it is to rank them by their CVSS score and start patching. First, let me say that this is not a bad plan. However, a CVSS score does not tell the whole story of the damage a vulnerability could do in your network, and it shouldn’t be the only way you rank these weaknesses. Each organization has a unique set of applications, devices, servers and more. Each also has its own cyber-security history. All of this should be taken into account when you rank your vulnerabilities, because it all contributes to what makes your network unique. By taking the extra step to dig into each of these liabilities, you will have a much better idea of how it can actually impact you.
- Attack Paths
When you are prioritizing your vulnerabilities, think about how they work both individually and with each other within the context of your overall infrastructure. Bad actors are no longer looking at hacking with one tool; they are looking at an attack path full of vulnerabilities, exploits, and whatever tools they need to combine in order to get to your sensitive data. While the CVSS score of one vulnerability may look too low to worry about on its own, do you know what would happen if it was exploited and used to breach your network? It may look like a low priority now, but if it gives an attacker the access to pivot into another, more crucial application and work their way through your network, it becomes a much higher priority for your team to patch. Remember: attackers are not all the same, and neither are their methods. Make sure you are also using every available tool to stop them. CVSS scores alone are not enough; understanding how those vulnerabilities interrelate along the attack path to your critical data store gives you far more effective vulnerability prioritization.
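The two points above (ranking by your own asset context rather than CVSS alone, and by where a finding sits on a path to the critical data store) can be turned into a small, reproducible prioritization step. The following is an added example written for this post, not code from the original author; the hosts, the `VULN-*` identifiers, the CVSS values, the adjacency map and the criticality weights are all constructed sample data, and the scoring formula (CVSS weighted by asset criticality plus a fixed bonus for findings on an attack path) is an illustrative choice, not a standard.

```python
"""
Attack-path-aware vulnerability prioritization (added example, constructed data).

Model: a finding gives an attacker a foothold on the host it lives on, and network
adjacency lets a foothold be used to reach the next host. A finding is "on an attack
path" if its host lies on a chain of exploitable hosts from the entry point to the
critical data store. Rank by CVSS alone first, then with context, and compare.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # constructed identifier, not a real CVE
    host: str
    cvss: float


# Constructed scanner output: one finding per line.
FINDINGS = [
    Finding("VULN-A", "web-01", 4.3),    # low score, but on the internet-facing host
    Finding("VULN-B", "app-01", 5.0),
    Finding("VULN-C", "db-01", 7.5),
    Finding("VULN-D", "kiosk-07", 9.8),  # critical score, but the host is isolated
]

# Constructed network reachability: host -> hosts it can talk to.
ADJACENCY = {
    "internet": {"web-01"},
    "web-01": {"app-01"},
    "app-01": {"db-01"},
    "db-01": set(),
    "kiosk-07": set(),
}

# Constructed business weighting for each host (higher = more critical).
ASSET_CRITICALITY = {"web-01": 2, "app-01": 3, "db-01": 5, "kiosk-07": 1}


def rank_by_cvss(findings):
    """The 'rank by score and start patching' baseline: ids in descending CVSS order."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def _reachable(graph, start, allowed):
    """Breadth-first search from start, stepping only onto hosts in `allowed`."""
    seen, queue, out = {start}, deque([start]), set()
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt in allowed and nxt not in seen:
                seen.add(nxt)
                out.add(nxt)
                queue.append(nxt)
    return out


def hosts_on_attack_path(adjacency, findings, entry, target):
    """Hosts that lie on some chain of exploitable hosts from entry to target."""
    exploitable = {f.host for f in findings}
    if target not in exploitable:
        return set()  # the data store itself has no foothold: no compromising path
    reverse = {}
    for src, dsts in adjacency.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    forward = _reachable(adjacency, entry, exploitable)      # attacker can get here
    backward = _reachable(reverse, target, exploitable) | {target}  # and on to target
    return forward & backward


def prioritize(findings, adjacency, criticality, entry="internet", target="db-01"):
    """Return (score, vuln_id, on_path) tuples, highest priority first."""
    on_path = hosts_on_attack_path(adjacency, findings, entry, target)
    ranked = []
    for f in findings:
        score = f.cvss * criticality.get(f.host, 1)   # context: what the host is worth
        if f.host in on_path:
            score += 20.0   # path bonus: this finding is a step toward the data store
        ranked.append((round(score, 1), f.vuln_id, f.host in on_path))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print("CVSS only :", rank_by_cvss(FINDINGS))
    print("In context:", [v for _, v, _ in prioritize(FINDINGS, ADJACENCY, ASSET_CRITICALITY)])
```

On this sample the CVSS-only order is D, C, B, A: the 9.8 on the isolated kiosk comes first and the 4.3 on the internet-facing web server last. With reachability and criticality applied the order becomes C, B, A, D, because A, B and C are the three hops between the internet and the data store while D leads nowhere. Removing the database finding empties the path set entirely, which is the check to keep in mind: the path model is only as good as the adjacency data you feed it.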
- Continuous Penetration-Testing and Vulnerability Assessments
I know that some regulations state that you only need one penetration test per year and only have to conduct vulnerability assessments twice a year. However, I’m here to tell you that this cadence is not enough. Cyber-security has made its way all the way up to the boardroom, and your executives want to know how your processes are performing. The only way to properly measure anything is to compare your results to a baseline; testing only once or twice a year does not give you enough data points to establish that baseline, and therefore it is not enough to tell you how you are doing.
Even more than baseline reporting, you need to know what is in your network at all times, and testing only a few times a year will only give you a small snapshot in time. Continuously monitoring your network will not only give you an up-to-date assessment, it will show you patterns that reveal possible areas of compromise above and beyond individual vulnerabilities. Changes happen at a rapid pace, especially in cybersecurity, and continuous monitoring, patching and testing are the only way to know that you are truly reducing the attack surface of your network.
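To make the baseline argument concrete, here is an added example (written for this post, not the author's code) that walks a series of weekly scan snapshots and derives the numbers an executive would actually ask for: how many findings are open, how many are new or closed each week, how long findings take to close, and which findings disappeared and then came back. The four scans, their dates and the `VULN-*` identifiers are constructed; the "reopened" rule (a finding that was previously closed reappears on the same host) is one illustrative pattern of the kind the paragraph above alludes to, such as a patch that was rolled back or a host rebuilt from an old image.

```python
"""
Building a remediation baseline from successive scan snapshots (added example).

Each scan is (date, set of (host, vuln_id) findings); all data below is constructed.
"""
from datetime import date

SCANS = [
    (date(2024, 1, 8),  {("web-01", "VULN-A"), ("app-01", "VULN-B")}),
    (date(2024, 1, 15), {("web-01", "VULN-A"), ("db-01", "VULN-C")}),
    (date(2024, 1, 22), {("db-01", "VULN-C"), ("kiosk-07", "VULN-D")}),
    (date(2024, 1, 29), {("web-01", "VULN-A"), ("db-01", "VULN-C"), ("kiosk-07", "VULN-D")}),
]


def baseline_metrics(scans):
    """
    Return (rows, mean_days_to_close).

    rows: one dict per scan with open/new/closed counts and the list of reopened
          findings (seen before, closed, now back).
    mean_days_to_close: average days between a finding first appearing and the scan
          in which it was no longer present, or None if nothing has closed yet.
    """
    open_since = {}   # finding -> date of the scan in which it (last) appeared
    ever_seen = set()
    closures = []     # days each closed finding stayed open
    rows, prev = [], set()
    for scan_date, curr in sorted(scans):
        appeared = curr - prev
        new = {f for f in appeared if f not in ever_seen}
        reopened = {f for f in appeared if f in ever_seen}   # a recurrence pattern
        closed = prev - curr
        for f in closed:
            closures.append((scan_date - open_since.pop(f)).days)
        for f in appeared:
            open_since[f] = scan_date
        ever_seen |= curr
        rows.append({
            "date": scan_date.isoformat(),
            "open": len(curr),
            "new": len(new),
            "closed": len(closed),
            "reopened": sorted(reopened),
        })
        prev = curr
    mttr = sum(closures) / len(closures) if closures else None
    return rows, mttr


if __name__ == "__main__":
    rows, mttr = baseline_metrics(SCANS)
    for r in rows:
        print(r)
    print("mean days to close:", mttr)
```

With only the first and last scan (the "twice a year" view) you would see two open findings become three and nothing else. Walking every snapshot shows that two findings were actually closed, that closure took 7 and 14 days, and that `VULN-A` on `web-01` came back after being fixed, which is the kind of pattern worth investigating before it is dismissed as one more line item.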
Are you already doing these three things? Most people are not, and some haven’t even thought about vulnerability management this way. I encourage you to keep looking at cyber-security and vulnerability management in new ways, just as the bad actors do. The only way to stay ahead of them is to “Think Like an Attacker.”