Cybercriminals aren’t slowing down, hacking 30,000 sites a day, according to Web Arx Security. In fact, a University of Maryland study clocked a new attack somewhere on the web every 39 seconds — that’s 2,244 daily cyberattacks. “The Hidden Costs of Cybercrime,” a joint report from the Center for Strategic and International Studies and McAfee, estimated monetary losses from cybercrime at $945 billion.
These and other rising security threats mean stop-gap measures or past practices — like quarterly or biannual vulnerability scans — don’t provide the necessary level of defense. While most organizations perform some type of vulnerability scan, the sheer number of potential threats those scans reveal can leave organizations feeling overwhelmed and unclear about how to proceed.
Identifying and scanning is an important aspect of vulnerability management, but it’s just one piece of the puzzle. Organizations failing to see the full vulnerability picture tend to struggle unless they embrace a holistic approach with their vulnerability management program (VMP).
Vulnerability management solutions enable organizations to make strategic security decisions by providing a comprehensive view of all technology vulnerabilities across modern attack surfaces, including active directory, operational technology and the cloud.
The process involves identifying, assessing, managing, and reporting on a wide range of potential threats and vulnerabilities. Companies can use custom or pre-built reports to evaluate and prioritize which vulnerabilities to address first. Vulnerability data collected includes:
● Background information
● Impacted assets
● Exploitability details
A holistic approach offers a much broader spectrum of protection against possible attacks, threats and asset vulnerabilities by eliminating gaps and overlaps. It can seek out hidden vulnerabilities that are difficult to find even as threats become increasingly sophisticated and exploitative.
Critical components for holistic VMPs
To implement a holistic VMP — and create a barrier against threat actors finding and attacking vulnerabilities — first requires that we identify the elements comprising it.
Critical to a VMP’s success, understanding and knowing network architecture is a key component for performing vulnerability scanning. By increasing their scope of asset inventories and classifications, companies can fine-tune the type and frequency of their scans and create protocols for mitigating any vulnerabilities they discover.
Growing asset awareness over time also increases organizations’ abilities to more efficiently and effectively conduct other functions, including compliance and risk management. In time, increased asset awareness also helps determine how best to leverage a program’s threat intelligence to implement more targeted, agile testing/assessments.
This governance helps organizations understand issues blocking greater efficiency or effectiveness in vulnerability management. It’s used to establish, provide higher-level visibility, facilitate alignment with a company’s mission and priorities, and communicate key performance indicators (KPI), service level agreements (SLA) and key risk indicators (KRI) to key decision-makers, including executive leadership. With this governance framework, organizations can identify which assessment, testing or risk management process/techniques might need modification to increase their effectiveness.
Most organizations already use testing and assessments. But some don’t take them far enough. Risk management professionals (or whoever’s in charge of risk management) should link different testing forms to both the risk management functions and the vulnerability governance. The tests should include defined criteria to achieve SLAs, and their effectiveness be measured by specific vulnerability management metrics.
Risk management is a broad umbrella that encompasses threat management/intelligence and incident management. Leveraging results from testing and assessments plus holistic risk management generates a robust risk profile detailing all potential threat exposure and cyberattacks.
The final, integral piece of a VMP, change management, helps GRC professionals manage patches and inform and guide configuration management. This functional area enables organizations to establish communication across individual silos and ensure all stakeholders receive updates and possible impacts of changes.
Best practices for implementing a holistic VMP
Any asset connected to a company’s overall business continuity, architecture or nearly anything with an IP address is fair game for attack. And vulnerability management isn’t just important from a risk management perspective. Many cybersecurity frameworks — HIPAA, NIST and PCI DSS, for example — require it as part of their compliance alignment.
For the best approach to implementing an effective, holistic VMP, companies should:
● Establish a program with buy-in from the executive leadership and clearly defined goals, objectives and scope.
● Identify assets, including customer support, accounting/billing, customer data, proprietary information databanks and other mission-critical systems, plus compliance requirements.
● Choose the right, scalable technology to support and grow as the organization’s needs evolve.
● Identify the business and technical owners and create a consistent, clear communication channel to discuss assets and provide updates/recommendations about associated risks.
● Train employees on the VMP and opt for a democratized, rather than siloed, approach that empowers more employees to buy into, understand and use the program.
● Define scanning frequencies and create SOP to generate and distribute reports to the correct people in a reasonable amount of time.
● Develop remediation processes and activities beyond applying patches — whether it’s hardening default configurations, restricting privileged access or network re-architecting.
● Create sustainable, repeatable processes that maintain the VMP’s effectiveness.
Ultimately, the failure to implement a holistic vulnerability management program leaves businesses open to evolving cybersecurity threats. The right vulnerability management application provides companies with a comprehensive perspective of the organization’s entire attack surfaces. By transforming data into meaningful insights to develop security strategies, companies — and their stakeholders — gain a strong defense against the cyberattack landscape and peace of mind.