Vulnerability management simplified: The core essentials

By Mike Monday

January 30, 2025

In light of today’s evolving threat landscape and high-profile cybersecurity breaches, organizations are facing growing pressure to strengthen their security foundations. These incidents highlight the urgent need for proactive strategies to address vulnerabilities in applications, infrastructure and data. CISOs and security teams can take action now to prepare for potential threats, focusing on a few essential priorities. 

Strengthening foundational security measures to reduce exposure and improve resilience

It all starts with assets. What are you protecting? Asset management is one of the most fundamental and critical enterprise requirements of a strong vulnerability management program. How can you protect what you don’t know about? Most organizations I have worked with over my career struggle to define or understand their asset inventory with any level of confidence. The result is unknown or end-of-life applications and infrastructure on the network, exposing vulnerabilities and leaving the virtual doors and windows to your organization open for a potential malicious insider or adversary to take advantage of.

While I’m not suggesting the security team should own and maintain the enterprise asset management program, it is certainly a key stakeholder and should be consulted to provide key requirements. For example, a strong asset management program should, at a minimum, include key attributes such as location, internal/external facing, versions, owner and associated risk level, which feeds into assigning the criticality of that asset. These key asset attributes, along with a criticality label, allow the organization not only to prioritize and appropriately define controls but also to save remediation time and money in those critical moments during a breach or critical vulnerability event. Know your assets!

Preparing for inevitable breaches with strong recovery plans and scenario planning

In the digital world we now live in, it is not a matter of if, but rather when, an organization will have to respond to a breach. The more prepared you are, and the better you can demonstrate your ability to quickly respond and recover, the more trust you will maintain with your customer base as well as with external regulatory bodies. Organizations should look no further than our military institutions for guidance and model behavior on how to be prepared for any event. Rest assured, they are not sitting around waiting for an attack and figuring it out on the fly. Just as they understand their adversaries and how they behave, they regularly run through exercises to practice responding to every potential scenario.

At a minimum, organizations should be regularly conducting tabletop exercises based on relevant and timely threats and events. As an example, given the rampant and routine occurrence of ransomware attacks, organizations should routinely be walking through their incident response playbooks for how to respond. Do we pay or not pay threat actors? Do we have reliable recovery plans and data backups? How quickly can we recover? These are just a few of the questions you should be looking to have answers to prior to a real-world incident. It is critical to adhere to the playbook and procedures as they are written throughout the tabletop exercise to ensure they are accurate and effective. Any deficiencies noted during the exercise should be addressed, and the playbooks and procedures updated. As the organization’s incident response capabilities mature, the scenarios and exercises should increase in size and complexity. You will only get out what you put into these. Exercise. Exercise. Exercise.

Clarifying roles and responsibilities during incidents to ensure seamless coordination

The dreaded incident call comes in on a Friday evening at 6 p.m. the night before a holiday weekend. For those who have worked in the incident response space, this is the way it always happens. It’s now time to put all the time and effort that has gone into developing playbooks and running through exercises into real-world action. Just as important as the technical procedures to contain and eradicate the situation are clearly defined roles and responsibilities to ensure seamless coordination. Make no mistake, there will always be some level of chaos no matter how prepared you are. However, strong coordination and communication during an incident will keep the chaos to a minimum and allow the team to stay focused on controlling and eradicating the incident.

It is noteworthy that strong incident response plans define roles and responsibilities well outside the technology areas: for example, internal and external legal counsel, public relations, local, state and federal law enforcement and possibly your regulators. In an ideal situation, standing up the incident command center and executing the communication plan should be second nature and go a long way toward managing the chaos and avoiding creating incidents within the incident. Know your role!

Aligning risk tolerance across the organization to enable faster, more effective responses

We now know our assets. We have well-written incident response plans that include clearly defined roles and responsibilities. How do we now prioritize our response and recovery activities in the heat of the moment? This is where an organization’s defined risk tolerance, combined with well-documented asset management including criticality ratings, pays off. Not all assets are created equal. The systems used to publish and display the menu of the day in the cafeteria are obviously not as critical as the systems and infrastructure that run our core customer-facing portal and applications. Sound risk management and asset management practices are also pivotal to an effective vulnerability management program. They allow the vulnerability management teams to monitor, report and prioritize remediation activities through a risk-based lens.

While it is important to focus on maintaining our critical assets, in the mindset of a threat actor, a vulnerability is a vulnerability. The low-hanging fruit for an adversary are those end-of-life applications and devices that cannot be patched and remain connected to our network. These applications and devices expose critical vulnerabilities that give an adversary easy access to exploit and move laterally across our networks and applications. This is a reminder that we can focus on our most critical assets, but bad asset and vulnerability management hygiene can undermine the best-laid plans and programs. Going back to managing the chaos during an incident, knowing our critical assets and infrastructure will also allow the incident response teams to prioritize and focus on critical systems first. This can potentially be a lifesaver and minimize critical data loss and customer impact. Risk management can be complicated. However, complexity kills. Do your best to keep it simple!
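The asset attributes and the risk-based prioritization described in the sections above, as an added example that is not part of the original article or the author's work: a small Python model of an asset inventory carrying the attributes the article names (location, internal/external facing, version, owner, risk level), a criticality label derived from business risk plus exposure, and a triage of scanner findings that ranks them by severity scaled by asset criticality, pushes unpatchable end-of-life assets to the top of the queue, and sets aside findings on hosts the inventory does not know about. The scoring weights, the end-of-life boost, the hostnames and the finding identifiers are all constructed assumptions for this illustration.

```python
"""Risk-based remediation triage driven by asset inventory attributes.

Constructed illustration: the asset attributes are the ones the article names;
the scoring weights, the end-of-life boost and all sample data are assumptions
made for this example and not drawn from any real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    location: str
    external_facing: bool   # reachable from the internet?
    version: str
    owner: str
    business_risk: str      # assumed scale: "low" | "medium" | "high"
    end_of_life: bool = False  # vendor no longer ships patches


@dataclass(frozen=True)
class Finding:
    asset: str        # hostname as reported by the scanner
    finding_id: str   # constructed identifier, not a real CVE
    severity: float   # CVSS-style base score, 0.0-10.0


BUSINESS_RISK_WEIGHT = {"low": 1, "medium": 2, "high": 3}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EOL_BOOST = 40.0  # assumed: unpatchable assets jump the queue (isolate or replace)


def criticality(asset: Asset) -> str:
    """Derive the criticality label from business risk plus exposure."""
    score = BUSINESS_RISK_WEIGHT[asset.business_risk]
    if asset.external_facing:
        score += 1  # wider attack surface than an internal-only system
    return {1: "low", 2: "medium", 3: "high"}.get(score, "critical")


def priority_score(finding: Finding, asset: Asset) -> float:
    """Scanner severity scaled by how much the asset matters, plus an EOL boost."""
    score = finding.severity * CRITICALITY_WEIGHT[criticality(asset)]
    if asset.end_of_life:
        score += EOL_BOOST
    return score


def prioritize(findings: List[Finding], inventory: Dict[str, Asset]
               ) -> Tuple[List[Tuple[float, Finding, Asset]], List[Finding]]:
    """Rank findings on known assets; return unknown-host findings separately."""
    ranked, unknown = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            unknown.append(f)  # inventory gap: cannot be risk-rated, needs owner
            continue
        ranked.append((priority_score(f, asset), f, asset))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked, unknown


# Constructed sample inventory (names, versions and owners are made up).
INVENTORY: Dict[str, Asset] = {
    a.name: a for a in [
        Asset("portal-web-01", "dc-east", True, "web-tier 4.2", "Digital Channels", "high"),
        Asset("cafeteria-menu", "hq-kitchen", False, "signage 2.1", "Facilities", "low"),
        Asset("legacy-fileserver", "branch-12", False, "fileshare 3.x (unsupported)",
              "Finance", "medium", end_of_life=True),
    ]
}

# Constructed scanner output; finding ids are placeholders, not real CVEs.
FINDINGS: List[Finding] = [
    Finding("cafeteria-menu", "FINDING-0001", 9.8),
    Finding("portal-web-01", "FINDING-0002", 7.5),
    Finding("legacy-fileserver", "FINDING-0003", 6.5),
    Finding("printer-07", "FINDING-0004", 5.0),  # host missing from inventory
]


def demo():
    """Run the triage over the constructed data and return the two lists."""
    return prioritize(FINDINGS, INVENTORY)


if __name__ == "__main__":
    ranked, unknown = demo()
    for score, f, a in ranked:
        print(f"{score:5.1f}  {f.finding_id}  {a.name:18} crit={criticality(a):8} "
              f"eol={a.end_of_life} owner={a.owner}")
    for f in unknown:
        print(f"  ?    {f.finding_id}  {f.asset:18} NOT IN INVENTORY")
```

Note that the cafeteria signage carries the highest raw CVSS score yet lands last, while the lower-severity finding on the unsupported file server lands first because it cannot be patched; the finding on the unknown printer is surfaced as an inventory gap rather than silently dropped.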

KEYWORDS: vulnerability, vulnerability assessment, vulnerability management

Mike Monday is Managing Director of Protiviti’s Security & Privacy Practice.