Executive Perspectives

Hallmarks of Successful Threat & Vulnerability Management Programs

Reducing risk can seem complex – and somewhat overwhelming. Having an effective threat and vulnerability management program requires more than wanting to reduce the chances of a breach. Sometimes, companies are going to market so quickly they run out of bandwidth to measure the associated IT risk. Other times, they don’t understand the potential business impact if a critical service or business process is disrupted.

Most of the organizations we have worked with perform some type of vulnerability management. Some take a risk-based approach to identify and quickly remediate vulnerabilities that pose the most risk to the business, and others are primarily compliance-based; they run scans and remediation activities primarily to satisfy regulatory requirements. Some organizations want to move away from reactive vulnerability management processes to a more proactive and comprehensive Threat[1] and Vulnerability[2] Program to identify vulnerabilities and the threats most likely to impact critical business services.

An effective Threat and Vulnerability Management Program requires:

  • An accurate asset inventory that regularly scans assets and quickly identifies vulnerabilities;
  • Monitoring vulnerability data, especially data from vendors that are critical to keeping the business running;
  • Threat modeling to underscore which threats pose the most risk to business services; and
  • Mitigation processes to prioritize and remediate vulnerabilities across the environment.
Asset Inventory

An accurate asset inventory should include the location of the asset and details about the sensitivity level of the data that is accessed, processed or stored by the inventoried asset. To maintain an accurate asset inventory, organizations must regularly ensure it’s accurate. Vulnerability scans should be compared against the asset inventory to identify discrepancies. Scan data can be stored within a Configuration Management Database (CMDB).

The configuration management solutions that manage asset configurations and apply patches can also maintain an accurate asset inventory. Scan data can also be shared with the enterprise GRC (Governance, Risk, and Compliance) tool to quickly identify any assets that are not compliant.

Vulnerability Identification

Organizations should use various methods to identify vulnerabilities. Automated scanning should be performed using both authenticated and non-authenticated means.

  • Authenticated scans use authorized credentials – typically a dedicated higher-permission or domain administrator account – to scan the environment and identify vulnerabilities. They provide a deeper analysis of IT assets and can determine software configurations and versions. Additionally, authenticated scans can better represent a threat such as a targeted attacker that has gained access and is actively identifying and exploiting vulnerabilities.
  • Unauthenticated scans do not attempt to log in to systems to identify vulnerabilities; these types of scans can only identify limited system information like basic configurations and open ports. Unauthenticated scans represent the type of analysis that would be performed by an attacker that has not yet obtained valid credentials, but is attempting to identify and exploit vulnerabilities.
Threat Modeling

Threat modeling uses the asset inventory to determine which assets are the most valuable to the organization and which threats pose the most risk to the high-value assets. Table 1 shows a process to prioritize remediation efforts, based on the likelihood that an identified threat will exploit a vulnerability and its potential business impact.

Likelihood of Exploitation

Severity of Disruption

Minor

Moderate

Major

Severe

Highly Likely

Medium severity

High severity

Critical severity

Critical severity

Likely

Low severity

Medium severity

High severity

Critical severity

Occasional

Low severity

Medium severity

High severity

Critical severity

Not Likely

Low severity

Medium severity

High severity

Critical severity

Table 1. Example Vulnerability Risk-Rating Table

Based on the results, organizations can develop procedures to mitigate the risk to business services. These may include applying updates to patch recognized vulnerabilities and performing hardware/software configuration changes to harden endpoints and narrow the attack surface. Once the most critical vulnerabilities are identified and remediated, organizations should consider conducting advanced penetration testing, or “red teaming,” to understand how a threat actor views the attack surface. This should include developing attack scenarios that leverage existing vulnerabilities to determine how effective their detection and prevention capabilities are. If no attack scenario is detected, enterprise security tools should be tuned to alert the security operations team of attacker activity. The organization can also determine whether additional security controls would prevent an attacker from leveraging an existing vulnerability.

Program Formalization

Organizations should develop policy and procedural documentation with responsibilities and specific processes for vulnerability identification, notification, and remediation tasks. This documentation should be approved by an executive sponsor with the authority to audit and enforce it.

The policies and procedures should include:

  • Required vulnerability scan frequency and coverage
  • Roles and responsibilities for assessing the findings and determining how to mitigate the vulnerabilities
  • Processes for determining vulnerabilities’ relative risk ratings. For example, a serious vulnerability affecting a web browser on a server, from which users do not browse the web, would be ranked less serious than the vulnerability rating suggested by a scanning tool
  • Required timeframes for patching or resolving vulnerabilities, based on the vulnerabilities’ relative risk ratings
  • Exception handling – A formal process to handle vulnerabilities that management has decided to accept. Acceptance should be made at the senior level to ensure appropriate visibility and risk ownership
  • A procedure and template for requesting a finding be documented as an accepted risk(s); to include, at a minimum, the following information: 

        -    The affected system name and IP address
        -    The complete finding notification
        -    A short description of the purpose of the affected system
        -    The nature of data the system stores or processes
        -    An explanation describing the need for an accepted risk determination
        -    Integration with change management procedures
        -    Process for validating that a vulnerability has been effectively mitigated 

It is not possible to eliminate all risks; but risks should be mitigated to whatever level is acceptable for each organization based on its security maturity.

Conclusion

To recap, a successful Threat and Vulnerability Management Program includes a comprehensive, well-maintained asset inventory, vulnerability management processes that incorporate threat modeling, integration with enterprise risk management processes, and penetration testing.

By understanding the risks that vulnerabilities pose, organizations can be proactive about developing and implementing the appropriate measures. Ultimately, this program will reduce the potential impact to critical services and ensure the business survives.

[1] Threat - Object (e.g., human or code) that is capable of causing harm to an IT asset such as an attacker and/or malware
[2] Vulnerability – identified security weakness of an asset that can be exploited by a threat