Hard Truths About Vulnerability Management
During the Harden phase of the Harden, Detect, and Respond process, a company focuses on finding weaknesses in its systems, people, software, and more. These weaknesses are known as vulnerabilities, which an attacker will attempt to discover and exploit. After exploitation, an attacker can perform nefarious actions that may lead to the compromise and takeover of a device or account. Vulnerability management is one of the key recurring cycles within Harden.
Finding vulnerabilities in a network environment and remediating them reduces the potential for compromise during an attack. Attackers take the path of least resistance: the vulnerabilities that are easiest to exploit and that yield the most access are targeted first and are often chained together to gain control. Therefore, it's critical to establish a consistent process for the identification and remediation of vulnerabilities. This is no small task, and the enterprise will certainly face the following challenges.
Enterprise Vulnerability Management Challenges
Vulnerability management…
- Is a continuous process with no finish line.
- Is unique to the enterprise's software stack and requires intimate knowledge of how to update each piece of software.
- Requires dedicated staff who know the software stack and have the capability to implement patches and updates.
- May negatively impact production systems and user experience when patches and updates are applied.
- Often requires test environments prior to deployment to avoid those disruptions.
- Can be partly automated, while some updates require user engagement and some require technical knowledge and additional manual remediation effort.
In addition to these direct challenges, there are big-picture, industry-wide challenges that further complicate things. Recently, the National Institute of Standards and Technology (NIST) has been in the news over its backlog in analyzing and enriching CVE records in the National Vulnerability Database (NVD). Enterprises that rely on the NVD for severity scores and affected-product data have been forced to look for alternate sources (the CVE program's own records, vendor advisories, and known-exploited-vulnerability catalogs) to keep their software inventories current and patched.
These problems will never cease. There is no finish line, but the following can support an enterprise's vulnerability management efforts.
- Assign vulnerability responsibility to staff or team
- Empower the team with time, resources, and software to assist in remediation
- Identify critical infrastructure that requires special attention, testing, and validation prior to implementing a patch or update
- Test patches or updates against these critical resources in a test environment
- Prioritize exploitable vulnerabilities in critical areas of the attack surface
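The last point, prioritizing exploitable vulnerabilities on critical parts of the attack surface rather than patching strictly by CVSS score, is shown below as an added example; it is not code from the original article. The scoring weights, the field names, and the four sample findings are assumptions constructed for illustration, and the vulnerability identifiers are placeholders rather than real CVE IDs.

```python
"""Rank vulnerability findings by exploitability and asset criticality.

Added example, not from the original article. The weights below are a
hypothetical scheme: severity is scaled by how valuable and how reachable
the asset is, and a large bump is given to anything already exploited in
the wild, so a lower-CVSS bug on an exposed critical host outranks a
higher-CVSS bug on an internal low-value one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE ID
    host: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    known_exploited: bool   # listed in a known-exploited-vulnerability catalog
    exploit_public: bool    # public exploit code exists but no exploitation seen
    asset_criticality: int  # 1 (low) to 5 (critical), from the asset inventory
    internet_facing: bool   # reachable from outside the network perimeter


def priority_score(f: Finding) -> float:
    """Hypothetical priority score; higher means patch sooner."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.vuln_id}: {f.cvss}")
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"criticality out of range for {f.host}")
    score = f.cvss * f.asset_criticality  # 0 to 50: severity weighted by asset value
    if f.internet_facing:
        score *= 1.5                      # exposed assets are reached first
    if f.known_exploited:
        score += 30                       # active exploitation dominates everything else
    elif f.exploit_public:
        score += 10                       # weaponization is cheap; exploitation likely soon
    return round(score, 1)


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest priority first; ties broken by host and identifier for a stable queue."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.host, f.vuln_id))


def patch_queue(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """The ordered work list a remediation team would pull from."""
    return [(f.vuln_id, f.host, priority_score(f)) for f in rank(findings)]


# Constructed sample findings (assumptions, not real scan output).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "build-agent-07", 9.8, False, False, 2, False),
    Finding("VULN-B", "vpn-gateway-01", 7.5, True, False, 4, True),
    Finding("VULN-C", "erp-db-01", 9.0, False, True, 5, False),
    Finding("VULN-D", "web-portal-02", 5.4, False, False, 5, True),
]

if __name__ == "__main__":
    for vuln_id, host, score in patch_queue(SAMPLE_FINDINGS):
        print(f"{score:6.1f}  {vuln_id:8}  {host}")
```

Run as-is, the queue places the exploited-in-the-wild VPN gateway bug (CVSS 7.5) first and the CVSS 9.8 finding on an internal build agent last, which is the point of the bullet: the scanner's severity number alone is not the patch order. The inputs the score depends on (known-exploited status, asset criticality, exposure) come from sources outside the scanner, so the asset inventory and an exploited-vulnerability feed are prerequisites for this kind of ranking.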
Vulnerability management is one process in the Harden phase of Harden, Detect, and Respond. It is a critical piece in preventing cyber-attacks and is essential to the success of a cybersecurity program. A vulnerability management program must be capable of identifying vulnerabilities and must have an established process for remediating them through the implementation of software patches and updates.