Two security controls, file integrity monitoring (FIM) and security configuration management (SCM), help organizations manage change. The former monitors for unauthorized changes to a system's state, whereas the latter looks for configuration changes that introduce security risk. Both components are crucial to a company's strategy for defending against digital threats. But on their own, they do not provide adequate protection against the tens of thousands of vulnerabilities discovered by researchers each year. While it's impossible to address every flaw, organizations can incorporate another security control that helps them stay on top of the interminable flow of software bugs.

Vulnerability management (VM) helps organizations reduce the risk posed by vulnerabilities. Two requirements drive the need for VM. First, organizations need to reduce security risk by mitigating the highest-risk bugs in a timely manner. Second, in some cases they need VM to achieve regulatory compliance.

As with SCM, there are two primary use cases for vulnerability management. The first use case, assessment, involves running a one-time scan of systems to detail the current state of vulnerabilities, including their risk impact, evidence of existence, and information pertaining to remediation options. IT professionals can then use the scan's findings to prioritize vulnerabilities across assets and produce a report for stakeholders across the company.

Following assessment, organizations can move to the second use case, continuous monitoring, and continuously scan for new vulnerabilities. The scans should encompass all IT assets, with personnel deciding upon the frequency of each asset's scan based upon the business value of that asset. Whenever the scans detect a new vulnerability, automated workflow processes should prioritize the flaw and deliver remediation actions to other parts of the organization.
The use case of continuous monitoring raises an important question: how can organizations be sure they've built an effective VM program that covers every asset? In its guide Security Reference Architecture: A Practical Guide to Implementing Foundational Controls, Tripwire outlines a multi-step system inventory and categorization process. It all starts with inventorying all assets connected to a network. After all, you can't protect what you don't know. Organizations can then move on to identifying critical systems and risk systems. At that point, they should review and classify all known vulnerabilities and associated threats before establishing a patch management process, a computer emergency response team (CERT), and timelines for remediation. Once the program is in operation, companies can use several metrics and criteria identified by Tripwire to review their VM solution's effectiveness across several different business categories. To learn more about how vulnerability management can help your organization reduce risk, please download Tripwire's resource here.
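As an added illustration of the process described above (asset inventory, then prioritizing findings across assets and attaching remediation timelines, with scan frequency driven by business value), the following Python is example code written for this article, not Tripwire's own tooling. The asset inventory, findings, scoring weights and SLA days are all constructed sample values; the vulnerability identifiers are placeholders.

```python
from datetime import date, timedelta

# Constructed sample inventory: business criticality 1 (low) .. 5 (high). Not real systems.
ASSETS = {
    "web-01":    {"criticality": 5, "internet_facing": True},
    "build-srv": {"criticality": 3, "internet_facing": False},
    "kiosk-07":  {"criticality": 1, "internet_facing": False},
}

# Constructed scan findings; "severity" is a CVSS-like 0..10 base score, ids are placeholders.
FINDINGS = [
    {"asset": "web-01",    "id": "VULN-PLACEHOLDER-1", "severity": 9.8, "exploit_public": True},
    {"asset": "build-srv", "id": "VULN-PLACEHOLDER-2", "severity": 7.5, "exploit_public": False},
    {"asset": "kiosk-07",  "id": "VULN-PLACEHOLDER-3", "severity": 9.0, "exploit_public": True},
    {"asset": "web-01",    "id": "VULN-PLACEHOLDER-4", "severity": 4.3, "exploit_public": False},
]

# Hypothetical remediation timelines per priority tier, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TODAY = date(2024, 1, 1)  # fixed reference date so results are reproducible

def scan_interval_days(asset):
    """Continuous-monitoring cadence: higher business value means more frequent scans."""
    return {5: 1, 4: 7, 3: 14, 2: 30, 1: 90}[asset["criticality"]]

def risk_score(finding, asset):
    """Combine vulnerability severity with asset context into one comparable risk score."""
    score = finding["severity"] * asset["criticality"]   # 0 .. 50 before modifiers
    if asset["internet_facing"]:
        score *= 1.5                                     # reachable from outside
    if finding["exploit_public"]:
        score *= 1.25                                    # known public exploit
    return round(score, 1)

def tier(score):
    """Map a risk score to the policy tier that selects the remediation SLA."""
    if score >= 50: return "critical"
    if score >= 25: return "high"
    if score >= 10: return "medium"
    return "low"

def prioritize(findings, assets, today):
    """Rank findings across all assets and attach a remediation due date per SLA tier."""
    rows = []
    for f in findings:
        s = risk_score(f, assets[f["asset"]])
        t = tier(s)
        rows.append({**f, "risk": s, "tier": t, "due": today + timedelta(days=SLA_DAYS[t])})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS, TODAY):
        print(f'{r["id"]:20} {r["asset"]:10} risk={r["risk"]:5} {r["tier"]:8} due {r["due"]}')
```

Note how the kiosk's 9.0-severity finding ranks below a 4.3 on the internet-facing web server: prioritizing by raw severity alone would invert that order.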