There's little doubt that effectively remediating vulnerabilities is an important part of a comprehensive information security strategy. Vulnerabilities in desktops, servers, laptops and infrastructure are commonly involved in intrusions and incidents. For example, the Chthonic malware designed to steal banking details, exploits a known Microsoft Office vulnerability (CVE-2014-1761). While there's a lot to say about the malware itself, patching the vulnerability can prevent it from being successful at infecting a host. It's easy to say that vulnerability remediation is important. It's easy, relatively speaking, to deploy tools to find vulnerabilities as well, but implementing a successful strategy for reducing vulnerability risk in your specific organization is a significant challenge. Individual organizations have distinct cultures, and there's no single strategy that works for every organization. Implementing a culturally inappropriate strategy for vulnerability remediation simply fails to be effective at reducing risk. With that in mind, here are six different strategies for reducing vulnerability risk. If you're responsible for information security or vulnerability management at your organization, consider which of these strategies might be most effective. This isn't about unachievable perfection. It's about the most effective strategy right now.
1. The Fire Brigade
Strategy: Incident Response. Treat vulnerabilities as incidents and respond to them individually, remediating quickly under pressure.
Organizational Profile: Have you ever met someone who really only works well with a tight deadline? Some organizations are the same way. If you work in a culture where routine processes are hard to execute and people only really respond to emergencies, then the best way to get something done is to tie it to a tight deadline.
Pros:
- Fixing the highest risk vulnerabilities is better than doing nothing.
Cons:
- Lots of residual vulnerability risk. By definition, this strategy is only going to hit the high profile vulnerabilities, leaving lots of opportunity for attackers behind.
- Doesn't address root cause. An incident response strategy is unlikely to affect the underlying causes of vulnerability proliferation within an organization.
- Potential for staff burnout. This is probably already a problem for this type of organization, but people eventually get burned out responding to emergencies.
2. Building Blocks
Strategy: Asset Focused. Identify the highest risk assets and fix them first, regardless of specific vulnerability conditions. Rinse and repeat.
Organizational Profile: Do you have system owners who largely correspond to assets or asset types? Can you identify an owner for most of the 'boxes' on your network? If your organization has processes and procedures built around assets, then this strategy may be very effective.
Pros:
- Iterative improvement. As you address high risk assets, you'll continuously reduce the average asset vulnerability risk so that the highest risk assets are consistently lower in objective vulnerability risk.
- Positive feedback loop. System owners won't want to patch individual vulnerabilities all the time and will naturally seek ways to avoid the work by making wholesale changes to reduce vulnerability risk, such as retiring assets and applications more efficiently.
Cons:
- Inefficient use of resources. Addressing individual assets ignores opportunities for systemic improvement. For example, 10 different system owners patching Java on 50 different systems without recognizing that there might be a better way to address Java holistically.
3. Vulcan Logic
Strategy: Vulnerability Focused. Prioritize the vulnerabilities, fix the highest priorities first. Rinse and repeat.
Organizational Profile: Do you have effective workflow systems in place already? Can you assign a task and follow it to completion easily? If your organization operates like a well-oiled machine, then start feeding the machine vulnerabilities.
Pros:
- Seriously effective at reducing vulnerability risk. If you can prioritize and fix vulnerabilities, you'll reduce risk, period.
- Iterative Improvement. If you fix the highest risk vulnerabilities first, you'll continuously reduce vulnerability risk over time.
Cons:
- Only as good as the priorities. You can't fix everything at once, so you'll have to prioritize. Pick the wrong priorities, and you leave risk hanging around to be exploited.
- Potential whack-a-mole. You might be really good at hitting each high risk vulnerability individually, but miss opportunities to make systemic changes to reduce vulnerability risk.
4. The Hive
Strategy: Central Analysis, Distributed Work. Information security performs analysis of the vulnerability scanning results and provides very directed remediation instructions to the larger organization.
Organizational Profile: Does your organization rely on a clear 'tone from the top' to execute effectively? Is Information Security a centralized group in a distributed organization? If your organization operates with a clear chain of command and centralized 'orders,' then focus on building the most effective analysis to reduce risk.
Pros:
- Systematic reduction of vulnerability risk. A centralized strategy that's well executed can follow through on multiple steps without continuously explaining the plan to everyone involved.
- Consistency of risk. If the whole organization executes, then decisions can be made at the level of the whole organization. Done well, this can produce a very responsive information security practice.
Cons:
- Lowest common denominator execution. A centralized analysis many be less tuned to individual execution. The whole organization can only move as fast as its slowest parts.
- Poor analysis, poor results. A misstep in analysis at the top affects all areas, leaving room for systemic problems in the cases of bad analysis.
5. Board of Directors
Strategy: Distributed Analysis and Work, Centralized Tracking. Identify metrics for tracking progress overall, then allow each group within the organization the freedom to reduce vulnerability risk as they see fit.
Organizational Profile: Do the groups across your organization require autonomy in how they work? Do you work in a metrics-focused organization? If your organization likes independence and a results-oriented approach, then focus on the metrics and drive outcomes.
Pros:
- Business-Focused. Choosing metrics that matter to the business can drive for vulnerability risk reductions that matters, rather than
- With different groups executing differently, they can compete based on the metrics and drive improvement.
Cons:
- Bad metrics, bad results. If you choose metrics that don't matter, and there are a lot of them, you'll end up with groups doing busy work rather than reducing risk.
- When groups compete, someone ends up at the bottom. In many organizations, this isn't an issue, but it can create internal conflict.
6. Process Optimizer
Strategy: Reduce Attack Surface. Forget about vulnerabilities and focus on reducing the overall attack surface through aggressive implementation of least privilege and elimination of unnecessary services and systems. Measure the results with vulnerability risk metrics.
Organizational Profile: Does your organization fail to decommission systems effectively? Do people install whatever they want on their systems? If your organization's digital clutter is its own biggest threat, then cleaning house can eliminate serious vulnerability risk.
Pros:
- Dramatic vulnerability risk reduction. Since vulnerabilities exist in applications, eliminating the unneeded applications can dramatically eliminate vulnerabilities.
- Prevent future vulnerabilities. If you've removed an application from your environment, then newly discovered vulnerabilities in that application won't affect you.
- Side-benefits of a well managed environment. Focusing on configurations and reducing attack surface will generally result in a more understood and managed environment, which can have benefits to the business around cost-reduction, operational efficiency, and stability.
Cons:
- Limited duration of effectiveness. Once you've removed most of the unnecessary applications and hardened configurations, you'll be left with the harder to address vulnerabilities in systems you still require.
- High priority risk gap. If you're focused on eliminating attack surface, you might be ignoring serious vulnerabilities in critical systems in the mean time.
As you can see, there are a variety of strategies for reducing vulnerability risk. There's no silver-bullet that will work perfectly across all organizations. While employing the right tools can help, knowing how your organization operates is what will make the difference between an expensive product and an effective program.
Resources:
The Executive’s Guide to the Top 20 Critical Security Controls Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required]. Image header courtesy of ShutterStock.com.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.