A strong vulnerability management program underpins a successful security strategy overall. After all, you can’t defend weak points you don’t know are there.
It is predicted that 2023 will see an average of roughly 1,900 new Common Vulnerabilities and Exposures (CVEs) published per month, up about 13% from the previous year. The growth is driven by increased interconnectedness, the addition of more tools, IoT devices and SaaS services, and the increased risk of human error. With so many ways to inadvertently let attackers into a network, vulnerability management needs to be an area of cybersecurity strength, not weakness, for any organization.
The Center for Internet Security specifically lists vulnerability management as one of its Critical Security Controls (Control 7, Continuous Vulnerability Management, in version 8). Most regulatory frameworks likewise list a strong vulnerability management program as one of the first elements of an enterprise information security program.
This post will outline the five stages of maturity based on the Capability Maturity Model (CMM) and provide a frameworks-based outline for a vulnerability management model that will work.
What is the Capability Maturity Model?
The CMM is a model that helps develop and refine a process in incremental, well-defined steps. The five stages of the CMM are:
- Stage 1: Initial
- Stage 2: Managed
- Stage 3: Defined
- Stage 4: Quantitatively Managed
- Stage 5: Optimizing
Stage 1: Initial Stage of a Vulnerability Management Program
The Initial stage of a vulnerability management program generally has few processes and procedures and is done by an external third party.
- Vulnerability scans are done by a third-party vendor as part of a penetration test or external scan. These scans are typically done from one to four times per year at the request of an auditor or a regulatory requirement.
- The vendor who does the audit will provide a report of the vulnerabilities within the organization.
- The organization will then typically remediate any Critical or High risks to ensure that they remain compliant.
- The remaining information gets filed away once a passing grade has been given.
We’re past the point where security can be treated as just a compliance checkbox. Attacks are spinning out at incredibly fast rates, with 10,000 new strains of ransomware discovered in the first half of last year alone. Checking the box means efforts stop as soon as the basic remediations are done. Managing a platform on an ongoing, zero-trust basis means vulnerability scanning runs on a continuous cycle, not once a year for an auditor.
Stage 2: Managed Stage of a Vulnerability Management Program
In the Managed stage of a vulnerability management program, vulnerability scanning is brought in-house. As internal teams are trained, this allows for more frequent, continuous scans at a sustainable cost.
- The organization defines a set of procedures for vulnerability scanning.
- They purchase a vulnerability management solution and begin to scan on a weekly or monthly basis.
- Unauthenticated vulnerability scans are run, and the security administrators begin to see vulnerabilities from an attacker's exterior perspective. Keep in mind that an unauthenticated scan only sees what is reachable over the network: exposed services and their banners. It cannot reliably enumerate missing local patches or vulnerable software that is not listening on a port, which is why Stage 3 moves to authenticated scanning.
Many organizations in this stage are working with a limited budget, either due to lack of support or simply stretched resources. Often this results in purchasing a basic solution or going with a free, open-source vulnerability scanner (which, like any scanner that holds credentials and reaches every host, must itself be kept patched and maintained). It’s important to get alignment and top-down support before running full speed ahead on this stage.
Accuracy and Prioritization of Vulnerability Reporting
While lower-end solutions do provide a basic scan, they are limited in the reliability of their data collection, their business context and their automation. More sophisticated tools are needed for a reliable, ongoing vulnerability management program, and prioritization is key to taking action on scan results once they are discovered.
Lower-end solutions are problematic in a couple of ways. Take the accuracy and prioritization of your vulnerability reporting, for example. If you begin to send reports to your system administrators with a slew of false positives, you will immediately lose their trust. They, like everyone else these days, are very busy and want to make sure they are using their time effectively. A reliable and accurate report is critical to ensuring that remediation can occur in a timely manner.
The second problem is that even once you have verified that the reported vulnerabilities are real, how do you decide which ones to fix first? Most solutions offer a High/Medium/Low rating or a 1-10 score, and an industry standard such as CVSS is leveraged as a common language for setting priorities. A CVSS base score describes the vulnerability in isolation, however; it says nothing about whether the affected asset is internet-facing, how important it is to the business, or whether a public exploit exists. Solutions like Tripwire IP360 layer risk scoring on top so you can focus on what matters most.
Without a way to prioritize, a critical vulnerability may get exploited while a less important one is patched.
Stage 3: Defined Stage of a Vulnerability Management Program
In the Defined stage of a vulnerability management program, the processes and procedures are at the point where they are well-characterized and are understood throughout the organization.
- The information security team has the support of their executive management and the trust of their system administrators. The information security team has proven that the vulnerability management solution they chose is reliable and safe for scanning on the organization’s network.
- Authenticated vulnerability scans are run on a minimum weekly basis, as recommended by the Center for Internet Security, with audience-specific reports being delivered to various levels in the organization. This goes like clockwork.
- The system administrators receive specific vulnerability reports, while management receives vulnerability risk trending reports.
- Vulnerability management state data is shared with the rest of the information security ecosystem to provide actionable intelligence for the information security team. For example, if an exploit attempt is detected at the external firewall or IDS, a quick correlation can be run in the Security Information and Event Management (SIEM) tool to identify which systems are still vulnerable to that exploit, so the response is scoped to the hosts that actually matter.
At this point, the different players are acting as a team.
Stage 4: Quantitatively Managed Stage of a Vulnerability Management Program
In the Quantitatively Managed stage of a vulnerability management program, the specific attributes of the program are quantifiable, and metrics are provided to the management team.
The following are some vulnerability metrics that every organization should be tracking:
- What percentage of the organization’s business systems have not been recently scanned?
- What is the average vulnerability score of each of the organization’s business systems?
- What is the total vulnerability score of each of the organization’s business systems?
- How long does it take, on average, to deploy operating system updates to a business system once a vulnerability is found (mean time to remediate)?
- How long does it take, on average, to deploy application software updates?
These metrics can be viewed holistically as an organization or broken down by the various business units to see which business units are reducing their risk and which are lagging behind.
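The Stage 3 SIEM correlation and the Stage 4 metrics above both run off the same vulnerability state data, so here is one added example (not Tripwire code) that keeps that data in plain Python structures and answers both: which hosts are still open to a given CVE, and each of the five metrics, including the business-unit breakdown. The host inventory, the findings, the placeholder CVE identifiers, the reference date and the seven-day scan SLA are all constructed for illustration.

```python
"""Vulnerability state data: SIEM-style correlation and Stage 4 metrics.

Added example, not code from the original post or any vendor product. The
inventory, findings, placeholder CVE ids, reference date and scan SLA below
are constructed; the metric definitions follow the questions in the post.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

TODAY = date(2023, 6, 30)   # constructed reference date
SCAN_SLA_DAYS = 7           # assumed: authenticated scans at least weekly

# Constructed inventory: host -> business unit and last successful scan.
HOSTS = {
    "web-01": {"bu": "ecommerce", "last_scanned": date(2023, 6, 29)},
    "web-02": {"bu": "ecommerce", "last_scanned": date(2023, 6, 29)},
    "db-01":  {"bu": "ecommerce", "last_scanned": date(2023, 6, 10)},
    "hr-app": {"bu": "corporate", "last_scanned": date(2023, 6, 28)},
    "fs-01":  {"bu": "corporate", "last_scanned": date(2023, 6, 27)},
}

# Constructed findings, one row per (host, vulnerability). CVE ids are
# placeholders; "fixed" is None while the vulnerability is still open.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "score": 9.8, "kind": "os",
     "found": date(2023, 6, 1), "fixed": date(2023, 6, 8)},
    {"host": "web-02", "cve": "CVE-0000-0001", "score": 9.8, "kind": "os",
     "found": date(2023, 6, 1), "fixed": None},
    {"host": "web-01", "cve": "CVE-0000-0002", "score": 6.5, "kind": "app",
     "found": date(2023, 6, 15), "fixed": None},
    {"host": "db-01", "cve": "CVE-0000-0003", "score": 7.5, "kind": "app",
     "found": date(2023, 5, 20), "fixed": date(2023, 6, 9)},
    {"host": "hr-app", "cve": "CVE-0000-0002", "score": 6.5, "kind": "app",
     "found": date(2023, 6, 20), "fixed": None},
    {"host": "fs-01", "cve": "CVE-0000-0004", "score": 4.3, "kind": "os",
     "found": date(2023, 6, 2), "fixed": date(2023, 6, 5)},
]


def open_findings(findings=FINDINGS):
    return [f for f in findings if f["fixed"] is None]


def hosts_vulnerable_to(cve, findings=FINDINGS):
    """Stage 3 correlation: a perimeter alert names a CVE; which hosts still have it open?"""
    return sorted(f["host"] for f in open_findings(findings) if f["cve"] == cve)


def pct_not_recently_scanned(hosts=HOSTS, today=TODAY, sla_days=SCAN_SLA_DAYS):
    """Metric 1: share of systems whose last scan is older than the SLA, plus the list."""
    stale = [h for h, v in hosts.items() if (today - v["last_scanned"]).days > sla_days]
    return round(100 * len(stale) / len(hosts), 1), sorted(stale)


def score_per_host(findings=FINDINGS, hosts=HOSTS):
    """Metrics 2 and 3: average and total open score per system (0 when nothing is open)."""
    per = {h: [] for h in hosts}
    for f in open_findings(findings):
        per[f["host"]].append(f["score"])
    return {h: {"avg": round(mean(s), 1) if s else 0.0,
                "total": round(sum(s), 1) if s else 0.0}
            for h, s in per.items()}


def mean_days_to_fix(kind, findings=FINDINGS):
    """Metrics 4 and 5: mean detection-to-remediation time for closed findings of one kind."""
    closed = [(f["fixed"] - f["found"]).days
              for f in findings if f["kind"] == kind and f["fixed"] is not None]
    return round(mean(closed), 1) if closed else None


def risk_by_business_unit(findings=FINDINGS, hosts=HOSTS):
    """Total open score per business unit, highest first, to see who is lagging."""
    totals = defaultdict(float)
    for f in open_findings(findings):
        totals[hosts[f["host"]]["bu"]] += f["score"]
    return {bu: round(v, 1) for bu, v in sorted(totals.items(), key=lambda kv: kv[1], reverse=True)}


if __name__ == "__main__":
    print("hosts open to CVE-0000-0001:", hosts_vulnerable_to("CVE-0000-0001"))
    print("not scanned within SLA:", pct_not_recently_scanned())
    print("score per host:", score_per_host())
    print("mean days to fix OS / app:", mean_days_to_fix("os"), mean_days_to_fix("app"))
    print("open risk by business unit:", risk_by_business_unit())
```

Two details matter in practice. The correlation query deliberately filters on open findings only, so a host that was patched after the last scan is still reported until a rescan confirms the fix; that is the conservative answer an incident responder wants. And the "not recently scanned" metric is the one to watch first, because every other number is only as good as the coverage behind it.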
Stage 5: Optimizing Stage of a Vulnerability Management Program
In the Optimizing stage of a vulnerability management program, the metrics defined in the previous stage are targeted for improvement.
This will ensure that the vulnerability management program continuously reduces the attack surface of the organization, which was the purpose for which it was intended.
At this point, the Information Security team should work with the management team to set attainable targets for the vulnerability management program given the business’ current state. Once those targets are met consistently, new and more aggressive targets can be set with the goal of continuous process improvement.
Ensuring the ongoing maturation of your vulnerability management program is key to reducing the attack surface of your organization. The less attackers have to work with, the fewer attacks succeed. Keep in mind, cybercriminals are opportunists. If another network is easier to hack – more attack surface, more low-hanging vulnerabilities, less continuous scanning, patching and oversight – they'll move to greener pastures and leave well-fortified networks behind.
Fortra’s Tripwire Vulnerability Management provides:
- Vulnerability scanning and detection
- Agent-based and agentless monitoring
- Scanning that doesn’t disrupt business operations
- Prioritization of vulnerabilities on a granular level
- Data analysis and reporting dashboards
Learn more about Tripwire's vulnerability and risk management solutions, here.