Cyber Playbook: How to Build a Strong Vulnerability Management Program

November 18, 2021

Contributed by Robert Herjavec, CEO & Founder

A strong Vulnerability Management program is essential to a comprehensive and proactive cybersecurity program. It allows organizations to identify potential security gaps including access points that threat actors can leverage to gain entry into corporate networks and then prioritize these vulnerabilities for remediation.

However, building a robust vulnerability management program can be complex and isn’t without its challenges! Vulnerability management programs that aren’t tuned to the results your enterprise’s specific cybersecurity needs call for waste your team’s time and effort, not to mention your investment.

A strong Vulnerability Management program relies on 5 key components:

  • Asset & Vulnerability Discovery
  • Vulnerability & Risk Prioritization
  • Patch Management
  • Remediation & Exception Tracking
  • Actionable Metrics

Each component comes with its own unique challenges - here are some general considerations that IT teams should keep in mind throughout the program-building process.

Asset and Vulnerability Discovery

Asset Discovery

One of the most common issues in a vulnerability management program lies in Asset Discovery. Many organizations (especially those in manufacturing, healthcare, and critical infrastructure) have operational technology environments that never, or only rarely, get scanned and end up being “out of scope”.

As an example, in a healthcare setting this commonly occurs with the medical device VLANs, which often get an “off-limits” status for scanning and can create a risk that ends up being somewhat “invisible” to the organization. In this scenario, leverage non-scanning (network-based) device discovery or behavioral analytics to determine what the normal behavior of a device is and monitor for a variance. Picture it this way (pun intended): if a network-enabled security camera always acts like a security camera, that’s expected. If that device begins acting like something else, say a wireless access point, it is a good sign that the device needs to be investigated.
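The camera-that-starts-acting-like-an-access-point check above, as an added example that is not part of the original post: it learns a per-device baseline (services answered, outbound ports, peers) from a window of constructed flow records and reports anything new after that window as a variance to investigate. Device names, ports and dates are all constructed.

```python
from datetime import date

# Constructed flow records (src, dst, dst_port, day) standing in for passive
# network discovery / NetFlow output. "cam-17" is a network security camera.
FLOWS = [
    ("cam-17", "nvr-01", 554, date(2021, 11, 1)),        # RTSP video to the recorder: expected
    ("cam-17", "ntp-01", 123, date(2021, 11, 1)),        # time sync: expected
    ("admin-pc", "cam-17", 443, date(2021, 11, 2)),      # admin opens the camera's web UI: expected
    ("cam-17", "nvr-01", 554, date(2021, 11, 3)),
    ("cam-17", "nvr-01", 554, date(2021, 11, 15)),
    ("guest-phone", "cam-17", 67, date(2021, 11, 15)),   # DHCP request answered by the camera
    ("guest-phone", "cam-17", 53, date(2021, 11, 15)),   # DNS served by the camera
    ("guest-phone", "cam-17", 53, date(2021, 11, 16)),
    ("cam-17", "ext-host", 443, date(2021, 11, 16)),     # new outbound destination
]
BASELINE_END = date(2021, 11, 7)   # learning window ends here (assumed)

def profile(flows, device):
    """Observed behaviour of one device: ports it answers on (services),
    ports it talks to (outbound), and the hosts it exchanges traffic with (peers)."""
    served, used, peers = set(), set(), set()
    for src, dst, port, _ in flows:
        if dst == device:
            served.add(port)
            peers.add(src)
        elif src == device:
            used.add(port)
            peers.add(dst)
    return served, used, peers

def variance(flows, device, baseline_end):
    """Compare behaviour after baseline_end with the learned baseline.
    A camera that suddenly serves DHCP/DNS is behaving like an access point."""
    base = profile([f for f in flows if f[3] <= baseline_end], device)
    recent = profile([f for f in flows if f[3] > baseline_end], device)
    return {
        "new_services": sorted(recent[0] - base[0]),
        "new_outbound_ports": sorted(recent[1] - base[1]),
        "new_peers": sorted(recent[2] - base[2]),
    }

def needs_investigation(flows, device, baseline_end):
    """True when any dimension of the device's behaviour drifted from baseline."""
    return any(variance(flows, device, baseline_end).values())
```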

To address this lack of visibility into infrastructure and assets, I suggest broadening your scope! Security teams should work closely with infrastructure and operations teams and with all application and asset owners to ensure blind spots are identified and addressed.

At the end of the day, visibility is key, and organizations need to know where they have technology deployed, even in scenarios where remediation might not be possible or easy. It’s important to always understand the “surface area” of your organization.

Vulnerability Discovery

Scanning is critical for a vulnerability management program. While there are subtle differences in the leading scanners, all use the NIST CVE Data and will generate some form of score based on the Common Vulnerability Scoring System (CVSS). 

Since tuning a scanner requires effort, ensure that your scanning solution:

  • Has a proven track record in your specific industry
  • Can demonstrate the ability to do custom scanning profiles for different parts of the organization
  • Keeps up to date on the CVE Database

Scanning regularly and at a time that is optimal for the remediation cycle is also key. Time the scanning based on your organization’s risk tolerance, compliance mandates, and the number of other asset classes.

Ask your existing or prospective VM service partner these critical questions:

  • How often do you update scanning engines to account for new CVE entries? 
  • How do you validate updates? 
  • How do you ensure CVE entries that were marked as “exempt” from scanning remain exempt when new updates are applied? 
  • What’s your roll-back process? 
  • Can you adjust scan intervals? 
  • Can you modify reporting intervals?

Vulnerability & Risk Prioritization

This component works best with a risk-based approach to vulnerability management. Most organizations set a patching deadline based on the Common Vulnerability Scoring System (CVSS) score of the vulnerability. However, emphasis should be placed on prioritizing which of the high and critical vulnerabilities are most likely to compromise your environment. The key question in managing vulnerabilities should be around data enrichment: what can your service provider do to enhance the raw vulnerability data so that you can make precise risk-based decisions?

Ask Yourself: 

  • How many vulnerabilities meet all of the criteria: critical or exploitable, on essential assets, and exposed? How old are the vulnerabilities that meet these criteria?
  • What’s my policy state for my prioritized segments and how “out of compliance” am I? This question is important since even if thousands of new vulnerabilities emerge, you aren’t measuring what you cannot control. However, if a new vulnerability emerges and it’s not patched according to your policy, that’s an indicator that something may not be working in your program.

Adopt a strategy that optimizes your team's efforts and ensures they address vulnerabilities that are relevant, exploitable, and a significant business risk.
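The two "ask yourself" questions above, worked through as an added example (not code from the original post): findings are enriched with exploitability, asset importance and exposure, the ones meeting all criteria are ranked, and open findings are checked against a patching policy. The SLA table, the `VULN-000x` ids, asset names and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Hypothetical patching policy: maximum days a finding may stay open, per CVSS band
# (an assumption for this example; substitute your organization's policy).
POLICY_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its severity band."""
    for band, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0)):
        if cvss >= floor:
            return band
    return "low"

@dataclass
class Finding:
    asset: str
    vuln_id: str              # constructed placeholder, not a real CVE id
    cvss: float
    first_seen: date
    exploit_known: bool       # enrichment: public exploit / known exploited
    asset_essential: bool     # enrichment: business-critical asset
    exposed: bool             # enrichment: reachable from untrusted networks
    patched_on: Optional[date] = None

def age_days(f: Finding, today: date) -> int:
    """Days the finding was, or has been, open."""
    return ((f.patched_on or today) - f.first_seen).days

def is_crux(f: Finding) -> bool:
    """Critical or exploitable, on an essential asset, and exposed."""
    dangerous = severity(f.cvss) in ("critical", "high") or f.exploit_known
    return dangerous and f.asset_essential and f.exposed

def out_of_policy(f: Finding, today: date) -> bool:
    """Still open and older than the SLA for its CVSS band."""
    return f.patched_on is None and age_days(f, today) > POLICY_SLA_DAYS[severity(f.cvss)]

def triage(findings, today: date):
    """Return (open crux findings, most urgent first), (policy breaches)."""
    crux = [f for f in findings if f.patched_on is None and is_crux(f)]
    crux.sort(key=lambda f: (not f.exploit_known, -f.cvss, -age_days(f, today)))
    return crux, [f for f in findings if out_of_policy(f, today)]

TODAY = date(2021, 11, 18)
FINDINGS = [  # constructed sample findings
    Finding("web-01", "VULN-0001", 9.8, date(2021, 10, 20), True, True, True),
    Finding("db-02", "VULN-0002", 7.5, date(2021, 11, 10), False, True, False),
    Finding("kiosk-03", "VULN-0003", 5.3, date(2021, 6, 1), True, True, True),
    Finding("hr-app-04", "VULN-0004", 9.1, date(2021, 11, 1), False, True, True, date(2021, 11, 12)),
]
```

Note that `kiosk-03` is only CVSS "medium" yet ranks as crux and as a policy breach because a known exploit exists on an exposed essential asset, which is exactly the signal a pure CVSS threshold would miss.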

Patch Management

The biggest challenge in Patch Management is that the patching policy often competes in priority with other IT or business initiatives. The security team may end up being a “drag force” in moving the business forward. Three components help alleviate this drag force:

  1. Risk-Based Vulnerability Management as defined earlier helps reduce the noise and provides IT more precision on what to patch and how critical the patch is.
  2. Patch management gets easier when the vulnerability management platform is integrated with the ITSM platform for creating tickets and tracking progress. Ask your vulnerability management vendor how they plan to integrate with your existing ITSM platform.  
  3. Understanding that patch management is not the only treatment available for addressing vulnerabilities. Other approaches that may be less ideal from a pure security perspective can enable business operations while still addressing the vulnerability. This includes leveraging compensating controls and risk acceptance, configuration changes and system hardening, and network segmentation, to mitigate the risk of vulnerabilities.

Remediation and Exception Tracking

Some well-run vulnerability management programs have provisions for self-service scanning, especially in environments where there’s an application development organization that’s spitting out code faster than the normal scanning interval would be able to keep up with. If this scenario applies to your organization, ask your existing or prospective service providers what provisions they have for on-demand scanning. It can be valuable for validating whether or not a vulnerability has been patched.

Actionable Metrics

Implementing the right metrics will help you make better decisions for your vulnerability management program and your security-driven business operations. Meaningful and quantitative metrics can justify and quantify your actions, decisions, and resource utilization while also helping you identify your vulnerability management program's shortcomings.

Gartner's Shilpi Handa recommends focussing on operational and executive metrics that measure performance, prompt actions, and convey the value delivered by the vulnerability management capability. This could include:

  • Average days to patch critical systems with critical patches
  • Percentage of vulnerabilities that were unable to be patched
  • Number of security incidents caused by exploited vulnerabilities
  • Investments to support faster or slower patch times

Taking an action-oriented approach to communicating your metrics will help gauge progress and give a clear path to deal with a status that isn’t ideal.
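The metrics listed above, computed over constructed remediation records as an added example (not code from the original post). The records, the SLA table used for the "open past SLA" prompt, and the reporting date are all assumptions; "investments" is a budgeting figure and is not derived here.

```python
from datetime import date
from statistics import mean

TODAY = date(2021, 11, 18)                                                 # reporting date (assumed)
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}          # patch policy (assumed)

# Constructed remediation records for one reporting window. "disposition" is
# "patched", "exception" (compensating control or accepted risk) or "open".
RECORDS = [
    {"asset": "core-sw-01", "asset_critical": True,  "severity": "critical",
     "opened": date(2021, 9, 1),   "closed": date(2021, 9, 10),  "disposition": "patched",   "incident": False},
    {"asset": "erp-01",     "asset_critical": True,  "severity": "critical",
     "opened": date(2021, 10, 5),  "closed": date(2021, 10, 20), "disposition": "patched",   "incident": False},
    {"asset": "kiosk-03",   "asset_critical": False, "severity": "critical",
     "opened": date(2021, 10, 1),  "closed": date(2021, 10, 30), "disposition": "patched",   "incident": False},
    {"asset": "ot-plc-07",  "asset_critical": True,  "severity": "critical",
     "opened": date(2021, 8, 15),  "closed": date(2021, 9, 1),   "disposition": "exception", "incident": False},
    {"asset": "web-01",     "asset_critical": True,  "severity": "high",
     "opened": date(2021, 10, 10), "closed": None,               "disposition": "open",      "incident": True},
]

def avg_days_to_patch_critical(records):
    """Average days to patch critical patches on critical systems; None if nothing qualifies."""
    days = [(r["closed"] - r["opened"]).days for r in records
            if r["asset_critical"] and r["severity"] == "critical" and r["disposition"] == "patched"]
    return round(mean(days), 1) if days else None

def pct_unable_to_patch(records):
    """Share of findings in the window that could not be patched and were closed by exception."""
    if not records:
        return 0.0
    return round(100 * sum(r["disposition"] == "exception" for r in records) / len(records), 1)

def incidents_from_exploited_vulns(records):
    """Findings linked to a security incident before they were remediated."""
    return sum(1 for r in records if r["incident"])

def open_past_sla(records, today, sla_days):
    """Open findings older than their SLA: the action prompt for the operations audience."""
    return [r["asset"] for r in records
            if r["disposition"] == "open" and (today - r["opened"]).days > sla_days[r["severity"]]]

def metrics_report(records, today=TODAY):
    """One dict suitable for both the executive summary and the operational view."""
    return {
        "avg_days_to_patch_critical": avg_days_to_patch_critical(records),
        "pct_unable_to_patch": pct_unable_to_patch(records),
        "incidents_from_exploited_vulns": incidents_from_exploited_vulns(records),
        "open_past_sla": open_past_sla(records, today, SLA_DAYS),
    }
```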

Next, your team should develop a strategy to communicate these metrics to the appropriate audiences. Strong vulnerability management program metrics are useless when not properly communicated. Consider your audience and their key objectives. When conveying the value of your vulnerability management program, executive and board-level teams will respond best to metrics that show the program's business value. For operations teams, showing the metrics are actionable helps them see what is being done right and where improvements could be made.

Vulnerability Management can feel complicated and tedious, but it is a critical security process and there are many ways to optimize your enterprise vulnerability management program to achieve your specific desired results. Start with the points I've listed above and then begin adding in components that meet your enterprise's unique cybersecurity needs.


The team at Herjavec Group is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the HG Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of HG’s experts will provide advice and insights based on their extensive experience in the infosec industry. Make sure to subscribe below and feel free to connect with us about topics and questions you would like to see covered.
