Best Practices for Vulnerability Management: The Key to Managing Risk

New virus on the scene? Mad rush to deploy anti-virus software. Spyware appears. Better get some anti-spyware tools. Network intrusions? Let’s add a firewall. These reactive approaches may plug the holes, but plugging holes one at a time isn’t risk management. That’s where vulnerability management comes in.

“Anti-spyware and antivirus tools address specific threats,” said Michael Montecillo, an analyst at Enterprise Management Associates. “Companies are constantly adding new technology to address the latest threat. Vulnerability management looks at the overall amount of risk in an environment. The only reason you get affected by malware is if there is a weakness in your infrastructure that can be exploited. So, the idea is to minimize risk by eliminating the areas where you are vulnerable.”

He cites credit card processing as an example. There is a move under way to make vulnerability management applications mandatory there, because of the massive consequences of malware-induced disruption and of confidential credit card information ending up in the wrong hands. While other industries don’t yet face regulatory pressure to adopt this technology, it is probably a sign of things to come.

The whole point is to be continuously evaluating the infrastructure for possible threats and taking action proactively. Test after test must be conducted to ensure there are no cracks in the network. As a best practice, Montecillo recommends deploying any new application in a test environment first. By validating that the new application meets a base level of security before adding it to the production environment, problems can be minimized if not eliminated altogether.

“It’s expensive to fix things once you go live,” said Montecillo. “It is better to test for vulnerabilities and fix them before broadly implementing a new application or production environment.”

Vendor View

While there is plenty of process involved in vulnerability management, Montecillo doesn’t recommend that organizations attempt to reinvent the wheel. There are many tools that can act as a catalyst for vulnerability management best practices. Not all of them will necessarily work in your environment, so product demos and free trials should be used to find the one that fits best. As well as the big boys such as CA and Symantec, vulnerability management tools are on offer from smaller vendors such as nCircle, Qualys and eEye.

“These tools identify the environment and do the vulnerability assessment for you,” said Montecillo. “They simplify the process, create a reporting methodology and allow you to conduct assessments in a repeatable way. I’d recommend that companies look for a process that is quick, repeatable and doesn’t take up a lot of resources.”

nCircle defines vulnerability management as the continual process of measuring and managing the risk presented by flaws in software and configuration within an organization. The process generally includes comprehensive discovery and profiling of network assets, assessment of each asset for applications and vulnerabilities within those applications, prioritization of the assets and vulnerabilities, and finally workflow for remediation of the prioritized conditions.

“Many tools provide some piece of the vulnerability management process, assessing only network vulnerabilities, Web application vulnerabilities, or configuration,” said Tim Erlin, principal product manager at nCircle. “It’s important to remember that all of these can present risk in an environment, and leaving any one out leaves the vulnerability management puzzle missing pieces.”
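The four-stage process nCircle describes above (discovery and profiling, assessment, prioritization, remediation workflow) is easier to reason about when the hand-offs between stages are written down. The following is an added example, not nCircle’s or any vendor’s code: a toy pipeline that diffs two discovery sweeps, joins assessment findings to the current inventory, ranks them by environment risk rather than raw CVSS, and emits the input a remediation workflow would consume. The hosts, findings, VULN-* identifiers, criticality scale and scoring weights are all constructed for illustration and are not real advisories or a published scoring method.

```python
"""Toy vulnerability-management pipeline: discovery -> assessment -> prioritization -> workflow.

Added example. All hosts, findings, identifiers and weights below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # assumed scale: 1 (lab box) .. 5 (card-processing system)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real advisory
    kind: str               # "network", "webapp" or "config" (the three classes the article names)
    cvss: float             # base score 0.0 - 10.0
    exploit_public: bool


# Constructed inventory from two discovery sweeps a day apart.
SWEEP_MONDAY = {
    "pay-gw-01": Asset("pay-gw-01", 5, True),
    "intranet-wiki": Asset("intranet-wiki", 2, False),
    "build-box": Asset("build-box", 3, False),
}
SWEEP_TUESDAY = {
    "pay-gw-01": Asset("pay-gw-01", 5, True),
    "intranet-wiki": Asset("intranet-wiki", 2, False),
    "shadow-db": Asset("shadow-db", 4, True),   # appeared overnight, never assessed
}

# Constructed assessment results spanning all three finding classes.
FINDINGS = [
    Finding("pay-gw-01", "VULN-A", "network", 7.5, True),
    Finding("pay-gw-01", "VULN-B", "config", 4.0, False),
    Finding("intranet-wiki", "VULN-C", "webapp", 9.8, True),
    Finding("intranet-wiki", "VULN-D", "config", 5.3, False),
    Finding("build-box", "VULN-E", "network", 6.5, False),   # host no longer present
]


def discover(previous, current):
    """Continuous discovery: diff two sweeps. New hosts carry no risk figure until
    assessed; vanished hosts should have their open findings closed, not ignored."""
    new = sorted(set(current) - set(previous))
    gone = sorted(set(previous) - set(current))
    return new, gone


def risk_score(asset, finding):
    """Rank by risk in this environment, not raw CVSS: a 9.8 on a low-value internal
    box can legitimately rank below a 4.0 on an exposed payment system. Weights are assumptions."""
    score = finding.cvss * asset.criticality
    if asset.internet_facing:
        score *= 1.5
    if finding.exploit_public:
        score *= 1.5
    return round(score, 1)


def prioritize(assets, findings):
    """Join findings to the current inventory; return (ranked list, stale findings)."""
    ranked, stale = [], []
    for f in findings:
        asset = assets.get(f.host)
        if asset is None:
            stale.append(f)          # finding on a host discovery no longer sees
            continue
        ranked.append((risk_score(asset, f), f))
    ranked.sort(key=lambda t: (-t[0], t[1].host, t[1].vuln_id))
    return ranked, stale


def remediation_queue(previous, current, findings, sla_threshold=40.0):
    """Produce the workflow input: ordered tickets, coverage gaps and closures."""
    new_hosts, gone_hosts = discover(previous, current)
    ranked, stale = prioritize(current, findings)
    tickets = [
        {"host": f.host, "vuln": f.vuln_id, "kind": f.kind, "risk": s,
         "priority": "P1" if s >= sla_threshold else "P2"}
        for s, f in ranked
    ]
    return {
        "tickets": tickets,
        "unassessed_hosts": new_hosts,          # discovery found them; assessment has not run
        "close_as_decommissioned": [f.vuln_id for f in stale],
        "gone_hosts": gone_hosts,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(remediation_queue(SWEEP_MONDAY, SWEEP_TUESDAY, FINDINGS), indent=2))
```

Two things the output makes visible that the prose only implies: the CVSS 9.8 web-application flaw on the internal wiki ranks below a CVSS 4.0 configuration finding on the internet-facing payment gateway once asset criticality and exposure are weighed, and the host that appeared between sweeps shows up as a coverage gap rather than silently scoring zero. Leaving out any of the three finding classes would simply drop rows from the ranking with nothing to indicate they were ever missing.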

Erlin’s best practices for vulnerability management are as follows:

Comprehensive Discovery and Profiling – You can only accurately assess risk given a comprehensive inventory of what exists in the organization. Since the network is generally not a static entity, a continuous and comprehensive discovery process is a requirement.