Prioritization of Assets and Risk – Every vulnerability management tool will produce more work than an organization can accomplish; therefore, every vulnerability management program must provide a mechanism for prioritizing the results so that the highest risk is addressed first—even if all the discovered vulnerabilities are critical.
Workflow for Remediation – Ultimately, no vulnerability management program can succeed if the process for addressing risk is broken. The right tools can support an effective workflow with open interfaces for automation, built-in ticketing systems, and accurate data, but each organization differs in how it assigns ownership and responsibility.
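The prioritization point above can be made concrete: when every finding is "critical" by scanner severity alone, the severity score cannot order the work. The following added example (not code from the article or from any tool it mentions) ranks constructed findings by combining scanner severity with asset criticality, exposure and exploit availability; the weights and sample findings are assumptions chosen for illustration, not a published scoring standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float             # scanner base severity, 0.0-10.0
    asset_criticality: int  # 1 (lab box) .. 5 (revenue-critical); assigned by the asset owner
    internet_facing: bool   # reachable from outside the perimeter
    exploit_public: bool    # working exploit is publicly available


# Assumed multipliers: exposure and exploit availability raise likelihood, so they scale the score.
INTERNET_FACING_FACTOR = 1.5
EXPLOIT_PUBLIC_FACTOR = 1.25


def risk_score(f: Finding) -> float:
    """Combine scanner severity with business context into one comparable number."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= INTERNET_FACING_FACTOR
    if f.exploit_public:
        score *= EXPLOIT_PUBLIC_FACTOR
    return round(score, 2)


def prioritize(findings):
    """Return findings in remediation order: highest risk first, id as a stable tiebreaker."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))


def by_severity_only(findings):
    """The naive ordering a raw scanner report gives: CVSS descending, id as tiebreaker."""
    return [f.finding_id for f in sorted(findings, key=lambda f: (-f.cvss, f.finding_id))]


# Constructed sample: all four findings are 'critical' by CVSS, so severity alone cannot rank them.
SAMPLE = [
    Finding("F-1", "build-agent-07", 9.8, 2, False, True),
    Finding("F-2", "payments-api", 9.1, 5, True, False),
    Finding("F-3", "hr-portal", 9.8, 4, True, True),
    Finding("F-4", "dev-laptop-12", 10.0, 1, False, False),
]

if __name__ == "__main__":
    print("severity only :", by_severity_only(SAMPLE))
    print("risk ranked   :", [(f.finding_id, risk_score(f)) for f in prioritize(SAMPLE)])
```

Note that the finding with the highest CVSS (F-4, an isolated developer laptop) drops to the bottom of the queue once asset criticality and exposure are considered, while the internet-facing HR portal with a public exploit moves to the top.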
“Before acquiring a vulnerability management tool, examine the processes in place for applying patches and upgrading to determine where they should change and where a tool can assist with automation,” said Erlin. “Use that data to inform the product evaluation process, but don’t eliminate all flexibility. The right tool will support the process, but that doesn’t mean the process won’t need to adapt or change at all.”
Ben Greenbaum, senior research manager at Symantec Security Response, adds that the most common misperception about vulnerability management is that it starts and ends with patches. Simply subscribing to the vendor’s mailing list to stay up to date with the latest information is not enough.
“Many vendors withhold information about vulnerabilities until they have a patch ready (or longer) but there is always some reparative or mitigating action that can be taken in the interim,” said Greenbaum. “However, there are advanced vendor services available that can keep your IT staff abreast of the most recent vulnerability discoveries and provide actionable advice well before the vendor ever mentions the issue publicly.”
On the security side, he stresses good habits. The probability and impact of exploitation of any vulnerability can be lessened by maintaining an environment of least possible privilege: if connectivity to a particular service or system isn’t required from all points, limit it to only those points that require it; deploy firewalls to enforce these limitations; and introduce Intrusion Prevention (IPS) and Intrusion Detection products to monitor and prevent attempts to breach the perimeter.
Finally, an obvious best practice is to apply patches as soon as possible. It’s not always possible to apply them immediately as critical systems need to be tested. This process can be sped up with either a dedicated lab or virtual environment set up to allow this testing to proceed as quickly as possible.
Collaboration Extends Beyond IT
All of the above best practices, though, could result in little progress if IT attempts to make vulnerability management an IT-only matter. The whole idea doesn’t work if it’s siloed into one team or department. It has to encompass operations, security, facilities and, of course, top management.
“Vulnerability management is an ongoing process that will affect a large area within any organization,” said Montecillo. “It takes a collaborative effort from a technological and a political standpoint.”