A foundational strategy for implementing a vulnerability management program

For an organization, it is crucial to determine the right strategy for implementing a vulnerability management program. While many industry leaders offer various solutions, selecting the best-fit option for the organization's needs is a key factor. The initial questionnaire plays a vital role in identifying and finalizing the organization's requirements, helping to choose a solution based on scalability and suitability.

This strategy is essential for identifying, prioritizing, and addressing security vulnerabilities within an organization's IT infrastructure. It should cover the entire vulnerability management workflow, from identifying vulnerabilities to mitigating associated risks. A robust vulnerability management strategy typically includes the following key components:

Asset Inventory and Classification

An organization should have a clear understanding about their IT landscape, and must maintain and classify their assets based on their criticality. The National Institute of Standards and Technology (NIST) SPECIAL PUBLICATION 1800-5 provides comprehensive solution for IT Asset Management which help an organization to track the location and configuration of networked devices and software across an enterprise. A discovery scan should also be conducted regularly to identify new assets, ensuring the asset inventory remains up to date.

Vulnerability Identification and Discovery

There are several industry-leading solutions available, such as Qualys, Tenable, InsightVM, Nexpose, and Microsoft Defender, which assist organizations in network discovery by identifying rogue or unauthorized devices, detecting new assets, and providing a detailed network map.

However, to ensure comprehensive scan coverage, it is crucial to determine and configure the appropriate scan frequency, select the right scanning policies, and decide between authenticated and unauthenticated scanning approaches.

Triaging and Reporting

Triaging is the process of identifying and eliminating false positives before reporting vulnerabilities to the relevant stakeholders for remediation. Integrating this step into the vulnerability management program is crucial, as it streamlines the remediation process, minimizes unnecessary efforts, and accelerates resolution across the organization.

It is also necessary to identify an actual risk associated with vulnerabilities. NIST 800-30r1 recommends to include 5 bare minimum parameters to identify an actual risk to provide a common expression of essential elements of an effective risk assessment.

1. Identify Threat Source and Events - Threat Intel reports stating the event of exploitation. (High Likelihood)

2. Identify Vulnerability and Predisposing conditions - CVSS vulnerability Scoring (Base & Temporal Score)

3. Determine Likelihood of occurence - EPSS / CVSS (consider both V2 and V3)- Maturity of exploitability (Temporal Score Metrics)

4. Determine Magnitude of Impact - Asset Significance, Environmental Impact & Exposure Prevalance

5. Determine Risk - Custom Risk Score basis upon all the parameters.

Dashboard for key stakeholders

Defining appropriate Key Performance Indicators (KPIs) and selecting the right metrics are essential for effectively reporting identified risks to key stakeholders. This enables them to take proactive measures to address the risks associated with open and unattended vulnerabilities.

Periodic Review, Monitoring and Validation

To ensure the effectiveness of the vulnerability management program, it is essential to periodically review asset coverage, business-as-usual (BAU) activities, and scan exclusions, along with the risk acceptance process. The governance body should involve all stakeholders and regularly validate and monitor the program's effectiveness.

Overall, A foundational strategy encompasses all the necessary elements to establish a robust, risk-based vulnerability management program. Additionally, a well-defined roadmap should be designed and followed to achieve the desired maturity level, ensuring effective vulnerability management and risk reduction program across the organization.