Steps for Successful Vulnerability Management: Lessons from the Pitch
When I was younger, I played a variety of team sports and enjoyed competing against opponents with my teammates. Winning was always a matter of applying sound tactics and strategy, attacking and defending well and using a blend of skill, talent and luck. Now that I’m older, I watch more than I play, and I’m able to appreciate the many lessons team sports teach, especially at the professional level. With sports, we can tackle technical topics in a relatable way. In this post, I take on vulnerability management (VM). The key word here being “management,” an active and continuous approach to dealing with risk. Like the dynamic action on a ball field, vulnerability management is something that is always changing and rarely predictable. It also requires active participation.
There is an aphorism in sports that defense wins championships. While there is some debate about this in the sporting world, defending the enterprise against a data breach is a required business practice. Continuous Vulnerability Management remains Control 3 in the CIS Critical Security Controls (version 7); it contributes to the defense that wins business.
To understand vulnerability management, it helps to have a common definition of vulnerability. A misconception about this term is that it is monolithic and binary. How often have we heard someone say “We need to patch a vulnerability”? This framing is dangerous because it assumes a vulnerability is a singular thing that can be fixed and forgotten. Shifting the focus to what it is we want to protect, rather than to any specific weakness, changes the question to “how vulnerable are we?” In other words, “how likely is it that a threat can cause harm to my critical asset?” Soccer offers a good analogy: the critical asset is the goal, and the threat is the opposing team attempting to score. The goal is always vulnerable to attack; it is less vulnerable when defenders and a goalkeeper are present and more vulnerable when they are absent (which doesn’t mean the attacker will score, only that it is more likely).
Managing vulnerabilities is the process of decreasing the likelihood a threat can cause damage. SANS has developed a simple framework which outlines the steps for successful vulnerability management: Prepare, Identify, Analyze/Assess, Communicate and Treat (PIACT).
Prepare
In sports, preparation is vital: practicing, fitness conditioning, and studying tactics and strategy are all part of creating a winning team. Vulnerability management is the same: identify the key assets to protect, determine their level of importance, develop a plan to evaluate their weaknesses and know how to respond when weaknesses are found.
Like a successful sports team, a business team will need to come together to identify critical assets, determine their risk tolerance and determine a plan to identify and treat vulnerabilities. The players are IT and security professionals, systems owners and executive leadership. With a full team effort, assets can be appropriately classified, and patching and remediation plans won’t conflict with business objectives. The team itself is part of the risk management process.
Identify
Identification is the first step in enacting the plan. A football coach needs to know which players are ready for the game, which are injured and which match up well against an opponent. Similarly, a VM team will be looking to identify which assets need protecting and begin to prioritize them. Which assets have critical uptime requirements? Which hold the most valuable data? Which sit in exposed locations?
Every place where critical data is stored or valuable processes occur needs to be identified. This includes cloud services, servers and even mobile devices. Access paths to those assets also need to be evaluated as potential points of exposure.
One way to automate this process is asset discovery. Running a scan to find every device with an IP address on your network is one way to reconcile (or create) your asset inventory (CIS Control 1, Inventory and Control of Hardware Assets). Expect the two to disagree in both directions: hosts that answer on the wire but are not in the inventory are the ones most likely to be unowned and unpatched, while inventory entries that never answer may be decommissioned or simply sit on a segment the scanner cannot reach. This can also become an integral part of the next phase, which is to analyze and assess the environment.
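The reconciliation just described, as an added example that is not part of the original post: it parses a discovery scan in nmap's grepable (-oG) format and compares the live hosts against an inventory in both directions. The scan output, addresses, hostnames and inventory entries are constructed for the example; the -oG line layout (tab-separated `Status:` and `Ports:` fields, `port/state/protocol/owner/service/rpc-info/version/` entries) is nmap's real format.

```python
import ipaddress
import re

# Constructed sample of nmap grepable output, as a discovery sweep such as
# `nmap -sn -oG - 10.0.0.0/24` (Status lines) or a follow-up service scan
# (Ports lines) would emit. Addresses, hostnames and ports are invented.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 (db01.corp.example)\tStatus: Up
Host: 10.0.0.5 (db01.corp.example)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.9 (printer-3f)\tStatus: Up
Host: 10.0.0.12 (build01.corp.example)\tStatus: Down
# Nmap done (constructed sample)
"""

# Constructed asset inventory keyed by IP: what the CMDB believes exists.
INVENTORY = {
    "10.0.0.5":  {"name": "db01",    "owner": "data-platform", "tier": "critical"},
    "10.0.0.12": {"name": "build01", "owner": "ci-team",       "tier": "high"},
    "10.0.0.20": {"name": "vpn-gw",  "owner": "netops",        "tier": "critical"},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname", "up", "ports"}} from nmap -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment and blank lines
        ip, hostname, rest = m.groups()
        h = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for fld in rest.split("\t"):
            key, _, value = fld.partition(": ")
            if key == "Status":
                h["up"] = (value == "Up")
            elif key == "Ports":
                h["up"] = True            # nmap only lists ports for live hosts
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc-info/version/
                    port, state, proto, _owner, service = entry.split("/")[:5]
                    if state == "open":
                        h["ports"].append((int(port), proto, service))
    return hosts


def reconcile(discovered, inventory):
    """Compare live hosts with the inventory; both directions matter."""
    live = {ip for ip, h in discovered.items() if h["up"]}
    known = set(inventory)

    def by_ip(ips):
        return sorted(ips, key=ipaddress.ip_address)   # numeric, not lexical

    return {
        "unknown":   by_ip(live - known),   # answering on the wire, not in inventory
        "missing":   by_ip(known - live),   # in inventory, not answering
        "confirmed": by_ip(live & known),
    }


def report(result, discovered, inventory):
    """Human-readable lines for the two kinds of discrepancy."""
    lines = []
    for ip in result["unknown"]:
        h = discovered[ip]
        svc = ", ".join(f"{p}/{proto} {s}" for p, proto, s in h["ports"]) or "no open ports seen"
        lines.append(f"UNKNOWN  {ip:<12} {h['hostname'] or '(no PTR)':<22} {svc}")
    for ip in result["missing"]:
        a = inventory[ip]
        lines.append(f"MISSING  {ip:<12} {a['name']:<22} tier={a['tier']} owner={a['owner']}")
    return lines


if __name__ == "__main__":
    hosts = parse_grepable(SCAN_OUTPUT)
    print("\n".join(report(reconcile(hosts, INVENTORY), hosts, INVENTORY)))
```

On the constructed data, 10.0.0.7 (a web server with no DNS name) and the printer are unknown to the inventory, while build01 and the VPN gateway are listed but did not answer; the unknown web server is the kind of host that ends up in the assessment phase with no owner to receive its findings.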
Analyze / Assess
Elite sports teams utilize advanced techniques to analyze the fitness and health of the athletes. I heard a story of a Tour de France cyclist who had every aspect of his day managed during the race: when to eat, what to eat, how much, when to drink and when to…everything else. The nutritionists and specialists had studied the cyclist during training to the point that they knew exactly what he needed and when to produce the fastest ride.
That same level of rigor needs to be applied to our most critical IT assets when evaluating risk. Understanding what controls are currently in place, what controls need to be implemented and what impact an exploited weakness would have can certainly help determine an asset’s security posture. The assessment results in a prioritization and a recommendation for how to proceed.
Performing a risk assessment can be as simple as running a vulnerability scan or as complex as evaluating all the controls affecting the asset. The deeper the analysis, the more complete the view, so doing as much as is reasonable is recommended. A good start would be to review access controls (who can reach the asset, and with what privileges) and then to run an authenticated vulnerability scan with something like Tripwire IP360 and a CIS configuration benchmark with Tripwire Enterprise. Authenticated matters here: an unauthenticated scan only sees what the network exposes, while credentials let the scanner check installed package versions and local configuration, which is where most of the findings that need treating actually live. This will provide a good start for evaluating the technical controls in place.
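The prioritization this phase produces, as an added example that is not part of the original post: it combines scanner findings with the answers to the Identify questions (data value, uptime, exposure) and with the controls already in place, and ranks the result. The weighting scheme is an assumption of this example, not a standard or Tripwire's method, and the assets and findings are constructed; the point it makes is that the same critical CVE can rank differently on two assets once exposure and compensating controls are counted.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    # Answers to the Identify questions, each on a 1 (low) to 3 (high) scale.
    name: str
    data_value: int    # how valuable is the data it holds?
    uptime: int        # how critical are its uptime requirements?
    exposure: int      # 1 = isolated segment, 2 = reachable from user LAN, 3 = internet-facing


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: float                         # scanner-reported CVSS base score, or an
                                            # assigned 0..10 for a benchmark failure
    exploit_available: bool
    compensating_controls: Tuple[str, ...] = ()


def risk_score(f: Finding, assets: Dict[str, Asset]) -> float:
    """Illustrative weighting (an assumption of this example, not a standard):
    scanner severity, scaled by how much the asset matters, how reachable it is,
    whether an exploit exists, and what controls already stand in the way."""
    a = assets[f.asset]
    criticality = max(a.data_value, a.uptime) / 3.0      # 0.33 .. 1.0
    exposure = {1: 0.5, 2: 0.75, 3: 1.0}[a.exposure]
    exploit = 1.25 if f.exploit_available else 1.0
    # each compensating control already in place removes 20%, never below 40%
    controls = max(0.4, 1.0 - 0.2 * len(f.compensating_controls))
    return f.severity * criticality * exposure * exploit * controls


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Tuple[float, Finding]]:
    """Highest risk first; this is the order the Communicate phase presents."""
    scored = [(risk_score(f, assets), f) for f in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed assets and findings (invented names, CVSS values and controls).
ASSETS = {
    "web01":      Asset("web01",      data_value=1, uptime=3, exposure=3),
    "db01":       Asset("db01",       data_value=3, uptime=3, exposure=2),
    "printer-3f": Asset("printer-3f", data_value=1, uptime=1, exposure=2),
}

FINDINGS = [
    Finding("web01", "HTTP server remote code execution (vulnerable package version)", 9.8, True),
    Finding("db01",  "same HTTP server RCE on the database admin interface", 9.8, True,
            ("network ACL: admin subnet only", "client certificate required")),
    Finding("printer-3f", "outdated firmware, information disclosure", 7.5, False),
    Finding("web01", "CIS benchmark: SSH PermitRootLogin yes", 5.0, False, ("MFA on bastion",)),
]


def ranked_titles(findings=FINDINGS, assets=ASSETS) -> List[str]:
    return [f"{f.asset}: {f.title}" for _, f in prioritize(findings, assets)]


if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, ASSETS):
        print(f"{score:6.2f}  {f.asset:<11} {f.title}")
```

With these inputs the internet-facing web server's RCE leads (12.25), the identical RCE on the more valuable database drops to second (about 5.51) because it is only reachable from the user LAN behind an ACL and client certificates, and the SSH root-login benchmark failure on the exposed web server (4.0) outranks the printer's firmware issue (about 1.88) despite the lower raw severity. Whatever weights a team chooses, they should be written down and agreed with the system owners before the results are presented, because the ordering is what drives the remediation schedule.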
Communicate
It’s tempting to jump right into the Treat phase at this point, and that would be a mistake. Before taking on the remediation, it’s important to communicate the analysis to the appropriate parties. The assessment phase results in recommendations, prioritization and potential impacts for each asset. Because this entails work from various groups, possible expenditure on tools and changes in processes, the assessment team needs to present the results to IT operations, system owners and executive staff. Risk is a business decision, and how to address it is balanced against other strategic goals. Additionally, developing a means to communicate risk posture over time will help fund future efforts and give executive leadership a scorecard to understand the effects of ongoing initiatives.
In the sporting world, I think of this like the starting line-up. The specialists and trainers have watched practice all week, and now the manager needs to choose who starts, who is on the bench and who doesn’t make it at all. All teams have more players than can start, so just like managing IT assets, the head coach needs to decide who gets priority and who doesn’t. Which brings us to game day.
Treat
Ultimately, this is the goal of vulnerability management: reduce the risk by treating the weaknesses. And like vulnerability management itself, this is a continuous process, not a single event. This may mean putting patching processes and policy in place, updating practices such as change control, and running regular scans and assessments to verify that the appropriate controls are in place and functioning well. And then starting the cycle over again.
Train, play, compete week in and week out all season and maybe win a championship. And when the season is over, another season is right around the corner. With vulnerability management, it’s no different – stay one step ahead of the adversary and play to win.
Looking for Help in Vulnerability Management?
Tripwire can be part of your vulnerability management team. With Tripwire ExpertOps, we can provide you with the tools and expertise to jump start your vulnerability management program. If you need the skills and would like someone else to manage and administer your security toolset, it’s the perfect choice. For those who have the skills and would like to manage it themselves, Tripwire has a suite of vulnerability management, file integrity management, secure configuration management and malware detection tools, as well as professional services and penetration testing services for commercial and industrial systems. Tripwire is ready to be part of your security team!