Co-authored by: Kaustubh Chaturvedi
As we know, vulnerability assessments (VAs) have been leveraged since time immemorial to identify the gaps in the overall enterprise security posture. Vulnerability assessments detect weaknesses or misconfigurations in systems that an attacker could possibly exploit. However, implementing such a security program is not as simple as it sounds.
As enterprise environments grow more complex with every passing day, enterprises are left with a growing number of assets and an associated backlog of unmanaged vulnerabilities, which pose a daunting risk across the current hybrid landscape.
This challenge created the need for an effective vulnerability management (VM) program, which is quickly becoming a critical pillar of enterprise security operations. A robust VM program helps enterprises not only detect threats but also manage and reduce the associated risks effectively. It differs from a pure-play vulnerability assessment, however, in both approach and coverage.
The following sections of this blog post focus on how vulnerability assessment has come a long way, from a basic, focused vulnerability assessment tool to a process-driven approach. This, in turn, has enabled effective risk reduction via end-to-end vulnerability management.
The Evolution
The cyber vulnerability management space has undergone several rounds of enhancement over time. Below is a brief description of each:
The old era
Over two decades ago, the technology and market for VA emerged. However, it was very low on the maturity curve and solved the prevailing needs of the time:
- Purpose – Conducting one-off vulnerability scans to gain visibility into the security operation posture
- Driven by – Mostly compliance needs with very limited scanning coverage
- Coverage – Often limited to only critical servers within the enterprise
- Methodology – To limit the impact on balance sheets, these scans were mostly one-off assessments; the vulnerability assessment tool was implemented for each scan and ripped out after every such requirement
- Output – Point-in-time visibility in the form of a list of vulnerabilities present within an environment, without any added context
The mid era
Now higher on the maturity curve, enterprises began to realize the importance and the value that vulnerability scans bring to the table. Hence, one of the major shifts was in the frequency of running these scans, while still following an underlying siloed approach.
- Purpose – Conducting periodic vulnerability scans to gain regular visibility of the security posture, understand what changed since the last scan, and remediate accordingly
- Driven by – Security operation requirements to identify assets, prevent threats, and meet compliance mandates with improved scanning coverage
- Coverage – Expansion of scope to include servers, endpoints, and network devices in an enterprise
- Methodology – With innovative service models, VA evolved to include regular assessment scans with reporting, and service providers started packaging in the people, process, and technology aspects
- Output – Point-in-time visibility with an even longer list of open vulnerabilities and limited context, now coming from frequent scans, leaving the remediation/infra management teams overburdened and often directionless
The new age
With a quick realization of the drawbacks of the basic scan-and-report approach, enterprises have now started to move toward a more process-driven approach that makes vulnerability management a continuous and integral part of the overall security program.
- Purpose – Effective management of open vulnerabilities that leads to significant risk reduction for enterprises
- Driven by – The enterprise security office to effectively identify, categorize, prioritize, and orchestrate the remediation/mitigation of vulnerabilities present within the environment
- Coverage – Efforts aligned to look at vulnerabilities across the enterprise through a single lens and, thus, coverage expanded to include the complete hybrid infrastructure viz. servers, endpoints, containers, applications, OT/IoT assets, etc.
- Methodology – Establishment of a vulnerability management program with an overarching governance layer that focuses not just on identification but on effective risk reduction in a consistent and measurable manner
- Output – A prioritized list of the riskiest vulnerabilities with extensive context for effective remediation, backed by end-to-end program orchestration driving measurable and time-bound risk reductions
Vulnerability Assessment vs Vulnerability Management
In the above sections, we saw the evolution of vulnerability assessment from a one-time assessment to a rigorous, process-driven program. Let us now also look at how VM builds further on the fundamentals of VA to deliver effective management of vulnerabilities and associated risks. To better illuminate the differences, let’s look at an analogy.
Mr. X does not fall within his ideal body weight range, is concerned about his health, and decides to take a consultation for a weight management program. The first thing he is asked to do is undergo some assessments, after which the outliers in his assessment report are explained to him, along with some suggestions to follow going forward and periodic health assessments.
Now for the purpose of this analogy, let’s assume Mr. X is not satisfied and decides to explore more such programs. He finds one that has him undergo all the assessments of the previous program, but that also defines a strategy for implementing the suggestions, alters the diet chart periodically to meet his customized needs, and provides regular program oversight over a communication channel until the goal is achieved.
Cyber vulnerabilities can be approached in a similar fashion: vulnerability assessments can be considered periodic assessments with limited program oversight. Vulnerability management, on the other hand, extends beyond VA. VM brings in the best practices and processes for management, drives the ongoing strategy, and enables operational and strategic-level program governance to ensure that the enterprise’s security goals are met.
Understanding the Vulnerability Management life cycle
Before arriving at the best-fit approach for a successful VM program implementation, it is imperative to ensure that it provides the right coverage across the entire vulnerability management life cycle.
Depicted below is an end-to-end process that a successful VM program should ideally implement and orchestrate at scale to drive enterprise-wide risk reduction. Without this aspect, one is bound to head toward an ever-mounting backlog of open vulnerabilities. Bringing in this level of granularity requires the design of a sustainable governance program, which can provide strategic oversight and bring together multi-disciplinary teams to define the success of the VM program in question.
Figure 1: End-to-End Process for Successful VM Program Implementation
What’s next?
The need of the hour for any enterprise is to move beyond the traditional approaches of vulnerability assessments and adopt and implement a sustainable vulnerability management program, one that is crucial to ensuring consistent, effective, and successful vulnerability reduction throughout the environment.
In the following parts of this blog series, we will dig deeper into the fundamentals of effective vulnerability management and the importance of a process-driven approach. This will also include sharing a conceptual model of a successful VM program.