The more your organization understands about your adversaries and potential security threats, the safer your critical assets will be. Makes sense, right? Then why are so many organizations’ vulnerability management programs still barely treading water? We have a few thoughts on this and some ideas you can start implementing. The Threat & Vulnerability Management Maturity Model consists of several levels that illustrate where you are in growing your vulnerability management program.
Most programs are around Level 1 or 2 and are suffering from peak data overload and unlikely to be able to effectively counter adversaries. Which level are you? If you’re unsure, you can take our quiz, or if you already know where you may need some improvement, keep reading. Here are a few suggested steps to help mature your vulnerability management program. Move it on up.
Level 0: There’s nowhere to go but up.
While you may not be scanning for vulnerabilities yet, implementing a vulnerability scanner in your environment may be a good idea. Also, it’s a good idea to start adding a process and framework around what you patch and when you patch. Right now, you might be just patching on “patch Tuesday,” which is OK but won’t cut it as your infrastructure changes and grows.
Step # 1: Get a vulnerability assessment solution and create repeatable processes to patch operating systems and applications.
Level 1: Baby steps.
Your program is still immature, yet slowly emerging. Without analytics, workflows or processes in place, you might start to wonder what to do with all this data. You most likely have a vulnerability scanner in place, ideally covering both web and network vectors in addition to scanning for device misconfigurations. You may be missing the necessary processes, policies, and workflow that can help drive and grow your program. Start thinking about the frequency of your vulnerability scans and how to start prioritizing this data.
Step #2: Adopt compliance frameworks, create and report metrics, implement basic vulnerability prioritization (via Common Vulnerability Scoring System CVSS) and conduct penetration testing on high-risk assets.
Level 2: Time to buy a life jacket – you are drowning in data.
You’re developing a solid vulnerability assessment program, structured mostly around compliance regulations. You could use some business context to help identify any critical assets. Your scanners are feeding data from multiple vectors on a fairly regular basis. Now that the scanners are doing their job, start thinking about advanced prioritization methods to help relieve your data overload problems and develop processes for patching.
Step #3: Implement risk-based vulnerability and patching processes that will take you beyond a compliance-focused program. Your new metrics and policies will focus on security improvement, while you start consolidating scan results and employing more advanced, critical-asset focused prioritization strategies. Consider penetration testing to validate patched vulnerabilities.
Stay tuned. On WEDNESDAY, I’ll discuss Levels 3 through 5. In the meantime, check out our free eBook on vulnerability management best practices.