Creating More Effective – and Strategic – Solutions
Vulnerability Management:
Creating a Process for Results
Kyle Snavely
Veris Group, LLC
Summary
Organizations increasingly rely on vulnerability scanning to identify risks and follow up with remediation of those risks. However, in the absence of a complete Vulnerability Management program, organizations may fail to gain a complete and accurate assessment of their vulnerabilities. Likewise, organizations without clear processes for communicating the associated tasks and data of the scans may also fail to adequately execute patches, or they may not track and archive the information required for regulatory compliance.

A Vulnerability Management program designed for results takes into consideration the configuration, coordination, and communication necessary to successfully protect critical data and reduce the risks to the organization.

WHY VULNERABILITY MANAGEMENT?
• Ensure protection of critical data
• Meet compliance regulations
• Reduce risk or minimize impact by addressing vulnerabilities in a timely manner
• Prepare to meet future security needs of a growing organization
What is Vulnerability Management?
Vulnerability scanning is increasingly common in organizations across industries, particularly
those who must adhere to federal, industry, or other regulations regarding cybersecurity. The
scans themselves are designed to discover risks throughout the organization’s networks;
however, scanning in the absence of a complete Vulnerability Management program can
actually do as much harm as good.
Scans produce data, but that data presents its own set of questions, including:
What updates and patches are available to the systems in the enterprise?
Which devices were included in the scans?
Which vulnerabilities should be remediated first?
Who is responsible for the remediation?
These questions, albeit not an exhaustive list, confirm the many critical components of
security that a comprehensive vulnerability management program addresses.
SANS Institute, an established cybersecurity training organization, calls a continuous
vulnerability assessment and remediation process one of the top “20 Critical Security
Controls.” As much as the author emphasizes the need for vulnerability scanning, SANS further points out that if the scans are not properly maintained and regulated, attackers use the scans as “a point of exploitation.” While this may be an extreme example, it supports a very important point: Vulnerability Management is about much more than scanning.

“It is important to carefully control authenticated vulnerability scans and the associated administrator account. Attackers will take over one machine with local privileges, and wait for an authenticated scan to occur against the machine. When the scanner logs in with domain admin privileges, the attacker either grabs the token of the logged-in scanning tool, or sniffs the challenge response and cracks it. Either way, the attacker then can pivot anywhere else in the organization as domain administrator.”
-SANS [1]

Challenges of Vulnerability Management
For many organizations, it is challenging enough to implement scanning, let alone a complex Vulnerability Management program. Designing and implementing an effective program involves many steps and decision points.

The challenges begin in the planning phase, which usually assumes the existence of a thorough and accurate device inventory. This is a large assumption to make, since many organizations do not accurately maintain an inventory of all enterprise assets.
Tool selection and configuration is a challenge at this stage as well, and it can impact the
success of the Vulnerability Management program by freeing up resources with automated
processes.
The challenges continue throughout the actual scanning process as all of the various stakeholders attempt to discern who is responsible for what actions, and what the priority of a reported vulnerability is. Once a patch is executed, the stakeholders rely on a system to track, check, and revisit the patches, as well as log the various firmware updates.

VM STAKEHOLDERS
• CEO
• IT Director
• Systems Administrators
• Vulnerability Management Coordinator
• Technical Team Supervisor
• Security Analysts
• Network Engineers
Figure 1: VM Stakeholders

Veris Group has identified three critical components to consider for organizations seeking to implement a successful and cost-effective Vulnerability Management program.
The Three Cs of a Successful Vulnerability Management Program
A Vulnerability Management program allows the organization to plan for the scans, but also
for the people and the processes that lead to the success of the program. By configuring the
tools, resources, and reporting mechanisms ahead of time, the program is ready to handle
the data that the scans produce. However, through the proper coordination of staffing and
definition of roles and responsibilities, the organization can ensure that the data results in the
correct solution in a timely manner. Finally, by communicating the status, reports, releases,
and policies associated with the program, the stakeholders ensure that the data results in a
secure and compliant organization.
Configuration
o Tools
Detection is the most important task of vulnerability management. Identifying the risks
allows the organization to be able to correct the deficiency, produce an accurate report
for a compliance audit, and reduce the level of risk.
However, it is important to select the right tool for the organization. Some tools, including
the commercial detectors Tenable Nessus, Rapid7 Nexpose, and eEye Retina with REM
server integration, have the ability to scale up depending on the size of the enterprise.
Other tools will work better in smaller environments. The tool should also be able to output
in the specific reporting format required for compliance purposes.
The key to selecting a patch management suite is for the software to support the majority
of the applications in the environment with the least amount of overhead. Patching
solutions (e.g., Microsoft SCCM and Altiris Patch Management) should also be strong in
their ability to produce status reports and to automate patch deployment. The tools
should help the organization determine the manual and automated processes, which are also dependent upon the type of platforms involved. If a tool does not support a particular platform, remediation on that platform becomes a manual process. Knowing the ratio of automated to manual remediation will help inform the resource needs.

Properly configured remediation and audit tools reduce the time and effort needed to manually remediate and track enterprise vulnerabilities.

CONFIGURATION
• Tools
• Resources
• Reports
COORDINATION
• Staffing
• Roles & Responsibilities
COMMUNICATION
• Remediation Status
• Monthly & Mid-Cycle Reports
• Policy
Figure 1: The Three Cs of VM

o Resources
Appropriate staffing is required for a successful program. Resource allocation must include the overall management of the vulnerability program, including auditing, as well as technical allocations. The assigned resources must have the correct skillset to effectively interpret and remediate the findings in a timely manner.
Support for the program must also come from the organization’s management as a
whole. The buy in of this key stakeholder ensures that the technical resources are
allocated the time necessary to manage the program and patches.
o Reports
Without a system to organize and interpret the data in the many reports of a Vulnerability
Management program, their value becomes moot. An effective program relies on an
executive dashboard design to track trends and to provide a current snapshot of the
enterprise vulnerability status. This dashboard allows the Vulnerability Management
coordinator to chart available data points, thereby providing a different way to visualize
the data. This dashboard makes it easier for the coordinator to spot trends and identify
areas for improvement. In combination with this dashboard, reporting from the detection
and patching tools delivers the most accurate picture of an organization's current risk
level.
The monthly baseline enterprise scans create an ongoing and regularly occurring report
of the enterprise status. When properly configured, these reports are generated by the
tool itself and split according to device groupings. From there, the reports either trigger an
automated response from the system or signal for personnel to be deployed for the patch.
Additional scans produce reports that indicate the success of the patch.
Mid-cycle vulnerability releases also have a role in the report configuration. After a mid-cycle alert and subsequent remediation, the next scheduled scan will confirm that the work is complete.

“Effective security requires continuous automated monitoring of agency networks for security problems, immediate access to the National Vulnerabilities Database to be able to identify problems, and immediate mitigation of problems when they are found.”
-CSIS, 2012 [2]

Once remediation, either resulting from scan reports or mid-cycle alerts, is complete, an important aspect of configuring the reports is to prepare a process to format and archive the reports for tracking and auditability purposes. Who is responsible for completing these tasks is a connection between this component and that of Coordination.
Coordination
o Staffing
Appropriate staffing is essential for an effective Vulnerability Management program. The
various stakeholders must identify a Vulnerability Management coordinator to oversee the
regularly occurring processes and to become familiar with the enterprise inventory. This
person is not simply a technical resource; the coordinator will also facilitate the processes
that help maintain the integrity of the Vulnerability Management program. For example,
there may be instances where a vendor is unwilling to bring device software into
compliance. The coordinator will need to think through a response and action plan ahead
of time to be prepared for such a situation. The coordinator is also responsible for
maintaining the executive dashboard, inventory process, report archives, and auditing
documents.
On the technical side, the responding staff must be trained in the selected tool. They
should not only be able to administer the required patches, but they should have a solid
understanding of the automated processes as well. These staffing resources also
continuously update the device inventory and carefully maintain records and tracking of
remediation action, device updates, and device retirement. Even if all of these
requirements are in place, the Vulnerability Management program will not be effective if
an adequate number of resources are not applied to the program.
o Roles & Responsibilities
Among the Vulnerability Management stakeholders, there are various different roles and
responsibilities. In a program that requires structure and consistency in order to be
successful, it is important to define these roles (and clearly communicate them, which
links the "Coordination" component with the "Communication" component) and the duties
and tasks associated with each. Even a simple Vulnerability Management program
benefits from a regularly updated project plan that describes the various roles and maps
them to the scanning, reporting, and maintenance schedule.
Particularly in an organization where the resources allocated to the Vulnerability
Management program have other responsibilities, ensuring that their assigned tasks for
Vulnerability Management are clearly defined will support the consistency of the program.
For example, certain resources may be assigned to handle the scans and associated
automated tasks while others are responsible for facilitating vendor-released patches. The
coordinator may choose to be responsible for assigning risks or facilitating that task with
senior leadership. The coordinator may also maintain the executive dashboard and
analyze the monthly scanning reports.
Communication
o Remediation Status
Once the program has provided an organization an assessment of its current risk level,
the coordinator can begin to close any vulnerabilities that the detection tools identified by
implementing the selected patching tools. The communication of the remediation status
occurs via the Vulnerability Management dashboard. This centralized location for
communicating status allows all stakeholders to track which stage the remediation is in
the process from detection to risk determination and patching to the next successful scan.
Timely and accurate communication of remediation status is especially important to
checking the success of the patch, whether manual or automated, by the suspense date.
o Monthly Reports and Mid-Cycle Releases
A complete picture of the Vulnerability Management program includes data from the
monthly reports and mid-cycle releases. The various steps of the reports and releases,
explained in greater detail below, create the information that directs the next steps in the
Vulnerability Management program. Once again, timely and accurate communication and
tracking of the data in the reports and releases is critical to the success of the entire
program.
o Policy
The Vulnerability Management program relies on policies to ensure that the configuration,
coordination, and communication steps above occur as planned. Well-thought-out
policies plan for user errors and vendor issues. However, policies themselves do not
effect change. Effectively communicating the policies and subsequent policy updates will
ensure that the Vulnerability Management program runs according to plan. Enforcing
such policies will also aid in preparation for compliance monitoring for various regulatory
programs that require a Vulnerability Management program to be in place in an
organization.
Vulnerability Management in Practice
The components of the Vulnerability Management program base the most critical decisions
on the data from monthly baseline enterprise scans and mid-cycle vulnerability releases.
Monthly Baseline Enterprise Scans
In the monthly scans, the executive dashboard is populated with data as the program moves
through the following steps:
Process flow: Enterprise Baseline > Grouped Device Report > Analysis of Next Steps (Automated Response / Manual Response) > Validation Scan > Analysis > Final Scan > Archiving

A baseline of the enterprise is created by the detection tool based on the audits or signatures available at that point in time. A report is generated through the tool and is split in such a way where devices are grouped and assigned based upon the device type, geographical location, or a combination of the two.
The report is sent to the responsible personnel for action. If there are automated tools to aid
with remediation they are used to reduce the amount of time required to patch. If no tools are
deployed in the enterprise or if the automated tools cannot fully patch by the suspense date,
personnel are required to manually patch. After a predetermined amount of time, a validation
scan is run against the devices which were determined to be vulnerable during the first
baseline scan. Results are again passed on to the groups for action.
A final scan is performed after another predetermined time period. Any vulnerabilities must
be patched as soon as possible. If for some reason a vulnerability cannot be remediated, the
subject matter expert must create a document which describes why the vulnerability cannot
be remediated and a plan of action to reduce risk along with estimated dates remediation can
occur.
The VM coordinator formats and archives the reporting for tracking and auditability purposes.
If any plan of action documents are open, the coordinator checks in with the responsible
teams for status updates and to ensure that the plan is still accurate.
Mid-Cycle Vulnerability Release
For all products running in the enterprise, the vulnerability management coordinator should
receive alerts either from the vendor or through a third party service which provides
information on the latest identified issues.
Process flow: Vendor Vulnerability Alert > Risk Assignment > Analysis of Next Steps (Suspense Date (or POA) / Assets Affected) > Dashboard Updated > Next Scheduled Scan > Audit Confirmation > Archiving

When a new vulnerability alert is received for software or hardware, the vulnerability management coordinator assigns a risk level and suspense date requirements to the alert for reporting and remediation. The alert is then disseminated to appropriate team members for action.
The team member responds with the number of assets affected and a plan of
action if the time required to remediate will surpass the suspense date for tracking purposes.
The Vulnerability Management coordinator ensures that the executive dashboard is updated
with the numbers.
The next scheduled scan with the most current audit file will confirm the work has been
successfully completed and the open items can be closed out in the tracker.
If the subject matter expert is aware of any issues which would cause delays in remediation
of a mid-cycle vulnerability, the team member creates a plan of action similar to the
document referenced above.
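The monthly baseline cycle and the mid-cycle alert process described above, modelled as a small tracker. This is an added example, not code from the paper or from Veris Group; the suspense periods per risk level, the host names and the vulnerability identifiers are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
SUSPENSE_DAYS = {"high": 7, "medium": 30, "low": 90}  # assumed days per risk level; policy decides

@dataclass
class Finding:
    host: str
    device_type: str
    location: str
    vuln_id: str                 # constructed identifier, not a real advisory
    risk: str
    found: date
    closed: Optional[date] = None
    poa: Optional[str] = None    # plan of action when remediation will miss the suspense date
    @property
    def suspense(self) -> date:
        return self.found + timedelta(days=SUSPENSE_DAYS[self.risk])

def group_report(findings):
    """Split the baseline into the grouped device report by (device type, location)."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.device_type, f.location)].append(f)
    return dict(groups)

def apply_scan(findings, still_vulnerable, scan_date):
    """Validation or final scan: close open findings the scan no longer reports."""
    for f in findings:
        if f.closed is None and (f.host, f.vuln_id) not in still_vulnerable:
            f.closed = scan_date

def mid_cycle_alert(findings, vuln_id, risk, assets, received):
    """Coordinator assigns a risk level (hence a suspense date) to a vendor alert, one item per asset."""
    for host, device_type, location in assets:
        findings.append(Finding(host, device_type, location, vuln_id, risk, received))

def dashboard(findings, today):
    """Executive dashboard snapshot: open/closed counts, plus open items past suspense with no POA."""
    open_items = [f for f in findings if f.closed is None]
    overdue = [f for f in open_items if today > f.suspense and f.poa is None]
    return {"open": len(open_items), "closed": len(findings) - len(open_items),
            "overdue_without_poa": sorted(f"{f.host}:{f.vuln_id}" for f in overdue)}

def baseline():
    """Constructed sample baseline results: hosts and vulnerability ids are made up."""
    return [Finding("srv-01", "windows-server", "vienna", "VULN-0001", "high", date(2024, 1, 1)),
            Finding("srv-02", "windows-server", "vienna", "VULN-0001", "high", date(2024, 1, 1)),
            Finding("rtr-01", "router", "denver", "VULN-0002", "medium", date(2024, 1, 1))]

def run_cycle():
    """One monthly cycle plus one mid-cycle alert; returns the dashboard at the final scan."""
    findings = baseline()
    apply_scan(findings, {("srv-02", "VULN-0001"), ("rtr-01", "VULN-0002")}, date(2024, 1, 5))
    mid_cycle_alert(findings, "VULN-0003", "high", [("rtr-01", "router", "denver")], date(2024, 1, 10))
    findings[-1].poa = "vendor firmware due in February; restrict management interface meanwhile"
    apply_scan(findings, {("srv-02", "VULN-0001"), ("rtr-01", "VULN-0002"), ("rtr-01", "VULN-0003")},
               date(2024, 1, 20))
    return dashboard(findings, date(2024, 1, 20))
```

The dashboard flags srv-02 because its high-risk finding is past the assumed seven-day suspense with no plan of action on file, while the overdue mid-cycle item on rtr-01 is not flagged because a plan of action was recorded.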
Closing Summary
Vulnerability scans are only one component in a successful Vulnerability Management
program. The various steps that occur in the monthly scans and mid-cycle releases must
occur within a framework that accounts for the myriad other activities associated with
identifying, remediating, and tracking the risks in any organization. Specifically, balancing the
configuration of tools, resources, and reports, the coordination of staffing, roles, and
responsibilities, and the communication of remediation status, reports, and policies is a
careful and deliberate process requiring the support of leadership and the dedication of a
team of qualified individuals. A high quality Vulnerability Management program is required for
compliance purposes, but it also is an indicator of the integrity of the organization as one who
actively protects its critical data.
Kyle Snavely is a cybersecurity
associate at Veris Group, LLC, a Vienna,
VA-based cybersecurity firm and
accredited FedRAMP 3PAO.
Veris Group, LLC
Attn: Vulnerability Management
8229 Boone Blvd., Suite 750
Vienna, VA 22182
(703) 760-9160
[email protected]
[1] SANS Institute (March 2013). The Critical Security Controls 4.1. http://www.sans.org/critical-security-controls
[2] Reeder, F., Chenok, D., Evans, K., Lewis, J., and Paller, A. (October 2012). Updating U.S. Federal Cybersecurity Policy and Guidance. http://csis.org/files/publication/121019_Reeder_A130_Web.pdf
8229 BOONE BLVD., SUITE 750 | VIENNA, VA 22182 | P: (703) 760-9160 F: (703) 760-9164 | [email protected] | www.verisgroup.com