Five Common Vulnerability Management Mistakes to Avoid

Ed Bellis    July 21, 2015

Vulnerability Management is often undersourced and undertooled, and yet stands at the epicenter of protecting the organization from a breach. Bringing to bear best practices can mean the difference between success and failure, but what does “best practices” mean and what evidence exists that supports them? In the trenches as former CISO of Orbitz as well as my work with dozens of enterprise customers here at Risk I/O, here are the mistakes that I’ve seen the most successful InfoSec teams avoid.

1. Remediate All the Things 

This may be the hardest things for security teams to understand: vulnerability management is not a numbers game. You get no prizes for fixing as many vulnerabilities as possible–in fact, you expend precious energy and resources fixing the wrong things.

Prioritization is key. Which are the vulnerabilities that truly pose a clear and present danger to your infrastructure, based on your assets?  Hint: relying on a static CVSS score–which has no relevant context for the actual threats to your specific organization and environment—won’t give you the full picture.

Your development team will thank you for having a clear strategy for knowing what to remediate and when—and then strategically allowing them to ignore the several thousand vulns that won’t actually make a material difference.

Vulnerability Prioritization

2. Rely Too Much on a Single Tool (*cough* Excel *cough*)

If prioritization is the name of the game, Excel can’t be the core of your strategy. Why? Because attacks are increasingly automated, which means you won’t be able to keep up with the sheer tsunami of attacks and exploits using manual methods. It’s impossible.

Find the right tools and platforms that can help your prioritization efforts be as automated and scalable as the techniques employed by your adversaries.

3. Don’t Mix the Right Potion (vulns + threats + 0 days)

What are the ingredients for automated prioritization? This is another area where Excel fails, because Excel will help you crunch the numbers but it won’t get to the heart of the issue, which is the need for context. How do you get context? Using vulnerability data as a base, you’ll need to add threat intelligence. But be selective about your data sources. When adding threat intelligence to vulnerability and asset data, you want to be heavy on the “how” and light on the “who.”  What vulnerabilities are being exploited and how? And if you have access to zero-day vulnerabilities, you’ll want a way to correlate that with your assets.

This gets to understanding your assets–where they are located, how they are accessed, and how important they are. This is all critical context you need to have when prioritizing issues. Remember—you don’t want to remediate all the things. Just the ones that matter.

4. Ignore Your Risk Landscape

Other teams track their progress on a regular cadence, carefully evaluating where they were last quarter versus this quarter. I’ve seen InfoSec teams do this as well, but often only in terms of tracking the sheer quantity of vulnerabilities they’re reducing. This is playing the numbers game (and doing it badly).

What matters is your team’s work set against a larger risk landscape.  What is your organization’s risk, and where was it two quarters ago, and what has been the reduction or increase over time? Which assets are most affected, and how can you minimize that risk with the least amount of effort (meaning, which vulnerabilities can you remediate that will make the most impact?)

Shifting from a vulnerability mindset to a risk-assessment mindset is absolutely critical.

5. Scanning Too Much/Not Enough

Once a month scanning “checks a box” but it won’t help you deal with active Internet breaches and same-day threats. You may be worried about the mountain of data that more frequent scanning will produce, but this risk can be minimized by having the right team designations and prioritization process in place—in part automated—as I discussed above.

 

Summary

Having a set of best practices can create great dividends for InfoSec teams who have to do a lot with a little. And don’t forget the most important tip—be sure to celebrate your successes. Don’t hold back on the beer.

Leave a Reply

Your email address will not be published. Required fields are marked *