Must-Have Metrics for Vulnerability Management: Part I

Ed Bellis    March 29, 2016

In this series of blog posts, we’ll cover the must-have metrics for vulnerability management.

The rising cadence of automated attacks means that security teams need to strive to make their own practices as precise and metric-driven as possible. Poring through spreadsheets and creating 500-page PDFs is no longer enough to ensure that critical vulnerabilities are remediated in time. But what’s the best way to ensure that the right metrics are applied to the practice of vulnerability management—a security function that has occasionally been seen as directionless in the past?

Here are a few key areas where you’ll need to apply Must-Have Metrics for Vulnerability Management:

Know Your Assets: Do you know where all your assets and applications are? What is your current assessment coverage? How do you discover new assets?

Know Your Business: Are you performing threat modeling? What threats exist to your business? Are you a target?

Know Your Risk: Where are your security weaknesses and vulnerabilities, and which ones are the most likely to be exploited? How do you determine likelihood and impact?

Know Your Resources: What can you get done with the resources you have? Are you accounting for budget, time, and people?

Know Your Direction: Are you getting better or worse over time? Given the other “must haves” above, what is an achievable goal for risk reduction?

The reality is, the old methods of vulnerability management—using spreadsheets and counting vulnerabilities—still have their place. But for a new world of rising threats and attacks, a new set of metrics is necessary in order to keep pace with the rising cadence of critical vulnerabilities.

Must-Have #1: Know Your Assets

Before you can even begin to assess your security risk or posture, you first need to know what you have. This includes all of your assets—whether in the data center, on your corporate network, as part of remote access, or as part of your applications.

Of course, that’s easier said than done; knowing where ALL of your assets are for any sizeable organization is a daunting task. Identifying 100% of your assets is often dismissed by practitioners as something only vendors (who’ve never had to do it themselves) say is possible.

Rather than writing this off as an impossible task, though, treat this objective as a metric with specific goals and progress tracking. There’s a certain Rumsfeldian aspect to asset tracking in that there are “known knowns, known unknowns, and unknown unknowns” on your networks and managed by your organization.

In order to manage and measure this metric, you’ll need an automated discovery process. Starting from the outside in, you’ll need to understand your DNS and WHOIS records. What IP address ranges and domains do you own? What ports, applications, and services are running on them? What is your process for discovering new assets, services, and DNS records—and is the process automated? How do you feed these assets into your assessment and scanning processes?

Some useful metrics here include:

  1. External scanner coverage (known assets/scanned assets)
  2. Internal scanner coverage (known assets/scanned assets)
  3. Time to discover (lower is better)
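The three metrics above are easy to state but only useful once they are computed the same way every cycle. The following Python script is an added example, not code from the original post or from the author: it reconciles a constructed asset inventory (what the organization believes it owns, per scope) against constructed scanner target lists, reports coverage per scope, lists the known-but-unscanned assets (the "known unknowns") and the scanned-but-uninventoried ones (the "unknown unknowns" a scanner happened to see), and computes time to discover as the gap between an asset's first observation (a DNS record, a DHCP lease) and the date it entered the managed inventory. All hostnames, dates and the `Asset` structure are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    """One inventoried asset. Field names are assumptions for this example."""
    host: str                    # hostname or IP address
    scope: str                   # "external" or "internal"
    first_observed: date         # first sighting (DNS/WHOIS record, DHCP lease, ...)
    inventoried: Optional[date]  # date it entered the managed inventory; None = not yet


# Constructed sample inventory: what we believe we own.
KNOWN_ASSETS: List[Asset] = [
    Asset("web1.example.com", "external", date(2016, 1, 1), date(2016, 1, 3)),
    Asset("web2.example.com", "external", date(2016, 1, 10), date(2016, 1, 15)),
    Asset("mail.example.com", "external", date(2016, 2, 1), date(2016, 2, 1)),
    Asset("vpn.example.com", "external", date(2016, 2, 5), date(2016, 2, 12)),
    Asset("db1.corp.example", "internal", date(2016, 1, 2), date(2016, 1, 4)),
    Asset("db2.corp.example", "internal", date(2016, 1, 20), None),
    Asset("file1.corp.example", "internal", date(2016, 3, 1), date(2016, 3, 6)),
]

# Constructed sample scanner target lists: what the external and internal
# scanners actually assessed in the last cycle.
SCANNED_HOSTS: Dict[str, Set[str]] = {
    "external": {"web1.example.com", "web2.example.com", "vpn.example.com",
                 "legacy-ftp.example.com"},  # seen by the scanner, not in inventory
    "internal": {"db1.corp.example", "file1.corp.example"},
}


def scanner_coverage(scope: str, known: List[Asset],
                     scanned: Dict[str, Set[str]]) -> dict:
    """Coverage for one scope: fraction of known assets the scanner assessed,
    plus the two gap lists a practitioner needs to act on."""
    known_hosts = {a.host for a in known if a.scope == scope}
    scanned_hosts = scanned.get(scope, set())
    covered = known_hosts & scanned_hosts
    return {
        "scope": scope,
        "known": len(known_hosts),
        "scanned": len(covered),
        "coverage": len(covered) / len(known_hosts) if known_hosts else 0.0,
        # Known unknowns: in the inventory, but never scanned.
        "unscanned_known": sorted(known_hosts - scanned_hosts),
        # Unknown unknowns: the scanner saw them, the inventory does not list them.
        "scanned_unknown": sorted(scanned_hosts - known_hosts),
    }


def time_to_discover_days(known: List[Asset]) -> Optional[float]:
    """Mean days from first observation to inventory entry (lower is better).
    Assets not yet inventoried are excluded; they are still open discoveries."""
    gaps = [(a.inventoried - a.first_observed).days
            for a in known if a.inventoried is not None]
    return mean(gaps) if gaps else None


def asset_metrics(known: List[Asset], scanned: Dict[str, Set[str]]) -> dict:
    """Bundle the three Know-Your-Assets metrics into one report."""
    return {
        "external": scanner_coverage("external", known, scanned),
        "internal": scanner_coverage("internal", known, scanned),
        "time_to_discover_days": time_to_discover_days(known),
        "not_yet_inventoried": sorted(a.host for a in known if a.inventoried is None),
    }


if __name__ == "__main__":
    report = asset_metrics(KNOWN_ASSETS, SCANNED_HOSTS)
    for scope in ("external", "internal"):
        r = report[scope]
        print(f"{scope:8s} coverage {r['coverage']:.0%} ({r['scanned']}/{r['known']})")
        print(f"         unscanned known:  {r['unscanned_known']}")
        print(f"         scanned unknown:  {r['scanned_unknown']}")
    print(f"mean time to discover: {report['time_to_discover_days']} days")
    print(f"observed but not yet inventoried: {report['not_yet_inventoried']}")
```

The two gap lists are the actionable part: each host in `unscanned_known` is a coverage task for the scanning team, and each host in `scanned_unknown` is a discovery that should be fed back into the inventory so that the next cycle's coverage denominator is honest. Running the report on every cycle and charting the ratios is what turns "know your assets" from an aspiration into a tracked metric.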

More metrics to come in the next post…
