BeyondTrust
The Register

Vulnerability management

Vulnerability management (VM) is now so important to today’s enterprises that it is hard to believe it was once seen as an optional part of the security landscape.

It is usually defined as the process by which an organisation identifies, classifies, ranks and responds to vulnerabilities across its entire estate of servers, endpoints and applications, guided by documented policies. Most of these are software flaws, but the term also covers equipment misconfigurations, unnecessarily open ports and insecure legacy systems.

Another way to explain the concept is to say that vulnerability management is about spotting security holes in software and systems before an attacker does, and dealing with the risk they pose pre-emptively.

These days, pre-emption is fundamental. Spotting flaws before they are exploited is obviously vastly more efficient than cleaning up after an exploit. The catch is that at any one time most organisations will be faced with a large number of vulnerabilities, both ones they are aware of and ones they are not. Therefore, the ‘management’ element of ‘vulnerability management’ is about helping organisations prioritise and focus their efforts on the ones that present the biggest risk, without serving up loads of false positives.

Attackers

Software vulnerabilities have become a particular security risk because they offer a way to bypass almost any security layer, including anti-virus, firewalling and intrusion prevention. Although most sit on internal networked systems, they can also be on public-facing systems (web and e-commerce) or in external infrastructure (the cloud).

For attackers, they offer a simple short-cut: pick a common vulnerability and search for networks that show signs of being susceptible to an exploit for it. Targeted attacks are a variation on this approach in which a single network is probed for multiple vulnerabilities until a way in is found. Once they find one – and all the available evidence suggests they do in many cases – they treat the exploited system as a beachhead from which to expand behind conventional security layers, often without being detected.

Countering this is not easy, and the reason is complexity: even resource-constrained organisations run huge numbers of applications and devices, some covered by formal patch-management processes and some not. An additional problem is that these environments now include mobile operating systems and apps as well as ‘shadow IT’ applications and Bring Your Own Device (BYOD) computers.

A weak vulnerability management platform will tell admins they have a given number of problems; a good one will tell them which to fix first and on what basis. Another approach is to use compliance as the guide: if a regime demands that a vulnerability is closed, that is where the effort should be directed first.

But the subtle differences between the large number of vulnerability management platforms on the market make it hard to work out which ones sit in the latter category.

All systems – whether in-house or cloud-based – will offer several basic capabilities:

Discovery

The first element of any system is building a record of assets and their vulnerabilities across endpoints, network, web, virtual and cloud infrastructure. This will also classify them according to their configuration status, patch state and whether or not they meet compliance requirements. This part of the system needs to be refreshed on an ongoing basis, since an inventory that is weeks old will miss newly deployed hosts.

These tools can run internally or as cloud/SaaS-based vulnerability assessment. The latter is useful for getting an attacker’s or pen-tester’s view of externally reachable systems and is effective at investigating flaws in web applications and plug-ins, a notorious area of weakness.

An issue to be aware of is that ‘no gaps’ scanning will at some point require authenticated scans (the scanner logging in to hosts to inspect installed software rather than inferring it from network responses), which makes integration with a credential-management engine useful. The scanning credentials are themselves privileged accounts and should be vaulted and rotated rather than stored in the scanner’s own configuration.

Prioritisation

Vulnerability scans will turn up a lot of data, which is useless without prioritisation. The factors that raise flags will vary by organisation, but flaws with known public exploits, and remotely exploitable zero-day flaws, are an obvious starting place.

Vulnerability platforms will usually offer some kind of risk and compliance score. Because the number of flaws might be large, a helpful facility is to tag known software flaws with their Common Vulnerabilities and Exposures (CVE) identifier and Common Vulnerability Scoring System (CVSS) score, the industry-standard way of naming an issue and rating its severity. Note that a CVSS base score describes the flaw in isolation; it says nothing about whether the affected host is exposed or whether an exploit actually exists.

Integration with external exploit databases and frameworks (e.g. Metasploit) adds a further signal, because it confirms which flaws have working exploits and are therefore likely to be targeted.

Reporting

Reporting can be an art as much as a science because it must sometimes serve so many masters. Options include the effect of a vulnerability, or set of vulnerabilities, on different compliance regimes. A summary of the top flaws will always be important, as will the ability to summarise the current state for non-technical staff.

Response

Having identified the most pressing vulnerabilities, the next stage is to fix them as soon as possible. Comprehensive systems will integrate with patching platforms to help test and automate this task across Microsoft System Center Configuration Manager (SCCM), Windows Server Update Services (WSUS) and third-party applications. Ideally, the collection and application of updates shouldn’t require manual intervention unless policy requires it. Where no patch can be applied, the response may instead be a compensating control such as a configuration change or a network restriction, and the finding should stay open until a rescan confirms it is closed.

The response time should be modelled on the behaviour of attackers, not on an arbitrary period. It is often said that defenders take too long to fix known flaws, but how long is too long? At the very least, time-to-remediate should be measured, and it should shorten over time.

Threat intelligence

A more recent development is the integration of VM systems with third-party feeds that supply information on threat actors, for example new attacks using specific vulnerabilities or combinations of them. Because the volume of data in play here can be huge, analysis and prioritisation of the feed itself is a priority.

Conclusion

Vulnerability management has become something of a hydra for many organisations, increasingly encompassing cloud systems as well as those on their own networks. Resources are limited and time is short. VM systems that automate many of the most arduous processes are now an essential part of security management, but the potential to become mired in the technology’s complexities, and the lack of integration with other management systems, mean that the potential for miscalculation remains huge. It remains a disturbing possibility that some organisations are running VM systems that appear to be doing their job but no longer are.
