Best Practices for Vulnerability Management

Transcription

1 4 Steps to Reducing Risk with Vulnerability Management Best Practices Is Your Vulnerability Management Process Meaningful To Your Business? The vulnerability management process can be very useful and provide great return on investment when implemented carefully, monitored for effectiveness, and adjusted regularly. However, security professionals often report a long list of implementation, management, and operational challenges inherent in previous-generation vulnerability scanners. But new technology is transforming vulnerability management into an effective risk reduction tool and it s easier than you think. Here are four best practices to re-invent your vulnerability management process. Discover Analyze Prioritize Remediate & Track 1 Continuous Vulnerability Discovery: Fresh Data Keeps The Network Secure Most organizations today use traditional active scanning to discovery vulnerabilities, which requires a remote scan of each network-attached device. But this approach to vulnerability assessment is often constrained: Limitation of access Some assets and services are so critical that you may be hesitant to access them to scan because it may impact availability. This becomes the paradox of vulnerability assessment; the assets that need it the most are the ones we are the most reluctant to assess. Distribution of assets cloud assets or mobile devices. Information overload Vulnerability scanners drown IT security teams in data and are notorious for producing the 300-page report with a long and boring table of vulnerabilities with no network context, risk prioritization, or Not actionable vulnerability severity ranking, typically based on the Common Vulnerability Scoring System (CVSS) scoring. vulnerabilities and ignore the critical ones. Because of these constraints, most organizations only scan portions of their networks or scan in segments, which creates lengthy scan cycles. Both the frequency and scope of vulnerability management become inadequate. Risk assessments are only as good as the vulnerability data they are built upon, and fresh vulnerability data is available in every enterprise typically patch management and asset management systems to automatically and accurately deduce vulnerability data on all network nodes.

2 management using active scans only every 30 to 60 days and typically not covering the entire network, scanless vulnerability discovery provides a second source of vulnerability data that can keep your network up-to-date on the current vulnerability and risk status of your organization. Scanless vulnerability assessment augments active scans with daily updates 2 Context-Aware Analysis: Critical Risks Are Different For Every Organization Once fresh vulnerability data is available on a continuous basis, the next challenge is automating analysis of the vulnerabilities that will allow the subsequent prioritization to focus on the critical risks and not waste time chasing low-risk exposures. The idea is to create a short list of action items that can be executed quickly in order to eliminate the risk of exploitation by attackers. How can organizations determine which vulnerabilities are critical and which should be skipped? There are two approaches commonly used together for analysis: Hot Spots Analysis: Finds groups of hosts on the attack surface with a high density of severe vulnerabilities, Attack Vectors Analysis Unique technology advantage: Prioritize vulnerabilities by multiple factors 2

3 3 Prioritization: Focus Needs to Be on Vulnerabilities that Actually Pose a Odds are you have limited IT resources. This means you need efforts. Traditionally, scanner reports prioritize vulnerabilities severity ranking, typically based on the Common Vulnerability Scoring System (CVSS) scoring. But this doesn t prioritize the vulnerabilities within your network. Context-aware prioritization challenges a vulnerability s severity rating, asserting that the criticality of a vulnerability depends on several factors, including existing security controls, threat data, the business asset, and the impact of a potential attack. Looking at vulnerabilities within the context of your network has narrowed the list. But how do you prioritize from there? First, you need to determine whether the vulnerability is threatening an important system. For one global bank, an active scan reported 128,000 vulnerabilities. The security team then used contextaware analysis and prioritization and whittled that list down to 212 actionable items that needed immediate the security team was able to make risk and keep the team focused on critical activities. Or will it be considerable, taking down a critical system or extending to other assets? Today s attacks often incorporate multiple steps that cross several different network zones, and an isolated view of any of these steps could appear innocuous. Attack simulation technology automatically looks at the holistic network the attack to deploy security controls. Attack simulation technology looks at network context, asset criticality, business metrics, and existing security controls when determining the impact of a potential attack. For example, if an asset runs an application that is crucial to maintaining the business and requires continuous availability, a medium-level vulnerability that threatens to disable this asset might be a high-level risk to this particular business. 3

4 4 Remediation and Tracking: Options Must Go Beyond Patching integrated into the solution and should consider all security controls: Is there a patch available? Can you deploy a patch or is it unpatchable due to system integration issues, location, availability requirements, custom application limitations, etc.? Will system changes remediate the vulnerability? change access controls to mitigate the vulnerability? Are there other security controls available? If a patch is not available, are there other security controls that Remediation should consider all security controls, not just patching, and the availability of security controls should be part of the prioritization process. For example, when you have a list of critical vulnerabilities for your organization, you might prioritize easy-to-remediate vulnerabilities over ones that are resource intensive. This would allow you to get the most protection in the shortest amount of time. management process should enable effective communication with the relevant IT operations teams, and integrated your approach is succeeding as a whole and where and when to apply resources for improvement. Follow these best practices and implementing a meaningful vulnerability management program that actually improves your security will be easier than you think. Dashboards to monitor and track progress 4

5 Next Steps Implementing these four best practices for vulnerability management can reduce risk across your network. Find a vulnerability management solution that automates and integrates its processes to support the capabilities outlined and prioritize automatically, generating an actionable remediation list even breaking down the tasks by group (security, operations, etc.). Skybox Security provides the most powerful risk analytics for cyber security, giving IT security management and network operations the tools needed to eliminate attack vectors and safeguard business data and services. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat manage- To learn more about Skybox Security s solution for vulnerability management, you can view a product demo online, visit the Skybox Security website, or contact your local Skybox Security representative to schedule a demo at /contactus. About Skybox Security Established in 2002 and headquartered in San Jose, California, Skybox Security is a privately held company with worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large government agencies. Skybox Security customers are some of the most security-conscious organizations in the world, with missioncritical global networks and pressing regulatory compliance requirements. Today, six of the top 10 global banks and six of the 10 largest NATO members use Skybox Security for automated, integrated security management solutions that lower risk exposure and optimize security management processes /contactus Copyright 2014 Skybox Security, Inc. All rights reserved. Skybox is a trademarks of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners. BP_VulnerabilityManagement_EN_