How to Develop an Effective Vulnerability Management Process




Research Publication Date: 1 March 2005 ID Number: G00124126

Mark Nicolett

IT organizations should develop vulnerability management processes that protect IT environments against external attack and internal threats, and ensure corporate compliance with government regulations.

Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW

IT security organizations should implement a vulnerability management process that includes a vulnerability assessment and security configuration baseline. Mitigation activity should be prioritized based on the severity of the vulnerability, the current threat environment and the business use of the vulnerable asset. Shielding should be used to protect vulnerable assets until mitigation is completed. The root cause of vulnerabilities should be identified and eliminated through improvements in network, server and PC configuration policies, and better change management and administrative processes.

ANALYSIS

A major responsibility of IT security organizations is to define and operationalize security policies that protect the IT environment from external and internal threats, and also provide compliance with regulations. Effective protection of IT resources requires a combination of approaches that include:

- Vulnerability management
- Shielding at the network and system layers
- Network access control (see "Protect Your Resources With a Network Access Control Process")

Vulnerability management is an ongoing process that establishes and maintains security policies for network and system resources; discovers, prioritizes and mitigates vulnerabilities; and eliminates their root causes (see Figure 1).

Figure 1. Vulnerability Management Process (diagram; stage labels recovered from the page): Policy (define desired state: configuration, identity and access management); Discover/Baseline (determine policy compliance, identify vulnerabilities); Prioritize (vulnerability data, threat data, asset classification); Shield; Mitigate (high-priority vulnerabilities); Controls/Eliminate Root Cause; Maintain; Monitor (policy compliance, vulnerabilities, threat environment). Source: Gartner Research (February 2005)

The vulnerability management process consists of seven steps:

Step 1: Policy

The first step to improve IT security is defining the desired states for network and system configurations, resource protection and resource access. This requires the creation of policies that define secure configurations for network devices, servers, personal computers and other IT components; administrative constructs for users and application resources; and administrative processes that implement the policies.

Step 2: Discovery and Baseline

The next step is discovery of the network, system, desktop and data components that comprise the IT infrastructure, followed by the establishment of a security baseline. The discovery and baseline step must encompass systems that are corporate-owned and managed, and corporate-owned and unmanaged, as well as external systems and applications that access the corporate network.

Vulnerability Assessment: Vulnerability assessment provides a "bottom-up" baseline of the environment with respect to a database of known vulnerabilities. IT security organizations require a network-based approach that does not require management agents and can discover and evaluate vulnerabilities in managed and unmanaged systems. Many vulnerabilities are the result of configuration issues. Elimination of configuration-oriented vulnerabilities and their root causes requires a second baseline perspective: compliance with security configuration standards.

Security Configuration Policy Compliance: Security configuration policy compliance (SCPC) provides a "top-down" baseline of the environment with respect to security configuration policies that are organization-specific but are derived from industry-recognized best practices (such as the Microsoft Security Guide, the SANS (SysAdmin, Audit, Network, Security) Institute, the Center for Internet Security, the National Institute of Standards and Technology or the National Security Agency), vendor-defined interpretations of regulatory requirements, or corporate-defined configuration standards. The SCPC baseline audits the environment and discovers deviations from an organization's security configuration policies. An SCPC baseline is well-suited to the work of vulnerability remediation. The initial steps of configuration policy development force the collaboration of IT security and IT operations, and ultimately lead to the elimination of the root cause of configuration- or administration-based vulnerabilities. Policy definition and periodic audits are also important components of an organization's regulatory compliance program. Standard configurations are a prerequisite for automated-provisioning processes, and support higher levels of availability and reduced operations costs.

Convergence of Vulnerability Assessment and Security Configuration Management: IT security groups that have attempted to use the output of a vulnerability assessment baseline to drive vulnerability mitigation projects within IT operations have found the data disorganized and unusable. As a result, reporting and analysis require the integration of vulnerability assessment and security configuration management data. IT security organizations should pressure vendors for analysis that cross-references vulnerabilities and configuration changes.
Step 3: Prioritization

When organizations baseline their environments in regard to vulnerabilities or security configuration standards, they need to do more mitigation work than time and resources will permit. Therefore, mitigation efforts need to be prioritized according to these factors:

The Nature of the Vulnerability and the State of the Current Threat Environment: As cyberattackers become more efficient at quickly exploiting software vulnerabilities, IT security managers need current information about the external threat environment. Vulnerability management products must factor near-real-time threat information into vulnerability prioritization and alert functions.

The Business Use of the Vulnerable Asset

Asset Inventory and Classification: Asset inventory and classification is a prerequisite for the second aspect of prioritization, which is the business use of the vulnerable asset. In general, vulnerabilities that are likely to be attacked and are present on business-critical assets that are not effectively shielded should have the highest mitigation priority, but there are exceptions. When a vulnerability is widespread and subject to a worm attack, it needs to be mitigated regardless of asset use. On the other hand, if a vulnerability exposes corporate data or applications to inappropriate internal or external access, the business use of the asset becomes a major determinant of mitigation priority. The classification of assets by business use is required by both IT security and IT operations. IT security uses asset classification for business-oriented risk analysis, vulnerability mitigation prioritization and the generation of security metrics. IT operations uses asset classification in the areas of business-relevant availability, capacity, change analysis and reporting on service-level agreements. Asset classification requires a substantial amount of initial project work. Ongoing maintenance requires well-developed processes across the IT organization. The majority of vulnerability assessment, security management and operational configuration management tools build and maintain system inventory data in product-specific repositories.
Organizations should establish a single source for asset classification so that maintenance costs are minimized. This strategy requires that systems and security management products support the import and export of asset classification and business service data.

Step 4: Shielding and Mitigation

Mitigation is the slowest, most-difficult part of vulnerability management because it requires the management of changes that are implemented across many IT operations and support areas. The IT security group is responsible for developing security administration and configuration policies, and must monitor the current state of the environment with respect to those policies; however, the network, server and desktop support organizations carry out the bulk of the mitigation work. Rapid patching alone is an inadequate response to vulnerability mitigation (see "IT Operations Must Change to Deal With Windows Attacks"). Use technologies such as firewalls, network- and host-based intrusion prevention, and network access controls to shield vulnerable assets until mitigation work has been completed.

Workflow: Workflow functions are needed to organize mitigation work. There is a requirement for loose integration with operational workflow processes. There is also a requirement for embedded workflow within vulnerability management products for organizations that have not yet deployed enterprise workflow systems, and to address situations where detailed vulnerability information is too sensitive to expose within the enterprise workflow system.

Automated Mitigation: Automated mitigation of vulnerabilities is possible but not commonly deployed on a wide scale. For example, it is possible to completely automate the download and installation of security patches, but a completely automated approach is only common for consumer PCs. In a corporate environment, patch installation occurs only after quality assurance testing is completed, and is scheduled within a time window that is appropriate for the applications or business functions supported by the system. We see the same situation for other types of system changes that are related to vulnerability management. In most cases, it is useful to have the vulnerability management baseline generate the system change, and stage the change so that it can be implemented at the appropriate time in the context of a change-management process. More-aggressive forms of automation are appropriate in a small number of cases.

Examples include scan and quarantine at network connect time and the automated elimination of some configuration errors or unwanted functions on corporate PCs.

Vulnerability Management and Network Access Control (NAC): There is widespread demand for the capability to evaluate the security state of systems as they connect to the network, implement a network access policy and mitigate discovered vulnerabilities. Incumbent vulnerability assessment or security configuration management tools can potentially provide NAC baseline and mitigation functions in specific customer environments (see "Protect Your Resources With a Network Access Control Process").

Step 5: Controls/Eliminating Root Cause

As organizations take action to eliminate the vulnerabilities that have been exposed by the security baseline, they also need to evaluate the overall pattern of vulnerabilities to identify and eliminate the root causes. Many vulnerabilities are the result of poorly formed system configuration or user administration policies, and inadequate provisioning or change management processes. Eliminating root causes requires improvements in the policies and processes that are used to provision, configure and change systems, and administer users.

Step 6: Maintenance

IT operations is responsible for the bulk of vulnerability remediation project work, the implementation of virtually all system maintenance and administrative changes, and the provisioning of new systems and users. An effective vulnerability management program requires that security configuration and administration policies become part of day-to-day operational tasks (see "IT Security and Operational Management Must Converge").

Step 7: Monitoring

New attacks can emerge and spread rapidly, and new applications and administrative changes can introduce new vulnerabilities. The activities of system users and system administrators must also be monitored. The discovery and baseline steps need to be continuous, and all subsequent vulnerability management steps should be repeated as part of an ongoing process. Up-to-date vulnerability assessment and security configuration information is needed:

- To monitor the security state of the IT environment and the current status of patch management and vulnerability mitigation activities
- To discover unmanaged and misconfigured devices as they connect to the network
- As an input to IT security risk reporting
- As a data feed to the real-time event prioritization functions of IT security management systems

IT security management technologies can also be used to monitor external threats to the IT environment and to provide additional information about specific changes that have caused lapses in security configuration or security administration policies.

Technology Evolution

Vulnerability assessment and security configuration policy compliance tools have been used by IT security organizations for discovery and baseline for many years. However, major changes in tool deployment and data use are driving changes in the vulnerability management market. Vulnerability assessment and security configuration management are evolving from utility functions that periodically generate reports for security personnel to security infrastructure that provides near-continuous scanning and reporting for IT security and operations. Integration and cross-referencing of vulnerability assessment data with security configuration policy compliance data is needed to improve data use for mitigation. Improvements in asset classification and risk analysis will enable security reporting and metrics for IT and business area management.

Key Issues

How will enterprises manage IT configurations to eliminate vulnerabilities and implement security policies?

This research is part of a set of related research pieces. See "Improve IT Security with Vulnerability Management" for an overview.
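The Step 3 prioritization rules (severity, current threat environment, business use of the asset, and the two stated exceptions) together with the Step 4 shielding rule and the Step 5 root-cause cross-reference, carried through as an added example that is not Gartner's code or any product's. The asset names, vulnerability labels, weights and threat feed are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Asset:  # asset classification record (Step 3: business use of the asset)
    name: str
    business_use: str      # "critical", "important" or "low"
    shielded: bool         # covered by firewall/IPS/NAC until mitigation completes (Step 4)

@dataclass
class Finding:  # one result from the vulnerability assessment baseline (Step 2)
    vuln_id: str           # constructed label, not a real advisory identifier
    asset: str
    severity: int          # 1 (low) to 5 (critical), as rated by the scanner
    widespread: bool       # present on many systems in the environment
    exposes_data: bool     # grants inappropriate access to corporate data or applications
    config_deviation: Optional[str] = None  # cross-referenced SCPC deviation, if any

USE_WEIGHT = {"critical": 3, "important": 2, "low": 1}        # assumed weights
THREAT_WEIGHT = {"worm": 3, "exploit_available": 2, "none": 1}

def score_finding(f: Finding, asset: Asset, threat_feed: dict) -> Tuple[int, str]:
    """Return (priority score, rationale) applying the note's rules and exceptions."""
    threat_state = threat_feed.get(f.vuln_id, "none")   # current threat environment
    base = f.severity * THREAT_WEIGHT[threat_state]
    # Exception 1: widespread and under worm attack is mitigated regardless of
    # asset use, so the highest use weight applies and shielding is not credited.
    if f.widespread and threat_state == "worm":
        return base * max(USE_WEIGHT.values()), "widespread worm target; asset use ignored"
    # Exception 2: a flaw exposing data or applications makes business use the
    # major determinant, so its weight is applied twice.
    use = USE_WEIGHT[asset.business_use]
    if f.exposes_data:
        score, why = base * use * use, "data exposure; weighted by business use"
    else:
        score, why = base * use, "severity x threat x business use"
    if asset.shielded:           # shielded assets are still fixed, just later
        score, why = score // 2, why + "; shielded, deferred"
    return score, why

def prioritize(findings, assets, threat_feed):
    """Rank findings for the mitigation workflow; flag configuration root causes (Step 5)."""
    ranked = []
    for f in findings:
        score, why = score_finding(f, assets[f.asset], threat_feed)
        if f.config_deviation:
            why += f"; root cause: {f.config_deviation}"
        ranked.append((score, f.vuln_id, f.asset, why))
    return sorted(ranked, key=lambda row: (-row[0], row[1]))

ASSETS = {  # constructed sample data, not from the page
    "erp-db": Asset("erp-db", "critical", shielded=True),
    "hr-web": Asset("hr-web", "important", shielded=False),
    "kiosk-01": Asset("kiosk-01", "low", shielded=False),
}
FINDINGS = [
    Finding("VULN-A", "kiosk-01", 4, widespread=True, exposes_data=False),
    Finding("VULN-B", "erp-db", 3, widespread=False, exposes_data=True,
            config_deviation="default admin account enabled (policy DB-03)"),
    Finding("VULN-C", "hr-web", 5, widespread=False, exposes_data=False),
    Finding("VULN-D", "kiosk-01", 5, widespread=False, exposes_data=False),
]
THREAT_FEED = {"VULN-A": "worm", "VULN-B": "exploit_available"}
```

With this data the worm-exposed kiosk finding ranks above the shielded critical database, and the identical-severity findings on hr-web and kiosk-01 separate only by business use.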