Vulnerability Management Best Practices and Key Benefits

Q and A with Graham Brooks, Senior Security Solutions Architect, Syxsense.  

What is vulnerability management? 

Vulnerability management is the process of mitigating configuration or code issues which could allow an attacker to exploit an environment. It can be deployed as on-premises software, delivered as SaaS, or as a managed service that is known as Vulnerability Management as a Service.

What are the benefits of using Vulnerability Management as a Service (VMaaS) compared to installing your own software and running it internally? 

VMaaS improves on traditional vulnerability management practices by placing an agent on managed assets. Traditional vulnerability management tools cannot review or remediate issues beyond the traditional business network perimeter. VMaaS circumvents this dependency by allowing assets to be monitored and managed regardless of network topography.   

What steps make up the vulnerability management lifecycle?  

Vulnerability management can be broken into five steps, four of which should be fully automated:    

  1. Scan for Vulnerabilities. This can either be a specific new priority threat, or remedial baseline scanning. This should be a fully automated and frequently deployed process. 
  2. Report on Found Vulnerabilities. Deliver a report to the Security Operations Center (SOC) team, showing the currently exploitable vulnerabilities affecting the environment. This should be a fully automated and frequently deployed process. 
  3. Deploy Remediations. At the foundational level, remediations can be service configurations, deployed patches, port blacklisting, and many other operational tasks. Remediating vulnerabilities should be an automated process, but it must be automated with oversight. As with all environment changes, remediations can cause unforeseen system behaviors. Therefore, this process should be automated only after a peer-review and change control meeting.  
  4. Validate Remediations. Many forget that they need to rescan environments after deploying remediations. Sometimes a remediation might not effectively resolve the issue as intended. This process should be fully automated and occur directly after the remediation deployment. 
  5. Report on Resolved Vulnerabilities. A report should be delivered to the SOC team showing actions taken on any vulnerabilities that have been removed (and validated) within the environment. This process should be fully automated.  

The process outlined above should be performed on an ongoing basis and should not be limited to a once-per-month basis, as is currently common among traditional on-prem vulnerability management tools. Many of these tools perform monthly vulnerability reports simply because each step is manually performed, and the SOC team does not have the man-hours required to implement a more aggressive cadence. Adding automation into a VMaaS platform completely changes the narrative.

What are some key vulnerability management best practices? 

Frequency is key. Furthermore, don’t simply resolve vulnerabilities that are listed as critical or high priority. Perform an association analysis to see if a concert of lower-priority vulnerabilities can be used to exploit your environment. Most threat actors use more than one vulnerability in their kill chain, so make sure you aren’t just hitting the most prominent vulnerabilities in your attack surface.

Beyond managing the severity of vulnerabilities, also consider developing a trend analysis process. What you measure you improve. Using trend analysis, you can see if you are improving your security practice over time, and see what improvements need to be made.   

How should businesses measure vulnerability risk?  

There are two primary sources of truth any SOC team needs to use when reviewing vulnerabilities:   

  1. What does the industry say about this vulnerability? Is this vulnerability being used by threat actors? Is it easy to implement? Does it provide lots of access to sensitive resources? These questions are addressed within the Mitre Corporation's CVSS scoring system. 
  2. You also need to understand how a vulnerability interacts with your environment. For example, Log4J was terrible for many companies that use Java-based applications. But, if your company does not use Java in production, the institutional risk associated with Log4J is significantly lower for your company than for the industry at large.

The best way to measure vulnerability risk is via a combination of 1 and 2.
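An added illustration of combining the two sources of truth above (not code from the interview or from Syxsense): industry severity, here a CVSS base score plus an actively-exploited flag, is weighted by how the affected component actually appears in the organisation's production inventory. The inventory, the CVE-style identifiers and the weighting factors are constructed placeholders for this example.

```python
"""Rank findings by industry severity weighted by environmental exposure.
Added example: field names, multipliers and sample data are assumptions."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str          # placeholder identifier, constructed for the example
    component: str      # affected software component
    cvss_base: float    # industry view: CVSS base score, 0-10
    exploited: bool     # industry view: seen in use by threat actors


# Constructed production inventory: how many hosts run each component
# and whether any of them are reachable from the internet.
PRODUCTION_INVENTORY = {
    "openssh": {"hosts": 40, "internet_facing": True},
    "java-log4j": {"hosts": 0, "internet_facing": False},  # no Java in prod
    "sqlite": {"hosts": 120, "internet_facing": False},
}


def environmental_factor(component: str, inventory: dict) -> float:
    """Assumed weighting: not deployed -> 0.1, internal only -> 0.6,
    internet-facing -> 1.0.  (Source of truth 2: our environment.)"""
    entry = inventory.get(component)
    if entry is None or entry["hosts"] == 0:
        return 0.1
    return 1.0 if entry["internet_facing"] else 0.6


def risk_score(f: Finding, inventory: dict = PRODUCTION_INVENTORY) -> float:
    """Source of truth 1 (industry severity, boosted when actively
    exploited, capped at 10) multiplied by the environmental factor."""
    industry = min(f.cvss_base * (1.5 if f.exploited else 1.0), 10.0)
    return round(industry * environmental_factor(f.component, inventory), 2)


def prioritise(findings, inventory: dict = PRODUCTION_INVENTORY):
    """Highest institutional risk first."""
    return sorted(findings, key=lambda f: risk_score(f, inventory), reverse=True)


FINDINGS = [  # constructed sample findings; identifiers are placeholders
    Finding("PLACEHOLDER-LOG4J", "java-log4j", 10.0, True),
    Finding("PLACEHOLDER-SSH", "openssh", 7.5, True),
    Finding("PLACEHOLDER-SQLITE", "sqlite", 5.3, False),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{risk_score(f):5.2f}  {f.ident:20} {f.component}")
```

With this inventory the Log4J finding, critical industry-wide, drops to the bottom of the list because Java is absent from production, which is exactly the distinction the second source of truth is meant to capture.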

What does Syxsense offer in vulnerability management? 

Syxsense can perform every aspect of the vulnerability lifecycle as discussed above on all compute devices such as laptops, desktops, servers, and smartphones. Syxsense Enterprise offers patch management, vulnerability scanning, IT management, and end-to-end vulnerability management. This includes integrated remediation features as well as mobile device management (MDM). Everything is now combined into one console via Syxsense Enterprise. Key differentiators include the ability to automate discovery and remediation workflows, as well as patch supersedence, patch rollback, and its ability to encompass any mobile devices, PCs, laptops, and servers.