In Part I of this two-part post, I covered some of the best practices you should consider implementing as part of your Vulnerability Management process. In this Part 2, I will cover those elusive “next steps,” and address how to effectively leverage all of that vulnerability information you have collected in order to prioritize your remediation efforts.
A remediation timeline is essential to the success of your Vulnerability Management program. Once vulnerabilities have been identified, false positives removed and a remediation strategy assigned, it is important to ensure timelines are kept, especially where critical assets or known vulnerable assets are concerned.
These are some important aspects of the remediation process in the overall Vulnerability Management context:
- Conduct validation scans to ensure remediation efforts have been completed, and hold system and technical owners accountable to the agreed and assigned timeline(s).
- Prepare for contingencies, as risks often escalate over time as exploits are created. Ensure an escalation path exists to elevate remediation efforts to account for increased risk priority.
- Track your progress using systematic reports and ensure you monitor vulnerability aging as part of the remediation cycle.
The next phase to address is reporting. Reporting is more than just: “We had 100 High-risk vulnerabilities, 350 Medium and 1,200 Low.” Reporting is a process and a mechanism to help you automate and self-manage your Vulnerability Management process.
Determine reporting and metrics requirements based on your organizational needs, as well as industry compliance and audit requirements. This process should include the development of reporting templates to ensure accurate and immediate access to all of your risk management data.
Here are some key aspects of a best-practice Vulnerability Management reporting program:
- Develop a vulnerability aging report to allow you to track remediation efforts and timelines.
- Create granular reports to track risks down to the individual system owners (e.g., are the system owners adhering to established standards, where do improvements need to be made, etc.).
- Conduct a trend analysis as part of your executive reporting. This should be clean and simple—a quick view of risk/exposure and how well the risk management program is performing over time (trending up or down).
- Reports should be automated to ensure compliance and audit needs are being addressed while keeping your analysts focused on threat management and not report/metrics generation.
- Reports should allow for multiple views, but ultimately should all roll up together to paint a comprehensive picture of the organizational risk landscape.
A proper vulnerability management program will help you gain insight into your total risk posture, and allow you to see potential issues before they become bigger problems. By following the steps I have outlined in this two-part blog post, you will ensure that you know which systems are critical, which systems are high risks, and where you should focus your time and efforts to get the best results from remediation efforts and system patching.
Additional Program Considerations
I will leave you with a few additional security program considerations to help you with your program development.
- Consider a full defense-in-depth strategy for your security program. Include system, storage, network, application, and user security enforcement and monitoring.
- Implement a full vulnerability management lifecycle program to track, monitor and trend the vulnerability state and the vulnerability workflow on an ongoing basis.
- Identify assets, owners, and high-risk/critical systems. Ensure critical systems are documented and a plan is in place for proper remediation steps.
- Ensure your vulnerability program is a defined portion of your existing security policy. This should be a two-way document that outlines roles, responsibilities, and SLAs that should be defined for incident response, maintenance and support.
If you would like to discuss how PPS can assist you in developing a solid Vulnerability Management program for your organization, please contact our team today to discuss our process and options.