Security in Obscurity

Finding Ways to Successfully Implement Vulnerability Management

Enterprise Security Magazine, March 2019

This article was originally published in the March 2019 Vulnerability Management Services Special of Enterprise Security Magazine. A copy of the publication and article can be found here.

---

The importance of and need for a well-defined and properly implemented vulnerability management program continues to increase as the technology we utilize and the industry driving it changes. New arenas such as cloud computing and distributed workforces with BYOD policies contribute new challenges in how the enterprise addresses security and vulnerability management. Additionally, the growing demand for security-focused talent raises a business’ expectations for higher performance from security teams, typically with reduced headcounts than in years previous. Thus, maximizing your vulnerability management program greatly benefits your security posture.

The essentials of vulnerability management fall into a few key categories. This begins with reflecting upon your environment to discover assets and vulnerabilities associated with those assets. Typically, vulnerability scanning tools are leveraged to track these items. Once items of concern have been identified it is important to establish reliable reporting of these assets and the vulnerabilities discovered.

Reporting on your findings will not only help you track security gaps in your environment but also prioritize the most concerning vulnerabilities representing the most risk for your business. The prioritization of these vulnerabilities and their associated assets will transition into a plan directed toward remediation of vulnerabilities. The continuous cycle of the discovery and remediation processes will comprise your vulnerability management program. Focusing on the vulnerability management process should be considered a key component of your security program. Justification for this can be found in a number of security frameworks and globally accepted best practices, such as CIS Control #3 as highlighted by the Center for Internet Security (CIS).

During my time with Edelman Financial Engines I have seen the company scale from three corporate offices to over 180 locations across the continental United States and providing personalized investment advice to over 1.1 million clients. From a technology standpoint, as a FinTech company, I have witnessed a dramatic shift from physical data centers to a significant footprint in both Amazon and Microsoft clouds. My focus during these shifts has been how to secure the enterprise while meeting the business' changing needs as the company scales. Addressing vulnerability management has been integral to my security strategy.

Outside of the fundamentals, I have found that there are a few important pieces to implementing vulnerability management successfully in the enterprise that can give you a leg up in ensuring that your program is repeatable and successful. Of these, the most important is to establish true business and leadership buy-in. Without the support of the business, everything from budgets to headcount to support for your program, will be a significant challenge. I find that the best way to garner business support is by tying the goals and needs of your vulnerability management back to the business objectives and goals. Information security is but one of the many competing priorities that business leaders must manage. Rather than pushing your executives to value and speak in security terms, you should find ways to relate security to what they value, the business or core function of your organization.

Once you have buy-in, you want to ensure that you set up meaningful reporting to track your vulnerabilities and your successes with vulnerability management. As mentioned earlier, reporting is a key way for security staff to respond to potential gaps in security. There is however another driving force around actionable reporting. That is in providing your leadership an executive level view of vulnerability management and more specifically, remediation, to track your successes. Executive-focused reports are important because they essentially reward the leaders for buying in and supporting vulnerability management. Highlighting the progress and success will show them the focus on time and money allocated to your vulnerability management initiative is well spent.

Finally, I have found that the industry shift to cloud computing and taking advantage of Software as a Service (SAAS) solutions can significantly aid in the execution of a vulnerability management program. The real value in leveraging these SAAS solutions as it relates to a vulnerability management program is the potential to offset a large amount of risk associated with vulnerabilities in your on-prem assets. As highlighted previously, after vulnerabilities have been identified, reported and prioritized all must be remediated, usually through software patching. Managing the patching of infrastructure can be very time consuming and can potentially be the longest arc of your vulnerability management cycle. By shifting more of your infrastructure toward SAAS solutions it reduces the risk your business is directly incurring, related to ensuring infrastructure is properly patched and the time remediation takes in your vulnerability management cycle.

Does offsetting the risk of trading your current infrastructure for cloud software services mean you remove all risk? I do not think it does. You will potentially incur some new risks previously not experienced. They may include a lack of control of your environment, particularly in regard to how the SAAS solution has implemented vulnerability management. Additionally, you may need to rely heavily on a third party to remediate the software vulnerabilities (no longer in your environment) in a timely manner. Well-defined Service Level Agreements (SLAs) are key here and should be factored into your procurement process. However, the lift that SAAS solutions can have on your vulnerability management program should at least warrant a review of the potential risk to your unique enterprise.

Now more than ever a well-executed vulnerability management program should be considered a core aspect of your security program. Placing an emphasis on leveraging rising technology trends such as SAAS solutions as a replacement for your current infrastructure will ensure that the program stays relevant and reflective of your business' changing environment and use cases. Maintaining focus on actionable reporting and stakeholder buy-in from your business leaders will help further your vulnerability management objectives, in turn achieving success.