Learn From the Best: Vulnerability Management Best Practices from the Best in the Business

October 11, 2018 Ayala Goldstein

Vulnerability Management Best Practices

According to Skybox Security’s mid-year 2018 Report on Vulnerability and Threat Trends, 2018 is on track to exceed the record-breaking published vulnerability rates of 2017. Combined with the headline-grabbing breaches and attacks of the past few years, vulnerability management has become a top concern for software organizations.

While vulnerability management has been a mandatory practice for development and security teams for quite a while, professionals and stakeholders are getting wise to the fact that vulnerability management is much more than running a quarterly vulnerability scan and submitting a remediation management plan.

Vulnerability Management Best Practices: Staying A Step Ahead of Security Vulnerabilities

Typically, a vulnerability management program includes three components: identification, prioritization, and remediation. Each one of the practices is constantly evolving to address new software environments and security threats.

Developers, security experts, and stakeholders have to keep up with vulnerability management best practices if they want to stay on top of their security game, and who better to weigh in than some of the top industry analysts and providers of vulnerability management solutions?

Asset Management: Know Your Systems Inside and Out

The first phase in a vulnerability management process is identification. But even before that, you need to know what comprises your organization's software. Today’s organizations have to track a wide and complex attack surface, on top of the traditional network infrastructure that they have always scanned.

Amit Yoran, Chairman and CEO of Tenable Network Security calls this an elastic attack surface, spanning across an enterprise environment that is dynamic, borderless, and highly connected. Yoran’s list of the elastic attack surface’s major components includes cloud instances, mobile devices, IoT devices, containers, and web applications, in addition to traditional enterprise assets, which are now dynamic and interconnected. So basically everything.

Achieving visibility over all of the layers and components of the elastic attack surface requires organizations to venture beyond traditional scanning tools, and adopt new solutions and processes to continuously track this dynamic landscape, ensuring no component is left behind.

Open Source Vulnerability Management

Open source components are another integral part of the software development environment, helping development teams keep up with the current pace of the software development lifecycle. As such, they need to be properly managed.

WhiteSource’s Open Source Vulnerability Management Report surveyed over 650 developers and found that they rate security as their top challenge when dealing with open source components. This is no big surprise considering that the report’s research results also found that open source vulnerabilities rose by over 60% in 2017 as compared to 2016.

Software Composition Analysis tools provide development and security teams the open source vulnerability management capabilities that they need by continuously tracking, detecting, and alerting admins on any vulnerable open source components in their software.

Threat Intelligence: Listening In

According to a recent Gartner report recommending that organizations implement a risk-based approach to vulnerability management, threat intelligence is also an extremely useful asset for security and development teams when attempting to prioritize remediation.

Other experts agree. Senior Forrester Research analyst Josh Zelonis recently explained that in vulnerability management, it’s helpful to use threat intelligence not just to detect threats, but to also preemptively patch using threat landscape trends as a guide. This way you have an idea of what the attackers are likely to target, giving your team the heads up to prioritize hardening ops in the areas that are likely to need it most.

Be Wise: Prioritize

In the olden days, vulnerability management plans focused mainly on identification and detection. Today, as the number of security vulnerabilities continues to rise to new heights, there is no way organizations can address every single vulnerability that they are alerted on.

This is where prioritization comes into the vulnerability management process. Threat intelligence data, along with other factors and tools, feed the decisions about how an organization should prioritize its vulnerability management.

While many organizations base their prioritization of vulnerability management on CVSS scores, one of the major insights that came up in Nopsec’s 2018 State of Vulnerability Risk Management report was that “a surprisingly high portion of vulnerabilities incorporated into malware or exploit kits are ranked low or medium severity.” The report goes on to state that “counter to commonly-accepted practices, focusing only on high-severity vulnerabilities and setting a ‘cut-off’ point for lower scored issues, is not a safe or effective strategy.”

Threat Intel Lead Rebekah Brown of Rapid7 discussed another misconception about security vulnerabilities, noting that “It’s also important to recognize that threats aren’t black and white. There is a spectrum of threats and the impact can vary from company to company.”

Perhaps the Gartner report says it best, stating that, “A vulnerability is only as bad as the threat exploiting it and the impact on the organization. Security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness”.

All experts agree that a prioritization strategy must be put in place as part of a vulnerability management program in order to ensure that organizations are attending to the most critical security issues threatening their systems.
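To make the prioritization argument concrete, here is an added example (not from this article or from any of the vendors it quotes) that compares a CVSS cut-off with a risk-based ranking over constructed findings. The risk formula, its weights, and the asset_criticality rating are assumptions for illustration, not a standard from Gartner, NopSec, or Rapid7.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float              # CVSS base score, 0.0-10.0
    exploited_in_wild: bool  # threat-intel flag: seen in malware or exploit kits
    asset_criticality: int   # assumed 1 (lab box) .. 5 (customer-facing production)


# Constructed sample inventory; identifiers and scores are made up for the example.
FINDINGS = [
    Finding("VULN-A", 9.8, False, 1),
    Finding("VULN-B", 5.3, True, 5),
    Finding("VULN-C", 7.5, False, 3),
    Finding("VULN-D", 4.3, True, 3),
    Finding("VULN-E", 8.1, False, 5),
]


def cvss_cutoff(findings, threshold=7.0):
    """The 'cut-off' strategy the NopSec report warns against:
    schedule only findings at or above the CVSS threshold, highest first."""
    kept = [f for f in findings if f.cvss >= threshold]
    return [f.vuln_id for f in sorted(kept, key=lambda f: -f.cvss)]


def risk_score(f):
    """Assumed risk model: severity x likelihood x impact.
    Known exploitation multiplies likelihood by 4 (an assumed weight);
    asset criticality scales the impact term."""
    likelihood = 4.0 if f.exploited_in_wild else 1.0
    return f.cvss * likelihood * f.asset_criticality


def risk_based(findings):
    """Rank every finding by risk; nothing is dropped by a score cut-off."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -risk_score(f))]


def missed_by_cutoff(findings, threshold=7.0):
    """Exploited findings that the cut-off strategy would never schedule."""
    scheduled = set(cvss_cutoff(findings, threshold))
    return [f.vuln_id for f in findings
            if f.exploited_in_wild and f.vuln_id not in scheduled]


if __name__ == "__main__":
    print("CVSS cut-off order  :", cvss_cutoff(FINDINGS))
    print("Risk-based order    :", risk_based(FINDINGS))
    print("Exploited but missed:", missed_by_cutoff(FINDINGS))
```

On this sample the two exploited medium-severity findings rank first under the risk model yet fall entirely outside the CVSS 7.0 cut-off, which is the gap the NopSec quote describes.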

Metrics: For Good Measure

With CXOs showing more and more interest in your vulnerability management program, vulnerabilities rising at an alarming rate, and production time frames getting tighter, setting the right SLAs and keeping an eye on vulnerability management metrics is a recommended best practice.

Metrics including time to detection, remediation and patch management, asset tracking, and application inventory are a great start. These metrics will also help you with other processes like prioritization, or tasks like presenting data to the board. Once you know what to measure and assess, you can focus on the issues that require improvement, and allocate the resources needed so that you can keep management happy, your systems safe, and your production pace on track.

Morey Haber, CTO at BeyondTrust, offers a fun tip for motivating development and security teams to keep within the SLAs. He suggests leveraging the metrics to create fun competitions between teams where “the team that minimizes the risks the fastest wins.”

Competitions could include remediation and mitigation cycles, patch deployments, lowering critical scores, or anything else you can measure. Haber recommends allowing prizes for the winning teams, saying that, "you will be surprised how fast many long-standing risks actually get corrected.”

Vulnerability Management Best Practices: DevSecOps It Up

Vulnerability management has come a long way. Luckily, rising awareness of the danger of security threats has stakeholders willing to invest in a solid vulnerability management program. It has also made room for many vulnerability management providers to thrive and innovate in this landscape, offering their expertise on the best practices in this swiftly evolving field.

One vulnerability management best practice that all of the experts agree on is adopting a DevSecOps approach that incorporates tools for tracking, detection, remediation, and patching.

These new tools allow development and security teams to track their software ecosystem and make the right decisions for their organizations based on real-time data. Teams can automate vulnerability detection, remediation, and patching, prioritizing their tasks based on the data that is most relevant to them.

Hopefully, by following these industry best practices, organizations can better ensure that their environments remain secure while production remains on schedule.
