Is Your Vulnerability Management Process Effective?

11.22.2016 by Mike Pokas

Is your current vulnerability management process providing value that is meaningful to your business? A well-implemented and effectively managed vulnerability management process can deliver significant value and return on investment as a risk management tool. To realize those benefits, an organization must follow some simple guidelines for the implementation and ongoing operation of the program.

Here are a few best practices related to vulnerability management.

  • Engage in regular scanning of the network: A true risk assessment of your environment is only as good as the data collected to perform it. Many organizations do not scan often enough, or scan only a subset of their environment, because of a number of constraints. Some assets may be deemed too critical to scan for fear that scanning will hurt availability. In many cases the information returned by a full network scan can overwhelm an already overloaded IT team. VioPoint recommends that scans be performed every 30 days against a predefined list of critical assets. Any asset deliberately excluded from scanning should still be recorded as a known gap and covered by another method, such as authenticated or agent-based checks, rather than silently dropping out of the picture.
  • Effective Analysis: Analyze the scan results to identify the vulnerabilities that pose the greatest risk to the organization, and from those build a list of “quick hits” that can be remediated quickly, before an attacker has the chance to exploit them.
  • Prioritization of Risks: Most organizations have limited IT resources and even fewer resources dedicated to security activities, so effort must be focused on the highest-risk items to drive remediation effectively. Vulnerabilities need to be viewed in their proper context, including severity rating, threat intelligence, and the criticality of the business asset. Once that analysis is complete, assess the impact to the organization should the vulnerability be exploited within your system.
  • Remediation of Identified Vulnerabilities: This is the final step in the vulnerability management process, and it often proves the most challenging. Resource capacity is a significant obstacle: many IT groups are already overloaded, or may view remediation as outside their normal duties and responsibilities. Even where remediation is an accepted part of the IT role, it can stall if adequate staff are not available to perform the required work.

Those issues aside, a number of important decisions still have to be made about the approach to remediation. First, determine whether a patch is available for a given vulnerability, or whether the vulnerability is even considered “patchable”.

In some cases the asset may be obsolete and cannot be patched at all. If no patch is available, or the asset is unpatchable, the next question is whether other security controls can be relied upon to provide protection in the meantime.

In most organizations vulnerability management and analysis is carried out by a security team, while the network operations team performs remediation. It is critical that cross-team communication is instituted and effective.
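The four steps above (regular scanning, analysis, prioritization and remediation) are easiest to see end to end on concrete data. The script below is an added example, not VioPoint's tooling or code from this post: it checks scan coverage against the 30-day cadence, scores each finding as severity multiplied by a threat-intelligence factor and an asset-criticality weight, pulls out the “quick hits”, and routes every finding to a remediation action based on whether a patch exists and whether the asset can be patched. The asset names, finding identifiers (EX-0001 and so on), threat-intel sets, weights and the 20.0 quick-hit threshold are all constructed assumptions for the demonstration.

```python
"""Added example: triage of constructed scan findings following the post's steps
(scan coverage, analysis, prioritization, remediation decision). Weights, asset
names, finding identifiers and threat intel below are assumptions, not real data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

SCAN_CADENCE_DAYS = 30                                         # cadence the post recommends
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}  # assumed business weights
QUICK_HIT_THRESHOLD = 20.0                                     # assumed cut-off for "quick hits"


@dataclass
class Asset:
    name: str
    criticality: str               # "high" | "medium" | "low"
    last_scanned: Optional[date]   # None = never scanned


@dataclass
class Finding:
    asset: Asset
    vuln_id: str                   # constructed identifier, not a real CVE
    cvss: float                    # scanner severity, 0.0-10.0
    patch_available: bool
    patchable: bool                # False for obsolete/unsupported platforms
    compensating_controls: List[str] = field(default_factory=list)


def stale_assets(assets, today):
    """Step 1: assets never scanned, or scanned longer ago than the cadence allows."""
    cutoff = today - timedelta(days=SCAN_CADENCE_DAYS)
    return [a.name for a in assets if a.last_scanned is None or a.last_scanned < cutoff]


def threat_factor(vuln_id, intel):
    """Threat-intelligence multiplier (assumed values): exploited in the wild
    outweighs a merely public exploit, which outweighs no known exploit."""
    if vuln_id in intel.get("exploited_in_wild", set()):
        return 2.0
    if vuln_id in intel.get("public_exploit", set()):
        return 1.5
    return 1.0


def risk_score(f, intel):
    """Step 3: severity x threat intel x asset criticality, rounded to one decimal."""
    weight = CRITICALITY_WEIGHT[f.asset.criticality]
    return round(f.cvss * threat_factor(f.vuln_id, intel) * weight, 1)


def remediation_action(f):
    """Step 4: route each finding by patch availability and patchability."""
    if not f.patchable:
        return "accept-with-controls" if f.compensating_controls else "isolate-or-retire"
    return "patch" if f.patch_available else "mitigate-await-patch"


def prioritize(findings, intel):
    """Findings ordered by descending risk score."""
    return sorted(findings, key=lambda f: risk_score(f, intel), reverse=True)


def quick_hits(findings, intel, threshold=QUICK_HIT_THRESHOLD):
    """Step 2: high-risk findings that can actually be patched right now."""
    return [f for f in prioritize(findings, intel)
            if f.patchable and f.patch_available and risk_score(f, intel) >= threshold]


def sample_data(today=date(2016, 11, 22)):
    """Constructed inventory, findings and threat intel for the demonstration."""
    db = Asset("db01", "high", today - timedelta(days=3))
    web = Asset("web01", "medium", today - timedelta(days=10))
    hmi = Asset("legacy-hmi", "high", None)              # deemed "too critical to scan"
    kiosk = Asset("kiosk07", "low", today - timedelta(days=45))
    fs = Asset("fileserver02", "medium", today - timedelta(days=2))
    findings = [
        Finding(db, "EX-0001", 9.8, True, True),
        Finding(web, "EX-0002", 7.5, True, True),
        Finding(hmi, "EX-0003", 8.1, False, False, ["network segmentation", "IPS signature"]),
        Finding(kiosk, "EX-0004", 5.3, True, True),
        Finding(fs, "EX-0005", 6.5, False, True),
    ]
    intel = {"exploited_in_wild": {"EX-0001"}, "public_exploit": {"EX-0002"}}
    return [db, web, hmi, kiosk, fs], findings, intel


def report(today=date(2016, 11, 22)):
    """Full run: coverage gaps, ranked findings with their action, and the quick-hit list."""
    assets, findings, intel = sample_data(today)
    ranked = [(f.vuln_id, f.asset.name, risk_score(f, intel), remediation_action(f))
              for f in prioritize(findings, intel)]
    return {"stale": stale_assets(assets, today),
            "ranked": ranked,
            "quick_hits": [f.vuln_id for f in quick_hits(findings, intel)]}


if __name__ == "__main__":
    out = report()
    print("Not scanned within %d days:" % SCAN_CADENCE_DAYS, out["stale"])
    for row in out["ranked"]:
        print("%-8s %-13s score=%5.1f -> %s" % row)
    print("Quick hits:", out["quick_hits"])
```

Note what the ranking does and does not do: EX-0003 on the unscanned legacy HMI scores higher than EX-0002 on the web server, yet it is not a quick hit, because no patch exists and the platform cannot be patched; it is routed to “accept-with-controls” on the strength of its compensating controls, which is exactly the decision the text describes for unpatchable assets. The coverage check also surfaces that the HMI has never been scanned, so its risk score rests on whatever data was entered by hand rather than on a scan.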


Implementing and adhering to vulnerability management best practices can reduce the risk to an organization. Selecting the right tools and using them correctly and effectively is crucial to producing a concise list of actionable vulnerabilities for remediation.


To understand more about vulnerability management, or how to protect your business from risks, please contact VioPoint at or call at (248)373-8494.



About Mike Pokas

Mike Pokas is the Vice President of Consulting and has 28+ years of information technology experience and education spanning a diverse range of technologies and industry verticals. For the past 10 years he has been in the information security sector. He currently holds a number of key industry accreditations including CISSP, CISM and PMP certifications.
