Missing a critical vulnerability mitigation can be a nightmare, and if the unmitigated vulnerability is exploited… that could be like a dream of falling and never hitting the bottom, because the impact can ripple through an organization with unforeseen effects on the business and its reputation. The job of managing vulnerabilities and maintaining a secure environment is one of high stress and uncertain success.
Many environments today cope with the never-ending cycle of monitoring, managing and remediating vulnerabilities through a combination of automated tools and manual processes. These manual processes are usually siloed, disjointed, and require face-to-face interactions, hindering real-time responses to current threats. The process may go something like this:
- Security vulnerability is discovered
- Vendor releases a solution (patch or new software release)
- Security engineer reviews the solution for applicability to the monitored environment
- The fix is approved, tested and released into production (don’t forget backups in case it all goes sideways!)
Wash, Rinse, Repeat.
Security monitoring is the never-ending task of observing network operations and virtual interactions to ensure uninterrupted business operations. Many environments employ automated tools, but in most cases the tools provide snippets of important information or snapshots of the security state, not the entire picture. Vulnerability scanners reveal missing patches. Security Incident and Event Management tools send notifications of security incidents. Intrusion detection and prevention systems send security alerts or stop attempted intrusions. But extracting meaning from these diverse sources to create a holistic and accurate snapshot of the business’s security posture is the difficult task of the security staff, and in some cases the result may not meet the information needs of the decision maker.
We must not forget the administrative processes that facilitate – and sometimes impede – the vulnerability management process. Stakeholders must be informed. Review boards must be engaged. Approvals must be acquired. Downtime must be scheduled. The user community must be notified. For most organizations these processes are disconnected, not integrated.
When it seems like all is in its place and working like a well-oiled machine, a zero-day vulnerability is published (meaning there is no patch) or human error introduces an unanticipated breach in security. Now mitigating security measures must be implemented in a manner that does not contradict existing security measures and that protects the organization from the risk of the new vulnerability being exploited. Suddenly the well-oiled machine has a squeak and all attention must be focused on fixing the problem.
There’s got to be a better way.
What is needed is a solution that will allow the coordinated administration of all aspects of the vulnerability management process – tracking, monitoring, interpreting, notifying, patching – in a single, seamless environment. A solution that meets the various information needs of a security administrator and enables him or her to meet the security needs of the business.
Streamlining and integrating vulnerability management processes will improve the flow by removing stress points, reducing bottlenecks, and resolving conflicts. Automated and efficient processes and workflows will increase awareness, reduce response time, eliminate redundant tasks, and most importantly reduce risk. Take a look at the article “Why Manual Processes Become Security Risks,” written by Sean Convery at ServiceNow, which drills into this in more detail. If processes are streamlined and automated, security personnel will be able to focus on the business of managing organizational risk and maintaining operations during an attack or incident, not fighting fires.
I continue to hear from CISOs and other security leaders about the need for automating the management of vulnerabilities in their organizations. Below you’ll find a summarized CISO wish list. Do any of these sound similar to things that would be helpful in your organization?
CISO Wish List
- Automated Notifications
Getting the right people the right information in a timely manner to make critical decisions is a crucial task in managing and monitoring the security posture of an organization. The ability to build custom workflows, enabling notifications to be sent on event triggers, will facilitate timely stakeholder engagement. Workflows are scalable and flexible, able to meet the demands of any size organization.
- Asset Discovery and Administration
A comprehensive configuration management database (CMDB) will allow the effective management of IT infrastructure, software, and security notices. Integration of these elements enables centralized awareness of all devices on the network, monitoring of unauthorized activities, and immediate reaction to network and user events as required.
- Automated Remediation
An integrated vulnerability database allows the security staff to mitigate and remediate vulnerabilities from one source; no more manual retrieval of vulnerability data and vendor patches and upgrades from multiple sources. By integrating vulnerability data and intelligence feeds from several sources and parsing information into common elements, vulnerabilities can be stored, mapped, correlated and analyzed. This capability allows categorization of similar security weaknesses, revealing systemic issues that can be addressed across the enterprise. Grouping of like elements may also improve scheduling of work, reducing business impact due to required downtime for maintenance. These and other efficiencies streamline the continuous monitoring and mitigation process.
- Common Operational Picture
A centralized tool for security operations should have the capability to design custom dashboards to meet the needs of the security engineer and the CISO. Integrated displays of security information provide at-a-glance snapshots of security performance indicators, and can be used to support decision making while also providing a level of confidence in the security posture of the organization.
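The parsing, correlation and grouping described under Automated Remediation can be sketched as follows. This is an added example, not code from the article or from any product: the two scanner export shapes, the field names, the CMDB mapping and the `CVE-0000-…` identifiers are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data; field names are hypothetical, not any vendor's schema.
SCANNER_A = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db01", "cve": "CVE-0000-0002", "cvss": 6.5},
]
SCANNER_B = [
    {"asset": "WEB01.example.test", "vuln_id": "cve-0000-0001", "severity": "critical"},
    {"asset": "app01.example.test", "vuln_id": "cve-0000-0001", "severity": "critical"},
    {"asset": "lab07.example.test", "vuln_id": "cve-0000-0002", "severity": "medium"},
]
CMDB = {"web01": "sat-02:00", "app01": "sat-02:00", "db01": "sun-04:00"}  # asset -> window
# Lower bound of each CVSS v3 qualitative band, used when a feed has no numeric score.
BAND_FLOOR = {"low": 0.1, "medium": 4.0, "high": 7.0, "critical": 9.0}

def normalize(asset, cve, score, source):
    """Common element: short lowercase hostname, uppercase CVE id, numeric score."""
    return {"asset": asset.lower().split(".")[0], "cve": cve.upper(),
            "score": float(score), "sources": {source}}

def load_findings():
    out = [normalize(r["host"], r["cve"], r["cvss"], "A") for r in SCANNER_A]
    out += [normalize(r["asset"], r["vuln_id"], BAND_FLOOR[r["severity"]], "B")
            for r in SCANNER_B]
    return out

def correlate(findings):
    """Merge duplicates of the same (asset, CVE); keep highest score, union sources."""
    merged = {}
    for f in findings:
        cur = merged.setdefault((f["asset"], f["cve"]), {**f, "sources": set()})
        cur["score"] = max(cur["score"], f["score"])
        cur["sources"] |= f["sources"]
    return merged

def systemic(merged, min_assets=2):
    """CVEs present on at least min_assets distinct assets."""
    by_cve = defaultdict(set)
    for asset, cve in merged:
        by_cve[cve].add(asset)
    return {c: sorted(a) for c, a in by_cve.items() if len(a) >= min_assets}

def schedule(merged, cmdb):
    """Group work by CMDB maintenance window; unknown assets are surfaced, not dropped."""
    plan = defaultdict(list)
    for (asset, cve), f in sorted(merged.items(), key=lambda kv: -kv[1]["score"]):
        plan[cmdb.get(asset, "NOT-IN-CMDB")].append((asset, cve, f["score"]))
    return dict(plan)
```

Calling `schedule(correlate(load_findings()), CMDB)` puts the two hosts sharing a window in one batch and lists `lab07` under `NOT-IN-CMDB`, which is the asset-inventory gap the CMDB item above is meant to close.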
Ultimately, vulnerability nightmares are real, but there are ways to make sure you can turn those nightmares into pleasant dreams. Learn more about how to improve your vulnerability management process through integrated tools customized for the needs of your organization.