Steve Schlarman

Vulnerability Risk Management: Let's Not Boil the Ocean

Blog post created by Steve Schlarman on Nov 11, 2013

In my last blog, I discussed the importance of Vulnerability Risk Management. Security professionals know that for an IT security organization to protect a company against today’s threats, processes, tools, procedures and enablers must be implemented to create a holistic strategy. The idea of a multidimensional program with a continuous cycle that flows from prevention to detection to response, with a feedback loop to ensure that threats are proactively managed, is the dream of all CISOs. To wield the power of a proactive and responsive organization, CISOs must balance investment across many different needs. While no organization can prevent every threat or patch every vulnerability, the goal should be to identify and prevent as much as possible, effectively detect and respond to active threats, learn from events and incidents, and improve going forward. That is why Vulnerability Risk Management is a key part of a security management strategy. But when you look at this problem, it can seem almost inconceivable that a large infrastructure – one that keeps expanding and expanding – can be put in check. So an important thing to keep in mind is to Not Boil the Ocean.


Vulnerability Management has several layers of problems, but let’s focus on just these three main challenges:


1) Security needs to ensure that the right devices are being scanned and the right vulnerabilities are being identified. The device and vulnerability universes are extremely large, and the need to be very diligent about this process is becoming more and more important given the changing threats we see today. Prioritization becomes a fundamental need to deal with the growing number of systems and the rapidly changing threat landscape.

2) IT already has lots going on, and pages and pages of vulnerabilities with no prioritization and little guidance don’t help. They have to sift through lots of information just to hit the key issues. They have too much data and need a more streamlined, managed process to keep up.

3) Not all vulnerabilities and servers are the same. Some vulnerabilities are more dangerous than others; some devices are more important than others. We also don’t live in a perfect world. Patches can fail for lots of different reasons – a technical issue, a process issue, the server doesn’t reboot properly, the server was offline – pick a reason. Companies end up with issues like these that need to be watched more closely, or that aren’t accounted for at all and so distort the true risk. Both IT and Security need an escalation mechanism to raise the visibility of critical issues related to vulnerabilities.


This sure places a lot of work on the shoulders of the IT and security administrators. And it isn’t just them that are interested in how well this process is working. First, the CISO wants to know if this process is performing the way it should be. Are we managing the vulnerabilities and protecting the right assets? Second, the Enterprise Risk function wants to know where IT security risks fall into the big picture. How vulnerable is the company to security threats in the context of other enterprise risks? Finally, the Business wants assurance that the most precious assets are protected. Are my crown jewels adequately protected?


So we have a multi-dimensional problem, with numerous stakeholders – where do you start?


First, let’s get a handle on asset catalogs. Vulnerability scanners are viable mechanisms to discover and identify assets on the wire. But those assets can’t just sit in Security-land. They need to be communicated to IT so they can differentiate between production, development and other types of IT systems. But even better – let’s connect them to the business so that both Security and IT gain insight into the business context of IT assets.


Second, let’s take those massive reports off the table and provide IT with a manageable vulnerability system that helps them prioritize and address issues. Many vulnerabilities are patched through normal operational procedures – Patch Tuesday comes out, the patches are tested and validated, the patches are pushed out via the patch management system and POOF – vulnerabilities fall off the map. Of course there will be wrinkles – systems don’t reboot, systems will be off the wire, there are lots of things that can interrupt a patch cycle. However, let’s not keep bugging IT – let’s help them figure out what needs to be addressed.


So that means we need an escalation process that works for both IT and Security.  IT needs an ‘out’ when things get tough.  That doesn’t mean ignoring vulnerabilities or dropping them into a bottomless pit.  It means keeping things on the radar and working the problem.  Security needs a path to escalate serious threats – a change in a vulnerability, an active attack, the release of exploit code – and fast track certain patches or vulnerability fixes.
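The three steps above (a catalog with business context, a prioritized list for IT, and an escalation path for both sides) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the original post or from RSA Archer. The asset names, vulnerability ids (VULN-xxx), environment weights and the two-failed-patches threshold are all constructed placeholders.

```python
# Added example, not code from the original post or from RSA Archer.
# Asset names, vulnerability ids and weights below are constructed placeholders.
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of the asset catalog, enriched with IT and business context."""
    hostname: str
    environment: str           # "production", "test" or "development" (from IT)
    business_criticality: int  # 1 (low) .. 5 (crown jewels), set by the business


@dataclass
class Finding:
    """One scanner finding, plus the escalation signals the post mentions."""
    hostname: str
    vuln_id: str               # constructed placeholder, not a real CVE id
    cvss: float                # base severity reported by the scanner
    exploit_public: bool = False
    active_attack: bool = False
    failed_patch_attempts: int = 0


# Assumed weights: the same flaw matters less on a dev box than in production.
ENV_WEIGHT = {"production": 1.0, "test": 0.6, "development": 0.4}
FAILED_PATCH_THRESHOLD = 2   # assumed: escalate after the second failed patch cycle


def risk_score(asset: Asset, finding: Finding) -> float:
    """Severity x business criticality x environment weight, one decimal place."""
    weight = ENV_WEIGHT.get(asset.environment, 0.5)
    return round(finding.cvss * asset.business_criticality * weight, 1)


def escalation_reasons(finding: Finding) -> list:
    """Reasons a finding should leave the normal patch cycle (empty list if none)."""
    reasons = []
    if finding.active_attack:
        reasons.append("active attack")
    if finding.exploit_public:
        reasons.append("exploit code public")
    if finding.failed_patch_attempts >= FAILED_PATCH_THRESHOLD:
        reasons.append(f"patch failed {finding.failed_patch_attempts} times")
    return reasons


def prioritize(assets: list, findings: list):
    """Join findings to the catalog; return (ranked rows, hosts missing from the catalog)."""
    catalog = {a.hostname: a for a in assets}
    rows, unknown_hosts = [], set()
    for f in findings:
        asset = catalog.get(f.hostname)
        if asset is None:
            unknown_hosts.add(f.hostname)   # the scanner saw it, nobody owns it yet
            continue
        rows.append({
            "hostname": f.hostname,
            "environment": asset.environment,
            "vuln_id": f.vuln_id,
            "score": risk_score(asset, f),
            "escalate": escalation_reasons(f),
        })
    # Escalated items first, then by risk score: this is the list IT works from.
    rows.sort(key=lambda r: (not r["escalate"], -r["score"]))
    return rows, sorted(unknown_hosts)


def scorecard(rows: list) -> dict:
    """The CISO-level view: how many findings are escalated and how many sit in production."""
    card = {"total": len(rows), "escalated": 0, "production": 0}
    for r in rows:
        card["escalated"] += int(bool(r["escalate"]))
        card["production"] += int(r["environment"] == "production")
    return card


# Constructed sample data.
ASSETS = [
    Asset("db-prod-01", "production", 5),
    Asset("web-prod-02", "production", 3),
    Asset("build-dev-07", "development", 2),
]
FINDINGS = [
    Finding("db-prod-01", "VULN-001", 7.5),
    Finding("web-prod-02", "VULN-002", 9.8, exploit_public=True),
    Finding("build-dev-07", "VULN-002", 9.8, exploit_public=True),
    Finding("db-prod-01", "VULN-003", 4.3, failed_patch_attempts=2),
    Finding("printer-lobby", "VULN-001", 7.5),   # not in the catalog
]

if __name__ == "__main__":
    ranked, unknown = prioritize(ASSETS, FINDINGS)
    for r in ranked:
        flag = ("ESCALATE: " + ", ".join(r["escalate"])) if r["escalate"] else "normal patch cycle"
        print(f'{r["score"]:5.1f}  {r["hostname"]:<14}{r["vuln_id"]:<10}{flag}')
    print("not in asset catalog:", unknown)
    print("scorecard:", scorecard(ranked))
```

Two details carry the post's argument. The highest raw score in the sample (37.5, a production database) is not at the top of the list: a lower-scored finding with public exploit code, and one whose patch has failed twice, are escalated ahead of it, which is the "fast track" the text asks for. And the host the scanner saw but the catalog does not know is reported separately rather than scored, because a finding with no owner and no business context is exactly the gap the first step is meant to close.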


What’s working in your organization? Do you have strategies in place to address these issues? What’s it look like out on your ocean – boiling, lukewarm or floating icebergs? Take a look at our solution to these issues with our new Vulnerability Risk Management module for RSA Archer.