Assess

The assessment phase is when vulnerabilities are identified; it covers the proper identification of all assets in scope, scanning for vulnerabilities and reporting the findings.

Identify assets

The organization must implement asset discovery for all technology environments included in the scope of the VM program. An up-to-date CMDB is the preferred way to manage asset data; however, most organizations are unable to maintain such a database consistently, so VA tools provide their own asset discovery capabilities to fill the gap. A VM program should account for changes to the business and an evolving IT environment, and consequently organizations must also connect the VM program to their existing change management processes.

Scan for vulnerabilities and report the findings

VA should be more frequent than remediation, but in most cases it doesn't need to be drastically more frequent. PCI DSS 11.2 and 6.1 indicate that you should scan quarterly and patch within 30 days of vulnerability release, respectively; however, these are lower bounds for meeting compliance standards. The shortest scanning interval an organization can sustain depends not only on the size of the technology environment to be scanned, but also on the process overhead defined around the scan.

Vulnerability scans are usually performed during non-business hours to minimize potential impact, and it is good practice that the scans do not compete with other resource-intensive activities (backups and file transfers). As with any other activity running during off-hours, the availability of resources for support and troubleshooting should be planned. In highly regulated IT environments, coordinating the scans with change management processes is an important requirement.

Prioritize

The best way to prioritize vulnerabilities is based on the security risk they pose to the organization. A good framework for vulnerability prioritization has four components that fall into two categories: vulnerability context and asset context.

[Diagram: Advantio_BlogSeries_VulnManagement_02_Diagram_V1.0]

Defining the prioritization method

The definition of a prioritization method depends on a few factors, ranging from the complexity of the environment to the context data available. It is important to remember that prioritization approaches and the data that feeds them must be re-evaluated from time to time (prioritize risk both proactively and reactively). The following are the most useful methods:

  1. Prioritizing by vulnerability severity: many organizations rely almost exclusively on vulnerability severity to prioritize their remediation efforts. The Common Vulnerability Scoring System (CVSS) base score is a popular standard for representing vulnerability severity, and CVSS base scores are often mapped onto a qualitative scale of critical/high/medium/low (PCI DSS, for example, relies on qualitative ratings based on CVSS scores).
  2. Adding asset data to vulnerability prioritization: information about the assets is often not available or must be obtained manually by the organization. Some organizations have asset information available in existing datasets, such as a CMDB. It is important to remember that this information cannot be provided by an external party, such as a third-party supplier.
  3. Adding threat data to vulnerability prioritization: threat data relies primarily on threat intelligence, that is, how vulnerabilities are being exploited by threat actors. This information can be conveyed in different ways. One example is simply statistics of observed incidents involving specific vulnerabilities. Another is additional context that indicates the level of attacker interest in a vulnerability and the ease with which it could be exploited. Context can be provided as labels attached to the vulnerabilities in order of increasing security risk; these labels reflect the likelihood that a vulnerability will be exploited by an attacker.

Organizations often produce a prioritization model based on a combination of these factors. The decision of which factors to use depends on multiple aspects, including the availability of data, the granularity it provides, the tools required and the amount of effort involved in applying the resulting criteria.
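As an added illustration (not code from the original article), the following Python script combines the three methods above into one risk score: CVSS severity mapped to the critical/high/medium/low scale, a threat-intelligence label in increasing order of risk, and asset criticality and exposure from a CMDB-style record. The CMDB extract, the weights, the label names and the CVE identifiers are all constructed for the example; the point it shows is how severity-only ordering and combined risk ordering disagree.

```python
from dataclasses import dataclass
# NVD's qualitative bands for CVSS v3 base scores.
def cvss_band(score: float) -> str:
    for floor, band in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return band
    return "none"
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}
# Threat-context labels in increasing order of risk (constructed label set).
THREAT_WEIGHT = {"no-known-exploit": 1.0, "poc-available": 1.5, "actively-exploited": 2.5}
# Asset criticality classes as a CMDB might record them (constructed).
ASSET_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0, "cardholder-data": 3.0}

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str      # placeholder identifiers below, not real CVEs
    cvss: float   # CVSS base score reported by the scanner
    threat: str   # threat-intel label for this vulnerability

# Constructed CMDB extract: criticality and exposure per asset.
CMDB = {
    "web-01": {"criticality": "high", "exposure": "internet-facing"},
    "pos-db-01": {"criticality": "cardholder-data", "exposure": "internal"},
    "dev-box-07": {"criticality": "low", "exposure": "internal"},
}

def risk_score(f: Finding, cmdb: dict) -> float:
    # Assets missing from the CMDB default to medium/internal so they are never silently dropped.
    asset = cmdb.get(f.asset, {"criticality": "medium", "exposure": "internal"})
    score = SEVERITY_WEIGHT[cvss_band(f.cvss)] * THREAT_WEIGHT[f.threat] * ASSET_WEIGHT[asset["criticality"]]
    if asset["exposure"] == "internet-facing":
        score *= 1.5
    return round(score, 2)

# Combined ordering: vulnerability context (severity, threat) times asset context.
def prioritize(findings, cmdb=CMDB):
    return sorted(findings, key=lambda f: risk_score(f, cmdb), reverse=True)

# Severity-only ordering (method 1 alone), for comparison with the combined model.
def prioritize_by_severity(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

FINDINGS = [  # constructed sample findings
    Finding("dev-box-07", "CVE-0000-0001", 9.8, "no-known-exploit"),
    Finding("web-01", "CVE-0000-0002", 7.5, "actively-exploited"),
    Finding("pos-db-01", "CVE-0000-0003", 6.5, "poc-available"),
    Finding("web-01", "CVE-0000-0004", 3.1, "no-known-exploit"),
]
```

With these inputs the severity-only list puts the unexploited critical on a low-value dev box first, while the combined model moves the actively exploited high on the internet-facing web server to the top.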

Tools

Some technologies are recommended for organizations that want to simplify their prioritization efforts. Modern vulnerability assessment and Risk-Based Vulnerability Management (RBVM) vendors are driving the evolution of VM by dynamically adding threat data to the prioritization process. They are also leveraging more sophisticated scoring methodologies, including predictive models for vulnerability exploitation, and the VA vendors themselves are expanding their products to include RBVM capabilities.

In the next articles of the series, we will talk about the remediation of vulnerabilities.

If your company wants to take its vulnerability management strategy to the next level, get in touch with us and our team will guide you through this process.


Compliance consultant specialized in Data Protection Law and ISO/IEC 27001 Lead Auditor; currently working on GDPR, ISO/IEC 27001 and ISO/IEC 27701 projects.