Re-assess 

This step exists to ensure that the measures taken in the “Act” phase were effective. 

Validate Success and Rescan  

Validation of the remediation or mitigation success should happen after the vulnerability has been fixed or a control has been deployed to mitigate it. Validation methods include: 

  • VA tool scan; 
  • Report from a configuration management tool; 
  • Targeted penetration testing, including vulnerability exploitation; 
  • Applying a BAS tool to verify the attack scenarios. 

The initial scan may trigger rules that generate tickets. As remediation is completed and tickets are closed, an automated rescan is initiated by a VA tool, which then updates the tickets and records that the fix has succeeded.  
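The rescan-driven ticket update described above, as an added example that is not part of the original post: closed tickets are only marked verified when the rescan no longer reports the finding, otherwise they are reopened. Ticket states and the `VULN-000x` identifiers are constructed for the example.

```python
from dataclasses import dataclass, field

# Ticket lifecycle assumed for the example: OPEN -> CLOSED (remediator says fixed)
# -> VERIFIED (rescan no longer sees it) or REOPENED (rescan still sees it).

@dataclass
class Ticket:
    host: str
    vuln_id: str
    state: str = "OPEN"
    history: list = field(default_factory=list)  # (state, still_present) per rescan

def reconcile(tickets, rescan_findings):
    """Update tickets from a rescan result.

    rescan_findings: set of (host, vuln_id) pairs the VA tool still reports.
    Returns the findings that have no ticket yet (new ticket needed)."""
    known = set()
    for t in tickets:
        key = (t.host, t.vuln_id)
        known.add(key)
        still_present = key in rescan_findings
        if t.state == "CLOSED":
            # Do not trust the closure on its own: the rescan is the evidence.
            t.state = "REOPENED" if still_present else "VERIFIED"
        elif t.state in ("OPEN", "REOPENED") and not still_present:
            # Fixed without the ticket being closed (e.g. by a routine patch run).
            t.state = "VERIFIED"
        t.history.append((t.state, still_present))
    return sorted(f for f in rescan_findings if f not in known)

def run_example():
    # Constructed sample data, not output from a real scanner.
    tickets = [
        Ticket("web01", "VULN-0001", state="CLOSED"),  # closed, rescan clean
        Ticket("web02", "VULN-0001", state="CLOSED"),  # closed, but still present
        Ticket("db01", "VULN-0002"),                   # open and still present
        Ticket("db02", "VULN-0002"),                   # open, gone from rescan
    ]
    rescan = {("web02", "VULN-0001"), ("db01", "VULN-0002"), ("app01", "VULN-0003")}
    new_findings = reconcile(tickets, rescan)
    return {(t.host, t.vuln_id): t.state for t in tickets}, new_findings

if __name__ == "__main__":
    states, new = run_example()
    for key, state in states.items():
        print(key, "->", state)
    print("new findings needing tickets:", new)
```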

Improve  

This phase is focused on measuring the performance of the program and identifying ways to continuously improve its maturity and ability to properly manage risk. 

Evaluate metrics 

VM practices must be constantly measured for their effectiveness in assessing whether the appropriate risk reduction is being achieved. Organizations should measure their VM via reports that are time-based and generated periodically. Metrics should be displayed alongside the relevant SLAs, and trends in the metrics should be tracked over time. 
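One way to produce the time-based metrics against SLAs and the trend described above, as an added example rather than a report from the original post or any particular VA tool. The SLA days, the severity names and the sample findings are constructed for the example.

```python
from datetime import date

# Remediation SLA per severity in days. Constructed for the example; use the
# targets your organization actually commits to.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def vm_metrics(findings, as_of):
    """Per-severity remediation metrics as seen on a given reporting date.

    findings: dicts with 'severity', 'found' (date) and 'fixed' (date or None).
    A finding counts only if found on or before as_of, and a fix only if it
    landed on or before as_of, so the same data can be replayed for trends."""
    out = {}
    for sev, sla in SLA_DAYS.items():
        rows = [f for f in findings if f["severity"] == sev and f["found"] <= as_of]
        fixed = [f for f in rows if f["fixed"] is not None and f["fixed"] <= as_of]
        open_ = [f for f in rows if f["fixed"] is None or f["fixed"] > as_of]
        ttr = [(f["fixed"] - f["found"]).days for f in fixed]  # time to remediate
        within_sla = sum(1 for d in ttr if d <= sla)
        overdue = sum(1 for f in open_ if (as_of - f["found"]).days > sla)
        out[sev] = {
            "open": len(open_),
            "fixed": len(fixed),
            "within_sla_pct": round(100.0 * within_sla / len(fixed), 1) if fixed else None,
            "mttr_days": round(sum(ttr) / len(ttr), 1) if ttr else None,
            "overdue_open": overdue,
        }
    return out

def overdue_trend(findings, dates):
    """Total SLA-overdue open findings at each reporting date: the trend to watch."""
    return [sum(m["overdue_open"] for m in vm_metrics(findings, d).values()) for d in dates]

# Constructed sample findings (not real scan output).
SAMPLE = [
    {"severity": "critical", "found": date(2024, 1, 2), "fixed": date(2024, 1, 6)},
    {"severity": "critical", "found": date(2024, 1, 10), "fixed": date(2024, 1, 25)},
    {"severity": "critical", "found": date(2024, 2, 20), "fixed": None},
    {"severity": "high", "found": date(2024, 1, 5), "fixed": date(2024, 1, 30)},
    {"severity": "high", "found": date(2024, 2, 25), "fixed": None},
    {"severity": "medium", "found": date(2023, 11, 1), "fixed": None},
]
AS_OF = date(2024, 3, 1)
REPORT_DATES = [date(2024, 1, 15), date(2024, 2, 1), date(2024, 3, 1)]

if __name__ == "__main__":
    for sev, m in vm_metrics(SAMPLE, AS_OF).items():
        print(f"{sev:8} SLA {SLA_DAYS[sev]:3}d  {m}")
    print("overdue trend:", overdue_trend(SAMPLE, REPORT_DATES))
```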

Eliminate underlying issues 

When the VM cycle generates metrics and additional information about vulnerabilities, the organization can get ahead of the game and identify trends and the underlying causes of those security issues (this could justify the removal of software, or configuration or architecture changes). 

Evolve processes and SLAs  

Organizations will often start VM with a basic set of processes and conservative SLAs. As they iterate the VM cycle and improve their remediation processes, it is reasonable to slowly move the remediation targets to more aggressive timeframes.  

Risks and Solutions 

It is very important to keep in mind the following risks and the best approaches to deal with them: 

  1. Unreported vulnerabilities: VM is confined to looking for reported vulnerabilities across commercial software and OSS; thus unknown vulnerabilities persist, and organizations have to use additional mechanisms to defend against their exploitation (e.g. leveraging exploit mitigation technologies, monitoring and incident response);  
  2. Fixing all vulnerabilities: organizations cannot immediately fix all vulnerabilities identified during the VA; a prioritization method is vital to obtain the best risk reduction; 
  3. Lack of communication: no organization can succeed in VM without appropriate communication and integration between security teams and IT operations teams; 
  4. Insufficient remediation resources: when insufficient resources are allocated to remediation, vulnerabilities accumulate, and unpatched vulnerabilities can quickly become a huge security issue for organizations; 
  5. Fixing only “high” vulnerabilities: it is important to remember that many breaches result from small issues being exploited, while a high-severity vulnerability may sit on a system protected by many layers of security safeguards and not need to be acted on immediately; 
  6. Wide or eternal exceptions: exceptions must always be time-bounded, because the conditions requiring them rarely persist forever and the perceived risk may change over time.  

Advantio’s team of experts helped many companies around the globe to build their vulnerability management strategy. If you want to evolve the cyber maturity of your organization, get in touch with us and our experts will take you through this process. 


Compliance consultant specialized in Data Protection Law and ISO/IEC 27001 Lead Auditor; currently working on GDPR, ISO/IEC 27001 and ISO/IEC 27701 projects.
