Re-assess

This step exists to ensure that the measures taken in the "Act" phase were effective.

Validate Success and Rescan  

Validation of the remediation or mitigation success should happen after the vulnerability has been fixed or a control has been deployed to mitigate it. Validation methods include: 

  • VA tool scan; 
  • Report from a configuration management tool; 
  • Targeted penetration testing, including vulnerability exploitation; 
  • Applying a BAS tool to verify the attack scenarios. 

The initial scan may trigger rules that generate tickets. As remediation is completed and tickets are closed, an automated rescan is initiated by a VA tool, which then updates the tickets and records that the fix has succeeded.  
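The closed-ticket rescan loop described above, as an added illustration that is not part of the original post: a small reconciliation routine compares the ticket queue against what the VA tool still reports after the automated rescan. Tickets whose finding has disappeared are marked validated, tickets that were closed while the finding is still detected are reopened with a note, and findings that have no ticket at all are returned so the ticketing rule can open new ones. Ticket ids, hostnames, the `CHK-…` check ids and the scan date are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample data for illustration; ticket ids, hostnames and
# check ids ("CHK-...") are made up, not taken from any scanner or the post.


@dataclass
class Ticket:
    ticket_id: str
    host: str
    check_id: str          # the VA tool's identifier for the finding
    status: str            # "open", "closed" (owner reports fixed), "reopened"
    validated: bool = False
    history: list = field(default_factory=list)


def build_sample_tickets():
    """Fresh copy of the constructed ticket queue (reconcile mutates it)."""
    return [
        Ticket("VM-101", "web-01", "CHK-1001", "closed"),   # fix really applied
        Ticket("VM-102", "web-01", "CHK-1002", "closed"),   # closed, but not fixed
        Ticket("VM-103", "db-01", "CHK-1003", "open"),      # still being worked on
    ]


# Findings the rescan still reports, as (host, check_id) pairs (constructed).
SAMPLE_RESCAN = {
    ("web-01", "CHK-1002"),   # VM-102's finding is still there
    ("db-01", "CHK-1003"),    # VM-103 is still open, nothing to validate yet
    ("db-02", "CHK-1001"),    # new host, no ticket exists for it
}


def reconcile(tickets, rescan_findings, scan_date):
    """Validate closed tickets against the automated rescan.

    Returns (validated_ids, reopened_ids, new_findings):
      - a closed ticket whose finding no longer appears is marked validated;
      - a closed ticket whose finding is still detected is reopened;
      - findings with no ticket at all are returned so the ticketing rule
        can open new ones.
    """
    still_present = set(rescan_findings)
    known = {(t.host, t.check_id) for t in tickets}
    validated, reopened = [], []
    for t in tickets:
        if t.status != "closed" or t.validated:
            continue   # only tickets that claim a fix need validation
        key = (t.host, t.check_id)
        if key in still_present:
            t.status = "reopened"
            t.history.append(f"{scan_date}: rescan still detects {t.check_id} on {t.host}")
            reopened.append(t.ticket_id)
        else:
            t.validated = True
            t.history.append(f"{scan_date}: rescan no longer detects {t.check_id}; fix confirmed")
            validated.append(t.ticket_id)
    new_findings = sorted(still_present - known)
    return validated, reopened, new_findings


if __name__ == "__main__":
    tickets = build_sample_tickets()
    v, r, n = reconcile(tickets, SAMPLE_RESCAN, "2024-05-01")
    print("validated:", v)
    print("reopened:", r)
    print("new findings needing tickets:", n)
    for t in tickets:
        print(t.ticket_id, t.status, t.history)
```

The important property is that "closed" never means "done" until the rescan agrees: a ticket closed by its owner while the scanner still sees the finding is reopened rather than silently counted as remediated, and already validated tickets are skipped on later rescans so the history is not rewritten.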

Improve  

This phase is focused on measuring the performance of the program and identifying ways to continuously improve its maturity and ability to properly manage risk.

Evaluate metrics 

VM practices must be constantly measured for their effectiveness in assessing whether the appropriate risk reduction is being achieved. Organizations should measure their VM via reports that are time-based and generated periodically. Metrics should be displayed alongside the relevant SLAs, and trends in metrics should be tracked over time.

Eliminate underlying issues 

When the VM cycle generates metrics and additional information about vulnerabilities, the organization can get ahead of the game and identify trends and underlying causes of those security issues (which could justify the removal of software, or configuration or architecture changes).

Evolve processes and SLAs  

Organizations will often start VM with a basic set of processes and conservative SLAs. As they iterate the VM cycle, the organization improves its remediation processes, and it is reasonable to slowly move the remediation targets to more aggressive timeframes.
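To make the "Evaluate metrics" and "Evolve processes and SLAs" sections concrete, here is an added example that is not from the original post: a per-severity report for one reporting period (SLA compliance and median time to remediate for closed findings, open and overdue counts for the rest), followed by a rule that proposes tightening a tier's target only when the data supports it. The SLA table, the vulnerability records, the report date and the tightening policy (95% compliance and a median at most half the target, then shorten by 25%) are all assumptions made for the example.

```python
from datetime import date
from math import ceil
from statistics import median

# Assumed remediation targets in days per severity; a made-up SLA table,
# not one the post prescribes.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed vulnerability records: (id, severity, date found, date fixed or None).
SAMPLE_RECORDS = [
    ("V1", "critical", date(2024, 1, 2), date(2024, 1, 6)),    # 4 days, within SLA
    ("V2", "critical", date(2024, 1, 3), date(2024, 1, 20)),   # 17 days, SLA breached
    ("V3", "high",     date(2024, 1, 5), date(2024, 1, 25)),   # 20 days, within SLA
    ("V4", "high",     date(2024, 1, 10), None),               # open, not yet overdue
    ("V5", "medium",   date(2023, 10, 1), None),               # open and overdue
    ("V6", "low",      date(2024, 1, 15), date(2024, 1, 30)),  # 15 days, within SLA
]

REPORT_DATE = date(2024, 2, 1)   # end of the (constructed) reporting period


def sla_metrics(records, sla_days, as_of):
    """Per-severity report for one reporting period ending on `as_of`.

    Closed findings: count, share remediated inside the SLA, median time to
    remediate. Open findings: count, and how many have already exceeded
    their SLA as of the report date.
    """
    buckets = {sev: {"closed": 0, "within": 0, "ttr": [], "open": 0, "overdue": 0}
               for sev in sla_days}
    for _id, sev, found, fixed in records:
        b = buckets[sev]
        if fixed is None:
            b["open"] += 1
            if (as_of - found).days > sla_days[sev]:
                b["overdue"] += 1
        else:
            ttr = (fixed - found).days
            b["closed"] += 1
            b["ttr"].append(ttr)
            if ttr <= sla_days[sev]:
                b["within"] += 1
    report = {}
    for sev, b in buckets.items():
        report[sev] = {
            "sla_days": sla_days[sev],
            "open": b["open"],
            "overdue": b["overdue"],
            "closed": b["closed"],
            "sla_compliance_pct": round(100 * b["within"] / b["closed"], 1) if b["closed"] else None,
            "median_ttr_days": median(b["ttr"]) if b["ttr"] else None,
        }
    return report


def propose_tighter_slas(report, sla_days, min_compliance=95.0, tighten_by=0.25):
    """Assumed policy for evolving SLAs: where a tier meets its target
    (compliance >= min_compliance) and the median fix time is at most half
    the target, propose shortening the target by `tighten_by`.
    Returns {severity: proposed_days} for the tiers that qualify."""
    proposals = {}
    for sev, m in report.items():
        pct, med = m["sla_compliance_pct"], m["median_ttr_days"]
        if pct is None or med is None:
            continue   # no closed findings in this tier, nothing to judge
        if pct >= min_compliance and med <= sla_days[sev] / 2:
            proposals[sev] = sla_days[sev] - ceil(sla_days[sev] * tighten_by)
    return proposals


if __name__ == "__main__":
    report = sla_metrics(SAMPLE_RECORDS, SLA_DAYS, REPORT_DATE)
    for sev, m in report.items():
        print(f"{sev:9} {m}")
    print("proposed tighter SLAs:", propose_tighter_slas(report, SLA_DAYS))
```

Running the report for successive periods and keeping the outputs gives the trend the section asks for; the tightening rule deliberately refuses to act on tiers with no closed findings, so an empty tier cannot look like a perfect one.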

Risks and Solutions 

It is very important to keep in mind the following risks and the best approaches to deal with them: 

  1. Unreported vulnerabilities: VM is confined to looking for reported vulnerabilities across commercial software and OSS; thus unknown vulnerabilities persist, and organizations have to use additional mechanisms to defend against their exploitation (e.g. leveraging exploit mitigation technologies, monitoring and incident response).
  2. Fixing all vulnerabilities: organizations cannot immediately fix all vulnerabilities identified during the VA; a prioritization method is vital to obtain the best risk reduction.
  3. Lack of communication: no organization can succeed in VM without appropriate communication and integration between security teams and IT operations teams.
  4. Insufficient remediation resources: when insufficient resources are allocated to remediation, vulnerabilities accumulate, and unpatched vulnerabilities can quickly become a huge security issue for organizations.
  5. Fixing only "high" vulnerabilities: it is important to remember that many breaches are the result of small issues being exploited, while high-severity vulnerabilities may sit on systems protected by many layers of security safeguards and do not need to be acted on immediately.
  6. Wide or eternal exceptions: exceptions must always be time-bounded, because the conditions requiring them rarely persist forever, and the perceived risk may change over time.
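Points 2, 5 and 6 above describe one mechanism from three sides: a prioritization that does not stop at scanner severity, and exceptions that always expire. As an added example (not code from the post or from Advantio), the block below scores findings by severity adjusted for exposure, known exploitation and compensating safeguards, refuses any exception that has no expiry date, and builds the remediation queue from findings without an active exception. The findings, hostnames, exception records, dates and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed findings and exceptions for illustration; ids, hostnames and
# the scoring weights are assumptions, not values from the post.


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str              # scanner severity: critical/high/medium/low
    internet_exposed: bool
    exploit_known: bool        # public exploit or active exploitation reported
    safeguards: int            # layers of compensating controls in front of the host


@dataclass
class RiskException:
    finding_id: str
    reason: str
    expires: Optional[date]    # must be set; None is treated as an "eternal" exception and rejected


SEVERITY_BASE = {"critical": 9, "high": 7, "medium": 4, "low": 1}


def risk_score(f):
    """Assumed weighting: scanner severity, raised by exposure and known
    exploitation, lowered (at most three layers counted) by safeguards."""
    score = SEVERITY_BASE[f.severity]
    if f.internet_exposed:
        score += 3
    if f.exploit_known:
        score += 3
    score -= 2 * min(f.safeguards, 3)
    return max(score, 0)


def is_active(exc, today):
    """An exception without an expiry is a policy violation, not a valid exception."""
    if exc.expires is None:
        raise ValueError(f"exception for {exc.finding_id} has no expiry date")
    return today <= exc.expires


def expired_exceptions(exceptions, today):
    """Exceptions that have lapsed and need re-review or a fresh, time-bound renewal."""
    return sorted(e.finding_id for e in exceptions if not is_active(e, today))


def prioritize(findings, exceptions, today):
    """Remediation queue: findings without an active exception, highest risk first."""
    excepted = {e.finding_id for e in exceptions if is_active(e, today)}
    queue = [(f.finding_id, risk_score(f)) for f in findings if f.finding_id not in excepted]
    return sorted(queue, key=lambda item: (-item[1], item[0]))


SAMPLE_FINDINGS = [
    Finding("F1", "web-01", "high", True, True, 0),        # exposed, exploited, unprotected
    Finding("F2", "erp-01", "critical", False, False, 3),  # "critical" but internal and layered
    Finding("F3", "api-02", "medium", True, True, 0),      # "medium" but exposed and exploited
    Finding("F4", "build-01", "low", False, False, 1),
]

SAMPLE_EXCEPTIONS = [
    RiskException("F3", "vendor patch due next release", date(2024, 3, 1)),  # still active
    RiskException("F2", "maintenance window pending", date(2024, 1, 1)),     # expired
]

TODAY = date(2024, 2, 1)   # constructed "today" for the example

if __name__ == "__main__":
    print("queue:", prioritize(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, TODAY))
    print("expired exceptions to re-review:", expired_exceptions(SAMPLE_EXCEPTIONS, TODAY))
```

With these inputs the "critical" finding on the well-protected internal host ranks below the "high" one that is exposed and actively exploited, which is the point of item 5, and the lapsed exception on F2 puts that finding back into the queue rather than leaving it hidden, which is the point of item 6.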

Advantio's team of experts has helped many companies around the globe build their vulnerability management strategies. If you want to evolve the cyber maturity of your organization, get in touch and our experts will take you through this process.
