Best Practices for Vulnerability Management: The Key to Managing Risk

By Drew Robb


New virus on the scene? Mad rush to deploy anti-virus software. Spyware appears. Better get some anti-spyware tools. Network intrusions? Let’s add a firewall. These reactive approaches may plug individual holes, but they aren’t risk management. That’s where vulnerability management comes in.

“Anti-spyware and antivirus tools address specific threats,” said Michael Montecillo, an analyst at Enterprise Management Associates. “Companies are constantly adding new technology to address the latest threat. Vulnerability management looks at the overall amount of risk in an environment. The only reason you get affected by malware is if there is a weakness in your infrastructure that can be exploited. So, the idea is to minimize risk by eliminating the areas where you are vulnerable.”

He cites credit card processing as an example. There is an ongoing move to make vulnerability management mandatory there, driven by the massive consequences of malware-induced disruption and of confidential credit card information ending up in the wrong hands. While other industries don’t yet face the same pressure to adopt this technology, it is probably a sign of things to come.

The whole point is to evaluate the infrastructure continuously for possible threats and to act before they are exploited. Testing must be repeated to ensure there are no cracks in the network. As a best practice, Montecillo recommends standing up any new application in a test environment first. By validating that it meets a base level of security before it reaches production, problems can be minimized if not eliminated altogether.

“It’s expensive to fix things once you go live,” said Montecillo. “It is better to test for vulnerabilities and fix them before broadly implementing a new application or production environment.”

Vendor View

While there is plenty of process involved in vulnerability management, Montecillo doesn’t recommend that organizations attempt to reinvent the wheel. Many tools can act as a catalyst for vulnerability management best practices. They won’t all function well in every environment, so product demos and free trials should be used to find the one that fits yours. As well as the big players such as CA and Symantec, vulnerability management tools are on offer from startups such as nCircle, Qualys and eEye.

“These tools identify the environment and do the vulnerability assessment for you,” said Montecillo. “They simplify the process, create a reporting methodology and allow you to conduct assessments in a repeatable way. I’d recommend that companies look for a process that is quick, repeatable and doesn’t take up a lot of resources.”  

nCircle defines vulnerability management as the continual process of measuring and managing the risk presented by flaws in software and configuration within an organization. The process generally includes comprehensive discovery and profiling of network assets, assessment of each asset for the applications it runs and the vulnerabilities in those applications, prioritization of the assets and vulnerabilities, and finally a workflow for remediating the prioritized conditions.

“Many tools provide some piece of the vulnerability management process, assessing only network vulnerabilities, Web application vulnerabilities, or configuration,” said Tim Erlin, principal product manager at nCircle. “It’s important to remember that all of these can present risk in an environment, and leaving any one out leaves the vulnerability management puzzle missing pieces.”

Erlin's best practices for vulnerability management are as follows:

Comprehensive Discovery and Profiling - You can only accurately assess risk given a comprehensive inventory of what exists in the organization. Since the network is generally not a static entity, a continuous and comprehensive discovery process is a requirement.

Prioritization of Assets and Risk - Every vulnerability management tool will produce more work than an organization can accomplish; therefore every vulnerability management program must provide a mechanism for prioritizing the results to address the highest risk first—even if all the discovered vulnerabilities are critical.

Workflow for Remediation - Ultimately, no vulnerability management program can succeed if the process for addressing risk is broken. The right tools can support an effective workflow with open interfaces for automation, built-in ticketing systems, and accurate data, but each organization is different in how they assign ownership and responsibility.
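As an added illustration of the four-stage process nCircle describes and of Erlin's three practices above (this is not code from nCircle, Erlin or this article), here is a small Python model of a vulnerability management pipeline: reconcile a discovery sweep against the inventory, score each finding by more than its scanner severity, rank the results into a total order, and turn the ranked list into per-owner tickets. The assets, findings, vulnerability identifiers, exposure weights and SLA tiers are all constructed assumptions; a real program would take the inventory from the discovery tool and the findings from the scanner.

```python
"""Risk-ranked remediation queue: discovery -> assessment -> prioritization -> workflow.

Added illustration. The inventory, findings, weights and SLA tiers are
constructed and hypothetical; they are not data or logic from any vendor's tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    exposure: str      # "internet", "partner" or "internal" (assumed categories)
    criticality: int   # 1 (lab box) .. 5 (revenue-critical)
    owner: str


@dataclass(frozen=True)
class Finding:
    asset_id: str
    vuln_id: str       # hypothetical identifiers, not real advisories
    kind: str          # "network", "webapp" or "config": all three count as risk
    cvss: float        # 0.0 .. 10.0 base score reported by the scanner
    exploit_public: bool


# Assumed weights: how much reachability discounts or amplifies a base score.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}
EXPOSURE_ORDER = {"internet": 0, "partner": 1, "internal": 2}

# Constructed sample data.
ASSETS = [
    Asset("A1", "pay-web-01", "internet", 5, "payments-team"),
    Asset("A2", "hr-db-02", "internal", 4, "hr-it"),
    Asset("A3", "lab-ci-07", "internal", 1, "platform"),
]
# What the latest discovery sweep actually saw on the wire: A9 is not in the inventory.
DISCOVERED = [("A1", "pay-web-01"), ("A2", "hr-db-02"), ("A3", "lab-ci-07"), ("A9", "unknown-10-0-3-44")]
FINDINGS = [
    Finding("A1", "VULN-0001", "webapp", 9.8, True),
    Finding("A2", "VULN-0002", "network", 9.8, False),
    Finding("A3", "VULN-0003", "config", 9.8, True),
    Finding("A9", "VULN-0004", "network", 7.5, False),
    Finding("A1", "VULN-0005", "config", 5.3, False),
]


def reconcile_inventory(known, discovered):
    """Discovery step: merge a sweep into the inventory.

    A host seen on the network but missing from the inventory is unprofiled:
    its owner and criticality are unknown, so it is entered with the most
    conservative assumptions instead of being silently dropped from assessment."""
    inventory = {a.asset_id: a for a in known}
    for asset_id, hostname in discovered:
        if asset_id not in inventory:
            inventory[asset_id] = Asset(asset_id, hostname, "internet", 5, "unassigned")
    return inventory


def risk_score(finding, asset):
    """Assessment step: CVSS alone does not order the work. Exposure, asset
    criticality and a public exploit separate findings that share a base score."""
    score = finding.cvss * EXPOSURE_WEIGHT[asset.exposure] * (asset.criticality / 5)
    if finding.exploit_public:
        score *= 1.5
    return round(score, 2)


def rank_findings(inventory, findings):
    """Prioritization step: highest risk first, with a total order so the queue
    is unambiguous even when every finding is rated critical by the scanner."""
    scored = [(risk_score(f, inventory[f.asset_id]), f, inventory[f.asset_id]) for f in findings]
    scored.sort(key=lambda t: (-t[0], EXPOSURE_ORDER[t[2].exposure], -t[2].criticality, t[1].vuln_id))
    return scored


def build_work_queue(ranked, sla_days=(2, 7, 30)):
    """Workflow step: per-owner tickets with an SLA tier (thresholds assumed)."""
    queue = {}
    for score, f, a in ranked:
        tier = 0 if score >= 7.0 else 1 if score >= 4.0 else 2
        queue.setdefault(a.owner, []).append(
            {"asset": a.hostname, "vuln": f.vuln_id, "kind": f.kind,
             "score": score, "due_in_days": sla_days[tier]})
    return queue


if __name__ == "__main__":
    inventory = reconcile_inventory(ASSETS, DISCOVERED)
    for owner, tickets in build_work_queue(rank_findings(inventory, FINDINGS)).items():
        for t in tickets:
            print(f"{owner:14} {t['asset']:18} {t['vuln']} {t['kind']:8} "
                  f"score={t['score']:<5} due in {t['due_in_days']}d")
```

Two things in the sample run are the point of the exercise. Three findings share a 9.8 base score, yet they land at the top, the middle and the bottom of the queue once exposure and asset criticality are applied, which is what "address the highest risk first, even if all the discovered vulnerabilities are critical" means in practice. And the host the sweep found outside the inventory ranks second despite a lower base score, because an unprofiled asset is treated as internet-facing and critical until someone claims it; dropping it would be the discovery gap Erlin warns about.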

“Before acquiring a vulnerability management tool, examine the processes in place for applying patches and upgrading to determine where they should change and where a tool can assist with automation,” said Erlin. “Use that data to inform the product evaluation process, but don’t eliminate all flexibility. The right tool will support the process, but that doesn’t mean the process won’t need to adapt or change at all.”

Ben Greenbaum, senior research manager at Symantec Security Response, adds that the most common misconception about vulnerability management is that it starts and ends with patches. Simply subscribing to a vendor's mailing list to stay up to date with the latest information is not enough.

“Many vendors withhold information about vulnerabilities until they have a patch ready (or longer) but there is always some reparative or mitigating action that can be taken in the interim,” said Greenbaum. “However, there are advanced vendor services available that can keep your IT staff abreast of the most recent vulnerability discoveries and provide actionable advice well before the vendor ever mentions the issue publicly.”

On the security side, he stresses good habits. The probability and impact of exploiting any vulnerability can be lessened by maintaining an environment of least possible privilege: if connectivity to a particular service or system isn't required from every point on the network, limit it to only those points that require it; deploy firewalls to enforce those limits; and introduce intrusion prevention (IPS) and intrusion detection (IDS) products to monitor for and block attempts to breach the perimeter.

Finally, an obvious best practice is to apply patches as soon as possible. It's not always possible to apply them immediately, since critical systems need to be tested first. This process can be sped up with a dedicated lab or a virtual environment set up so that testing proceeds as quickly as possible.

Collaboration Extends Beyond IT  

All of the above best practices, though, will make little progress if IT treats vulnerability management as an IT-only matter. The whole idea doesn’t work if it’s siloed in one team or department. It has to encompass operations, security, facilities and, of course, top management.

“Vulnerability management is an ongoing process that will affect a large area within any organization,” said Montecillo. “It takes a collaborative effort from a technological and a political standpoint.”