Taking the vulnerability management program from good to great

A good vulnerability assessment program has many elements including risk prioritized endpoint groups and scheduled vulnerability scans followed by result reviews. However what differentiates a good program from a great program is a strong integration of the vulnerability management program with other key business and technical systems and processes.

A truly powerful and great vulnerability program will tie into three of these critical systems and business processes.

• Inventory management
• Patch management
• Application security
• Risk management

Inventory management

A good vulnerability management system requires a good inventory system. If the systems to be scanned do not show up on the inventory management system then the system will not show up on the vulnerability scans and consequently will not be patched. So before moving along too far ahead in the vulnerability program it is good to stop and evaluate the coverage of the inventory management tool.

Oftentimes the patch management tool and the inventory tools are part of the same large system. So the inventory tool will find and inventory the endpoints while the patch management tool will then patch the inventoried machines. The inventory system or the patch system also allows the inventoried endpoints to be grouped into various classifications for patch deployment. For example, test servers may go into one group while workstations at low risk offices may land up in another group and mission critical server will comprise yet another group.

[ ALSO ON CSO: Vulnerability management tools: Dos and don’ts ]

The vulnerability management system should also include servers in the cloud. Many vulnerability management systems now provide scanning services for cloud based servers that in addition to the usual vulnerability results also inventory users and systems in the cloud.

Patch management

A good vulnerability management program drives a good patch management and server hardening program. The vulnerability management program validates that the patch management program is working as designed. The vulnerability management program can also verify that the hardened server baseline is indeed setup in production as designed.

If the patch management program is designed to patch for critical and severe patches then the vulnerability management program will reflect a drop in the related critical and severe vulnerabilities and a different trend on the remainder high, medium and low level patches.

Also a vulnerability program can identify gaps in the patch management program by identifying endpoints that consistently fail the patching process or certain vendor patches that are chronically on the vulnerability list but never patched. A regular and periodic vulnerability program that has vulnerability scans running in chronological tandem with the patch deployment schedule will also determine the timeliness of the patch management program by identifying patches that should have been applied within the patch time window.

Application security

Vulnerability scanning of hardware servers and systems can also tie into the application scanning of related web servers and clients (which is also part of a comprehensive application security program). Modern  vulnerability scanners now offer web based scanning services as part of the whole vulnerability management system which can also include patching services and Web application firewall updates.

Risk management process

Having the vulnerability management program closely tied into the risk management program allows the risk management program to get quality deterministic data for the associated risk. Typically assets in a risk register are qualified by subjective and qualitative risk assessments which while good, are a poor substitute for actual data.

So while it is good to classify a particular server as medium, high or low risk per the subjective residual risk classification matrix, it is far better to have a residual risk evaluation using an objective data source of actual vulnerability scan results. For example, a server that shows scan results of no vulnerabilities with a CVSS score of 4.0 or higher, may now be classified in the risk register as low risk (per the company risk model).

The risk rating which is now sourced from the vulnerability data provides a lot more confidence than a subjective rating provided as an opinion from say someone on the information security or network team. Ideally the risk management software should be able to pull the vulnerability scan data directly into the risk register to link the scan data to the server risk. The risk register can then be regularly updated with the scan results, providing an updated and accurate deterministic view of the risk. This functionality may not be commonly available and still require some amount of manual linkage between the risk register and vulnerability data.

A close integration and tight loop with inventory management, patch management, application security and risk management can elevate a great vulnerability program into a top notch and great business system and process.