Vulnerability Management: If You Can’t Prove It, It Didn’t Happen
Penetration tests should be a fundamental part of an organization’s security program. Historically, many penetration tests produce a list of vulnerabilities that is handed to information systems and information security staff to fix. In too many cases, formal tracking relies on spreadsheets and task lists, and reporting is simplistic, used only to confirm that a vulnerability has been remediated.
Unfortunately, organizations that do not actively manage their vulnerability management programs lose the details that could improve their vulnerability management, their security program, and perhaps their operations as a whole.
Effective organizations track progress so they can report on the status of their vulnerability management process at each step. The organization should be able to tell, at any time, which vulnerabilities have been identified, accepted, prioritized, patched, and closed. Organizations must also be able to meet the demands of regulatory compliance, cyber insurance, and breach liability, each of which asks the organization to demonstrate that it manages risk. The same metrics demonstrate the effectiveness of the security program, justify the cost of security measures, and support the security return on investment.
Reporting, and the ability to demonstrate active management, improves when assessment data is consolidated in a single location rather than scattered across individual desktops. Centralizing the data also makes it easier to normalize, improving consistency and accuracy and providing a single source of truth.
Effective project management also ensures the organization understands the two key metrics it should care about in its vulnerability management program. An organization that can report on these two metrics can demonstrate effective control not just over its vulnerability management program, but over its entire security program.
1. Organizations should evaluate the hours dedicated to remediation activities, along with what type of activities those are.
a. This information can be used to identify inefficiencies in the organization. If the organization is constantly addressing high volumes of vulnerabilities, the volume may be reduced by hardening systems and networks. If the organization is constantly addressing vulnerabilities related to configurations, those may be reduced with better training, better processes and documentation, increased validation checking, or peer reviews. If the organization constantly addresses vulnerabilities in its applications, those may be reduced with training in secure coding practices, code reviews, code testing, and application testing.
b. An efficient organization reviews the types of vulnerabilities it is fixing and determines whether it is more efficient to identify and fix the root cause before the vulnerabilities are introduced into the production environment.
2. Organizations should be evaluating how long it takes them to fix vulnerabilities, and be striving to reduce “time to fix.”
a. Time to fix is an under-appreciated statistic. It measures how long the organization was exposed to a vulnerability: a shorter time to fix means less risk exposure over time to that vulnerability. Open vulnerabilities have no time to fix yet; their age is exposure that is still accruing and should be reported alongside it.
b. The organization should also care because a shorter time to fix can be an indicator that staff spent less time remediating a vulnerability or a collection of vulnerabilities.
c. Clients care because it means their data had less exposure to the potential impact of a vulnerability being identified and exploited.
d. A shorter time to fix may mean fewer breach notifications, because less data and fewer clients are affected in the event of a breach.
e. Compliance and legal teams care because a shorter time to fix means less exposure, better compliance, and less liability.
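The two metrics above are straightforward to compute once the tracking data lives in one place. The following Python is an added example, not code from the original article: it takes a small, constructed export of findings (the records, categories, hours and dates are all made up) and reports remediation hours by root-cause category, time to fix for closed findings, the still-accruing age of open findings, and which findings exceeded a severity-based target. The target values in SLA_DAYS are an assumption for illustration; the article does not prescribe any.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Finding:
    finding_id: str
    category: str          # root-cause bucket: "patch", "configuration", "application"
    severity: str          # "critical", "high", "medium"
    identified: date       # when the finding entered the tracker
    closed: Optional[date] # None while the finding is still open
    hours_spent: float     # remediation effort logged against this finding


# Constructed sample export (not real data) of what a consolidated tracker might hold.
FINDINGS: List[Finding] = [
    Finding("F-001", "patch", "high", date(2024, 1, 3), date(2024, 1, 10), 4.0),
    Finding("F-002", "patch", "high", date(2024, 1, 3), date(2024, 1, 17), 3.0),
    Finding("F-003", "configuration", "medium", date(2024, 1, 5), date(2024, 1, 8), 6.5),
    Finding("F-004", "configuration", "medium", date(2024, 1, 5), None, 2.0),
    Finding("F-005", "application", "critical", date(2024, 1, 8), date(2024, 2, 7), 20.0),
    Finding("F-006", "application", "high", date(2024, 1, 9), None, 5.0),
]

# Reporting date for the open-finding calculations (constructed).
AS_OF = date(2024, 2, 15)

# Assumed remediation targets in days per severity; illustrative only.
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90}


def hours_by_category(findings: List[Finding]) -> Dict[str, float]:
    """Metric 1: remediation hours grouped by root-cause category."""
    totals: Dict[str, float] = {}
    for f in findings:
        totals[f.category] = totals.get(f.category, 0.0) + f.hours_spent
    return totals


def time_to_fix_days(findings: List[Finding]) -> List[int]:
    """Metric 2: days from identification to closure, closed findings only."""
    return [(f.closed - f.identified).days for f in findings if f.closed is not None]


def open_exposure_days(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """Age of each still-open finding: exposure that is still accruing."""
    return {f.finding_id: (as_of - f.identified).days
            for f in findings if f.closed is None}


def sla_breaches(findings: List[Finding], as_of: date,
                 sla_days: Dict[str, int]) -> List[str]:
    """Findings that exceeded their target, whether closed late or still open past it."""
    breaches = []
    for f in findings:
        end = f.closed if f.closed is not None else as_of
        if (end - f.identified).days > sla_days.get(f.severity, 90):
            breaches.append(f.finding_id)
    return breaches


def summarize(findings: List[Finding], as_of: date) -> dict:
    """One report covering both metrics plus the open backlog."""
    ttf = time_to_fix_days(findings)
    exposure = open_exposure_days(findings, as_of)
    return {
        "closed": len(ttf),
        "open": len(exposure),
        "mean_time_to_fix_days": mean(ttf) if ttf else None,
        "median_time_to_fix_days": median(ttf) if ttf else None,
        "oldest_open_days": max(exposure.values()) if exposure else 0,
        "hours_by_category": hours_by_category(findings),
        "sla_breaches": sla_breaches(findings, as_of, SLA_DAYS),
    }


if __name__ == "__main__":
    for key, value in summarize(FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

Two design points matter for the numbers to be trustworthy. Open findings are excluded from time to fix and reported as an age instead, so a growing backlog cannot make the average look better. The mean and median are reported together, because a single long-running fix (here, F-005) pulls the mean well above the median and is itself the thing worth investigating.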
An organization that can report on its vulnerability management, and on the exact state of its known vulnerabilities, is exercising a good standard of practice. That information can be used to improve organizational efficiency and reduce the time to fix known vulnerabilities, demonstrating the maturity of the security program and control over the environment.