The Problem with Vulnerability Management

Does this scenario look familiar to you?

Monday – “Roll up your sleeves, people! We’re going to patch some security vulnerabilities this week! I can FEEL it!”

Tuesday – “Reports are sent out and tickets have been created. They can’t ignore all those Highs and Critical CVEs THIS time!”

Wednesday – “I haven’t heard back from anyone yet. Maybe they’re so busy patching, they forgot to message me. I’ll email them a friendly reminder.”

Thursday – “No tickets have been closed? Wait, NO TICKETS HAVE BEEN ASSIGNED?!”

Friday – “Sigh. Backlogged again.”

After days, weeks, months, and years(!) of trying the same approach to solving the “vulnerability management problem”, in which your impassioned pleas for security fixes are largely ignored or de-prioritized, you start to realize something.

Your approach to vulnerability management does not work. Creating vulnerability reports, attending vulnerability review meetings, opening tickets to patch vulnerabilities, validating fixes and patches, etc. takes too much time, energy, and head-banging to make a large-scale difference in our respective companies’ admittedly woeful vulnerability statistics.

Because we all have something like 1,000 existing security vulnerabilities in our systems, right? Or is it closer to 10,000? 100,000? Does the number even matter?

Changing and improving the format and frequency of the reports, while seemingly beneficial, is a superficial band-aid to the underlying root cause of the vulnerability management problem: vulnerability reports, even good vulnerability reports, will be ignored.

But WHY?

WHY don’t years of vulnerability reports make a dent in the overall number of vulnerabilities?

WHY do teams take a low-priority approach to fixing critical security vulnerabilities?

WHY do InfoSec teams struggle to garner support and momentum for security activities?

The short answer is this: The vulnerability management problem, and by extension, InfoSec policy, budgeting, and executive-support problems, are largely symptomatic of an ineffective, incomplete, and unsupported approach to Information Security Governance.

Effective Information Security Governance requires several interconnected partnerships within an organization, but the MOST important of these is support at the executive board-level.

In other words, every executive board should*:

1. Treat information security as a critical business issue
2. Appoint a board member (or equivalent) to take overall responsibility for the organization’s information security governance approach
3. Define the overall objectives of the Information security governance approach, including:
   • Aligning the organization’s information security strategy with the organization’s business strategy
   • Ensuring that the governance approach delivers value to stakeholders through reduced costs, enhanced reputation, and improved risk management
   • Providing assurance that information risks are being adequately addressed.

A solid Information security governance framework should always include the following components:

1. Information security strategy
2. Stakeholder value delivery
3. Information security assurance

* Reference: The Standard of Good Practice for Information Security, Information Security Forum, Ltd. © 2016

Given the potential grandness and effort required to incite support for the points above, it all seems impossible, right? It’s a fine-and-dandy, idealistic, theoretical approach in a bleak world full of egos, personal agendas, and power plays, right?

Fortunately, even without initial executive-level support, the following team-level tasks can be performed in the near-term that would pay huge dividends in securing the overall security postures for our companies:

1. Asset management – Quantify business criticality as potential dollars lost in infrastructure systems and business applications to accurately prioritize Information Security activities and initiatives. Direct benefit to vulnerability management: vulnerability reports correlate security vulnerabilities to business dollars.
2. Baseline configuration management – Provide a set of gold-standard, frequently-updated and patched baseline configurations for new platform/OS images, common infrastructure, and business applications to reduce the number of known or previously-patched security vulnerabilities in dev, test, and production environments. Direct benefit to Vulnerability Management: vulnerability reports display the number of existing systems/applications “out of baseline” instead of the number of open security vulnerabilities on all systems.
3. Vendor (external supplier) management – Identify, assess, and manage the security risks associated with vendors during the proof of concept, procurement, and integration phases to determine the level of support required by the external vendor as well as the terms and conditions needed upon during purchasing. Direct benefit to vulnerability management: vulnerability reports separate vulnerabilities based on third-party applications and infrastructure components versus internally-created and managed vulnerabilities, thus providing another level of granularity to the vulnerability-prioritization process.

Conclusion

These three tactical actions – Asset management, baseline configuration management, and vendor management – are where even the smallest InfoSec teams can focus their immediate energy instead of spinning ever-evolving versions of vulnerability reports that would never gather the momentum needed to make a difference in their organizations’ vulnerability management programs.

Along with this bottom-up approach, InfoSec teams can work on the top-down approach of winning the hearts and minds of Executive Board members by helping them develop a strong Information Security Governance framework. This will greatly improve the security mindset, and by extension, the security posture, of any company.