Vulnerability management, in general, is supported by the idea that once an organization identifies a vulnerability that exists within its environment, proper steps should be taken to remediate that vulnerability. Those steps include being prepared, knowing when to identify the vulnerability, analyzing the vulnerability, communicating information to the right individuals internal and external to the organization, and finally treating the vulnerability. Within this post, we will review:
- What are vulnerabilities?
- What is the SANS vulnerability management maturity model?
- Essential details that should be included in a vulnerability management process template
- Vulnerability management tools
- Why vulnerability management is important
What is a Vulnerability?
According to NIST, a vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Vulnerabilities can originate from either an internal or external source to an organization. Oftentimes, vulnerabilities can be introduced unknowingly by an employee using a device that is not authorized to access the environment, or even removable media that has not been approved for use.
Other times, the source is a bad actor outside of the organization. Such actors use tactics and tools that scan internet-facing devices within an environment. If a device has not been configured properly or a known vulnerability has not been remediated, they can exploit that vulnerability and gain unauthorized access.
What is the SANS Vulnerability Management Maturity Model?
The SANS Vulnerability Management Maturity Model was created for organizations that needed guidance as they implemented a process of managing how vulnerabilities were identified and then ultimately remediated. The model contains the life-cycle of vulnerability management and maturity levels. First, we will walk through the life cycle.
Vulnerability Management Process
At a high level, a vulnerability management process includes steps to identify, examine, and remediate vulnerabilities identified using the various methods utilized at a certain organization. Below you will find a step-by-step breakout of that process and the tasks included for each.
Preparation
When an organization is in the preparation stage of vulnerability management, they are focusing on two things:
- What policies and procedures are required.
- Finding personnel who are considered experts so that they can understand and implement organizational requirements within the remainder of the life-cycle steps.
Identification
Once proper preparation is complete, the next step within the vulnerability life-cycle is the identification of vulnerabilities. SANS identifies three main ways in which an organization should expect to identify vulnerabilities: automated, manual, and external. For automated identification, vulnerability management tools, which are generally software as a service (SaaS) tools, can be implemented within an environment. The tools generally include a database of vulnerabilities and will scan the environment for those known vulnerabilities.
When something is found, a line item with the vulnerability is generated so that proper action can be taken. Manual identification of vulnerabilities requires the knowledge of an expert, generally a penetration tester. Penetration testers review and test the environment in an effort to exploit any vulnerabilities. Their findings are included in a report and provided to management for review and action, as required. Finally, organizations receive input regarding vulnerabilities from external sources.
While there is no one external way information can be provided, a couple of examples include a bug bounty program or information provided by a vendor. In a bug bounty program, organizations ask that any exploits found within their environment be submitted formally to the organization for remediation. Alternatively, vendors may at times be victims of an exploited vulnerability and as such must communicate that information to their users. In this scenario, the vendor would be providing the user organization with details of the vulnerability, so that additional action can be taken, as needed.
Analyze
Once a vulnerability has been identified, it is now time for the organization to analyze the threat to determine whether action is required. As part of the analysis, a documented review and root cause analysis should be completed. This review should also identify whether immediate action is required or whether it can be prioritized as low risk and as such may not require immediate action.
Communication
If, during the analyze phase, it is determined that a vulnerability was exploited, the next question to be asked is who, if anyone, the organization needs to communicate the exploitation to. Generally, if a client’s information could have been exposed, communication to those users should be done in a timely manner so that they can also perform necessary analysis, communication, and treatment. As part of the communication, reporting may be required to provide specific details regarding the exploit and any treatment information, if that is available.
Treatment
The final step in the vulnerability life-cycle is treatment. Treatment should generally follow one of two processes: change management or patch management. When a vulnerability is found that requires patching, it should follow the organization’s patching process so that the vulnerability is fixed immediately. Otherwise, if the identification of a vulnerability requires a code or infrastructure change, that process should be followed so that a change is made that is authorized and in line with organization requirements.
Vulnerability Management Maturity – Process & Levels
Once an organization has a process to remediate vulnerabilities, it can then focus on taking steps to increase the maturity of the process. As a process becomes more mature, the hope is that there is less of a chance that a vulnerability is missed and that continuous damage within an environment is stopped sooner rather than later. See the levels below.
- Level 1 – Initial – Level 1 in the maturity model means that there is no documented process or definition related to the different vulnerability management life-cycle steps. At this level, organizations are often reactive to situations vs proactive.
- Level 2 – Managed – Level 2 in the maturity model means that policies and procedures are in place; however, they were put into place as a reaction to an event. Generally, they are not fully thought out but good enough to deal with the issue at present.
- Level 3 – Defined – Level 3 in the maturity model means that a set of policies and procedures were thoughtfully created based on an organization’s formalized response to vulnerabilities. These policies and procedures include actions and responses that reflect how an organization plans to meet the requirements of the vulnerability management life-cycle.
- Level 4 – Quantitatively Managed – Level 4 in the maturity model means that the actions and responses outlined in the policies and procedures are documented and tracked so that reviews can be completed and the process updated in the event there is a deficiency noted.
- Level 5 – Optimized – Level 5 in the maturity model incorporates automated tools to force the actions required in the policies and procedures. That way steps in the vulnerability management process are not missed and key information is captured, as required.
What are the Essential Details that Should be Included in a Vulnerability Management Process Template?
While a template to address a vulnerability would be nice, it’s generally not that easy. As part of an optimized process in vulnerability management, automated tools that integrate with logging, ticketing, and internal communication together create the information required to properly track vulnerabilities through the vulnerability life cycle. However, not all organizations have a process that is optimized. If your organization falls under Level 1, or the initial level, then likely you do not have these tools in place. In that scenario, the following basic items should be considered.
- Who identified the vulnerability?
- What information about the vulnerability is currently known?
- What tools are being used to analyze the vulnerability?
- Can anything be done immediately to remediate the risk of further exploitation?
- What types of communication are necessary? (i.e. external and internal)
- What was the root cause of the vulnerability?
- What could be done going forward to prevent a similar event from recurring?
Going through questions similar to the ones above will be a good place to start until your organization can truly optimize the vulnerability management process.
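One way to keep those answers attached to each finding when no tooling is in place is a small record that refuses to move to the next life-cycle step until the relevant questions are answered. This is an added example, not part of the original post or of the SANS model; the field names, the stage gating and the sample record are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Stage(Enum):                     # life-cycle steps after Preparation
    IDENTIFICATION = 1
    ANALYZE = 2
    COMMUNICATION = 3
    TREATMENT = 4
    CLOSED = 5

# Template questions that must be answered before a record leaves each stage.
# Field names are hypothetical; the questions are the ones listed above.
REQUIRED = {
    Stage.IDENTIFICATION: ["identified_by", "known_information"],
    Stage.ANALYZE: ["analysis_tools", "immediate_mitigation", "root_cause"],
    Stage.COMMUNICATION: ["communication"],   # "none required" is a valid answer
    Stage.TREATMENT: ["treatment_path", "prevention"],
}
TREATMENT_PATHS = {"patch management", "change management"}

@dataclass
class VulnRecord:
    title: str
    stage: Stage = Stage.IDENTIFICATION
    answers: dict = field(default_factory=dict)

    def missing(self):
        """Questions for the current stage that have no non-blank answer."""
        return [q for q in REQUIRED.get(self.stage, [])
                if not str(self.answers.get(q, "")).strip()]

    def advance(self):
        """Move to the next stage; refuse if the record is incomplete."""
        if self.stage is Stage.CLOSED:
            raise ValueError("record is already closed")
        gaps = self.missing()
        if gaps:
            raise ValueError(f"{self.stage.name}: unanswered {gaps}")
        path = self.answers.get("treatment_path")
        if self.stage is Stage.TREATMENT and path not in TREATMENT_PATHS:
            raise ValueError(f"unknown treatment path: {path!r}")
        self.stage = Stage(self.stage.value + 1)
        return self.stage

# Constructed sample record, not real data.
rec = VulnRecord("Outdated TLS library on public web server")
rec.answers.update(identified_by="weekly automated scan",
                   known_information="vendor advisory published; fix available")
print(rec.advance())   # identification answers are complete, so the record moves on
print(rec.missing())   # what the analyze step still needs
```
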
What are Vulnerability Management Tools?
If you google vulnerability management tools, you will find a long list of options. A few include AlertLogic, Qualys, Tenable, Rapid7, etc. While they all have a goal of finding vulnerabilities within the environment, it is important for your organization to complete proper due diligence to determine whether the tool meets the requirements and needs of the organization. As mentioned before, these tools generally have a growing database of vulnerabilities, which are prioritized by Common Vulnerabilities and Exposures (CVE). CVEs are assigned a severity level to help prioritize remediation efforts. For example, CVEs that are rated high are considered more critical and should be remediated as soon as possible.
Why is Vulnerability Management Important?
Vulnerability management has become essential to any organization these days but especially ones that host client information. Ignoring the vulnerability management process could cost an organization its reputation. Luckily, a large number of tools and security-related organizations are out there to take much of the burden off the organization so that it’s much easier to become optimized. Additionally, there are a number of external scans, via penetration testing or vulnerability scans, that can be done to identify vulnerabilities. These can often be used together to best promote vulnerability management.
Vulnerability Management – Summary of Details
When an organization is looking to upgrade its vulnerability management process, the SANS Vulnerability Management Maturity Model is a great place to start. This will allow an organization to determine its current baseline and where it needs to go. Once determined, the next step should be to understand what tools are currently in use and how they can help to reach an optimized state. If tools are not in use, a review of possible tools should be done.
Additionally, a review of external scans should be considered as these often are tailored to immediate exploitations possible within your environment. Oftentimes, reports include steps that can be taken to help with remediation. Finally, management should continuously consider vulnerability management within its organization, even when considered optimized. This will keep the process a priority within the organization as vulnerabilities in the space continue to become more complex.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.