6 PROVEN STEPS TO [RE]GAIN CONTROL OF VULNERABILITY MANAGEMENT
By William Nana Fabu, CISSP
It’s time to move vulnerability management to the front of the line. Of the many data breaches that have made news headlines in recent years, 44 percent were successful due to the presence of non-remediated vulnerabilities. Today, from board members to customers, everyone wants to know how vulnerable the company is. This opens the door for investing in top-quality vulnerability management tools and information security professionals, and creates the atmosphere to seek out and remediate vulnerabilities.
Vulnerability management covers the following areas:
- Vulnerability identification and reporting
- Vulnerability analysis (remediation path)
- Vulnerability remediation
The Problem is Real
Generally, people are not that good at identifying their weaknesses because such flaws only arise when challenges are faced. In many cases, a third party lets us know about our weaknesses. In the IT world, unfortunately, that third party is often the attacker and we learn about a vulnerability only when the attacker uses it to harm us. The good news is that most vendors and some specialized organizations (National Vulnerability Database, US-CERT Cyber Security Alerts) work on discovering, analyzing and cataloging most of the vulnerabilities and make their findings available to the public. These lists even include remediation solutions. Also, most of the vulnerability management platforms come with a knowledge base that goes deeper in the analysis and matches discovered vulnerabilities with patches. These platforms also identify patchable and non-patchable vulnerabilities.
As often stated, numbers never lie. Some telling statistics from Edgescan in its 2016 Vulnerability Statistics Report:
- 15 percent of assets have high or critical risk vulnerabilities
- 29 percent of the hosting layer vulnerabilities are patching vulnerabilities and 48 percent are configuration vulnerabilities
- The average time to fix a vulnerability at the network layer is 12 days, while at the application layer it is 62 days
These numbers go a long way in illustrating the problem most institutions face when it comes to vulnerability management. When you consider that nearly half of the vulnerabilities are non-patchable, you see the need to start working on vulnerabilities as soon as they are discovered. It takes far longer to remediate non-patchable vulnerabilities than patchable ones, and the process generally involves change control and close coordination with system administrators, IT groups, vendors and, of course, the business.
The Case for a Vulnerability Remediation Team
After last year’s Equifax breach, many companies and institutions put pressure on their information security teams to:
- Clearly assess the vulnerability ecosystem (numbers, severity, effective risk, etc.)
- Put in place a vulnerability management program with effective remediation plans
- Reduce the vulnerability numbers and related risk to at least the institution’s tolerance for risk
The experience at my organization makes a strong case for creating a vulnerability management team. While our information security team was tasked with reporting vulnerabilities, there was no follow-up on effective remediation. This led, not surprisingly, to the constant increase in vulnerabilities with no strategy to reduce their number.
Generally, the vulnerability management process falls within the information security team. While the team would generally do a good job on reporting and risk assessment, it would often be difficult for them—due to their workload and the fact that they are mostly dealing with governance—to work effectively on remediation. With the exposure to vulnerabilities revealed across the globe, board members and management want to see an effective downtrend in the number of vulnerabilities and a more accurate risk assessment of the vulnerability ecosystem. My organization recognized this; upper management then put in place a vulnerability remediation team that I manage to set targets and translate the vulnerability list into action item lists. The team’s key functions include:
- Acting as liaison between the information security team and the vulnerability owners (IT, business, etc.)
- Facilitating the vulnerability remediation, and working with the vulnerability owners and the patching team
- Reporting on vulnerability remediation and proposing targets and strategies to management
- Building processes to improve effective remediation of vulnerabilities
My company has successfully applied this concept with tangible results, permitting a smooth transition from the volume approach (bring down the numbers first) to the risk approach. Working with the application and system owners to look for the best way to address their patchable and non-patchable vulnerabilities also helped build awareness and made it easy for the application and system owners to take ownership of their vulnerabilities. This was a big win and change of culture for the institution and is captured in the message from the vulnerability remediation team to the entire organization:
“We know you have vulnerabilities, but we are here to help you address each one of them and clean your system, and by so doing increase the security posture of the company.”
An added benefit is that by remediating vulnerabilities, a lot of EOL (end-of-life) software and devices were removed from the network and replaced with new systems that were compliant with the company standard and more efficient.
Best of all, we were able to reduce the number of vulnerabilities by 50 percent in just six months!
Putting Vulnerability Remediation into Action
Today, most institutions show an uptrend in the number of vulnerabilities, making it increasingly challenging to remediate in a timely manner (62 days for a critical vulnerability, according to Edgescan) and to significantly reduce the numbers. With the increased dangers posed by new vulnerabilities, coupled with the fact that the “bad guys” are also targeting old vulnerabilities that can still be found in our infrastructure, the time has come to move the focus from vulnerability reporting to vulnerability remediation.
The tools in the market today make it possible to automate at least 70 percent of the remediation process. The remaining 30 percent is analysis and decision-making. This is crucial for the success of a remediation campaign as it permits you to better understand your environment and build targets not limited to:
- Vulnerabilities on mission-critical applications
- Vulnerabilities on the perimeter
- Vulnerabilities older than one year
- Vulnerabilities qualified as “low-hanging fruit” (known vulnerability with known patches and known impact)
The “target” approach is strongly suggested because it not only defines a clear scope, but it is very metrics friendly.
Only after a comprehensive analysis in cooperation with the information security team would you be able to identify your targets and use your tools to deploy the patches securely and with limited impact on systems and availability. By moving away from the numbers and moving toward a remediation plan, the organization will have an improved risk posture. The plan of action includes:
Complete management support
Remediation involves all departments in the company, so it is imperative to have full support at the top. Without management support, your crucial patching programs could take a back seat to business priorities. Note that in most institutions, the lower environment is not a replica of the production environment. Therefore, testing in the lower environment does not guarantee a “zero issue” state when you move the patches to production. This is where management support plays a key role in moving forward with the remediation program.
Educate the business on the importance of patching
Patching and remediation are not just for information security, but cover the entire enterprise. You have to build awareness on the importance of patching. Use the examples of current ransomware and other cyberattacks to make your case, especially to the senior business (non-IT) managers, as they are the ones likely to push back the most. Have management send the message about patching activities to stress the importance and support. Finally, make sure you are effectively working with the business (system and application owners) during this process.
Patch both new and historical vulnerabilities
Do not limit your patching to the newly published patches and vulnerabilities. Make sure you also tackle the historical patches and vulnerabilities (backlog). Remember that bad actors generally use forgotten vulnerabilities to launch their attack campaigns. Also pay attention to the new patching format introduced by Microsoft and adapt your patching program to it as soon as possible. You need to communicate the fact that most vulnerabilities are directly connected to the OS and application versions. It may be time to move to new and updated versions before looking at the vulnerabilities.
Work also on the non-patchable vulnerabilities
It may take more time and effort to clear your non-patchable vulnerabilities, but you need to put in the effort and energy on this category, especially in your most critical network zones and mission-critical applications. Build a strong relationship with the system administrator and propose clear remediation paths (upgrade, system configuration, end-of-life system and application replacement, etc.). This is where you need to put on your consultant hat and work with the application and system owners to translate the non-patchable vulnerability list into a list of actionable items that are easily implemented. Do not forget to involve vendors at the beginning of this process. Generally, the solution or at least a key part of it would come from the vendor. Finally, do not forget to insist on testing the system after remediation.
Build exception groups
There will be times when systems crash after a patch despite the due diligence and testing. For these cases, build exception groups, have the business enter an exception with information security and clearly document the cases. Moving forward, pay close attention to those groups and engage the business as much as possible.
Move from volume to risk
In most cases, start with a volume approach to reduce the vulnerability count. When the number has reached an accepted ratio (number of vulnerabilities compared to the number of endpoints) prescribed by management, then shift to a risk approach. At this point, build your targets based on the risk assessment carried out by the information security team. The risk is generally calculated using the CVSS score and all the mitigation controls in the infrastructure. Do not only rely on the CVSS score to prioritize vulnerability remediation.
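The target groups and the volume-to-risk switch described above can be expressed as a small triage script. This is an added example, not part of the original article: the field names, the sample findings, the fixed date and the risk weights (CVSS adjusted for perimeter exposure, mission criticality and an existing mitigating control) are all assumptions chosen for illustration, and "low-hanging fruit" is approximated as "a patch is available".

```python
"""Target-based triage of scanner findings (constructed data, assumed weights)."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str           # constructed placeholder, not a real CVE
    cvss: float            # base score reported by the scanner
    first_seen: date
    patch_available: bool
    perimeter: bool
    mission_critical: bool
    mitigated: bool        # a compensating control already covers it

def target_groups(f: Finding, today: date) -> list[str]:
    """Map one finding onto the target groups named in the article."""
    groups = []
    if f.mission_critical:
        groups.append("mission-critical")
    if f.perimeter:
        groups.append("perimeter")
    if (today - f.first_seen).days > 365:
        groups.append("older-than-one-year")
    if f.patch_available:
        groups.append("low-hanging-fruit")
    return groups

def risk(f: Finding) -> float:
    """Assumed weighting: CVSS adjusted for exposure, criticality, mitigation."""
    score = f.cvss
    score *= 1.5 if f.perimeter else 1.0
    score *= 1.5 if f.mission_critical else 1.0
    score *= 0.5 if f.mitigated else 1.0
    return score

def plan(findings, endpoints: int, accepted_ratio: float):
    """Volume mode above the accepted findings-per-endpoint ratio, else risk mode."""
    ratio = len(findings) / endpoints
    if ratio > accepted_ratio:
        # Volume: patchable first, then oldest, to cut the count quickly.
        key = lambda f: (not f.patch_available, f.first_seen)
        return "volume", sorted(findings, key=key)
    return "risk", sorted(findings, key=risk, reverse=True)

TODAY = date(2018, 3, 1)   # fixed date so the example is reproducible
SAMPLE = [                 # constructed scanner export
    Finding("web01", "VULN-A", 9.8, date(2018, 1, 10), True,  True,  True,  True),
    Finding("db01",  "VULN-B", 7.5, date(2016, 6, 1),  False, False, True,  False),
    Finding("ws17",  "VULN-C", 9.0, date(2017, 11, 5), True,  False, False, False),
    Finding("fw01",  "VULN-D", 6.5, date(2016, 2, 20), True,  True,  False, False),
]

if __name__ == "__main__":
    for accepted in (0.5, 2.0):   # ratio prescribed by management (assumed values)
        mode, ordered = plan(SAMPLE, endpoints=4, accepted_ratio=accepted)
        print(mode, [(f.vuln_id, target_groups(f, TODAY)) for f in ordered])
```

In risk mode the finding with the highest CVSS score (VULN-A) is not first, because a mitigating control halves its weight, while the unpatched mission-critical finding VULN-B moves to the top.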
Moving vulnerability identification and analysis to vulnerability remediation is crucial. With the rapid change of the attack layer and the fast turnaround of attack vectors, it is imperative to rid your infrastructure of vulnerabilities as completely as possible. Start with the low-hanging fruit (known vulnerability/known patches) and move to the non-patchable vulnerabilities that necessitate more planning and interaction with system administrators. Always remember to gain the full support of management and that the bad guys mostly go for the old and forgotten vulnerabilities that have not been patched. A vulnerability remediation team is a good place to start.
William Nana Fabu, CISSP, works in Atlanta and is a past contributor to Insights and InfoSecurity Professional magazine.
LEAD IN: LEADERSHIP ADVICE FROM AWARD-WINNING SECURITY PROFESSIONALS
The following Q&A was excerpted in the January/February issue of InfoSecurity Professional. Here it is in its entirety.
Jorge Mario Ochoa is an information security officer at Millicom International Cellular (Tigo). He is from Guatemala City, Guatemala. Of his 18 years in IT, the past eight have focused on information security. Among his credentials and accomplishments: CISSP; C|SISO; CISA; CISM; C)PTE; C)SWAE; Cobit v4.1 & 5; ISO 9001:2008; ITIL v3.1 & v2011; Lead Auditor ISO 27001:2013; Lead Auditor, ISO 22301:2012; and Six Sigma White Belt Business Intelligence, Design Thinking.
Congratulations on winning an Americas ISLA® at Security Congress. What did it feel like the moment your name was called?
I already felt very honored to be sharing the finalists list with outstanding professionals. When I heard my name as one of the winners, I felt very grateful to God for blessing me with a wonderful family that has supported me unconditionally, especially Karina (my wife), great friends, colleagues and co-workers who have had the good disposition to share their knowledge and experience and, of course, (ISC)² for contributing to my professional development through its certifications, conferences and publications.
You won in the project/initiative category. In what ways did you help improve the information security culture at your organization?
As part of the continuous improvement that we promote within my team, we found that most of the employees in our organization are millennials. Knowing that, we designed a program that promotes an information security culture based on gamification. We formed a multidisciplinary team with partners in talent management, internal communication and marketing. In this way, we turned a good idea into a great idea. We understood how to communicate with our people, who were engaged and enjoyed the learning journey.
Additionally, we also designed training for technical teams, to make information security a lifestyle, an automatic thought. From their conception, our projects have integrated security components. As a result, we can spend more time in the second quadrant of time, according to Stephen Covey, which is the “important but not urgent” quadrant. Therefore, we engage in more strategic thinking and spend less time putting out fires.
As an (ISC)² instructor, what do you teach and what skills did you need to develop in order to excel in that role?
In classes, I promote an atmosphere of trust, in which everyone can contribute expertise and knowledge to make a much more enriching course. It also motivates me to constantly evolve, learning new ways to connect with the audience; identifying how the class progresses by analyzing questions and answers; noting body language and even silence. Sometimes the right question provides more answers than a mere explanation. I teach that knowledge is useful only when we share it and identify how to apply it.
Communication is vital in the learning process. What’s said is important, but how it is said is even more important. Tone of voice, posture, pauses, expression, energy, confidence, examples, experiences and dynamics used—these allow the student to be connected and interested in participating throughout the course.
Of all the projects you’ve worked on, which stand out as your greatest accomplishments?
I had the opportunity to lead the implementation and certification of ISO 27001:2013 and ISO 22301:2012 of a business unit in record time. The challenges started with the project’s sale; a solid business case was required in C-level terms, such as the return on investment and the business benefits of the project. The next challenge was to break paradigms that consider information security as a cost instead of a strategic partner and manage the change to create a process-oriented culture. At the end of the project, we exceeded expected benefits. The team always had the conviction that the project added value and was aware of how each activity made a positive impact. Because of that, the certifications were obtained and are still up-to-date.
What do you believe it takes to be a project leader?
Of all the skills and knowledge that a project leader can possess, the following are the ones I think a leader must work harder at:
- Humility: For me, humility is the most valuable human quality. Humility allows us to learn from each member of the team, recognize mistakes so that they become experiences, ask for help in a timely manner and listen carefully to suggestions and feedback.
- Envisioning (I read that word in a Harvard paper): This is understanding and believing in the purpose of what we do and that we will exceed objectives. But even more important, we can transmit our vision vividly, so that our team can see with their own eyes how they will reach the goal. The feeling of pride in their hearts when they reach the goal and breathe that fresh air of victory is as real as when we imagine the taste of a lemon on our tongue and begin to salivate.
- Discipline and perseverance: Without them, everything could be only good intentions. With them, results can be achieved without excuse.
If you had limited time to work on “soft skills” to improve someone’s leadership, what would you recommend?
It will sound trite, but I would give each individual coaching to help them find purpose. Since I have come to the understanding that my purpose is to serve, things have been much easier. I look for each activity I undertake to add value to that purpose. As a result, I feel my goals are realized. There is a famous talk by Simon Sinek, “Start with Why.” When we start with understanding the “why”—that is, the purpose—everything makes sense. The “what” and “how” will be very clear.
How many hours weekly do you work?
Normally I work 40 hours, thanks to our excellent team. We spend less time communicating via email and more time in conversation in person or by phone with colleagues in different areas of our firm. By adopting this philosophy, we better understand their needs and can work as multi-disciplinary teams to find the most efficient solutions.
I know you are expecting a new addition to the family soon. How do you plan to maintain a work-life balance so you can be there for those who depend on you at home and at work?
First, thanks for asking such an important question. In November, the doctor gave me and my wife news that in March our first child, Alejandro, will be born. I believe that the most valuable things in life are found in the details, not just big events. I really like a popular phrase, which I first heard in the movie Hitch: “Life is not measured by the times you breathe, but by the moments that leave you breathless.” There is nothing more important than the family. I also have an excellent team and when we work as a team to achieve our objectives, that teamwork allows us to be with our families so we do not miss the most important moments.
Do you have any advice for (ISC)² members who want to become better cybersecurity leaders in 2018?
Work even more closely with different business units to understand their needs. Communicate with them in their languages by changing bits and bytes into understandable terms specific to each business unit (return on investment, turnover rate, customer satisfaction, leads, net promoter score, etc.). It will also allow you to have a holistic vision, generate synergies. As a result, all areas will see us as a strategic partner and as an enabler. As a Chinese proverb says, “If you want to go fast, walk alone. If you want to go far, walk together.”