Table of Contents
Introduction 2
The Evolution of Vulnerability Management 3
To Be or Not Be Hacked Should Not Be the Question 4
Vulnerability Risk Management 2.0: A New Approach 5
Prioritization 5
Remediation 7
Governance 7
Regulatory Compliance: Friend or Foe? 9
Vulnerability Risk Management 2.0: Best Practices for Managing Risk in the New Digital War 1
Introduction
In 2015, 17 new security vulnerabilities are identified every day, roughly one every 90
minutes. This steady stream of new discoveries is due to a number of causes, from flaws in
software development and improper configuration of hardware and software applications to
the inevitable unintended errors made by IT users.
Vulnerability risk management has re-introduced itself as a top challenge – and priority –
for even the most savvy IT organizations as new technologies such as mobile and cloud
continue to proliferate and further expand the attack surface for cybercriminals.
While organizations once found it difficult to detect vulnerabilities and threats across the
IT infrastructure, scanning technologies were introduced to help solve the problem.
Vulnerability scanners provide the visibility into the potential risk land mines across the
network, applications and endpoints. But the question of what to do next has created an
overload of data tracked in spreadsheets, inefficient business processes, and
communication breakdown between internal teams in charge of remediation.
Today, new challenges confront IT and security professionals tasked with vulnerability
and threat management. This guide will challenge organizations to rethink how they
manage vulnerability risk and offer new insights to move forward. We will explore the
current state of vulnerability risk management and recommend new insights to help
organizations take the next step to building a successful program.
The Evolution of Vulnerability Management
Security vulnerabilities have been prevalent since the invention of computer networks. In
the past, organizations performed penetration testing at regular intervals to identify
weaknesses across the IT infrastructure from external and internal threats. Vulnerability
scanners were then introduced to provide an automated way to detect vulnerabilities on
an ongoing basis. Then, government and industry stepped in as data breaches started to
proliferate, passing regulations requiring organizations to institute vulnerability
management programs.
The term vulnerability management is often confused with vulnerability scanning.
Vulnerability management is the closed-loop process which includes vulnerability
scanning, but also takes into account other aspects such as remediation and risk
acceptance. Today, vulnerability management has become as much about people and
process as it is about technology, and this is where many programs are failing. The
problem is not detection. Prioritization, remediation, and program governance have
become the new precedence. Introducing a new era: Vulnerability Risk Management 2.0.
To Be or Not Be Hacked Should Not Be the Question
Cybercriminals had a banner year in 2014. Development of malware was unprecedented
with over 600 new samples created every minute. Over 1 billion records were
compromised in data breaches. Even more telling, among known attacks, 99.9% of exploited
vulnerabilities were compromised more than a year after the vulnerability had been published.
These numbers speak volumes to the digital war that organizations must defend against
today. To be or not be hacked is no longer a question of if, but rather when. The inevitable
breach has become a commonly accepted reality.
Vulnerability risk management calls for a new approach that moves beyond a simple
exercise in patch management to one focused on risk reduction. To effectively close the
window of vulnerability, organizations must begin to look at success as a measure of risk
reduction, and not the number of patches applied.
Vulnerability Risk Management 2.0: A New Approach
Much of the last decade has been spent on detecting vulnerabilities across the IT
environment. This has done little to help organizations move closer to the real problem of
patching the systems and applications that hackers are most likely to target.
Vulnerability risk management has entered a new era, and the issues have changed.
Security practitioners have moved from asking, “How do I find the problem” to “How do I
fix the problem,” thus creating a need for new tools, technology, and processes to answer
the question.
Vulnerability risk management 2.0 comprises three core areas: prioritization, remediation,
and governance.
Prioritization
In the land of cybersecurity, not all vulnerabilities are created equal. While the Common
Vulnerability Scoring System, or CVSS score, provides a basis for organizations to begin
the process of prioritizing threats, it is by no means the best measurement of risk on its
own.
Factors such as known exploits, malware attacks, and the criticality of an asset also need
to be considered. Even social media is a proven indicator of vulnerability risk. For
example, a critical vulnerability is mentioned an average of 748 times on social media
versus 89 times for vulnerabilities classified as “high” risk.
Some organizations do correlate CVSS scores with threat intelligence, but it is often a
manual process tracked in spreadsheets and can consume valuable time and resources
that can be redirected to more effective activities.
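As an added illustration (not code from this paper or from NopSec's product), the following Python combines the factors just listed into a single risk score: the CVSS base score is the likelihood baseline, raised when a public exploit exists, when the flaw is used by malware, or when it is heavily discussed on social media, and then multiplied by asset criticality for impact. The weights, the 500-mention threshold, and every sample finding except Heartbleed's CVSS 5.0 score are constructed assumptions.

```python
"""Risk-based prioritization of scanner findings (added illustration).

Not NopSec code. Weights, the social-media threshold and all findings except
Heartbleed's CVSS score are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float               # CVSS base score, 0.0 - 10.0, straight from the scanner
    asset_criticality: int    # 1 (throwaway lab box) .. 5 (crown jewel), from the asset inventory
    exploit_public: bool = False   # working exploit code is publicly available
    in_malware: bool = False       # observed in malware or exploit-kit campaigns
    social_mentions: int = 0       # mentions seen in social-media threat feeds


# Assumed likelihood multipliers; calibrate against your own incident history.
EXPLOIT_WEIGHT = 2.0
MALWARE_WEIGHT = 1.5
SOCIAL_WEIGHT = 1.25
SOCIAL_THRESHOLD = 500   # assumed cut-off; the paper reports ~748 mentions for critical flaws


def likelihood(f: Finding) -> float:
    """Likelihood of exploitation in [0, 1]: CVSS as the baseline, raised by threat intel."""
    score = f.cvss / 10.0
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    if f.in_malware:
        score *= MALWARE_WEIGHT
    if f.social_mentions >= SOCIAL_THRESHOLD:
        score *= SOCIAL_WEIGHT
    return min(1.0, score)


def impact(f: Finding) -> float:
    """Business impact in [0, 1], driven by what the asset is worth, not by the CVE."""
    return f.asset_criticality / 5.0


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0-100 and rounded for reporting."""
    return round(100 * likelihood(f) * impact(f), 1)


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """The CVSS-only queue most scanners hand you."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def by_risk(findings: List[Finding]) -> List[Finding]:
    """The risk-ordered queue: what to fix first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample. CVE-2014-0160 (Heartbleed) really carried a CVSS v2 base score of 5.0;
# the other three identifiers and every asset name are made up for this example.
SAMPLE = [
    Finding("CVE-2014-0160", "payment-gateway", 5.0, 5,
            exploit_public=True, in_malware=True, social_mentions=748),
    Finding("VULN-B", "lab-vm-17", 9.8, 1),
    Finding("VULN-C", "hr-portal", 7.5, 4, exploit_public=True),
    Finding("VULN-D", "build-server", 6.5, 3),
]

if __name__ == "__main__":
    print("CVSS order:", [f.cve for f in by_cvss(SAMPLE)])
    for f in by_risk(SAMPLE):
        print(f"{risk_score(f):6.1f}  {f.cve:15} {f.asset}")
```

Ranked by CVSS alone, the 9.8 on the lab VM comes first and Heartbleed on the payment gateway comes last; ranked by risk, the order inverts. The multipliers are deliberately the only tunable part: they are what threat intelligence feeds and your own breach history should be used to calibrate.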
Technologies such as NopSec Unified VRM can eliminate the labor-intensive tasks
associated with prioritization. By transforming security into business risk, organizations
can focus resources based on likelihood of breach, rather than on simple CVSS scores.
Using machine learning techniques, and incorporating influences from both open source
and commercial threat intelligence feeds and social media, NopSec Unified VRM saves
countless hours manually correlating these factors into actionable steps.
Remediation
The lack of a unified view directly contributes to the breakdown of communication
between internal teams tasked with remediation. This is apparent in that it takes an
average of 103 days to remediate a vulnerability, and in some cases far longer: one in
three vulnerabilities in the financial industry takes over a year to fix.
Workflow automation is essential to help accelerate the remediation process. From
simple ticket and task management to notifications and patch deployment, automated
remediation within a single platform can significantly reduce the time spent navigating
and updating multiple systems.
Synchronizing communication is also key to provide much needed visibility between
internal teams. Imagine being able to assign a group of critical vulnerabilities for
remediation to a system administrator including complete information on the threat, the
top assets prioritized by risk, and direct links to available patches – all in a single click,
and from a single platform.
Governance
The adage, “You can’t manage it if you can’t measure it” is true when it comes to
evaluating the success of your vulnerability risk management program. But what does
success look like? For most organizations, this will likely vary depending on the regulatory
nature of their industry and overall risk management strategy.
Program governance is necessary for many reasons, but two key focus areas are critical.
First, for the teams actually involved in remediation, communication and goal setting is
critical. For example, looking at hard metrics such as vulnerability aging can help internal
teams identify the gaps and address them to improve the process. Program governance
is critical to make success visible to the CISO and other key executives that have a stake
in ensuring the security and reputation of an organization.
Second, governance helps IT and security teams translate information security goals into
tangible business information. This is an essential step in bridging the communication
gap between the teams doing the work and C-level executives. IT and security teams
demonstrate greater value when they can move from communicating the number of
vulnerabilities patched to the percentage of risk removed from critical systems.
Establishing the right metrics is the key to any successful governance program, but the
program must also have the flexibility to evolve with the changing threat landscape. In
the case of vulnerability risk management, governance may start with baseline metrics
such as the number of days to patch critical systems. As the program matures, more
specific metrics can be introduced: days from discovery to resolution, and the lag
between a patch becoming available and its actual application.
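As an added example (not from this paper or from NopSec), the following Python computes the metrics this section names over a constructed set of remediation records: an aging histogram for open findings, median days from discovery to resolution, median lag from patch availability to application, SLA compliance per severity, and the percentage of risk removed from critical systems. The SLA table, the critical-asset cut-off, and the records themselves are assumptions.

```python
"""Governance metrics for a vulnerability risk management program (added example).

Not NopSec code. The SLA table, the critical-asset cut-off and the records are
constructed assumptions; the metrics are the ones the text names.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    id: str
    asset_criticality: int      # 1..5 from the asset inventory
    severity: str               # "critical" | "high" | "medium" | "low"
    risk: float                 # risk score assigned at prioritization time
    discovered: date
    patch_available: Optional[date] = None
    resolved: Optional[date] = None


# Assumed remediation SLAs, in days from discovery, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
CRITICAL_ASSET = 4   # assumed: assets rated >= 4 are the "critical systems"


def days_open(r: Record, as_of: date) -> int:
    """Age of a finding: discovery to resolution, or to the reporting date if still open."""
    return ((r.resolved or as_of) - r.discovered).days


def aging_buckets(records: List[Record], as_of: date) -> Dict[str, int]:
    """Vulnerability aging: how many open findings sit in each age band."""
    buckets = {"0-30": 0, "31-90": 0, ">90": 0}
    for r in records:
        if r.resolved is None:
            d = days_open(r, as_of)
            buckets["0-30" if d <= 30 else "31-90" if d <= 90 else ">90"] += 1
    return buckets


def median_days_to_resolve(records: List[Record], as_of: date) -> float:
    """Median days from discovery to resolution over closed findings."""
    closed = [days_open(r, as_of) for r in records if r.resolved]
    return median(closed) if closed else 0.0


def median_patch_lag(records: List[Record]) -> float:
    """Median days between a patch becoming available and its actual application."""
    lags = [(r.resolved - r.patch_available).days
            for r in records if r.resolved and r.patch_available]
    return median(lags) if lags else 0.0


def sla_compliance(records: List[Record], as_of: date) -> Dict[str, Optional[float]]:
    """Percent of findings per severity closed within SLA.

    Open findings already past their SLA count as breaches; open findings still
    inside their SLA are not judged yet (None when nothing has been judged).
    """
    out: Dict[str, Optional[float]] = {}
    for sev, limit in SLA_DAYS.items():
        judged = met = 0
        for r in records:
            if r.severity != sev:
                continue
            d = days_open(r, as_of)
            if r.resolved:
                judged += 1
                met += 1 if d <= limit else 0
            elif d > limit:
                judged += 1
        out[sev] = round(100 * met / judged, 1) if judged else None
    return out


def risk_removed_pct(records: List[Record], min_criticality: int = CRITICAL_ASSET) -> float:
    """Share of total risk on critical systems that has been closed out."""
    crit = [r for r in records if r.asset_criticality >= min_criticality]
    total = sum(r.risk for r in crit)
    removed = sum(r.risk for r in crit if r.resolved)
    return round(100 * removed / total, 1) if total else 0.0


# Constructed sample: six findings, reported as of 1 July 2015.
AS_OF = date(2015, 7, 1)
RECORDS = [
    Record("V-1", 5, "critical", 90, date(2015, 3, 1), date(2015, 3, 3), date(2015, 3, 10)),
    Record("V-2", 5, "critical", 80, date(2015, 4, 1), date(2015, 4, 1), date(2015, 5, 1)),
    Record("V-3", 4, "high", 60, date(2015, 5, 15), date(2015, 5, 20)),
    Record("V-4", 2, "high", 40, date(2015, 1, 10), date(2015, 1, 15)),
    Record("V-5", 1, "medium", 10, date(2015, 6, 20)),
    Record("V-6", 4, "critical", 85, date(2015, 6, 10), date(2015, 6, 12), date(2015, 6, 30)),
]

if __name__ == "__main__":
    print("aging:", aging_buckets(RECORDS, AS_OF))
    print("median days to resolve:", median_days_to_resolve(RECORDS, AS_OF))
    print("median patch lag (days):", median_patch_lag(RECORDS))
    print("SLA compliance %:", sla_compliance(RECORDS, AS_OF))
    print("risk removed from critical systems %:", risk_removed_pct(RECORDS))
```

Note the asymmetry the SLA metric deliberately preserves: an open finding only counts against you once it has breached its SLA, so a young backlog does not look like a failure, while an old one cannot hide. The risk-removed figure is weighted by the prioritization score rather than by finding count, which is the difference between "number of patches applied" and "percentage of risk removed" that the text calls for.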
Regulatory Compliance: Friend or Foe?
Government and industry regulations have compelled organizations to take action on
cyber security, and nearly all of them have some flavor of vulnerability risk management
requirements. So much time is spent on “checking the box” mentality and preparing for
audits that little room is left for measuring the real risk posture of an organization. Today,
32% of organizations are spending more than one-quarter of their IT security budget on
addressing compliance, but has security risk been drastically reduced as a result?
The debate remains as to whether the drawbacks outweigh the benefits. Consider the
PCI DSS requirement to remediate every vulnerability ranked "high," which for external
ASV scans means any finding with a CVSS base score of 4.0 or higher. This simple
threshold does not consider other risk factors such as the business value of an asset or
the external threat environment. By eliminating this set of vulnerabilities, how much risk
has actually been reduced? Remember, Heartbleed was given a CVSS v2 base score of
only 5.0, placing it in the middle of the scale rather than at the top of a score-driven queue.
The perils of non-compliance, and the resulting fines or residual brand damage, are stifling
innovation and making it difficult for organizations to take a risk-based approach to
vulnerability risk management. For practitioners, technologies that enable prioritized
recommendations, workflow automation, and governance can help simplify compliance
as well as deliver real visibility into risk reduction.
Find out how NopSec’s Unified VRM can help you think like a hacker and stay ahead of
the trends. Visit www.nopsec.com or email [email protected] for additional
information or to request a demo.
About NopSec
NopSec operates with one mission: to help people make better decisions to reduce
security risks. Our team is passionate about building technology to help customers
simplify their work, manage security vulnerability risks effectively, and empower them to
make more informed decisions. Our software-as-a-service approach to vulnerability risk
management offers an intelligent solution to dramatically reduce the turnaround time
between identification of critical vulnerabilities and remediation.
NopSec helps security professionals simplify their work, effectively manage and prioritize vulnerabilities, and make better
informed decisions.
NopSec’s Unified VRM is an innovative threat and vulnerability management solution that addresses the need for better
prioritization and remediation of security vulnerabilities in a single platform.
NopSec Inc. • www.nopsec.com • [email protected]