Post on 19-Jul-2020

Page 1: Table of Contents Introduction 2 The Evolution of ...info.nopsec.com/rs/736-UGK-525/images/NopSec_VRM2... · Vulnerability risk management calls for a new approach that moves beyond
Table of Contents

Introduction 2
The Evolution of Vulnerability Management 3
To Be or Not Be Hacked Should Not Be the Question 4
Vulnerability Risk Management 2.0: A New Approach 5
  Prioritization 5
  Remediation 7
  Governance 7
Regulatory Compliance: Friend or Foe? 9

Vulnerability Risk Management 2.0: Best Practices for Managing Risk in the New Digital War 1 

Introduction

In 2015, 17 new security vulnerabilities are identified every day, nearly one every 90 minutes. This consistent stream of new security vulnerability discoveries is due to a number of causes, from flaws in software development and improper configuration of hardware and software applications to the inevitable unintended errors made by IT users.

Vulnerability risk management has re-introduced itself as a top challenge – and priority – for even the most savvy IT organizations as new technologies such as mobile and cloud continue to proliferate and further expand the attack surface for cybercriminals.

While organizations once found it difficult to detect vulnerabilities and threats across the IT infrastructure, scanning technologies were introduced to help solve the problem. Vulnerability scanners provide visibility into the potential risk land mines across the network, applications and endpoints. But the question of what to do next has created an overload of data tracked in spreadsheets, inefficient business processes, and communication breakdowns between the internal teams in charge of remediation.

Today, new challenges confront IT and security professionals tasked with vulnerability and threat management. This guide will challenge organizations to rethink how they manage vulnerability risk and offer new insights to move forward. We will explore the current state of vulnerability risk management and recommend new insights to help organizations take the next step toward building a successful program.

The Evolution of Vulnerability Management

Security vulnerabilities have been prevalent since the invention of computer networks. In the past, organizations performed penetration testing at regular intervals to identify weaknesses across the IT infrastructure from external and internal threats. Vulnerability scanners were then introduced to provide an automated way to detect vulnerabilities on an ongoing basis. Then, as data breaches started to proliferate, government and industry stepped in, passing regulations requiring organizations to institute vulnerability management programs.

The term vulnerability management is often confused with vulnerability scanning. Vulnerability management is the closed-loop process that includes vulnerability scanning but also takes into account other aspects such as remediation and risk acceptance. Today, vulnerability management has become as much about people and process as it is about technology, and this is where many programs are failing. The problem is not detection. Prioritization, remediation, and program governance have become the new priorities. Introducing a new era: Vulnerability Risk Management 2.0.

To Be or Not Be Hacked Should Not Be the Question

Cybercriminals had a banner year in 2014. Development of malware was unprecedented, with over 600 new samples created every minute. Over 1 billion records were compromised in data breaches. Even more, among known attacks, 99.9% of exploited vulnerabilities had been compromised more than a year after being published.

These numbers speak volumes about the digital war that organizations must defend against today. To be or not be hacked is no longer a question of if, but rather when. The inevitable breach has become a commonly accepted reality.

Vulnerability risk management calls for a new approach that moves beyond a simple exercise in patch management to one focused on risk reduction. To effectively close the window of vulnerability, organizations must begin to look at success as a measure of risk reduction, and not the number of patches applied.

Vulnerability Risk Management 2.0: A New Approach

Much of the last decade has been spent on detecting vulnerabilities across the IT environment. This has done little to help organizations move closer to the real problem of patching the systems and applications that hackers are most likely to target.

Vulnerability risk management has entered a new era, and the issues have changed. Security practitioners have moved from asking “How do I find the problem?” to “How do I fix the problem?”, thus creating a need for new tools, technology, and processes to answer the question.

Vulnerability risk management 2.0 comprises three core areas: prioritization, remediation, and governance.

Prioritization

In the land of cybersecurity, not all vulnerabilities are created equal. While the Common Vulnerability Scoring System (CVSS) score provides a basis for organizations to begin the process of prioritizing threats, it is by no means the best measurement of risk on its own.

Factors such as known exploits, malware attacks, and the criticality of an asset also need to be considered. Even social media is a proven indicator of vulnerability risk. For example, a critical vulnerability is mentioned an average of 748 times on social media versus 89 times for vulnerabilities classified as “high” risk.

Some organizations do correlate CVSS scores with threat intelligence, but it is often a manual process tracked in spreadsheets that consumes valuable time and resources that could be redirected to more effective activities.

Technologies such as NopSec Unified VRM can eliminate the labor-intensive tasks associated with prioritization. By translating security findings into business risk, organizations can focus resources based on the likelihood of a breach rather than on CVSS scores alone. Using machine learning techniques and incorporating input from open source and commercial threat intelligence feeds and social media, NopSec Unified VRM saves the countless hours otherwise spent manually correlating these factors into actionable steps.
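The following is an added illustration of the prioritization argument above; it is example code written for this page, not code from the whitepaper or from NopSec's product, and the Finding fields, the 1-5 criticality scale, the multipliers and the four sample findings are all assumptions chosen to show the mechanism. It ranks the same findings two ways, by CVSS base score alone and by a risk score that also weighs asset criticality, public exploit availability, observed malware use and threat-feed chatter, so that a CVSS 5.0 issue on a critical asset with a public exploit moves from last place to first.

```python
"""Risk-based prioritization versus CVSS-only ranking (added example).

The weights and the 1-5 criticality scale are assumptions for illustration;
a real program would calibrate them against its own asset inventory and
threat intelligence sources.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss: float              # CVSS base score, 0.0-10.0
    asset: str
    asset_criticality: int   # 1 (lab/test) .. 5 (revenue-critical); assumed scale
    exploit_public: bool     # a working exploit is publicly available
    malware_observed: bool   # the flaw is being used by malware in the wild
    social_mentions: int     # mentions seen in threat feeds / social media


def risk_score(f: Finding) -> float:
    """Scale the CVSS base score by asset value and by threat evidence.

    CVSS alone answers "how bad is the flaw"; the multipliers answer
    "how likely is it to be used against *this* asset". All weights assumed.
    """
    score = f.cvss * (f.asset_criticality / 5.0)   # what the asset is worth to us
    if f.exploit_public:
        score *= 1.5                                # weaponised: cheaper to attack
    if f.malware_observed:
        score *= 1.5                                # already being exploited at scale
    # Chatter is a weak signal: at most +25% at 1000 mentions, capped there.
    score *= 1.0 + min(f.social_mentions, 1000) / 4000.0
    return round(score, 2)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The 'patch the highest CVSS first' ordering."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Risk-based ordering: threat evidence and asset value included."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (not real CVEs and not real scan output).
SAMPLE = [
    Finding("V-1", 9.8, "dev-test-box", 1, False, False, 12),
    Finding("V-2", 5.0, "payment-gateway", 5, True, True, 748),  # Heartbleed-like score
    Finding("V-3", 7.5, "hr-portal", 3, True, False, 89),
    Finding("V-4", 6.5, "intranet-wiki", 2, False, False, 0),
]

if __name__ == "__main__":
    print("by CVSS:", rank_by_cvss(SAMPLE))
    print("by risk:", rank_by_risk(SAMPLE))
    for f in SAMPLE:
        print(f"{f.vuln_id}: cvss={f.cvss} risk={risk_score(f)}")
```

Run stand-alone, the CVSS ordering puts the 9.8 on the test box first and the 5.0 on the payment gateway last; the risk ordering inverts that, which is the whitepaper's point about CVSS not being a measure of risk on its own.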

 

Remediation

The lack of a unified view directly contributes to the breakdown of communication between internal teams tasked with remediation. This is apparent in that it takes an average of 103 days to remediate a vulnerability, and in some cases it is even longer. For example, one out of three vulnerabilities in the financial industry takes over a year to fix.

Workflow automation is essential to help accelerate the remediation process. From simple ticket and task management to notifications and patch deployment, automated remediation within a single platform can significantly reduce the time spent navigating and updating multiple systems.

Synchronizing communication is also key to providing much-needed visibility between internal teams. Imagine being able to assign a group of critical vulnerabilities for remediation to a system administrator, including complete information on the threat, the top assets prioritized by risk, and direct links to available patches – all in a single click, and from a single platform.

Governance

The adage “You can’t manage it if you can’t measure it” is true when it comes to evaluating the success of your vulnerability risk management program. But what does success look like? For most organizations, this will likely vary depending on the regulatory nature of their industry and overall risk management strategy.

Program governance is necessary for many reasons, but two key focus areas are critical. First, for the teams actually involved in remediation, communication and goal setting are critical. For example, looking at hard metrics such as vulnerability aging can help internal teams identify gaps and address them to improve the process. Program governance is also critical to making success visible to the CISO and other key executives who have a stake in ensuring the security and reputation of the organization.

Second, governance helps IT and security teams translate information security goals into tangible business information. This is an essential step in bridging the communication gap between the teams doing the work and C-level executives. IT and security teams demonstrate greater value when they can move from communicating the number of vulnerabilities patched to the percentage of risk removed from critical systems.

Establishing the right metrics is the key to any successful governance program, but the program must also have the flexibility to evolve with the changing threat landscape. In the case of vulnerability risk management, governance may start with establishing baseline metrics such as the number of days to patch critical systems. As the program evolves, new and more specific metrics can be introduced, such as the number of days from discovery to resolution (i.e., from the time a patch is available to its actual application).
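The governance metrics named above (vulnerability aging, days to patch critical systems, the lag from patch availability to application, and percentage of risk removed from critical systems) computed over a handful of findings, as an added example for this page rather than anything from the whitepaper or NopSec's product. The Record fields, the dates, the risk values and the fixed "today" are constructed so the numbers are reproducible; a real program would read them from its scanner and ticketing system.

```python
"""Governance metrics for a vulnerability risk management program (added example).

Record fields, dates and risk values are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    vuln_id: str
    asset_critical: bool             # does the finding sit on a critical system?
    risk: float                      # risk score assigned during prioritization
    discovered: date                 # first reported by the scanner
    patch_available: Optional[date]  # vendor fix published (None if none yet)
    remediated: Optional[date]       # fix verified in place (None while open)


def aging_days(records: List[Record], today: date) -> Dict[str, int]:
    """Vulnerability aging: how long each still-open finding has been known."""
    return {r.vuln_id: (today - r.discovered).days
            for r in records if r.remediated is None}


def open_over_sla(records: List[Record], today: date, sla_days: int) -> List[str]:
    """Baseline metric: open findings older than the agreed days-to-patch target."""
    return [vid for vid, age in aging_days(records, today).items() if age > sla_days]


def mean_time_to_remediate(records: List[Record]) -> float:
    """Average days from discovery to verified fix, over closed findings only."""
    closed = [(r.remediated - r.discovered).days for r in records if r.remediated]
    return mean(closed) if closed else 0.0


def patch_lag_days(records: List[Record]) -> Dict[str, int]:
    """The more specific metric: days from a patch being available to it being applied."""
    return {r.vuln_id: (r.remediated - r.patch_available).days
            for r in records if r.remediated and r.patch_available}


def pct_risk_removed_from_critical(records: List[Record]) -> float:
    """Executive metric: share of total risk on critical systems that has been eliminated."""
    critical = [r for r in records if r.asset_critical]
    total = sum(r.risk for r in critical)
    if total == 0:
        return 0.0
    removed = sum(r.risk for r in critical if r.remediated)
    return round(100.0 * removed / total, 1)


# Constructed sample; "today" is pinned so the figures below are reproducible.
TODAY = date(2015, 9, 30)
SAMPLE = [
    Record("R-1", True, 9.0, date(2015, 6, 1), date(2015, 6, 5), date(2015, 6, 20)),
    Record("R-2", True, 6.0, date(2015, 3, 1), date(2015, 3, 10), None),
    Record("R-3", False, 3.0, date(2015, 8, 1), None, None),
    Record("R-4", True, 5.0, date(2015, 7, 15), date(2015, 7, 15), date(2015, 9, 1)),
]

if __name__ == "__main__":
    print("aging (days):", aging_days(SAMPLE, TODAY))
    print("open past 90-day SLA:", open_over_sla(SAMPLE, TODAY, 90))
    print("mean time to remediate (days):", mean_time_to_remediate(SAMPLE))
    print("patch-available -> applied lag (days):", patch_lag_days(SAMPLE))
    print("% risk removed from critical systems:", pct_risk_removed_from_critical(SAMPLE))
```

The two views the text contrasts come out of the same data: the team-facing numbers (R-2 has been open 213 days and is past a 90-day target) and the executive-facing one (70% of the risk on critical systems has been removed), which is the shift from counting patches to reporting risk reduction.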


Regulatory Compliance: Friend or Foe?

Government and industry regulations have compelled organizations to take action on cyber security, and nearly all of them have some flavor of vulnerability risk management requirements. So much time is spent on a “checking the box” mentality and preparing for audits that little room is left for measuring the real risk posture of an organization. Today, 32% of organizations are spending more than one-quarter of their IT security budget on addressing compliance, but has security risk been drastically reduced as a result?

The debate still remains as to whether the drawbacks outweigh the benefits. Consider the PCI DSS standard for vulnerability management, which requires remediation of any vulnerability with a CVSS score of 6.0 or higher. This simple standard does not consider other risk factors such as the business value of an asset or the external threat environment. By eliminating this set of vulnerabilities, how much risk has actually been reduced? Remember, Heartbleed was given a CVSS score of 5.0.

The perils of non-compliance and the resulting fines or residual brand damage are stifling innovation and making it difficult for organizations to take a risk-based approach to vulnerability risk management. For practitioners, technologies that enable prioritized recommendations, workflow automation, and governance can help simplify compliance as well as deliver real visibility into risk reduction.


Find out how NopSec’s Unified VRM can help you think like a hacker and stay ahead of the trends. Visit www.nopsec.com or email [email protected] for additional information or to request a demo.


About NopSec

NopSec operates with one mission: to help people make better decisions to reduce security risks. Our team is passionate about building technology to help customers simplify their work, manage security vulnerability risks effectively, and empower them to make more informed decisions. Our software-as-a-service approach to vulnerability risk management offers an intelligent solution to dramatically reduce the turnaround time between identification of critical vulnerabilities and remediation.


NopSec helps security professionals simplify their work, effectively manage and prioritize vulnerabilities, and make better informed decisions.

NopSec’s Unified VRM is an innovative threat and vulnerability management solution that addresses the need for better prioritization and remediation of security vulnerabilities in a single platform.

NopSec Inc. • www.nopsec.com • [email protected]
