Don’t Skip Vulnerability Management: It Could Cost You
Vulnerability management is an important, and sometimes overlooked, part of a good cybersecurity posture. It is more than just scanning and patching: it is the entire process of discovery, prioritization, and remediation. A well-oiled vulnerability management program actually saves a company time, because the overhead of the process has been streamlined. The savings compound, because companies with poor or no vulnerability management spend a lot of time dealing with zero-days or, in the worst case, a breach.
Vulnerability management starts with discovery, not scanning. First the team must identify all systems and assets that need to be scanned, inventoried, and categorized. Do not make the mistake of leaving out “unimportant” systems, as they can also be the source of a breach. The discovery phase should be redone at regular intervals to ensure that the scans stay up to date and cover the expected number of devices. If there are 85 devices in accounting, but the scan only found 40 of them, now you know there is an issue. This also works the other way, to discover rogue devices.
Next is setting up the scan. Here the interval matters, and it has to take into account when devices are online and operational. If database backups are being performed, it isn’t wise to scan those systems at the same time. The same goes for employee take-home devices that are no longer in the office to be scanned after hours. These are especially dangerous, as they often have out-of-date anti-virus and leave the secure network, only to introduce viruses once back. Pick times and intervals to cover as much as possible. Sometimes it is daily and other times weekly, but as long as each device is being scanned at least monthly, the process is working. This will change if a big zero-day is released, so be sure to keep an eye on the news, such as our weekly vulnerability summaries.
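The coverage checks from the discovery and scheduling steps above, as an added example (not Glassportal's code): it reconciles an asset inventory against scan results to list devices the scan missed, devices that are not in the inventory, and devices not scanned within the month. The data layout, the names, and the 30-day reading of "at least monthly" are assumptions; the sample data is constructed to mirror the 85-versus-40 case.

```python
from datetime import date, timedelta

# Assumption: "scanned at least monthly" is read as within the last 30 days.
MAX_SCAN_AGE = timedelta(days=30)


def coverage_report(inventory, scans, today):
    """Reconcile an asset inventory against scan results.

    inventory: {asset_id: department} from the discovery phase (hypothetical layout)
    scans:     {asset_id: date of last completed scan} (hypothetical layout)
    """
    known, seen = set(inventory), set(scans)
    per_dept = {}
    for asset, dept in inventory.items():
        row = per_dept.setdefault(dept, {"expected": 0, "scanned": 0})
        row["expected"] += 1
        row["scanned"] += int(asset in seen)
    return {
        # Inventoried but never reached by the scanner: a coverage gap.
        "missing": sorted(known - seen),
        # Answered the scan but nobody inventoried it: a possible rogue device.
        "rogue": sorted(seen - known),
        # Known and scanned, but not recently enough (e.g. take-home laptops).
        "stale": sorted(a for a in known & seen if today - scans[a] > MAX_SCAN_AGE),
        "per_dept": per_dept,
    }


# Constructed sample data: 85 accounting devices, of which the scan reached 40.
TODAY = date(2024, 6, 30)
INVENTORY = {f"acct-{i:03d}": "accounting" for i in range(1, 86)}
INVENTORY.update({"eng-001": "engineering", "eng-002": "engineering"})
SCANS = {f"acct-{i:03d}": TODAY - timedelta(days=3) for i in range(1, 41)}
SCANS["acct-007"] = TODAY - timedelta(days=45)     # laptop out of the office for weeks
SCANS["eng-001"] = TODAY - timedelta(days=1)
SCANS["unknown-ab12"] = TODAY - timedelta(days=1)  # on the network, not in inventory

if __name__ == "__main__":
    report = coverage_report(INVENTORY, SCANS, TODAY)
    for dept, row in report["per_dept"].items():
        print(f"{dept}: scanned {row['scanned']} of {row['expected']}")
    print("missing from scan:", len(report["missing"]))
    print("not in inventory:", report["rogue"])
    print("scan older than 30 days:", report["stale"])
```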
Once the results are in comes the hard part of vulnerability management: prioritization. While tools like Glassportal can help you do this, it is important to understand the process. First, review the latest news reports to know if there is any new critical exposure. Next, take a look at the vulnerabilities. What is their exposure to the internet? Are exploits available? Do the affected systems store sensitive data? Are these systems critical to business operations? Once you can answer these questions, you can prioritize findings. A critical vulnerability on an employee laptop with no known exploit may rank lower than a high-severity finding on a public-facing application server that has sensitive data. This will be very subjective, but once the team knows what they are looking for, it can be greatly sped up. It also helps to use tools, like Glassportal, to really get the data and automatically categorize assets through our unique context-driven platform.
The vulnerability management process concludes with patching and lessons learned. Patching is sadly not as simple as hitting update, though occasionally it can be. It requires an understanding of what the patch notes include and what dependencies exist. An application may require a certain version of a library to run, and updating that library will break the application. This is why research and testing are important. Roll patches out to development environments first, before they go to production, or roll them out to a subset of devices before the entire office. When patching is not possible, look into mitigations. This may be strong network segmentation via port filtering or VLANs, or reducing which users have access to the system. Not every system can be fixed in a timely manner, which is why a strong vulnerability management program is important. Once patches have been rolled out, it’s time for a lessons learned phase. Be sure to ask yourself what went wrong, what can be improved, and what is missing. The answers will help streamline the process for the future.
If you are interested in how Glassportal can help save time during vulnerability management, schedule a demo here: demo@glassportal.io