Vulnerability Management: How to Measure Success

Vulnerabilities
Written By Paul Kubler

A continuation of our series on vulnerability management, this article assumes that you have already began to implement a vulnerability management program. If you haven’t, check out our blogs on: why you need vulnerability management, and 9 myths of vulnerability management.

Metrics: Why you Need them

Key Performance Indicators (KPIs) and other metrics really sound like a chore to most security professionals. However, setting up easy to measure, use, and present metrics allows your team to get the budget it needs and prove success. Choosing the right metrics allows you to prioritize your efforts to generate the most impact with the least amount of work.

Environment Coverage

A lot of programs focus on what they believe to be the most important, in order to reduce effort. This is a common myth of vulnerability management, and can leave your company exposed. Scanners should include every public IP address and URL, and all internal systems including development/QA/staging environments and business continuity/disaster recovery locations. All to often these can be publicly exposed or suffer from vulnerabilities that make lateral movement child’s play. If you aren’t covering everything, you are blind to the true risk.

Beyond this, routine attack surface discovery is important. The team should look for new subdomains, added or rogue systems in the environment, and applications being managed. The hackers will do this, so your team should too. This process can involve staff and cross-departmental interviews and a good change management process.

Vulnerability and Risk Prioritization

Depending on the size of your organization, you may have dozens to hundreds of thousands of vulnerabilities. So figuring out what matters most is of utmost importance. It is more than simple CVSS scores, you need to consider the risk each finding has, as well as the effort required to remediate it.

Prioritization starts with understanding your organization. Do you store sensitive data, host applications, have a DMZ, or any other special circumstances that may impact risk? If so, these need to be accounted for in order to make sense of the noise. A critical vulnerability with no public exploit, no patch, and on a system that has no internet access may be less important than a high vulnerability on your firewall.

When focusing on vulnerabilities, do not ignore those that are internal. Simple tools that focus only on the internet facing assets miss a significant portion of risk. If a zero-day does occur, an internal network that is not secure will become a buffet for hackers. That’s also not to forget about phishing or social engineering.

Remediation Time (aka Time to Fix)

Fixing a vulnerability is the ultimate goal of vulnerability management, so it is important to take note of the amount of time it takes the team to fix. To really get a good handle on this, and not have management be disappointed, it is important to note when a patch is released. If no patch is available, mitigations should be put in place to reduce risk, while biding time for the patch to come out. Being able to record this will ease staff strain.

Next, the risk rating should include your environment details to factor in importance of the asset. If a system supposed to be up 99.9999% of the time, then you need to be able to record that as to why patching is slow. The same goes for less important vulnerabilities. If the risk is low, then remediating it can be a distraction.

Another way to improve your time to remediate is to lump vulnerabilities into fix effort. Will a quick settings change fix ten vulnerabilities, or does it require re-architecting your entire Active Directory? These will be important to measure, because a high level of effort to fix a critical finding will require additional resources, and this can be a good argument for management to increase the team’s budget.

Management Requirements

The final piece of advice is to figure out the metrics determined by the stakeholders. The CTO, CEO, IT Security Lead, and others will all have different metrics that they want to see. Having a tool that allows you to record this and present it in an easy read-only view or report can save lots of time in meetings.

If any of these metrics are something you are struggling to measure or show to management, Glassportal will be able to help. Schedule a demo to see it in action: demo@glassportal.io

Paul Kubler
Previous

Weekly Vulnerability Summary: 7 New Vulnerabilities for the week of November 5, 2023
Next

CVSS 4.0 is Released: Find Out How it Impacts your Company