What’s next for vulnerability management? How to complete the picture?

Pravin Kothari

Vulnerability assessment tools (VA tools or scanners) have evolved from network-based to host-based to application scanners (web apps and databases) and even to source code scanners. Tackling known exploitable vulnerabilities is an obvious step towards managing risk and compliance, and enterprises have spent millions on vulnerability management as part of their risk and compliance management programs. Yet management is still struggling to get visibility and answers to basic questions such as: are we focusing on the risks that matter to our business? Are we in compliance? Are we secure enough? Is our sensitive data exposed to breaches? They have started to realize that vulnerability assessment tools are just one piece of the broader risk and compliance management puzzle.

Some of the challenges facing vulnerability management programs are the following:

First of all, scanners do not have complete information. Multiple scanners are typically deployed, each reporting only its own view of the environment. On the other hand, there are a number of vulnerabilities that scanners cannot reach because of the security software installed on servers and desktops. Scanners also usually focus on open ports and network-accessible vulnerabilities, and much less on vulnerabilities in installed software. Moreover, scanners do not address "zero day" or "early warning" vulnerabilities. Subscribers to "early warning" advisory services, such as VeriSign iDefense, end up manually reviewing advisory alerts and are unable to track the affected systems and software in their environment.

Second, scanners do not connect the dots. For instance, they usually have no access to the business context of the target systems and applications, such as their Confidentiality, Integrity and Availability requirements. A vulnerability affecting a server that stores credit card information should not be treated with the same priority as the same vulnerability affecting a server that stores publicly available documents. Prioritization needs to take the business details of the affected asset into consideration. Scanners generate a lot of data, often too much noise for the user to properly review and address in a timely manner, which exacerbates the problem, especially when multiple scanners are deployed. Without an efficient way of prioritizing vulnerabilities, the genuinely serious ones can end up buried behind trivial ones, causing significant delays in remediation.
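As an added illustration of the two points above (this is example code, not part of the original post or any product), the following Python script merges findings from two hypothetical scanners that report in different formats, keeps one record per host and vulnerability, and then ranks each finding by scanner severity scaled with the asset's Confidentiality/Integrity/Availability ratings from an inventory, so the same vulnerability on a cardholder database outranks it on a public document server. All hosts, identifiers (the CVE-XXXX-* ids are placeholders), asset ratings and scoring weights are constructed.

```python
# Added example: merge two scanners' reports, enrich with asset CIA ratings,
# rank. Data and weights are constructed; CVE-XXXX-* ids are placeholders.
SEVERITY_WORDS = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}

# Each scanner reports in its own shape (constructed sample output).
SCANNER_A = [{"ip": "10.0.0.5", "cve": "CVE-XXXX-0001", "cvss": 7.5},
             {"ip": "10.0.0.9", "cve": "CVE-XXXX-0001", "cvss": 7.5}]
SCANNER_B = [{"host": "10.0.0.5", "id": "CVE-XXXX-0001", "severity": "high"},
             {"host": "10.0.0.5", "id": "CVE-XXXX-0002", "severity": "medium"}]

# Asset inventory with Confidentiality/Integrity/Availability ratings (1..3).
ASSETS = {"10.0.0.5": {"name": "cardholder-db", "c": 3, "i": 3, "a": 2},
          "10.0.0.9": {"name": "public-docs-www", "c": 1, "i": 1, "a": 2}}

def normalize(scanner_a, scanner_b):
    """Map both report formats onto (host, vuln_id, severity, source)."""
    for f in scanner_a:
        yield f["ip"], f["cve"], float(f["cvss"]), "A"
    for f in scanner_b:
        yield f["host"], f["id"], SEVERITY_WORDS[f["severity"].lower()], "B"

def merge_findings(scanner_a, scanner_b):
    """One record per (host, vuln): highest severity seen, all reporting sources."""
    merged = {}
    for host, vuln, sev, src in normalize(scanner_a, scanner_b):
        rec = merged.setdefault((host, vuln), {"severity": 0.0, "sources": set()})
        rec["severity"] = max(rec["severity"], sev)
        rec["sources"].add(src)
    return merged

def prioritize(merged, assets):
    """Scale severity by business impact derived from the asset's CIA ratings.
    A host missing from inventory keeps full weight and is flagged for review."""
    ranked = []
    for (host, vuln), rec in merged.items():
        asset = assets.get(host)
        impact = (asset["c"] + asset["i"] + asset["a"]) / 9.0 if asset else 1.0
        ranked.append({"host": host, "vuln": vuln,
                       "asset": asset["name"] if asset else "UNCLASSIFIED",
                       "priority": round(rec["severity"] * impact, 1),
                       "sources": sorted(rec["sources"])})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)

if __name__ == "__main__":
    for row in prioritize(merge_findings(SCANNER_A, SCANNER_B), ASSETS):
        print(row)
```

The same finding reported by both scanners collapses into one row that names both sources, and a host absent from the inventory surfaces as UNCLASSIFIED rather than silently losing its weight.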

Third, once a vulnerability is identified, its tracking and remediation process is often manual and error-prone because it relies on a patchwork of disconnected technologies. The process typically starts with a human review of the discovered vulnerability and ends with a user prescribing a remediation action, which usually takes the form of a helpdesk ticket. Tracking the ticket is again a separate process, and it does not loop back into vulnerability management. If remediation is carried out by a patch management system, that system does not loop back into vulnerability management either.

Lastly, vulnerability scanners do not correlate vulnerabilities with compliance requirements, compensating controls and GRC programs, which, ironically, partly fund the vulnerability management effort. Compliance and risk professionals end up manually copying and pasting vulnerability information into their control testing documentation.

Vulnerabilities, configurations, remediation and compliance are managed in functional silos and reported upward in silos. All of the information is available, but it sits in disparate systems. Enterprises are starting to realize that manual processes and incomplete silos prevent a unified view and a clean picture, and result in duplicated effort and high cost. They see a need to connect the dots and correlate vulnerability information with configuration, remediation, risk and compliance information.

Next time we will discuss how a new, technology-focused automated GRC platform can address these challenges.
