The Technology Side of GRC

Pravin Kothari

What’s the essential first step for a successful vulnerability management program?

In the last posting, we started talking about the challenges facing vulnerability management (VM) programs. Today, we’ll look at the all-important starting point: gathering all relevant vulnerability information from several sources: scanners, threat feeds, advisories, asset context, etc. The right information can help drive countermeasure decisions in an efficient and risk-based manner.

Vulnerability assessment tools (known generally as scanners) provide a lot of data (with a lot of noise), but at the same time they are missing a ton of information required for VM programs. Scanners cannot get to significant number of vulnerabilities, due to installed security on the network, servers and desktops.

Scanners are not enough.

Running only network-based and web-application vulnerability assessment tools is not enough to find all vulnerabilities as scanners do not touch software applications installed on the host. You will also need to scan the host for vulnerabilities, such as configuration checks for installed software applications and the OS.

Vulnerability assessment is a necessary part of a VM program whether it’s network, application and host-based scanner, but even that is not sufficient.  You cannot rely only on vulnerability assessment. You need to bring in information from several other sources.

One excellent source is the NIST National Vulnerability Database (NVD) database of vulnerabilities—it is industry standard, continuously updated, and freely available. It’s a master repository of all published vulnerabilities by vendors, by users and research organizations. That information can be filtered to be relevant to technologies deployed in your environment. For example, if you know you have Firefox v3.5 on selected systems in your environment, you can use NVD’s latest Firefox v3.5 vulnerabilities to identify all affected systems without running a scan. Such complementary techniques are valuable when scanners are unable to fully scan some hosts and installed software.  NVD also provides additional vulnerability attributes to help risk scoring.

Another key piece of information is an external threat intelligence feed, which includes new vulnerabilities discovered by security researchers, underground forums, law enforcement, and others. It also has information about what’s going on in the wild and whether an exploit is available for a given vulnerability – all that information can drive risk-scoring and prioritization. There are also commercial feeds available from VeriSign, Symantec, and so on, that provide advance notice and early warnings on emerging threats – resulting in solid 30 to 60days to deploy compensating controls before that vulnerability becomes public knowledge for exploitation or tested by a scanner.

Similarly, a prudent VM program should also include advisory reports that are provided by your vendors, such as Microsoft and Red Hat, that are relevant to your environment.

Are we missing any other important piece of information?

Yes, one of the most important pieces of information is the business context of target systems and applications. Business context includes how critical the target system is to the business, and its confidentiality, integrity and availability requirements. All the collected security information—vulnerability, threats, advisories, configuration issues, etc.—must be correlated with target systems’ business context for risk scoring and prioritization. Target systems should be linked to higher-level business processes, such as financial reporting, which may be subject to compliance requirements such as SOX.

Such business requirements and threat feeds play a key role in deriving the risk and priority of each vulnerability. A vulnerability affecting a server that stores credit card information should not be treated with the same priority as the same vulnerability affecting a server that stores publicly-available documents. Not having an efficient way of prioritizing vulnerabilities and threats can cause serious vulnerabilities to be buried behind more trivial ones, causing significant delays in remediation.

Seeing the whole picture

Basically, your vulnerability management program should aggregate information from aforementioned sources in order to adapt to the ever changing landscape of threats and to help you provide countermeasures in an efficient and risk-based manner.

Next time, we’ll continue to discuss Vulnerability Management as a key feature of new technology-focused automated GRC platforms. Also, we’ll talk about the next step: Making vulnerability lifecycle management smarter and more efficient with GRC platforms.