Vulnerability Management Payoff Requires Road Map
Vulnerability management may be the next big thing in terms of IT security strategy, but deriving the maximum value out of your efforts requires hard work and a comprehensive plan, industry insiders recognize.
Speaking at the SOURCE Boston conference this week, scanner maker Tenable Security's Carole Fennelly outlined some of the best practices that organizations should observe as they attempt to identify and remediate security weaknesses that exist throughout their IT systems and applications.
While vulnerability scanners such as Tenable's Nessus can provide organizations with loads of valuable data about potential weak points throughout their IT ecosystems, if companies don't have the right road map in place to respond to and act on the results provided by the assessment tools, they won't realize as many benefits of the vulnerability management process, Fennelly said.
The expert outlined a series of steps that organizations should follow to help optimize their efforts, which start with prioritizing exactly which assets have to be managed most aggressively. That might sound like obvious advice, but many companies put the carriage in front of the horse in terms of getting involved with vulnerability management without first understanding what they need to address, she said.
"Organizations need to create asset lists that define their critical business systems to help prioritize their efforts; they need to have the support of different internal groups to create these lists that will help them mitigate their most critical problems," said Fennelly, Tenable's director of content. "For instance, if you can classify your data and know what area of your network certain data is supposed to be on, then you can tune your scanners to monitor your network appropriately. But admittedly, trying to get business people to come up with this type of classification is often the tough part."
Fennelly said that along with mapping out their systems, data and security game plan, vulnerability management leaders need to tackle the always challenging process of fostering better communication between security strategists and individual business units.
"Before buying tools, organizations should develop a vulnerability management blueprint," she said. "It's about what is in place to support your program; you need to define business requirements, get the business units involved and see what's important to them; you need to segment the network, map the data flows and define what the product requirements are for any reporting tools. You need to know who is going to run and maintain the programs, what is the scheduling process, what the overhead costs are, and who has the responsibility to fix what you find."
The longtime security specialist who worked as a practitioner on Wall Street before moving to the vendor world said that when planners run into internal hurdles about how and why they need to conduct assessments they should sell many of the related security benefits that vulnerability management can produce beyond merely identifying potential points of risk.
"You have to point to the ability of vulnerability management to help solve problems that some people might not expect, how it can complement your patch management system, how it can help with configuration management," said Fennelly. "It's also important to look at different standards and tailor your approach to them to address your unique organization. You have to look at your actual needs and tailor how you approach standards to your situation. That makes any work that you're doing to address standards easier to maintain as well."
IT security executives attending the discussion agreed that selling vulnerability management in the right manner inside of your organization is indeed one of the keys to making the whole process go.
It's literally a process of becoming an internal marketing salesman in some senses, said Jonathan Klein, senior director of security engineering at Broadridge Financial Solutions.
"No matter what program you're trying to promote, you have to show business the value of the program, how it will make their jobs easier, how it can be tied to customer contracts, such as with reducing risks related to data breaches," said Klein. "By getting into other parts of your organization, showing developers how you can make them more efficient, you can help them see value in the process and become more integrated in the process, rather than just threatening them with potential results."
All this upfront work can take time, as sometimes it can take weeks simply to identify which business units own which servers, when scans and other tests can be run without interrupting critical business operations, who will fix any problems that are unearthed and what types of products may be required to meet your specific vulnerability management goals, the experts agreed.
As such, vulnerability management must be approached methodically in general, they said.
"Vulnerability scanning goes far beyond finding vulnerabilities, if you're just looking for software bugs, that's actually sort of limiting," said Fennelly. "You might not want to start in as comprehensive a manner as you hope, but you can tie your efforts to other opportunities over time. You can tie it to inventory, to mapping networks, things that are not necessarily about vulnerabilities, try to tie it to your entire security program."
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.