Integrating Vulnerability Management into your ISMS
Despite the increasing threat and a rapidly increasing number of cyber attacks, many companies seem to be struggling with managing vulnerabilities. When a vulnerability is identified, a security patch is released to address it. However, the time taken from the point a vulnerability is discovered to the point when the security patch is updated is often too long. Hackers take advantage of this time gap to launch an attack.
The problem is even bigger when companies fail to instal the update or security patch years after its release, making them an easy target for a cyber attack. According to a report by Check Point, 75% of attacks in 2020 exploited vulnerabilities that were at least 2 years old.
It’s high time organisations take vulnerability management seriously. It is a continuous process that proactively identifies and treats vulnerabilities before hackers take advantage of them. Several organisations face challenges in integrating vulnerability management programs with their Information Security and Management Systems (ISMS) programs. This manifests into significantly greater risks and data and systems exposed to attacks.
The challenges
Below are the most common challenges organisations face in integrating vulnerable practices into security operations.
Issues with vulnerability scans
Issues related to scanning vulnerabilities directly impact the accuracy and timeliness of identifying vulnerabilities. Problems such as misconfiguration of the vulnerability scanner, delays in scanning vulnerabilities, inaccurate scans, etc. all result in incorrect reporting which does not give a true view of the vulnerability status.
Poor visibility of the organisational environment
When you don’t have enough visibility of the systems, networks, and data, it is difficult to identify all the vulnerabilities. After all, unless you know where to look, how will you find all the issues there are?
Too many vulnerabilities
Complex, large systems can have hundreds of thousands of vulnerabilities. When the number of vulnerabilities is overwhelming, organisations tend to define a narrow scope for security operations effectively ignoring a lot of vulnerabilities that don’t get treated on time.
IT and security teams are not aligned
In a bid to ensure more uptime, IT teams sometimes don’t sanction the downtimes needed by the security teams to instal patches and updates to treat vulnerabilities. This conflict can cause delays in vulnerability treatment exposing the systems and software to risk.
The best practices
A holistic approach to cyber security requires integrating good vulnerability management practices with your ISMS. The following best practices help in achieving this.
Create and maintain the list of assets
The first step to having good visibility of all the systems and software in an organisation is to have a detailed asset list. One of the reasons why organisations sometimes miss a vulnerability is because they do not start with a complete asset inventory and end up missing some assets in the vulnerability scans.
You also need to ensure the asset list contains any remote devices. Especially now, with the remote and hybrid work culture, some assets are not on the organisation’s network, especially during out-of-office hours.
Use threat intelligence to fix vulnerabilities
Cyber threat intelligence can help you understand the common vulnerabilities in your industry so that you can address them before a security incident occurs. Prioritise vulnerabilities that can be accessed from the outside since these are easy targets for hackers.
Use risk frameworks and threat hunting programs. Threat hunting programs can help security teams determine critical vulnerabilities and also take action if these vulnerabilities have already been exploited.
Carry out penetration tests
Penetration tests are very effective in uncovering vulnerabilities. They are carried out by security personnel who simulate a cyber attack in a controlled environment. This highlights the weaknesses in the system and even vulnerabilities you weren’t aware of come to the fore.
This will also help you come up with a response and recovery plan if the vulnerability does get exploited.
Use automation
Using security automation tools can help speed up the vulnerability management process. It will also enable the steps to identify and reduce vulnerabilities and risks such as quarantining affected systems, containing the damage, triggering the recovery process, etc. By automating certain aspects of vulnerability management, the security team will have more bandwidth to work on updates and patches and other critical tasks.
Report the success of vulnerability management
Once you start implementing the vulnerability management program, you will start seeing system metrics that justify the investment in the program. This could be the list of critical vulnerabilities that had gone unnoticed, the number of fixes applied to enhance security, the number of attacks averted, etc. Document and report these metrics to the decision-makers in the organisations so that they continue to approve the investment in vulnerability management.
Who is responsible for Vulnerability Management in an organisation?
Cybersecurity should be everyone’s responsibility. However, when it comes to vulnerability management, it is important to know the important stakeholders. Below are the 3 people/departments in an organisation who need to be actively involved in the vulnerability management process.
Chief Information Security Officer (CISO)
The CISO should be involved in creating a strategy that brings together vulnerability management and other activities under the ISMS program. They also need to define the roles and responsibilities of the employees and set the rules and policies related to security. They also need to be involved in the decisions about the security controls to be implemented and the risk management process.
The Security Operations Centre (SOC)
SOC is responsible for implementing all technical measures such as security patches, software updates, firewalls, antivirus programs, etc. They also need to be involved in running vulnerability scans and risk identification. If your organisation carries out penetration testing, the SOC is responsible for carrying out these tests.
When a solution is deployed, the SOC needs to test and demonstrate that the solution has reduced or removed the vulnerability in question. All reports regarding vulnerability management and risk management must be handed over to the CISO by the SOC team.
Software Development Team
Vulnerability scans and security checks need to be included in all stages of the software development lifecycle. If the software products developed are to be deployed in the market, large enterprises can register their own CVE Numbering Authority (CAN) and assign CVEs to vulnerabilities. When vulnerabilities are found in the product, the software development team should release security patches to treat the vulnerabilities.
IT Operations Team
The IT operations team needs to ensure that the updates to the firewall, antivirus program, software, etc. are carried out on time. This is an important step in addressing vulnerabilities in the IT infrastructure. Removing or replacing obsolete systems and reporting any inconsistencies to the CISO is also their responsibility.
Final thoughts
Focusing only on cybersecurity is no longer enough, now that the threats are becoming more sophisticated. Where cybersecurity practices take more of a reactive approach to information security, vulnerability management is proactive.
By integrating Vulnerability Management into the ISMS, you ensure that the important practice of identifying and treating vulnerabilities becomes a part of the security operations. Read more in the blog Understanding Vulnerability Management.
Vulnerability management is much more than just mechanically identifying vulnerabilities and installing security patches. It is an ongoing disciplined practice that needs a shift in the organisational mindset to accept this process as an integral part of the security initiatives.
Written by Heather Buker
Heather has been a technical SME in the cybersecurity field her entire career from developing cybersecurity software to consulting, service delivery, architecting, and product management across most industry verticals. An engineer by trade, Heather specializes in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelors in Computer Engineering, Masters in Engineering Management, and a Doctorate in Information Technology with a specialization in information assurance and cybersecurity.