If you haven’t read the previous article in this series on vulnerability management (VM), catch up on the series with articles one, two, and three to learn VM fundamentals and the steps you need to take in order to prepare for your journey up VM Mountain using the Capability Maturity Model.
We’ve already looked at the early stages of VM maturity, so let’s focus now on how to optimise your program once you’ve got the basics down. For example, a mature VM program has vulnerability assessments being run at least every week, with remediations taking place in a timely manner.
By now, the critical systems in your environment should be identified, and your full inventory of hardware and software should be well documented. But how often should you assess the assets in that inventory?
Prioritising Asset Assessment
While it would be ideal to assess everything, that’s not always practical. More realistically, the priority of the asset will determine the cadence.
Think about your externally facing critical assets. Assets that, if compromised, would stop the business should be assessed at least once a day. Critical assets that are not externally facing should be assessed at least every three days. Other assets of importance should be assessed weekly, followed by standard and low-priority assets at a slightly less frequent cadence. The cadence of patch releases can also play a role in setting these intervals; for example, scheduling an assessment shortly after your regular patch window verifies that the patches were actually applied.
Types of Assessments
You can use a variety of assessment technologies to aid in your VM program. Scanning is generally broken down into a few main categories depending on the assets in scope. External (unauthenticated) assessments evaluate a system without logging into it: the scanner sends packets to the target and infers vulnerability status from the replies, such as service banners and protocol behaviour. Internal (credentialed) assessments log into the asset and determine its state directly by checking items such as file versions, configurations, rpm package versions and registry keys. These require elevated access on each asset to work correctly, which also means scan credentials that must themselves be protected.
Another important consideration is whether to use agent-based or agentless scanning techniques. Both have their pros and cons, and organisations can often bolster the efficiency of their VM program by taking advantage of both. One way agent-based scans help, for example, is that the agent already runs with elevated privileges on the host, eliminating the need to distribute and manage scan credentials. Agents are also well suited to transient assets like laptops that may not be on the network at the time of a scheduled scan, since the agent can assess the host locally and report back when it reconnects.
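The credentialed style of check described above, worked through as an added example written for this article (it is not code from the original page or from any scanner product). It takes a package inventory in the shape that `rpm -qa --queryformat '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` prints, compares each installed epoch:version-release (EVR) against the first fixed EVR from an advisory, and reports what is still vulnerable. The inventory lines, package names and fixed versions are constructed for illustration and do not correspond to any real advisory; the version comparison follows RPM's segment rules but omits the tilde and caret handling of the real `rpmvercmp`, which is an assumption that holds for these inputs.

```python
"""Added example: a credentialed version check of the kind a scanner runs
after logging into a host. All package data below is constructed."""
import re

# Constructed inventory, as if collected on the target with
# rpm -qa --queryformat '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# (rpm prints "(none)" for an unset epoch, which we treat as 0).
INVENTORY = """\
examplelib (none):2.4.1-1.el8
exampled 1:3.0.0-5.el8
examplessl (none):1.0.2k-8.el8
examplecli (none):1.10-2.el8
"""

# Hypothetical advisory data: package name -> first fixed EVR (constructed).
FIXED = {
    "examplelib": "0:2.4.1-3.el8",
    "exampled": "1:3.0.0-5.el8",
    "examplessl": "0:1.0.2k-22.el8",
    "examplecli": "0:1.9-1.el8",
}

_SEG = re.compile(r"\d+|[A-Za-z]+")


def parse_evr(evr):
    """Split 'epoch:version-release' into (int epoch, version, release)."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    if epoch == "(none)":
        epoch = "0"
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), version, release


def rpmvercmp(a, b):
    """Compare two version or release strings using RPM's segment rules:
    split into numeric and alphabetic runs (separators are ignored), compare
    numeric runs as integers and alphabetic runs lexically, a numeric run
    beats an alphabetic one, and if one string runs out of segments the
    longer one is newer. Returns -1, 0 or 1. Tilde/caret rules omitted."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def vulnerable_packages(inventory_text, fixed):
    """Names of installed packages whose EVR is older than the fixed EVR."""
    found = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        name, evr = line.split(None, 1)
        if name in fixed and evrcmp(evr.strip(), fixed[name]) < 0:
            found.append(name)
    return found


if __name__ == "__main__":
    for name in vulnerable_packages(INVENTORY, FIXED):
        print(f"{name}: installed version is older than the fixed version")
```

Note that `examplessl` is reported as vulnerable only because the release number is compared numerically (8 is older than 22, although "8" sorts after "22" as a string). This is also why unauthenticated checks are prone to false positives on distributions that backport fixes: a banner still reports 1.0.2k, and only a credentialed look at the release field shows whether the fix is present.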
Tracking and Metrics
Once your VM program is more advanced, creating and tracking metrics becomes a priority. You can begin simply by tracking your assessment results over time to spot trends. Some metrics to consider are:
- Organisation-wide coverage percentage: What percentage of the organisation's assets is currently being assessed? Use this to determine how to close the gap, and make sure the percentage is not slipping over time as new assets are added faster than they are brought into scope.
- The number of truly critical vulnerabilities: This is based on the risk score for each vulnerability. A numeric scoring system allows you to set a threshold (a high-water mark) so that any issue scoring above the line is remediated immediately.
- Mean time to resolution (MTR): How long, on average, does it take to remediate a vulnerability once it has been detected? Is this trending down or up?
- Time to detect: How long did it take to discover a new vulnerability once it was introduced? For instance, when a new vulnerability was introduced by installing a new application, was it detected in minutes, hours, days or weeks?
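The cadence tiers from Prioritising Asset Assessment and the four metrics listed above, worked through in code. This is an added example written for this article, not a tool or code from the original page. The asset inventory, findings and clock are constructed; the 14-day interval for standard and low-priority assets is an assumption (the text only says "slightly less frequent" than weekly); the 9.0 critical threshold is an assumed high-water mark; and "coverage" is interpreted here as assets assessed within their required cadence rather than merely assessed at some point, so an asset that has slipped its interval counts against coverage.

```python
"""Added example: cadence tiers plus program metrics over constructed data."""
from datetime import datetime, timedelta
from statistics import mean

# Constructed inventory. 'last_assessed' is the most recent completed
# assessment (ISO 8601); None means the asset has never been assessed.
ASSETS = [
    {"id": "web-01", "priority": "critical", "external": True, "last_assessed": "2024-03-12T06:00"},
    {"id": "db-01", "priority": "critical", "external": False, "last_assessed": "2024-03-08T06:00"},
    {"id": "app-02", "priority": "important", "external": False, "last_assessed": "2024-03-06T12:00"},
    {"id": "lab-vm", "priority": "low", "external": False, "last_assessed": None},
    {"id": "vpn-01", "priority": "critical", "external": True, "last_assessed": "2024-03-11T08:00"},
]

# Constructed findings. 'introduced' is when the vulnerable state appeared
# (e.g. a package install), 'detected' when an assessment first reported it,
# 'resolved' when a later assessment confirmed it gone (None = still open).
FINDINGS = [
    {"asset": "web-01", "score": 9.8, "introduced": "2024-03-01T00:00", "detected": "2024-03-01T02:00", "resolved": "2024-03-02T02:00"},
    {"asset": "db-01", "score": 7.5, "introduced": "2024-03-03T00:00", "detected": "2024-03-05T00:00", "resolved": None},
    {"asset": "app-02", "score": 9.1, "introduced": "2024-03-05T00:00", "detected": "2024-03-05T12:00", "resolved": "2024-03-09T12:00"},
    {"asset": "vpn-01", "score": 9.4, "introduced": "2024-03-10T00:00", "detected": "2024-03-11T08:00", "resolved": None},
]

NOW = datetime.fromisoformat("2024-03-12T12:00")  # fixed clock so the example is reproducible
CRITICAL_THRESHOLD = 9.0  # assumed high-water mark on the risk score


def required_cadence_days(priority, external):
    """Assessment interval per tier, following the article. The 14-day
    figure for standard/low assets is an assumption."""
    if priority == "critical":
        return 1 if external else 3
    if priority == "important":
        return 7
    return 14


def overdue_days(asset, now):
    """Days past the asset's required cadence (negative = still within it).
    Never-assessed assets are treated as infinitely overdue so they sort first."""
    if asset["last_assessed"] is None:
        return float("inf")
    age = (now - datetime.fromisoformat(asset["last_assessed"])) / timedelta(days=1)
    return age - required_cadence_days(asset["priority"], asset["external"])


def overdue_assets(assets, now):
    """Asset ids that have slipped their cadence, most overdue first."""
    late = [(overdue_days(a, now), a["id"]) for a in assets]
    return [aid for days, aid in sorted(late, reverse=True) if days > 0]


def coverage_percent(assets, now):
    """Share of assets assessed within their required cadence."""
    covered = sum(1 for a in assets if overdue_days(a, now) <= 0)
    return 100.0 * covered / len(assets)


def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)


def open_critical_count(findings, threshold):
    """Unresolved findings scoring at or above the high-water mark."""
    return sum(1 for f in findings if f["resolved"] is None and f["score"] >= threshold)


def mean_time_to_resolve_hours(findings):
    """MTR: average hours from detection to confirmed resolution, over closed findings."""
    closed = [_hours(f["detected"], f["resolved"]) for f in findings if f["resolved"]]
    return mean(closed) if closed else None


def mean_time_to_detect_hours(findings):
    """Time to detect: average hours from introduction to first detection."""
    return mean([_hours(f["introduced"], f["detected"]) for f in findings])


def program_report(assets=ASSETS, findings=FINDINGS, now=NOW, threshold=CRITICAL_THRESHOLD):
    return {
        "coverage_percent": coverage_percent(assets, now),
        "overdue": overdue_assets(assets, now),
        "open_critical": open_critical_count(findings, threshold),
        "mtr_hours": mean_time_to_resolve_hours(findings),
        "mttd_hours": mean_time_to_detect_hours(findings),
    }


if __name__ == "__main__":
    for key, value in program_report().items():
        print(f"{key}: {value}")
```

On the constructed data, coverage comes out at 40% even though four of the five assets have been scanned, because `db-01` and `vpn-01` are past their tier's interval and `lab-vm` has never been assessed; that is the gap the coverage metric is meant to expose. Running the same report at each weekly checkpoint and keeping the series gives you the trend lines the metrics above ask about.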
Keep on Optimising
A mature VM program is something to celebrate, so don’t forget to take a moment to enjoy the view once you have all of the processes in place and running well. It’s not something you can set-and-forget, however. Continue to build upon the work you’ve done to get your VM program to a more robust level as time goes on.