Creating a Vulnerability Management Program – Discovering Your Vulnerabilities: The First Foray
- Jul 12, 2022
- Brad LaPorte
We talked previously about the need to use people, processes, and technology wisely to support your vulnerability risk management. Each element needs to be addressed and sequenced properly. You need to understand your existing human-resources capacity, plan how to group those people, and assign responsibilities. Only then does it make sense to acquire new tools (although many are tempted to do this sequence backwards).
At this point, we’re assuming that you have enough in your toolbox to begin discovering where you are vulnerable, and you’ve lined up the people to do the work. The first order of business in your processes might be to look at where you have information silos that must be overcome.
You can’t effectively understand threats and address them if you can’t see all of them at once. Analyzing threats to separate locations or operations shouldn’t involve potentially duplicate efforts. For example, if you’re worried about a specific attack vector, you should be able to do a complete sweep of your assets all at once, rather than doing it for each separate location or operation.
On the other hand, this doesn’t mean you should blend the entire network into one open exchange. It’s in your security interests to be able to segment inflows to where they’re needed. This makes it easier to isolate portions of your network that might be subject to an attack aimed at certain endpoints not found throughout your enterprise. For example, if the vector is aimed at IIoT devices, you would want to shut down portions of your manufacturing operation but not the network portions serving HR, sales, accounting, etc.
You also want to begin to get a rough understanding of what areas should get priority when it comes to discovering and remediating cyberattacks. Those with the highest revenue value and potential legal consequences, such as customer information, should get top priority.
You’ll want to conduct an initial cybersecurity risk assessment of your infrastructure while understanding how your security efforts mesh with the business goals of your organization. This means answering these questions:
Also consider conducting table-top exercises, meeting with experts and engaging in security validation activities.
One key point: Not all alerts require action. If a threat is aimed at financial security firms, and you oversee cybersecurity for a hospital, ignore it and focus on threats that are pertinent to your organization. Similarly, threats may be directed at endpoints that aren’t present in your network.
This first foray into your organizational vulnerabilities is needed to get a broader view of where you need to put your efforts in terms of visibility, risks, and prioritization. In subsequent posts, we’ll look at how you can drill down from there and build a more robust, yet sustainable, cybersecurity defense system.
NopSec’s Unified helps organizations further centralize their asset discovery by ingesting their CMDB, and it can utilize existing asset groups. The platform leverages this information to assess asset criticality factors and combine them into the vulnerability risk scores it produces. If you’re curious to learn more about our solution, contact us today. If you’d like to read more about the latest in Vulnerability Management, we invite you to read the 2022 State of Vulnerability Management Report.
Answer: A CMDB is a database that stores information about an organization’s hardware and software assets. This database centralizes all of this information to allow for more efficient asset management and IT decision making.
A risk is the danger posed by the external environment that could be relevant to a company’s cybersecurity preparations. Vulnerability creates risk.