
Creating a Vulnerability Management Program – Discovering Your Vulnerabilities: The First Foray


We talked previously about the need to use people, processes, and technology wisely to support your vulnerability risk management. Each element needs to be addressed and sequenced properly. You need to understand your existing human-resources capacity, plan how to group those people, and assign responsibilities. Only then does it make sense to acquire new tools (although many are tempted to do this sequence backwards).

At this point, we’re assuming that you have enough in your toolbox to begin discovering where you are vulnerable, and you’ve lined up the people to do the work. The first order of business in your processes might be to look at where you have information silos that must be overcome. 

Visibility Plus Segmentation

You can’t effectively understand threats and address them if you can’t see all of them at once. Analyzing threats to separate locations or operations shouldn’t involve potentially duplicate efforts. For example, if you’re worried about a specific attack vector, you should be able to do a complete sweep of your assets all at once, rather than doing it for each separate location or operation.

On the other hand, this doesn’t mean you should blend the entire network into one open exchange. It’s in your security interests to be able to segment inflows to where they’re needed. This makes it easier to isolate portions of your network that might be subject to an attack aimed at certain endpoints not found throughout your enterprise. For example, if the vector is aimed at IIoT devices, you would want to shut down portions of your manufacturing operation but not the network portions serving HR, sales, accounting, etc.

You also want to begin to get a rough understanding of what areas should get priority when it comes to discovering and remediating cyberattacks. Those with the highest revenue value and potential legal consequences, such as customer information, should get top priority.

Actions to Take

 You’ll want to conduct an initial cybersecurity risk assessment of your infrastructure while understanding how your security efforts mesh with the business goals of your organization. This means answering these questions:

  • Are your security controls working as expected?
  • What is your organization’s risk appetite?
  • What is the current state of your risk-management governance structure?
  • How are you documenting your cybersecurity actions?
  • Are the controls aligned with your organization’s business strategy or overly cautious and thus interfering with business operations?

 Also consider conducting table-top exercises, meeting with experts and engaging in security validation activities.

One key point: Not all alerts require action. If a threat is aimed at financial security firms, and you oversee cybersecurity for a hospital, ignore it and focus on threats that are pertinent to your organization. Similarly, threats may be directed at endpoints that aren’t present in your network.

This first foray into your organizational vulnerabilities is needed to get a broader view of where you need to put your efforts in terms of visibility, risks, and prioritization. In subsequent posts, we’ll look at how you can drill down from there and build a more robust, yet sustainable, cybersecurity defense system.

NopSec’s Unified helps organizations further centralize their asset discovery by ingesting their CMDB, and it can utilize existing asset groups. The platform leverages this information to assess and combine asset criticality factors into the vulnerability risk scores it produces. If you’re curious to learn more about our solution, contact us today. If you’d like to read more about the latest in Vulnerability Management, we invite you to read the 2022 State of Vulnerability Management Report.

 

FAQ

Question #1: What is a configuration management database (CMDB)?

Answer: A CMDB is a database that stores information about an organization’s hardware and software assets. This database centralizes all of this information to allow for more efficient asset management and IT decision making.

Question #2: What is the difference between vulnerability and risk?

Answer: A risk is the danger posed by the external environment that could be relevant to a company’s cybersecurity preparations. Vulnerability creates risk.

 

If you haven’t read the previous installments of this series you can do so here:

Next: Creating a Vulnerability Management Program – Patching: Take the Panic out of Patching by Managing CVE Threat Overload
