Creating a Vulnerability Management Program – The People, Process, and Technology
- Apr 05, 2022
- Brad LaPorte
Continuing our How to Build a VM Program series, this third installment breaks the working components of a program into three integral and equally important parts- people, process, and technology. All three are necessary to create an effective and scalable vulnerability management program, but each have their own unique considerations.
Many of us who are involved in technological fields became interested in it because we loved the hardware, the programs and all the other tech tools that are essential in our job functions. And so when a problem arises, we have a tendency to jump first into evaluating the technical solutions to the issue.
That’s fine — it’s good to understand what vendors have created to address a given challenge. But too much of a focus on technology itself can result in buying things that aren’t appropriate for our situations because we didn’t fully know what we needed to begin with. That’s why we suggest you start with the two other parts of the people-process-technology structure before making an investment in cybersecurity tools.
Let’s start with people.
To respond well to cybersecurity threats, ideally you’ll have teams with two different functions: One team to run the vulnerability management strategic side (assessing risks, prioritizing actions, simulating threats and the like) and another team to monitor and remediate threats. But you can start with just a handful of people. – a security director or manager tasked with handling vulnerability management and at least one analyst who identifies, tracks and assesses vulnerabilities across your environment. On the remediation side, you’ll want someone in charge of fixing the vulnerabilities, although that person’s responsibilities may span across multiple departments, such as IT, DevOps, and AppSec.
But as you learn more about vulnerability, you’ll likely want to evaluate the best use of your existing staff as well as other potential hires. This means understanding the overall process of the workflow and the activities involved in each stage. Process, in other words.
You’ll need to educate yourself about the way organizations approach cybersecurity, but recognize that this is a crawl-walk-run proposition. Don’t expect to move too quickly, or you’re likely to stumble. You might want to look at such resources as the CRR Supplemental Resource Guide, Vol. 4: Vulnerability Management to see how organizations should create a solid program.
Implicit in the process requirement is getting buy-in and support from your top leadership, as well as broad understanding of the issue across your organization. This is a collective effort that requires commitment for the long term. Cybersecurity is an issue that is unlikely to go away anytime soon, if ever. That fact has to be known and appreciated by everyone.
Finally, you’ll see what tools and technology you’ll need. Common vulnerability-finding tools used by security teams unearth vulnerabilities (“vulns”) within the environment. Once these vulns are located, a configuration management database provides detailed information about all the hardware and software assets in an organization. A vulnerability management solution makes sense of this acquired data, then sorts it and ranks the vulnerabilities on the threat they represent to the organization. These are then fed into a remediation workflow (typically using a ticketing system) which is shared with IT and DevOps.
Next you’ll want to take this information and cross-reference it with the threat landscape of your environment. This will help you determine the impact of a potential exploit—another key factor in determining risk. Tools such as CVE (common vulnerabilities and exposures) lists, CPE (common platform enumeration) and CWE (common weakness enumeration) information offer a start, but to effectively cross-reference, you need broad, real-world data that only a modern vulnerability management program will incorporate.
If you haven’t read the first two installments of this series you can do so here:
Next: Creating a Vulnerability Management Program – Discovering Your Vulnerabilities: The First Foray