Vulnerability Management is a Lie
- Jun 28, 2013
- Guest Author
I came across a post by Tony Turner titled, “Vulnerability Management is a Lie” and I could hardly wait to read it with a headline like that! Mr. Turner approached vulnerability management from the perspective of an “Internal Security Guy” and his argument mirrored many of the challenges that we hear from our customers. Now it’s my turn to comment on exactly why he may be correct!
Mr. Turner begins his post describing the phases of vulnerability identification. What we’ve found with our customers is that jumping right into the use of a vulnerability scanner sometimes leads companies in the wrong direction. It is crucially important to understand what assets and applications are most important to your organization, so you can focus efforts. The adage, “any road looks good if you don’t know where you’re going” certainly holds true when it comes to an IT security strategy.
Most of our customers have a process in place to deal with identifying vulnerabilities. You can read more about this in a prior post, Mistakes Companies Make When it Comes to Vulnerability Management. Mr. Turner states, “We hire penetration testers to test our systems and pray that we get a useful report at the end of the engagement that can help us through this process.”
In most cases classification of the discovered vulnerabilities is pretty straightforward. The database of Common Vulnerabilities and Exposures (CVEs) makes it easier to share data across separate vulnerability tools. However, we find that where most vulnerability scanners fall short is in tailoring information to the specific organization. Mr. Turner laments, “This can be difficult and time consuming if you are doing this across your enterprise.” In our solution, Unified VRM, we deliver a prioritized list of vulnerabilities based on your company’s unique business environment without you having to do the work.
“If your vulnerability management teams are independent from operational groups it can be really tough to pull this stuff off.” Indeed. Vulnerability management is as much a people process as a technology process. In Unified VRM, we try to help by fostering collaboration among internal teams on security projects: it provides a consistent view of vulnerabilities and helps disparate teams track progress toward resolution. Mr. Turner’s suggestions on “How do we fix this?” are addressed here.
So is vulnerability management a lie? Only if you let it. Please view our approach to vulnerability management and discover the truth — get started by reading our Best Practices Guide: Vulnerability Management