As we said in the introduction to this series, cybercriminals are becoming increasingly sophisticated in their assaults, and the methods of the past to defend against them are no longer adequate. The threat actors are scanning their targets for vulnerabilities and stealthily infiltrating organizational infrastructures until they find the prize they’re seeking.
Cybersecurity professionals know they have to avail themselves of the best defenses to meet this change of status. The phrase “vulnerability management” covers what is involved, and different organizations have different terms and steps to describe what is required. Don’t be surprised if what you read elsewhere doesn’t fit the exact sequence we’ll detail. The final destinations are largely identical.
At NopSec, we think of the pathway to optimal vulnerability management as consisting of these phases:
- Prepare — You need to line up resources in the form of a budget, team members, tools and processes for what you’re about to undertake.
- Discover — With everything lined up, you’re first discovering your status as an organization and where you may have vulnerabilities. This means a view of all possible weaknesses that could allow cybercriminals an entry point, as well as a holistic understanding of endpoints, their usage, the people responsible for them, etc.
- Prioritize — Next you need to see which of the vulnerabilities should be addressed first, then second, and down the line so the biggest dangers to your organization are given attention before the lesser dangers. “Danger,” of course, is determined by your organization. For instance, an attack that results in disclosure of customer information may be ranked ahead of one that exposes proprietary information about a product that is valuable but not fundamental to the business’s success.
- Remediate — As soon as you identify the biggest danger, you’ll want to remediate it as quickly and completely as possible. However, remediation efforts must balance the need to protect the organization from harm with ongoing business needs. Overly aggressive actions may impede revenue unnecessarily, so remediation — like all aspects of vulnerability management — must be approached cautiously as well as rapidly.
- Simulate — As you move up your level of preparedness, you next want to anticipate possible attacks and see how well you’re equipped to defend against them. Cybercriminals are not resting in their efforts to grab your treasures, so you need to understand what your adversaries might next want to attempt.
- Measure and Analyze — Using data generated by your activities, tools and other sources of information, you can further refine your efforts. Which approaches are working best and are worth continued investment? Which third-party suppliers may pose a significant cybersecurity threat and should be either limited in interactions with your organization or replaced with another provider?
Of course, these are broad concepts, each of which needs to be explored in greater detail. But we’ll need to stay at a high level for now and in the next set of posts to give you the wider perspective critical for a vulnerability management system that works for you and your organization.
Next: People, Process and Technology: The Three-Point Structure That Supports Vulnerability Management