Time is Money, Part 1: Vulnerability Management Maturity Levels

Time is Money is a six-part series we’re going to post throughout the first few months of 2019. We’ll also have several webinars related to these posts. Before we can understand how NopSec saves time and money, we need to first understand where that time is going. To understand what’s happening with employees’ time, we have to understand the maturity of the vulnerability management program, which is the topic of this first post in the series.

Level 1: Unmanaged and Undefined

At this level, vulnerabilities are often addressed and fixed only when they are perceived as an emergency. Someone in upper management reads about Drupalgeddon, for example, and asks the question – “Do we run Drupal?”

The answer comes back yes and everyone goes to red alert. Hopefully, things go back to normal before the next emergency.

There is no defined vulnerability management or remediation process at this level, and no one is formally tasked with responsibility for finding, analyzing or fixing issues. We often see ‘heroes’ at this level who step up and take care of the issues when necessary, before going back to their normal responsibilities.

If you’ve ever read The Phoenix Project, we’re talking about Brent.

Level 2: Defined, but Poorly Managed

The organization, at least at individual employee levels, has realized there should be a vulnerability management process. Perhaps someone buys a vulnerability management product and starts running scans.

The problem here is that there isn’t support from management, there hasn’t been much communication about this first effort, and that first scan is about to open Pandora’s Box. Often, it’s one of these heroes who has gone out and acquired a product to ‘get things under control’. Perhaps it is even a trial version, or they’re comparing several products and don’t have final approval to purchase anything yet. Whatever the case, they eventually run a scan and the results come back.

The natural reaction to this situation is panic. We need to get the critical vulnerabilities out of this system and to the asset owners immediately. We need to let upper management know about these issues. How did things get so bad? Where do we even start? You especially have our sympathies if your first scan was an authenticated scan, which will likely return an order of magnitude more results than an unauthenticated one.

One thing you can count on is that the scanner will immediately become an essential tool. There’s no unseeing all those vulnerabilities. There’s no closing Pandora’s Box. That’s a problem, because without a plan, a single vulnerability scanner can create a constant, never-ceasing sense of urgency.

If there was previously any semblance of order with change management, it will be tempting to put it on hold and declare a state of cyber-emergency until the massive swaths of red on these vulnerability reports give way to mostly orange and yellow. Rushing patches out causes more problems.

Many organizations get trapped at this level and never leave. To many, this is what information security is – an endless cycle of scan, analyze and patch. Scan, analyze and patch. It’s common to see nearly all of a security team’s resources focused on patch management and vulnerability management.

Level 3: Mandated

Congratulations! Management recognizes the need for vulnerability management, responsibilities have been assigned and budget has been allocated. Perhaps the mandate comes from regulations, or upper management is simply convinced that it is a worthy investment. Whatever the reason, support from leadership is important. So are communication and having everyone on the same page. This represents a major hurdle cleared in the quest for maturity.

The remaining problem, however, is that the amount of work to be done is still monumental. There’s too much data and not enough time or people to fix all these issues. There are two paths from this point: throw more people at the problem, or adopt better technology. Some organizations may even have the resources to do both.

Level 4: Defined, Managed, Efficient

Using more people can work, especially if processes are efficient and well-defined. Using a managed security services provider (MSSP) in place of directly hiring additional headcount is an increasingly popular choice. In the past, most MSSPs just managed firewalls or monitored intrusion detection systems. These days, they’ll do everything from vulnerability management to malware detection and analysis.

NopSec has chosen to explore the second path mentioned above: better technology. We’ve found that better prioritization and automation of manual tasks can greatly reduce labor costs and, by shortening time to remediation, risk exposure.

In fact, that’s exactly where we’ll pick up in the next post, Time is Money, Part 2: Vulnerability Analysis.