Vulnerability Management pt.1 – A custom approach

Companies nowadays must face an ever-growing risk: cyber crime. From the very first moment a company publishes its systems or resources on the internet, for the world to see, it exposes itself to threats like cyber crime, hacktivism or plain malicious intent. Vulnerability management should allow an organization to understand, continuously, the risks associated with the vulnerabilities contained in its assets. The goal is to identify and mitigate vulnerabilities in its IT systems so the organization can prevent attackers from causing damage.

For this post I’ll be writing about a relatively new subject, at least for me and for most of the companies in Brazil, and maybe also in South America. As most people know, or should know, the methodologies and good market practices around are not silver bullets; they are very useful as guidelines that you (or your consulting company) can use to draw a customized and efficient process that fits your needs.

Based on my experience, study and years as a security consultant/analyst, I started drawing and developing a Vulnerability Management cycle, reading from many published management best practices, including sources like NIST and SANS. This work was also my essay, presented as my graduation work, which was accepted and approved as my conclusion thesis.

To start off, I’ll quote some basics about vulnerability management as described by SANS in one of its publications. A vulnerability management process typically has the following steps or fields:

  • Asset Inventory
  • Information Management
  • Risk Assessment
  • Vulnerability Assessment
  • Reporting and Remediation Tracking
  • Response Planning

Each field has its own challenges and good practices, which are not my objective for this post, but if you are interested I definitely recommend reading “Vulnerability Management: Tools, Challenges and Best Practices” by SANS. These fields are the baseline for a successful vulnerability management process and therefore must all be covered.

To illustrate the process itself, SANS uses the following image:


Moving to the main objective of this post, I’ll present the field I stressed the most during this project and a complete overview of the proposed custom vulnerability management approach. Before I move forward, here is a little background on my current company and the environment I have to deal with:

“We are a multi-business, multinational enterprise, a holding of 5 different companies, from energy (gas and petrol) to retail and logistics, with 10,000+ employees. My team and I are responsible for the information security processes and risk analysis for all 5 businesses.”

By that I think I can say that our network environment is pretty big and complex, which fully justifies the need to implement such a process.

My goal was to develop a flow of processes that could be executed repeatedly and would feed back into itself, something like the PDCA model and the many others that aim for continuous improvement. The following cycle was developed based on the good practices mentioned above and on my real-world experience, also looking at the company’s needs and our GRC (Governance, Risk and Compliance) objectives.

[Figure: GV0-Fluxo Macro-v1.0-EN (macro flow of the cycle)]

This cycle is the main overview of the vulnerability management process; it is divided into 3 basic processes, as seen above:

  • GV1 Detect Vulnerabilities;
  • GV2 Report;
  • GV3 Manage Vulnerabilities.

Each of these processes has its own set of activities and tasks to be completed before moving to the next step. For GV1, the key activities are:

  • Assess systems, applications and infrastructure;
  • Schedule automated, tool-assisted security tests;
  • Safely exploit critical vulnerabilities, checking their full potential;
  • Analyze vendor and vulnerability newsletters and advisories.

It is crucial that this process is as automated as possible, since it requires analyzing many applications and infrastructures. Recurrence is also very important: as time goes by, new threats and vulnerabilities are spotted in the wild, and consequently new risks appear.

Moving to the second step, GV2, the main activities are:

  • Develop and maintain a reporting standard;
  • Document and communicate the findings;
  • Keep stakeholders aware of the known risks;
  • Align expectations: risk acceptance, remediation plans, etc.

It is important to stay up to date with reporting the findings and to make sure the stakeholders involved are well aware of the risks and impacts the vulnerabilities may present. It is also the time to relate and compile all the information regarding the vulnerable asset, using the asset inventory and vulnerability databases. A callback to GV1 may occur; it should happen whenever the findings could have changed, for example when the stakeholders have taken some mitigation action and the vulnerability must be reevaluated.

For the GV3 step, the key tasks are:

  • Document, manage and monitor vulnerable assets;
  • Keep the risk acceptance or remediation plans on track and up to date;
  • Study and apply vulnerability remediation options (firewalls, IPS, etc.);
  • Focus efforts on mitigating critical vulnerabilities.

This step is supposed to organize the change requests, incident handling and risk management related to vulnerabilities; the idea is to keep track of the risks and keep people aware in a timely manner. For example, if a given incident’s root cause is a previously found vulnerability, were the stakeholders aware of the issue and the impacts it could lead to? Did they accept the risk and leave the vulnerability for a later study? Regardless of the answer, it is important that the information security team does its job of safeguarding the company’s IT assets, informing the stakeholders that there are vulnerable assets and that the risks are real.
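To make the three steps concrete, here is an added example (my illustration, not code from the original post or from the author’s GV process): a small Python tracker that merges successive GV1 scan runs into a findings database, enriches each finding with the asset inventory as GV2 describes, and applies the GV3 lifecycle (risk acceptance with an expiry date, remediation deadlines, and the GV1 callback that re-verifies a finding the owner reports as mitigated instead of closing it on their word). All asset names, owners, vulnerability IDs, SLA values and scan results are constructed for the example; the SLA days and the priority score are assumed policy choices, not SANS numbers.

```python
"""Added example, not code from the original post: a minimal findings tracker
that ties GV1 (scan results), GV2 (inventory enrichment and reporting) and
GV3 (risk acceptance, remediation tracking, re-verification) together.
All assets, vulnerability IDs, SLA values and scan results are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed asset inventory: the GV2 step relates findings to this data.
ASSETS = {
    "web-01":   {"owner": "retail-it",    "criticality": "high", "exposure": "internet"},
    "erp-02":   {"owner": "energy-it",    "criticality": "high", "exposure": "internal"},
    "kiosk-07": {"owner": "logistics-it", "criticality": "low",  "exposure": "internal"},
}
# Assumed remediation deadlines per severity, in days (a policy choice for the example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEV_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    asset: str
    vuln_id: str            # scanner plugin ID or CVE; constructed values below
    severity: str
    first_seen: date
    last_seen: date
    status: str = "open"    # open | risk_accepted | pending_reverify | closed
    accepted_until: Optional[date] = None


class Tracker:
    def __init__(self):
        self.findings = {}  # (asset, vuln_id) -> Finding

    def ingest_scan(self, scan_date, scope, results):
        """GV1 -> GV2: merge one scan run. `scope` is the set of assets the run
        covered; `results` are (asset, vuln_id, severity) tuples as a scanner
        would report them. A finding that reappears after a reported mitigation
        or a closure is reopened; one that vanishes from a scanned asset is closed."""
        seen = set()
        for asset, vuln_id, severity in results:
            key = (asset, vuln_id)
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(asset, vuln_id, severity, scan_date, scan_date)
                continue
            f.last_seen, f.severity = scan_date, severity
            if f.status in ("pending_reverify", "closed"):
                f.status = "open"   # the GV1 callback disproved the fix (or it regressed)
        for key, f in self.findings.items():
            if f.asset in scope and key not in seen and f.status != "closed":
                f.status = "closed"

    # GV2/GV3: outcomes of the expectation alignment with the asset owner.
    def accept_risk(self, asset, vuln_id, until):
        f = self.findings[(asset, vuln_id)]
        f.status, f.accepted_until = "risk_accepted", until

    def report_mitigated(self, asset, vuln_id):
        """Owner says it is fixed: queue a GV1 re-verification instead of closing."""
        self.findings[(asset, vuln_id)].status = "pending_reverify"

    def reverify_queue(self):
        return sorted(k for k, f in self.findings.items() if f.status == "pending_reverify")

    def report(self, today):
        """GV2 report: open findings enriched with inventory data, SLA due date
        and a priority score. Expired risk acceptances are reopened first."""
        rows = []
        for f in self.findings.values():
            if f.status == "risk_accepted" and f.accepted_until < today:
                f.status, f.accepted_until = "open", None
            if f.status != "open":
                continue
            a = ASSETS.get(f.asset, {"owner": "unknown", "criticality": "medium", "exposure": "internal"})
            due = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
            score = (SEV_RANK[f.severity] * (2 if a["criticality"] == "high" else 1)
                     + (1 if a["exposure"] == "internet" else 0))
            rows.append({"asset": f.asset, "vuln_id": f.vuln_id, "severity": f.severity,
                         "owner": a["owner"], "due": due, "overdue": today > due, "score": score})
        rows.sort(key=lambda r: (-r["score"], r["due"]))
        return rows


def run_cycle():
    """Two constructed scan runs plus the GV3 actions taken between them."""
    t = Tracker()
    scope = set(ASSETS)
    t.ingest_scan(date(2024, 1, 10), scope, [
        ("web-01", "VULN-0001", "critical"),
        ("erp-02", "VULN-0002", "high"),
        ("kiosk-07", "VULN-0003", "low"),
    ])
    t.accept_risk("kiosk-07", "VULN-0003", until=date(2024, 6, 30))   # low-value kiosk
    t.report_mitigated("web-01", "VULN-0001")                          # owner claims a fix
    queue = t.reverify_queue()                                         # GV1 callback list
    t.ingest_scan(date(2024, 2, 1), scope, [
        ("web-01", "VULN-0001", "critical"),   # still there: the "fix" did not work
        ("erp-02", "VULN-0004", "medium"),     # new finding; VULN-0002 is gone
        ("kiosk-07", "VULN-0003", "low"),      # still there, but risk-accepted
    ])
    feb = t.report(date(2024, 2, 15))
    jul = t.report(date(2024, 7, 15))   # the kiosk acceptance has expired by now
    return t, queue, feb, jul


if __name__ == "__main__":
    tracker, queue, feb, jul = run_cycle()
    print("re-verify:", queue)
    for r in feb:
        print(f"{r['asset']:9} {r['vuln_id']} {r['severity']:8} owner={r['owner']:12} "
              f"due={r['due']} overdue={r['overdue']} score={r['score']}")
```

The point of the example is the state machine, not the scoring: a mitigation claimed by the owner only moves the finding to a re-verification queue, and it is the next GV1 run that decides whether it closes or reopens, so the “did they know?” question in the incident review always has an answer in the tracker’s history.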

In this first part I’ve only shown a quick preview of this work; in part 2 I’ll dig into a more detailed post about the GV1 process itself.

Source material:

  • SANS – Vulnerability Management: Tools, Challenges and Best Practices
  • SANS – Implementing a Vulnerability Management Process
