So what is Vulnerability Management? We’d suggest it is an ongoing process to ensure that your organisation remains secure through the mitigation of known vulnerabilities in assets.
Careful risk management is required to ensure that a vulnerability management solution and associated processes are effective (after all, companies don’t have unlimited resources to ensure all vulnerabilities are assessed and addressed). Vulnerability Management solutions enable your teams to proactively identify security exposures, analyse business impacts, and plan and conduct remediation across network, web, mobile, cloud and virtual infrastructures.
Further they enable your team to clearly communicate the risks to operations and compliance teams to further reduce risk to the organisation.
We have a number of tools to address every phase of vulnerability management – from assessment to remediation.
BeyondTrust Retina CS is the only vulnerability management solution designed from the ground up to provide organizations with context-aware vulnerability assessment and risk analysis. Retina’s results-driven architecture works with users to proactively identify security exposures, analyze business impact, and plan and conduct remediation across network, web, mobile, cloud and virtual infrastructure.
An effective Vulnerability Assessment (VA) approach
Organisations are most likely to fall victim to automated, indiscriminate attacks which use known vulnerabilities to compromise an environment. Patching, remediating and mitigating the right vulnerabilities at the right time is critical to an organisation’s overall security strategy.
However, with the number of patches required throughout an environment, it becomes almost impossible to know what to patch and when without an effective vulnerability prioritisation program. Further, addressing vulnerabilities requires a precise, automated and systematic approach to ensure continuous coverage within an organisation.
Ideally an organisation should be able to address critical vulnerabilities within 24 hours. Although in the real world this is sometimes a stretch for organisations, it should be noted that organisational risk reaches moderate levels when a vulnerability remains in an environment for one week, and becomes high when it remains within a critical system for a month or longer.
Policy and Setup – considerations
When considering the Vulnerability Assessment business case a number of items need to be considered.
- What systems are critical to keep your business running?
- How do you rank and prioritise your systems (for patching purposes)?
- How will a patching cycle impact your Change Management process?
- Is there an Approved Software Listing within your organisation that the patching policy should adhere to?
General VA and Patching Sequencing
Regardless of the underlying technology used within the environment, an effective VA and Patch Management solution combine to address two of the ASD Essential Eight mitigation strategies within the organisation: “Patch Applications” and “Patch Operating Systems”.
Essentially the Vulnerability Assessment determines which systems are vulnerable and the Patch Management cycle remediates these vulnerabilities.
Automated Scanning – The cornerstone of good Vulnerability Assessment
Critical to any Vulnerability Assessment is knowing what systems are running on your network. Good VA tools and regimes use a combination of both active and passive scanning of assets across a client’s organization and should include Subnet scanning, Windows Network Scanning and Active Directory Scanning.
Scanning your devices for vulnerabilities is critical and should be completed on a regular schedule.
Separate schedules can be set up based upon your Asset Grouping (around the risk rating of assets, etc.). The following table enables different scanning schedules based upon different groupings.
Consideration should be given to both scheduled and emergency patching policies. Clients should review policies, procedures and change management implications around regular patching vs emergency patching options.
An emergency patching situation may require an immediate patch to systems (at either the OS or Application level) to counter a recent attack against a previously unknown vulnerability.
Automated Patching can be completed on a scheduled basis. Again tasks (and in turn schedules) can be created for differing Asset Groups. Asset Groups should have been defined in prior requirements gathering activities.
Patching of vulnerabilities can be completed based upon severity level. For instance, all vulnerabilities with a severity level of High and above can be patched, meaning all High and Critical vulnerabilities could be patched regardless of whether the individual patches are approved or not.
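The following is an added example (not code from the page or from BeyondTrust) that encodes the policy rules described above: the 24-hour target for Critical findings and the one-week / one-month risk escalation from the VA section, per-Asset-Group scan schedules, and a severity floor for scheduled patching. The `Finding` type, the `"critical"`/`"standard"` group names, the scan intervals and the `VULN-` identifiers are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Thresholds stated on the page: Critical within 24 hours; risk is moderate once a
# finding is a week old and high once it has sat on a critical system for a month.
CRITICAL_SLA, MODERATE_AGE, HIGH_AGE = timedelta(hours=24), timedelta(days=7), timedelta(days=30)
# Assumed per-group scan cadence; the page leaves the actual intervals to the client.
SCAN_INTERVAL = {"critical": timedelta(days=7), "standard": timedelta(days=30)}

@dataclass
class Finding:
    host: str
    asset_group: str  # "critical" or "standard"
    severity: str     # key of SEVERITY_RANK
    vuln_id: str      # constructed placeholder, not a real CVE
    first_seen: datetime

def risk_level(f: Finding, now: datetime) -> str:
    """Age-based risk for one finding, following the page's one-week / one-month rule."""
    age = now - f.first_seen
    if age >= HIGH_AGE and f.asset_group == "critical":
        return "high"
    return "moderate" if age >= MODERATE_AGE else "low"

def auto_patch_candidates(findings, min_severity="High"):
    """Findings a scheduled patch task remediates regardless of approval status."""
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= floor]

def overdue_criticals(findings, now):
    """Critical findings past the 24-hour target, i.e. emergency-patching candidates."""
    return [f for f in findings if f.severity == "Critical" and now - f.first_seen > CRITICAL_SLA]

def scan_overdue(last_scan, now):
    """Asset groups whose most recent scan is older than their configured interval."""
    return sorted(g for g, t in last_scan.items() if now - t > SCAN_INTERVAL[g])

# Constructed sample data so the module runs stand-alone.
NOW = datetime(2024, 6, 1, 9, 0)
FINDINGS = [
    Finding("db01", "critical", "Critical", "VULN-0001", NOW - timedelta(hours=30)),
    Finding("web02", "standard", "High", "VULN-0002", NOW - timedelta(days=10)),
    Finding("file03", "critical", "Medium", "VULN-0003", NOW - timedelta(days=45)),
    Finding("kiosk04", "standard", "Low", "VULN-0004", NOW - timedelta(days=45)),
]
LAST_SCAN = {"critical": NOW - timedelta(days=9), "standard": NOW - timedelta(days=20)}
```

Findings on non-critical assets never reach "high" here because the page only ties the one-month escalation to critical systems; adjust that branch if your own policy differs.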