Scanning Ain’t Planning
Why you need more than just tools to manage vulnerabilities.
The first of a multi-part series in controlling the chaos of vulnerability management.
With unpatched vulnerabilities causing one-third of breaches, most security professionals agree that effective, timely vulnerability management is important to keeping organizations safe. However, keeping every OS and every application, across every device in an enterprise environment, correctly configured and up-to-date… well, that takes a lot of time, effort, and resources.
The recent explosion of new vulnerability scanning tools, combined with widespread adoption of cloud and DevOps, has compounded the issue – demanding a completely new approach to the vulnerability management process. The numbers back this up…
The figures above, taken from the Ponemon Institute’s State of Vulnerability Management Study for 2020, paint a painful picture of organizational struggle. Over 70% of security leaders admit to making decisions based on limited information and lack of insight into the VM lifecycle. Meanwhile, over half feel that they are at a disadvantage because they use manual processes (translation: spreadsheets, PDFs, emails, etc.) and struggle with prioritization.
The study gives datapoints to a problem we already knew was prevalent. Enterprises don’t know what or where their assets are, they don’t know what they’re scanning (if they’re even scanning at all), and they don’t know what’s important to fix, or how to fix it. They’re using manual processes, chasing down false positives, and stretching their teams thin in the process.
Too many moving parts. Weak alignment across teams. Information overload. Chaos. The good news is… it really doesn’t have to be this hard. Forming a documented plan and deploying the people, processes, and technology to execute that plan is where to start.
Scanning is Not Planning.
Most organizations don’t have a formal vulnerability management plan. They’ve got Backup & Recovery, Incident Response, Disaster & Contingency, etc… but no documented VM plan. We see a heavy over-emphasis on tools, and a mindset that owning a scanner, or something advertised as a VM tool, means you have a plan. Your plan is to scan. But until you’ve defined your goals and objectives (what gets scanned, how often, what gets fixed, and how fast) and how you plan on meeting them, you probably don’t know what your tool suite should look like.
If you don’t already have a plan in place, a good place to start is the SANS Vulnerability Management Maturity Model. Make an honest assessment of your program and see where you currently fall in the model, documenting the steps needed to mature your program.
People, Processes, and Technology
No one tool is a silver bullet. Any vendor who says so is lying. The people and the processes you have in place are just as important as the tools you’re using to support them. Once you have sketched the plan above, begin mapping objectives to the skillsets of your people, driving towards automation and workflows wherever possible. Vulnerability management is complex and involves a lot of different people from a lot of different teams to be done correctly. While it’s impossible and irresponsible to automate the entirety of the process (someone still has to decide what the SLAs are, accept risk, and verify a fix), you can save a ton of time and resources with smart automation wherever you can. (Nucleus can help with that!)
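To make “know what your assets are, know what you’re scanning, know what to fix first” concrete, here is an added example (not code from this post or from Nucleus) of the kind of automation a plan drives: it reconciles a constructed asset inventory against constructed findings from two scanners, flags hosts that were never scanned and hosts the inventory doesn’t know about, collapses the duplicate finding both scanners reported, and orders the work by SLAs the program defined up front. The inventory, the findings, the placeholder vulnerability IDs and the SLA numbers are all assumptions made for the example.

```python
"""Reconcile an asset inventory with multi-scanner findings and order the work by
program-defined SLAs. Added example with constructed data; not code from the post
or from Nucleus."""
from collections import OrderedDict
from datetime import date, timedelta

# Program objectives first, tools second: remediation SLAs in days per severity.
# These numbers are assumptions for the example, not a recommendation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
EXPOSURE_RANK = {"external": 0, "unknown": 1, "internal": 2}

# Constructed asset inventory (shape of a CMDB export): host -> exposure.
INVENTORY = {
    "web-01": "external",
    "web-02": "external",
    "db-01": "internal",
    "hr-app": "internal",
    "legacy-fs": "internal",
}

# Constructed findings from two scanners; vuln IDs are placeholders, not real CVEs.
# The same issue on web-01 is reported by both tools, and shadow-box is not in the CMDB.
FINDINGS = [
    {"tool": "scanner-a", "host": "web-01", "vuln": "PLACEHOLDER-0001",
     "severity": "critical", "first_seen": "2020-06-01"},
    {"tool": "scanner-b", "host": "web-01", "vuln": "PLACEHOLDER-0001",
     "severity": "critical", "first_seen": "2020-06-03"},
    {"tool": "scanner-a", "host": "db-01", "vuln": "PLACEHOLDER-0002",
     "severity": "high", "first_seen": "2020-05-01"},
    {"tool": "scanner-b", "host": "hr-app", "vuln": "PLACEHOLDER-0003",
     "severity": "medium", "first_seen": "2020-06-10"},
    {"tool": "scanner-b", "host": "shadow-box", "vuln": "PLACEHOLDER-0004",
     "severity": "low", "first_seen": "2020-06-12"},
]


def dedupe_findings(findings):
    """Collapse duplicate (host, vuln) pairs reported by several tools.

    Keeps the earliest first_seen (the SLA clock starts then, not when the
    second scanner noticed) and the highest severity any tool assigned."""
    merged = OrderedDict()
    for f in findings:
        key = (f["host"], f["vuln"])
        seen = date.fromisoformat(f["first_seen"])
        if key not in merged:
            merged[key] = {"host": f["host"], "vuln": f["vuln"],
                           "severity": f["severity"], "first_seen": seen, "tools": []}
        entry = merged[key]
        entry["first_seen"] = min(entry["first_seen"], seen)
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        if f["tool"] not in entry["tools"]:
            entry["tools"].append(f["tool"])
    return list(merged.values())


def coverage_gaps(inventory, findings):
    """Return (inventory hosts no scanner reported on, scanned hosts not in inventory).

    Real scanner exports carry a scanned-host list; here the findings stand in for
    it, so a scanned host with zero findings would wrongly show as unscanned."""
    scanned = {f["host"] for f in findings}
    unscanned = sorted(set(inventory) - scanned)
    unknown = sorted(scanned - set(inventory))
    return unscanned, unknown


def prioritize(findings, inventory, as_of):
    """Order deduplicated findings: overdue first, then severity, then exposure, then due date.

    The ordering policy is itself a program decision (an assumption here), not
    something a scanner can decide for you."""
    today = date.fromisoformat(as_of)
    queue = []
    for f in dedupe_findings(findings):
        due = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        exposure = inventory.get(f["host"], "unknown")
        queue.append({"host": f["host"], "vuln": f["vuln"], "severity": f["severity"],
                      "tools": f["tools"], "exposure": exposure,
                      "due": due.isoformat(), "overdue": today > due})
    queue.sort(key=lambda q: (not q["overdue"], SEVERITY_RANK[q["severity"]],
                              EXPOSURE_RANK[q["exposure"]], q["due"]))
    return queue


if __name__ == "__main__":
    unscanned, unknown = coverage_gaps(INVENTORY, FINDINGS)
    print("never scanned:", unscanned, "| scanned but not in inventory:", unknown)
    for item in prioritize(FINDINGS, INVENTORY, "2020-06-15"):
        flag = "OVERDUE" if item["overdue"] else ""
        print(f'{item["host"]:<11} {item["vuln"]:<18} {item["severity"]:<8} '
              f'{item["exposure"]:<9} due {item["due"]} {flag}')
```

Run as a script it prints the two coverage gaps (web-02 and legacy-fs never scanned, shadow-box scanned but unmanaged) and a four-item queue led by the overdue critical on the external web host. None of this logic is exotic; the point is that every input to it (the inventory, the SLA table, the ordering rule) had to be decided before a scanner could be useful.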