What is a vulnerability management program? Well, it’s not a computer program, although you will need some software to run one successfully. Vulnerability management is a discipline, and a vulnerability management program is the ongoing operation that ensures the discipline is working in your organization.
That may raise as many questions as it answers, so let’s dig in.
What is vulnerability management?
Vulnerability management is simply ensuring security-related bugs get fixed. Easy enough, right? That usually means two things. First, it ensures someone is successfully applying patches every month to commercial software, such as software from Microsoft and Adobe. Second, it ensures someone is finding and fixing security-related bugs in your home-grown web applications, such as cross-site scripting and SQL injection.
What is vulnerability management software?
To perform vulnerability management, you need some software. First, you scan your network, both inside and outside the firewall, with software from a company such as Qualys, Rapid7, or Tenable. Ideally, you set the software up so it can authenticate to your machines with administrative rights. This lets it query the operating system about what’s there and what isn’t there. The scan results give you a list of vulnerabilities and the patches to apply that fix them.
Testing for web-based flaws requires different software. Qualys, Rapid7, and Tenable all offer software that automates some of the testing. So do some other companies, such as WhiteHat. You’ll also want a program for performing manual tests. The most popular solution is Burp Suite, from PortSwigger.
The key to vulnerability management
The key to vulnerability management is remembering that the people who find the problems don’t fix them. That’s a separate duty. Your infrastructure team should have at least one person on staff with the knowledge to deploy patches each month as they come out. Your web app developers should be able to fix security bugs the same way they fix other bugs.
I look at it like a player-coach relationship. The vulnerability management team finds issues and points them out to the operational team. It helps immensely if the members of the vulnerability management team once did this same type of work and can occasionally lend an ear and even some advice. This fosters a more effective professional relationship. One way or another, find ways to collaborate so both teams set and reach goals and benefit.
Other skills useful for vulnerability management
Vulnerability scans produce a large amount of data. Being able to look at the data and identify root causes is incredibly useful. Most organizations aren’t as good at deploying patches as they would like to be. The reasons often vary.
Understanding the data
The greatest challenge a vulnerability management practitioner faces is infrastructure teams challenging the data. When you can look at this month’s data and last month’s data and observe that the team deployed a particular Microsoft patch and had a 99% success rate, they start to see that you and Qualys or Rapid7 or Tenable aren’t making the stuff up.
Counting the data
It’s also useful to be able to take the data and generate counts of missing patches and/or vulnerabilities. Whether that means running grep on raw CSV files or loading it into Excel and making a pivot table doesn’t really matter. Look at both the high counts and the low counts.
I once looked over a client’s data with him and I impressed him with an observation I made. “Your teams are really good at deploying Adobe updates and not as good at Microsoft updates. Why?” The answer was that his company used Ivanti products to patch, rather than Microsoft SCCM or WSUS.
In my experience, not every vulnerability management professional would have been able to answer my question.
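The month-over-month comparison and the per-vendor counts described above can be scripted in a few lines. The following is an added example, not code from the original article; the CSV columns, host names and patch names are assumptions made up for illustration and do not match any particular scanner's export.

```python
import csv
import io
from collections import Counter

# Constructed sample data. The columns (host, vendor, patch) and the patch
# names are assumptions for illustration, not a real scanner's export format.
LAST_MONTH = """host,vendor,patch
ws01,Microsoft,MS-PATCH-A
ws02,Microsoft,MS-PATCH-A
ws03,Microsoft,MS-PATCH-A
ws04,Microsoft,MS-PATCH-A
ws01,Adobe,ADOBE-PATCH-B
ws02,Adobe,ADOBE-PATCH-B
"""
THIS_MONTH = """host,vendor,patch
ws04,Microsoft,MS-PATCH-A
ws01,Microsoft,MS-PATCH-C
ws02,Microsoft,MS-PATCH-C
"""
# Hosts the scanner reached this month (constructed); ws03 was offline.
SCANNED_THIS_MONTH = {"ws01", "ws02", "ws04"}

def load_findings(csv_text):
    """Return the set of (host, vendor, patch) rows; duplicate rows collapse."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(r["host"].strip().lower(), r["vendor"].strip(), r["patch"].strip())
            for r in reader}

def counts_by_vendor(findings):
    """Count missing patches per vendor so high and low counts stand out."""
    return Counter(vendor for _, vendor, _ in findings)

def remediation_rate(previous, current, patch, scanned):
    """Share of hosts missing `patch` last month that no longer miss it.
    Hosts not scanned this month are excluded rather than credited as fixed.
    Returns None when no comparable host exists."""
    before = {h for h, _, p in previous if p == patch} & scanned
    if not before:
        return None
    still = {h for h, _, p in current if p == patch}
    return len(before - still) / len(before)

if __name__ == "__main__":
    prev, curr = load_findings(LAST_MONTH), load_findings(THIS_MONTH)
    print("last month:", counts_by_vendor(prev).most_common())
    print("this month:", counts_by_vendor(curr).most_common())
    for patch in sorted({p for _, _, p in prev}):
        rate = remediation_rate(prev, curr, patch, SCANNED_THIS_MONTH)
        print(patch, "n/a" if rate is None else f"{rate:.0%} fixed")
```

Leaving unscanned hosts out of the rate keeps the number defensible when an infrastructure team challenges it, because a host that was offline during the scan is not counted as patched.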
Finding and fixing a common problem
Here’s another gimme. One of the most common problems in vulnerability management is systems not rebooting. Sometimes people forget to reboot after patching, and sometimes SCCM tells the system to reboot and it doesn’t. More frequently, SCCM tells the system to reboot once but the system really needs to reboot twice. A good vulnerability scanner will find these systems for you. That’s in the data too. Find it, and make it a goal to not find any next month. Your teams will have a better month if that happens.
What is vulnerability management, in conclusion
Vulnerability management was a mystery to me a few short years ago. A friend and mentor thought I would be good at it, because of my background as a systems administrator. It turned out he was right, and today I run multiple vulnerability management programs. Yes, multiple.
But I don’t know that anyone has ever really sat down and tried to explain what vulnerability management is, at least not thoroughly. Hopefully this provides a starting point. We won’t get good at this, collectively, until we talk about what works.