Best Practices for Enterprise Vulnerability Management
A well-known idiom states that rules are made to be broken. While law enforcement officials and parents may disagree wholeheartedly with that statement, it certainly seems that software and hardware creators have applied this principle to many of the products they create. Our world is becoming increasingly dependent on digital products and services, and as the number of these devices increases, so does the vulnerability count. Over 8,000 vulnerabilities were published in Q1 of 2022, continuing the record-setting pace set in previous quarters. Compounding the issue is the seemingly glacial pace at which some vendors release updates, leaving enterprises and individuals on the hook for stopping the attacks they know are coming.
Traditional vulnerability management teams have struggled with massive ‘patching campaigns’ that, while thorough, are incredibly disruptive to the enterprise. Here are a few tips to keep your vulnerability management program in check.
Know Your Assets
Your infrastructure comprises thousands of devices, each with its own software and/or firmware. Each has its own set of vulnerabilities that you will never know about without the proper visibility. Consider the types of assets that may exist, and ensure that your detection capabilities can document both the assets that currently exist and those that are likely to appear. At the very minimum, you should account for the following:
- Internal assets
- Externally-facing assets
- Cloud-hosted assets
- BYOD and ephemeral assets
Understand that not everything on your network will have been placed there by authorized staff, and ensure that you are able to detect and, ideally, quarantine devices that do not belong. Treat this as an exercise and exert the level of control over rogue assets appropriate for your required level of security.
Get Smart (Use Intelligence Feeds)
Your threat intelligence team (or person) can never know everything they need to know. They are probably tasked with many other duties in the workplace, and every bit of knowledge helps. Take time to understand the difference between Strategic, Operational, and Tactical intelligence and apply them at the appropriate levels of the organization. Take advantage of threat and vulnerability feeds like VulDB or even a paid service and integrate the data into your overall process.
When is a critical vulnerability not truly critical? Is there ever a time when you can deprioritize something once thought critical, and more importantly, are there low to moderate-level vulnerabilities that are given less thought but can seriously cripple the enterprise? Without applying relevant data and prioritization efforts, you may be wasting time on non-issues or ignoring relatively hidden threats. Building on your asset management program, you should understand how placement on the network, the availability of exploit code, and organizational priorities affect your program. Developing a proactive approach to understanding the true impact of vulnerabilities and threats will pay dividends in managing the effort involved in running the program.
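The re-prioritization described above, as an added worked example that is not part of the original article: a small scoring function that combines a vendor's CVSS base score with the three contextual factors the text names (placement on the network, availability of exploit code, organizational priority). The placement weights, multipliers and sample findings are constructed assumptions for illustration, not a published standard.

```python
from dataclasses import dataclass

# Constructed weights keyed to the asset classes listed under "Know Your Assets".
PLACEMENT_WEIGHT = {"external": 1.0, "cloud": 0.8, "byod": 0.7, "internal": 0.4}


@dataclass
class Finding:
    asset: str
    placement: str          # one of the PLACEMENT_WEIGHT keys
    cvss: float             # vendor / NVD base score, 0-10
    exploit_public: bool    # exploit code available, e.g. flagged by a vuln feed
    business_priority: int  # organizational priority: 1 (low) .. 3 (crown jewels)


def effective_priority(f: Finding) -> float:
    """Return a 0-10 contextual priority (assumed multiplicative model)."""
    if f.placement not in PLACEMENT_WEIGHT:
        raise ValueError(f"unknown placement {f.placement!r} for {f.asset}")
    score = f.cvss * PLACEMENT_WEIGHT[f.placement]
    if f.exploit_public:
        score *= 1.5                        # weaponized bugs move up the queue
    score *= 0.6 + 0.2 * f.business_priority  # 0.8, 1.0 or 1.2
    return round(min(score, 10.0), 1)


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest contextual priority first."""
    return sorted(findings, key=effective_priority, reverse=True)


# Constructed sample findings: a "critical" bug on a low-value internal host
# versus a "moderate" bug on an externally facing, high-value, exploited asset.
SAMPLE = [
    Finding("build-server-01", "internal", 9.8, False, 1),
    Finding("customer-portal", "external", 6.5, True, 3),
    Finding("billing-api", "cloud", 7.5, True, 2),
    Finding("contractor-laptop", "byod", 5.3, False, 2),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{effective_priority(f):>5}  cvss={f.cvss:<4} {f.asset}")
```

Run as-is, the CVSS 9.8 internal finding drops to the bottom of the list while the CVSS 6.5 externally facing finding with public exploit code rises to the top.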
Layer Your Defenses
Zero-day exploits were involved in 66% of malware in Q4 2021. This means that no matter how well-informed you are, some vulnerabilities will be exposed and used against your organization. When those weaknesses are exposed, leverage the power of a layered defense to protect your organization. A good approach builds a series of capabilities that examine threats from different perspectives to limit a threat’s blast radius. In addition, take time to safely test your network against real-world threats. Red/Blue/Purple team testing is an invaluable way to test the response level of your entire organization, including both technical and process-related controls.
Even the best-laid plans can be rendered somewhat less effective when a change occurs in the environment. Change management plans should account for the affected items and how the organizational controls around them change. Understanding changes in how, for example, data is ingested, processed, and stored will inform the overall vulnerability management program and allow you to focus efforts where they are needed most. Ensure that your change management process includes relevant security input that re-prioritizes assets as their use within the organization changes.
Managing vulnerabilities within a complex enterprise can seem like more of an art than a science, and it can be challenging to stay abreast of the details and various nuances. Regardless, an organized approach is essential to help manage overall risk. Taking the above steps adds robustness and lends order to an often chaotic and challenging process.
To learn more, reach out to our security team today.