In this article, I will try to answer several important questions about identifying, classifying, prioritizing, and eliminating vulnerabilities in a timely manner, and about how to automate the vulnerability management process.
Let me start by defining the classic process of finding and eliminating vulnerabilities.
What is considered the classical approach here? Many experts believe that vulnerability management covers several stages. First, all software assets in the company's IT infrastructure should be identified. Once you have this inventory, you can find the already known vulnerabilities that affect those assets and fix them. You should also verify that the discovered vulnerabilities have really been fixed.
The most important and perhaps the most challenging stage, requiring the most attention, is removing the vulnerabilities.
At the remediation stage, it is essential to pay attention to the sequence of actions. If vulnerabilities are removed in random order, the process becomes inefficient and lengthy, which satisfies no one, neither the customer nor the service provider.
The reason for the delay is that the list of possible vulnerabilities can be close to endless. Vulnerabilities can be associated with many different features of software and infrastructure. In practice, only a fraction of the vulnerabilities known to a vendor will actually be present in a given company.
It is necessary not only to identify vulnerabilities but also to assign each of them its own priority and degree of importance. Prioritization can be performed along different axes: by software product, by IT infrastructure asset, and by the degree of threat posed.
Adopting vulnerability management
Working with vulnerabilities is not just sorting through a list of potential threats. It is a complex process that must be well managed.
Vulnerability management is part of the existing risk management system. As already mentioned, after the asset inventory we find vulnerabilities and prioritize them. At this stage, findings already emerge that require management decisions: it is necessary to specify immediately how the identified risks will be handled.
There are various options here. You can deal with them directly, or you can group them and hand them to another level for processing, and so on. Thus, already at the stage of analyzing assets for vulnerabilities, you need a ready-made strategy for dealing with risks.
Effective mitigation of vulnerabilities requires a precise choice of actions
Remediation of vulnerabilities is a well-defined, not a stochastic, process. The tactics of its implementation are determined mainly by which tools are used to solve the tasks.
The choice of tactics is essential. If security issues are resolved spontaneously, the task of eliminating vulnerabilities may lose its boundaries: the company begins to run short of time, resources, and staff. This should be taken into account in advance.
Why can't you take a linear, step-by-step approach and just find and fix vulnerabilities as information comes in? If you force sysadmins to patch constantly, they will simply "howl" from the excessive workload.
It can be done differently. After prioritizing vulnerabilities, administrators fix only those at the critical level and ignore medium- or low-level vulnerabilities.
We can say that the process of eliminating vulnerabilities is creative. It requires not only identifying the security gaps that may appear in the company's infrastructure but also conducting the work in a way that conserves human resources. The process should not follow the formal principle of the iterative development and control cycle Plan-Do-Check-Act (PDCA).
Source: https://betanews.com/2022/10/03/vulnerability-management-2023/