Seven Steps to Developing an Advanced Vulnerability Management Program

For the past two years, cybersecurity teams have been confronted with an unprecedented surge of publicly reported vulnerabilities in both software and hardware products, severely complicating the task of prioritizing patch management.

Jon Ridyard, Senior Sales Engineer at Axonius, outlined seven best practices for establishing a mature vulnerability management process while mitigating professional burnout during a presentation at an industry event.

1. Process: Incorporate CTEM Concepts

Ridyard asserts that vulnerability management should not be framed as a finite program, as such a perspective suggests a termination point once certain goals are attained. He highlighted the need to integrate continuous threat exposure monitoring (CTEM) concepts into vulnerability management processes. This approach advocates for a continuous evaluation of the management processes through breach simulations, attack path analyses, and automated testing. Vulnerability management teams should not solely react to high-profile vulnerabilities or isolated incidents following scans.

2. Prioritization: Go Beyond the Technical Score

Technical scores, such as the Common Vulnerability Scoring System (CVSS), serve as useful tools for vulnerability managers, but they fall short due to their lack of contextualization. Ridyard pointed out that a CVSS score does not encapsulate the unique security posture of an organization, does not consider risk vectors pertinent to specific businesses, and does not identify critical assets. To remedy this, he recommends developing a company-specific vulnerability and patch management matrix that utilizes varied levels of risk prioritization—categorizing them as urgent, high, medium, low, or exempted—within three context areas:

– Security context: CVE entries and CVSS scores
– Asset context: Considerations relating to the production environment, endpoint protection status, and public exploitation
– Business context: Assessment of potential exploitation impacts on broader business operations

3. Offload Triage: Automate Steps Before Mobilization

After establishing a matrix to guide remediation, practitioners must still triage and prioritize detected vulnerabilities. Ridyard recommended leveraging a combination of manual methods and automation to streamline this process. Automation can assist in gathering essential information, such as the CVE identifier, CVSS, and Exploit Prediction Scoring System (EPSS) scores.

4. Remediation: Add Logic to Automate Resolution

Ridyard further suggested that aspects of the remediation process could be automated. This includes tasks related to fixing vulnerabilities and applying compensatory or mitigating controls. He emphasizes the importance of implementing logic that allows the automation of decisions regarding when to engage remediation.

5. Mobilization: Formalize and Gamify Collaboration

Given that vulnerability management often requires cooperation across different organizational teams, it is vital to formalize collaboration efforts and delineate responsibilities clearly. Ridyard proposed gamifying the patch management process—introducing elements of friendly competition to incentivize collaboration. Transforming vulnerability remediation from a mundane task into an engaging activity can enhance teamwork.

6. Metrics: Set and Communicate Expectations

Establishing clear expectations for a robust vulnerability management process is essential. Ridyard highlighted the significance of implementing protection level agreements (PLAs) that align with the board and overall business expectations, based on the security team’s allocated budget. He provided an example: if a budget of $10,000 is allocated to patch vulnerabilities within a specified timeframe, failing to meet these expectations can lead to accountability in the event of a breach.

7. Wellbeing: Empower and Entertain Your Security Practitioners

Lastly, Ridyard emphasized the importance of empowering team members to ensure they feel their work holds meaning and significance. Encouraging proactive creativity within security teams can contribute positively to their well-being and overall job satisfaction.

In summary, implementing these seven steps can significantly enhance the maturity of vulnerability management programs, ultimately strengthening an organization’s overall security posture.