Erik Barnett | July 03, 2012
I hope part 1 of my blog series on vulnerability management was an eye-opener. Accepting the difficult truth of knowing an application or database or system will have vulnerabilities is tough. The National Vulnerability Database shows that there were 13,554 vulnerabilities disclosed in the last three years. While 13,554 is a large number, we have to keep in mind that these are the vulnerabilities we actually know about. How many are still out there, waiting to be discovered? Who will discover them? Will they be security researchers, hacktivists, cyber criminals or government-sponsored attackers?
As security professionals, we know that we have to plan for managing vulnerabilities as part of our daily business. But who else in the business knows? And do they actually know?
At times, I find that the communication about an abstract program like vulnerability management is not done effectively. The evidence of this is usually a lack of personnel to support the program, no budget for the correct tools, and other parts of the business not being fully accepting of or engaged in it.
To start your vulnerability management framework, you need to build using a “Top Down” approach. My compliments go to (ISC)² for that information nugget, because without the support of the top-level company tiers (executives, directors, managers, etc.) no one will rally to your banner. That is not to say that you can ignore the technical issues of vulnerability management, but a technically-driven program will only get you so far without executive management support/muscle. Vulnerability management is truly a team effort, with a little something for everyone to contribute.
After gaining long-term (this is a key word) acceptance of the team concept, the next step is to understand your world and balance that against your available resources. Vulnerability management is a full-time job (or jobs). Devoting less focus than that is to ask for trouble in the worst way. Vulnerability management isn’t as simple as scanning, patching and scanning again, then calling it a day. The best vulnerability management programs know exactly what is flowing through their river at all times.
Hopefully, with the FTE resources and capital (Yes! Vulnerability management takes money!!!) you’re ready for the last piece of your framework: managing the business unit relationship and cooperation. This is the toughest part of the program, because tasks will be required from various units within your organization. Due to the intrusive nature of vulnerability management, the rule of delegation is preferred, and ownership should be shared.
After nailing all the pieces above together, you should have a pretty solid framework which will allow program flexibility as the environment changes. It will also place your vulnerability awareness in a proactive state, instead of the firefighter state. Without a solid security framework, you’re going to be treading water in quicksand.