Vulnerability Management in Government: Visibility Plus Context
Vulnerability management is an essential part of government cybersecurity. It requires not only continuous monitoring and visibility to spot vulnerabilities, but also the context needed to prioritize vulnerabilities based on risk so agencies can take effective action to eliminate, patch or mitigate.
Successful coaches know that a winning team must be able to execute on the fundamentals. The same holds true for government cybersecurity. The best talent and technology by themselves cannot ensure the security of an agency’s enterprise without a focus on the basics.
Vulnerability management is fundamental to government cybersecurity
Vulnerability management is fundamental to government cybersecurity. It is essential to good cybersecurity hygiene and a basic element of your agency’s risk management. It requires not only that you identify vulnerabilities, but also prioritize them so that they can be effectively eliminated, patched or mitigated. This requires not only visibility, but also context. Tenable, already the most widely deployed security solution for discovering what and who is on your network, can also provide the context and communication you need for fully effective vulnerability management.
According to the latest 2016 Data Breach Investigations Report from Verizon, the median time to exploit a newly identified vulnerability is about 30 days, and the top 10 vulnerabilities account for about 85 percent of successful exploits. This provides agencies with a reasonable window to patch or mitigate the most troublesome vulnerabilities in their systems. But there are another 900 Common Vulnerabilities and Exposures (CVE) that are being targeted by the remaining 15 percent of exploits.
Add to this the fact that your networks are dynamic, with new hardware and software continually coming online and increasingly mobile users accessing your resources remotely, and it becomes clear that managing vulnerabilities must be a continuous process.
A vulnerability management program can’t be effective if it manages only some of your agency’s assets
A vulnerability management program can’t be effective if it manages only some—or even most—of your agency’s assets. It must detect new and hidden (or shadow) devices and applications, as well as transient end devices such as laptops and mobile devices. These unknowns, including cloud assets, must be identified, their status and configuration discovered, and then managed on an ongoing basis.
Anyone who has updated, patched or mitigated vulnerabilities knows that this is not a trivial task. All changes must be vetted to ensure that they do not interfere with vital government missions. Devices that are not permanently part of the network must be managed when they show up—all while dealing with the addition of new software and hardware. This means that vulnerability management must be prioritized. If you can’t eliminate all vulnerabilities, you have to focus on the most important ones.
If you can’t eliminate all vulnerabilities, you have to focus on the most important ones
Which vulnerabilities are most important depends on the level of risk they represent, and this will vary from agency to agency. It depends on the likelihood that a vulnerability will be exploited, and the potential impact. So you not only need to spot the vulnerability, you must also know something about it and the system where it lives.
Relevant information must be made available to public sector stakeholders, including the security team, IT operations, asset owners, and executive-level management.
Visibility plus context
Tenable Network Security provides the visibility and critical context needed to move your agency beyond vulnerability scanning to effective vulnerability management. Tenable’s passive traffic and event monitoring detect and monitor services and applications in use, even in cloud and virtualized environments.
SecurityCenter™ is a comprehensive solution that provides not only discovery, but also analysis and a variety of customizable dashboards, reports and Assurance Report Cards™ so that stakeholders get the information they need. It combines technology with people, with a research team that provides daily content updates.
- Broadest coverage of CVEs
- Powerful communication
- Easy integration with third-party solutions
- Support from Tenable’s world-class team of researchers
The government vulnerability management life cycle includes continuous monitoring, analysis and response. By providing full-cycle vulnerability management, Tenable is ready to help your agency create a successful vulnerability management program.
Check out these resources for more information on vulnerability management:
- Vulnerability Management resources
- Comprehensive Vulnerability Management for a Changing IT Landscape blog
- Stay in touch with Tenable. Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page