Vulnerability Management: Five Steps to Cybersecurity Success
Take charge of your cybersecurity program foundation with these five steps: discover, assess, prioritize, remediate and measure all assets across your computing environments.
Tenable Named a Leader in The Forrester Wave™: Vulnerability Risk Management, Q4 2019
Looking for a system of record to measure and reduce cyber risk? Check out the definitive analyst guide for evaluating vulnerability risk management vendors.
Effective risk-based vulnerability management requires a strong process mapped directly to these five Cyber Exposure phases:
The first step in your vulnerability management program is to inventory all hardware and software assets across your entire attack surface. This can be difficult because you likely have diverse asset types such as traditional IT, transitory, mobile, dynamic and operational technology, which often require different discovery technologies. To discover these diverse assets, you may be using disparate technologies from multiple vendors, which increases your acquisition and management costs. Using a variety of disjointed discovery products also results in asset inventory silos, making it difficult—if not impossible—to map diverse assets to your business services.
Understand your complete attack surface.
The foundation of your vulnerability program includes taking a complete inventory of every hardware and software asset across all of your computing environments, including IT, mobile, cloud and operational technology. You must identify all of the assets in your attack surface before you can adequately protect it.
Know which assets support specific business systems.
Group assets by business system to identify critical assets and inform vulnerability assessment and remediation. You can also group assets by type, geography and other user-defined criteria.
Streamline IT asset management processes.
Integration between Tenable platforms and your IT Configuration Management Database (CMDB) provides you with an enterprise-class system of record for your assets. The Tenable platform improves CMDB data integrity by adding assets identified during the Discover phase that may have been previously unrecorded in the CMDB. Asset attributes in the CMDB, such as asset owner, administrator, location and SLA will inform downstream vulnerability management phases. Rich CMDB data facilitates IT service management processes, including asset management and change management.
[We have] live discovery of every Netskope asset, providing dynamic and holistic visibility across the modern attack surface (cloud, data center, IoT, etc.). This includes automating asset discovery, particularly assets in their cloud infrastructure, including containers.Netskope Read the Case Study
Assessing assets for vulnerabilities and misconfigurations across your complete attack surface is challenging due to diverse asset types. Your asset mix likely includes traditional IT, transitory, mobile, dynamic and operational technology assets. These diverse asset types require different assessment technologies, but they all must be supported in a single vulnerability management platform that delivers a unified view of exposures.
Audit patching and configuration changes.
Ensure that you remediate vulnerabilities and misconfigurations as expected.
Inform incident management.
Automatically send vulnerability and misconfiguration information to your security information and event management (SIEM) to enrich event data, help prioritize events for investigation and inform responses.
Tenable.io provides us with a unified view of the state of all of our assets. We use it to run compliance scans in addition to system and network vulnerability scans across all our assets every night.Francis Pereira, Head of Infrastructure, CleverTap Check Out the Video Case Study
Understand vulnerabilities in the context of business risk and use that data to prioritize your team’s efforts. With a risk-based approach to vulnerability management, your security team can focus on the vulnerabilities and assets that matter most, so you can address your organization’s true business risk instead of wasting valuable time on vulnerabilities attackers may not likely exploit. By understanding the full context of each vulnerability, including the criticality of affected assets and an assessment of current and likely future attacker activity, you can take decisive action to reduce the greatest amount of business risk with the least amount of effort.
Provide comprehensive vulnerability information to IT Operations for remediation.
Focus remediation resources on vulnerabilities with the highest potential to adversely impact your organization. Document what the vulnerability is, why it is a top priority and how it can be remediated.
Inform incident management.
Automatically send vulnerability and misconfiguration information to your SIEM to enrich event data, help prioritize events for investigation and inform responses.
We can’t dump that list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us. If I give them a list of a couple of hundred? [...] They’ll engage.Dan Bowden, CISO, Sentara Healthcare Check Out the Video Case Study
Remediating high-priority vulnerabilities, misconfigurations and other weaknesses often requires more than simply installing patches. Patching and other remediation activities require a handoff to IT operations staff, along with clear expectations and instructions. There are some instances when patch application isn't feasible. For example: a patch is not available; applying a patch may do more harm than good; or there are concerns about the system’s sensitivity. In these instances, your security team should consider applying compensating controls as an alternative. By taking a risk-based approach that prioritizes vulnerabilities and assets, you can reduce time and effort needed to secure your attack surface.
Improved operational efficiency.
Focus remediation resources on vulnerabilities with the greatest potential impact on your organization. Document the vulnerability, why it is a top priority and how it can be remediated.
A closed-loop vulnerability management process ensures you accomplish remediation as expected. Remediation scans validate if your vulnerability remediation actions on targets are successful. If a remediation scan cannot identify a vulnerability on previously identified targets, the system changes the status of vulnerability instances to "mitigate."
By putting in the right tools, IT security is now able to get ahead and patch and remediate and resolve security issues before they are discovered by the bad guys.Mike Koss, Head of IT Security & Risk, N Brown Group Watch the Video
Calculate, communicate and compare key metrics to understand your security program's effectiveness. Track your Cyber Exposure Score (CES), time to assess, and time to remediate and compare those metrics internally and against industry peers. Then communicate those results with your team and key stakeholders to build confidence in your program's success.
Communicate status to stakeholders.
Visualizations of your entire attack surface allow anyone—from analyst to executive—to quickly understand and communicate your organization’s Cyber Exposure.
Ensure complete and timely data.
Increase confidence in your risk-based reporting by monitoring the integrity of your risk-based vulnerability management program with metrics, such as scan frequency, scan depth, time to assess new vulnerabilities and time to remediate.
Compare your effectiveness internally.
Measure the effectiveness of your risk-based vulnerability management program to enable a clear dialogue between technical and business leaders to focus on areas for improvement and investment.
Metrics are an important part of information security, and being able to speak the language of executives and to be able to present information in the appropriate fashion. Tenable does a really nice job of helping me do that.American Eagle Outfitters Check Out the Video Case Study