In this third and final post of our series on vulnerability management, elevenM’s Theo Schreuder explores some of the common challenges faced by those running vulnerability management programs.

In our experience working with clients, there are some recurring questions that present themselves once vulnerability management programs are up and running. We outline the main ones here, and propose a way forward.

Challenge 1: Choosing between a centralised or decentralised model

Depending on the size of your organisation, a good vulnerability management program may be harder or easier to implement. In a smaller organisation it usually falls to a single security function within the IT team to provide management of vulnerabilities. This makes it easy to coordinate and prioritise remediation work and perform evaluation for exemptions.

However, in larger organisations, having individual systems teams all trying to manage and report on their vulnerabilities makes it difficult to manage vulnerabilities in a holistic way. In these scenarios, a dedicated and centralised vulnerability management team is necessary to provide governance over the entire end-to-end cycle. This team should be responsible for running scans and providing expertise on assessment of vulnerabilities as well as providing holistic reporting to management and executives.

The benefit of a dedicated vulnerability management team is that there is a single point of contact for information about all the vulnerabilities in the organisation.

Challenge 2: Ensuring risk ownership

To avoid cries of “not my responsibility” or “I have other things to do” it is important to establish who owns the risk relating to different assets and domains in the organisation, and therefore who is responsible for driving the remediation of vulnerabilities. Without a clear definition of responsibilities and procedures it is easy to get bogged down in debates over responsibilities for carrying out remediation work, rather than proceeding with the actual doing of the remediation work and securing of the network.

Furthermore, in our experience there are often different responsibilities with regards to who patches what in an organisation. As mentioned in our previous post, often there is a distinction between who is responsible for patching of below base (system level) vulnerabilities and for above base (application level) vulnerabilities. If these distinctions, and the ownership of risk across these distinctions, are not clearly defined then the patching of some vulnerabilities can fall through the cracks.

Challenge 3: Driving risk-based remediation

The importance of having an organisation-wide critical asset register cannot be overstated. From the point of view of individual asset owners, their own application is the most critical….to them. It is important to take an approach that measures the risk  of an asset being exploited or becoming unavailable in terms of the business as a whole, and not just in terms of the team that uses the device.

In the same way, security risks, mitigating controls and network exposure must be taken into account. From a risk perspective, an air gapped payroll system behind ten thousand firewalls would not be as critical as an internet-facing router that has no controls in place and a default password that allows a hacker access into your network. Hackers don’t care so much about the function of a device if it allows them access to everything else on your network.

To recap …
We hope you enjoyed the series on vulnerability management. For a refresher, you can find links to all the posts in the series at the bottom of the article. In the meantime, here are our 5 top steps for a good vulnerability management program:

  1. Get visibility quickly – scan everything and tailor reports to different audiences.
  2. Centralise your vulnerability management function – provides a holistic picture of risk to your entire network and supports prioritisation.
  3. Know your critical assets – understand their exposure and prioritise their remediation.
  4. Get your house in order – have well defined and understood asset inventories, processes and risk ownership.
  5. Automate as much as possible – leverage technology to reduce the costs of lowering risk and allow you to do do more with less resources.

Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations