What are the most important steps in the vulnerability management process? What technologies are essential?
When you start the process of managing security vulnerabilities within your organization, there are a few essential steps to make it successful, including:
1. Discover your IT assets and determine the network boundaries.
2. Organize and categorize these assets according to your organization and by business risk, for example:
- Geography / Function / Technology groups
- Classified by business risk analysis
- Remote or centralized administration with multiple user accounts
- Business Units.
4. Generate reports and prioritize remediation plans communicated to the correct stakeholders, for example:
- Executive report with global/transversal metrics
- Differential reports to measure the improvements and progress of patching.
- Implement a patch management process/technology
- A change management process is needed for production systems
- Test patches before deploying in production
- Deploy secured configuration policies
- Update security policies regularly.
While all the steps mentioned are extremely important, to get an optimal outcome you will really want to focus attention on the prioritization and reporting aspects. Specifically:
Prioritization: vulnerability scans can generate a lot of data, and it is easy to get lost in the details. To know where to start the process, or how to improve it, prioritize the results based on:
- Importance of the assets
- Severity of the vulnerabilities
- A risk analysis of your assets/network is a good starting point: “What assets are important for my company in order for the business to continue to run without interruption?” Then create an inventory of the applications and assets that are the most important to your business operations.
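The prioritization and differential-reporting steps above, as an added worked example that is not part of the original article: asset criticality comes from the business-risk analysis, each finding carries a CVSS score, and two scan snapshots are compared to measure patching progress. All asset names, vulnerability ids, scores and the 1-3 criticality scale are constructed for illustration.

```python
# Constructed sample data: asset criticality from the business-risk analysis
# (hypothetical scale: 1 = low, 3 = business-critical).
ASSET_CRITICALITY = {"erp-db-01": 3, "web-portal": 2, "dev-box-07": 1}

# Each finding: (asset, vulnerability id, CVSS base score). Ids are made up.
SCAN_WEEK1 = [
    ("erp-db-01", "VULN-A", 9.8),
    ("erp-db-01", "VULN-B", 5.3),
    ("web-portal", "VULN-A", 9.8),
    ("dev-box-07", "VULN-C", 7.5),
    ("dev-box-07", "VULN-A", 9.8),
]
SCAN_WEEK2 = [
    ("erp-db-01", "VULN-B", 5.3),
    ("web-portal", "VULN-A", 9.8),
    ("dev-box-07", "VULN-C", 7.5),
    ("dev-box-07", "VULN-D", 4.0),
]


def prioritize(findings, criticality):
    """Rank findings by asset importance times CVSS severity, highest first.
    Assets missing from the inventory default to the lowest criticality
    rather than being dropped, so inventory gaps stay visible."""
    ranked = []
    for asset, vuln_id, cvss in findings:
        score = criticality.get(asset, 1) * cvss
        ranked.append((round(score, 1), asset, vuln_id))
    return sorted(ranked, reverse=True)


def differential(previous, current):
    """Differential report: what was fixed, what is new, what is still open."""
    prev_keys = {(a, v) for a, v, _ in previous}
    cur_keys = {(a, v) for a, v, _ in current}
    return {
        "fixed": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "still_open": sorted(prev_keys & cur_keys),
    }


def summary_metrics(previous, current):
    """Executive-level numbers: open before/after, fixed count and fix rate."""
    fixed = len(differential(previous, current)["fixed"])
    before = len(previous)
    rate = round(100.0 * fixed / before, 1) if before else 0.0
    return {"open_before": before, "open_now": len(current),
            "fixed": fixed, "fix_rate_pct": rate}
```

Note that the medium-severity finding on the ERP database outranks a critical finding on the developer box: asset importance, not raw CVSS, decides where remediation starts.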
In regards to essential technologies, look for:
Scanning technology/architecture that is:
- Scalable and easy to deploy: as your network will change over time (company growth, acquisitions, reorganization, etc.), you need a scanning technology that can easily evolve and adapt to support these changes.
- Accurate: no false positives, so that effort goes to the real vulnerabilities that need to be fixed.
- Universal: it should support all the operating systems and products deployed in your company, so that one solution gives you the coverage you need.