Vulnerability Management: Q&A with Mitchell Ashley, CTO StillSecure

June 5, 2006

In this interview, Mitchell Ashley, CTO and VP of Customer Experience at StillSecure, discusses the vulnerability management process and how it interfaces with existing IT systems. Mr. Ashley has more than 20 years of industry experience, holding leading positions in data networking, network security, and software product and services development.

How do organizations put a vulnerability management process in place?

It is important to realize when developing a vulnerability management program that it involves a lifecycle process. The first step is to fully discover the devices present on the network. This should be done on a regularly scheduled basis so devices entering and leaving the network are identified.

Next, identify those devices which are candidates for vulnerability scanning. The best method is to schedule specific devices and ranges of IP addresses for regular vulnerability scanning. Production windows and device availability should be considered when deciding what to scan and when. Again, scheduled scanning is preferred over manual methods so that devices are regularly and consistently scanned for vulnerabilities.

Next, begin the notification and remediation processes. Remediation can be performed via patches (manually or through patch managers), configuration changes, as well as network configuration changes such as updating firewall policies and access control lists. Most important is to maintain a record of all activities from discovery through remediation. This information is critical for reporting results and progress to managers, auditors and outside regulatory agencies. A manageable approach to any vulnerability management process will require automated tools that can perform these steps without requiring additional technical resources that perform manual processes.
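The lifecycle described above (scheduled discovery, scan scheduling by IP range within production windows, notification and remediation, and a central record for reporting), as an added example written for this page; it is not StillSecure's VAM or any product's code. The discovery sweeps, the scan policy, and the finding names are constructed sample data.

```python
import ipaddress
from datetime import time

# Constructed sample data: two scheduled discovery sweeps of the same network.
SWEEP_MONDAY = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}
SWEEP_TUESDAY = {"10.0.1.10", "10.0.2.20", "10.0.2.21"}

# Constructed scan policy: (IP range, window start, window end) per production window.
SCAN_POLICY = [
    (ipaddress.ip_network("10.0.1.0/24"), time(1, 0), time(5, 0)),
    (ipaddress.ip_network("10.0.2.0/24"), time(22, 0), time(23, 59)),
]

def diff_discovery(previous, current):
    """Step 1: devices that joined or left between two discovery sweeps."""
    return sorted(current - previous), sorted(previous - current)

def scan_candidates(hosts, clock):
    """Step 2: hosts whose scheduled scan window contains `clock` ("HH:MM")."""
    hh, mm = (int(x) for x in clock.split(":"))
    now = time(hh, mm)
    due = [h for h in hosts
           for net, start, end in SCAN_POLICY
           if ipaddress.ip_address(h) in net and start <= now <= end]
    return sorted(due)

class VulnHistory:
    """Steps 3-4: append-only record of each finding, discovery to remediation."""
    STAGES = ("found", "notified", "remediated")

    def __init__(self):
        self.events = []  # replaces spreadsheets and e-mail threads

    def log(self, when, host, finding, stage, actor):
        assert stage in self.STAGES, stage
        self.events.append((when, host, finding, stage, actor))

    def latest_stage(self):
        # later events overwrite earlier ones for the same (host, finding)
        return {(h, f): s for _, h, f, s, _ in self.events}

    def open_findings(self):
        return sorted(k for k, s in self.latest_stage().items() if s != "remediated")

    def report(self):
        """Per-stage counts for managers and auditors."""
        counts = dict.fromkeys(self.STAGES, 0)
        for s in self.latest_stage().values():
            counts[s] += 1
        return counts
```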

What are some of the key features and functionality that differentiates vulnerability scanning from vulnerability management?

Vulnerability management is all about creating a sustainable, systematic process. The key to this is automation. Basic vulnerability scanning relies on manual steps that a network or security engineer must perform, populate into spreadsheets, send out via email, wait for replies back, and manually track, update and report. That’s a lot of valuable engineering time and resource wasted performing administrative tasks. Vulnerability management automates all of these processes. The security or network engineer’s time is spent thinking through the proper vulnerability policies that should be used, performing activities such as prioritizing exposures that may exist and then assisting others with diagnosis or repairs.

All of the underlying processes are automated so the engineer can focus on more valuable tasks. The automation also means that these processes will happen regularly and not get interrupted by other duties. Additionally, the data must be warehoused in a central database. Spreadsheets and emails easily become unwieldy, and frankly most technical staff avoid this type of administrative work because it’s a headache. Having a centralized database means a history of vulnerabilities and repairs is immediately available for reporting to management and auditors. We took this into consideration when we built VAM, StillSecure’s vulnerability management platform.

Can vulnerability management tie into the rest of the IT architecture? Is it possible to leverage existing IT systems and processes?

Network security’s job has changed. Many of security’s responsibilities require that they work through other parts of the organization, frequently including those outside of IT. This can be a challenge especially when there already exist systems and processes for making configuration changes, tracking change requests, managing asset inventories, etc. An enterprise class vulnerability management system can facilitate the needed adoption of vulnerability management processes by tying into systems and processes that already exist. It is much easier to achieve results if organizations don’t have to adopt new systems or processes that overlap or replace the current work methods already in use. Integrating your vulnerability management system with an asset management, trouble ticketing, and/or patch management system can significantly ease the adoption of these new processes.

Depending on the tool you use, this can be an easy or very difficult process. Oftentimes vendors throw in APIs as an afterthought when customers start asking to integrate their vulnerability manager with other IT applications. The StillSecure VAM platform, for example, has a purpose-built integration framework and pre-packaged connectors that make integration with the rest of the enterprise IT architecture much easier. Building integration capabilities into a product comes from experience with integrating IT systems, which has always been a priority at StillSecure, with our own product suite as well as the IT systems that security solutions talk to.

What is the best approach for choosing a vulnerability assessment tool for your environment?

Begin with the end in mind. Network and security administrators should figure out whether they’re looking to perform occasional scanning to get a report or whether they need to rely on a systematic process for achieving regular, consistent results. Sometimes a scan here and there is okay. In most situations, especially if others outside of the security team are expecting reliable results, a more comprehensive vulnerability management program is required.

Here are some things to consider when looking for a vulnerability management system: How much automation is provided for scheduling, scanning, notifications, and reporting? Can the tool facilitate the workflow needed by system administrators and security staff, and is it flexible enough to work within the rest of the organization? Can the system handle the distributed topology of the network, and is it scalable enough to handle the changes and anticipated growth? Is it a multi-user structure with permissions that restrict and control which users can see what information or perform actions such as scanning and data changes?

“Regulatory compliance” are two words that scare most security professionals. How can implementing a vulnerability management program ease the pain of complying with regulations such as FISMA, Sarbanes-Oxley, and HIPAA?

Let’s face it, regulatory compliance has helped gain funding for security projects but it has also increased the visibility and accountability of the security organization. Auditors and management now expect regular reports about vulnerability management, where the greatest risks to the business exist, and how the organization is addressing these issues. The regulations don’t always spell out exactly what an IT organization is supposed to do; that’s frequently left up to the organization and the auditors. Fundamentally what is required are systematic processes for vulnerability management that are implemented, followed, monitored and acted upon, demonstrating that the organization and its decision makers are safeguarding the security risks within the business.

Vulnerability management is a proactive measure that ensures the highest risks are addressed, such as where someone could compromise a system or network element. It then provides the necessary tools, tracking and reporting mechanisms to mitigate the risks. In addition to making this a systematic, automated process, vulnerability management systems stop the scramble to scan, synthesize data, and craft reports at the end of each month.
