Introduction
Digital technologies lie at the heart of nearly every industry today, including banking. The automation and greater connectedness they afford have revolutionized the world’s economic and financial institutions — but they’ve also brought risk in the form of cyberattacks.
These cyberattacks pose numerous challenges: increasingly persistent and devious threat actors, a daily flood of data full of extraneous information and false alarms spread across multiple, unconnected security systems, and a serious shortage of skilled professionals.
Vulnerability Management
Vulnerability management is the practice of proactively identifying, analyzing, and addressing weaknesses in hardware or software that could serve as an attack vector. The basic goal is to apply fixes before an attacker can use those weaknesses to cause a breach.
“It is the process of staying on top of vulnerabilities so the fixes can be more frequent and effective.” — CSO Online
Current Challenges
There are two major sets of factors that affect an organization's ability to protect itself against cyber threats. The first relates to the growing frequency, reach, and sophistication of threats and the risk they pose to each organizational unit. The second is the operational complexity that makes it difficult for an organization to know which vulnerabilities are actually exploitable, how they map onto its asset criticality footprint, and what else is needed to maintain cyber hygiene.
Building and executing a vulnerability management program can be a daunting task. With the number of vulnerabilities growing by the day, many organizations still struggle to get their arms around it. Discovering vulnerabilities is not necessarily the biggest pain point; dealing with the volume of vulnerabilities found is. Managing that volume, prioritizing it correctly, and tracking the organization's progress in mitigating it are the largest concerns today.
Moreover, successful management of vulnerabilities requires not just comprehensive insight into the evolving landscape of vulnerabilities and threats, but also the means to prioritize activities by enterprise risk.
It is one thing to say that an organization must adopt a risk-based approach to cybersecurity that includes continuous compliance controls and closed-loop management of threats and vulnerabilities. It is quite another to do it. The technology environment is becoming increasingly complex, both in terms of the organization's internal and cloud infrastructure and in terms of the threats looming overhead.
Seeking answers to the following questions will give you a far better understanding of where your vulnerability management program stands and where it should be:
How can you get a handle on the large number of vulnerabilities that plague your operations?
What is happening around the world? Which vulnerabilities are most exploited? Have there been any attacks in your industry? Who is targeting your organization, and from where?
Is your vulnerability management program driven solely by the severity scores provided by your vulnerability assessment tools?
Can you really afford to prioritize a High severity vulnerability on a receptionist PC over a Medium severity vulnerability on a mission-critical server?
Is there an automated mechanism to conduct follow-up assessments?
Are you leveraging the all-important Risk Assessment reports/Risk Registers produced by your GRC team?
Are your asset register and asset criticality scores taken into consideration?
Are alerts from your SIEM or other security technologies factored in?
Risk-Based Vulnerability Management
A proper, integrated, automated, and risk-based vulnerability management program enables you to remediate vulnerabilities at scale.
Some of the things to consider while building a vulnerability management program are:
Threat Scoring
Go beyond the scanner's product-based (High, Medium, Low) severity scoring of vulnerabilities. Use contextual data such as alerts from the SIEM and organizational risks identified by the GRC team to refine each vulnerability's score, so that the ones which should be patched first rise to the top.
Threat Intelligence
Threat intelligence boosts your awareness of what is going on in the world and lets you observe malicious activity targeting your industry. Use orchestration capabilities to combine vulnerability data with threat intelligence and get a better sense of how critical a given vulnerability really is: a medium severity vulnerability with a publicly available exploit can do more damage than a high severity vulnerability with no known exploit.
Asset Values
Make use of your asset register and each asset's value, i.e. how important the asset is to the organization. You may well want to fix a medium severity vulnerability on a production server before a high severity vulnerability on a help desk laptop.
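The contextual prioritization that Threat Scoring, Threat Intelligence and Asset Values describe, as an added example (this is illustrative code, not SIRP's own scoring): a small Python scorer that starts from the scanner's severity band and adjusts it by asset criticality from the asset register, exploit availability from a threat intelligence feed, and recent SIEM alerts on the asset. The weights, the 1-to-5 criticality scale, the asset names, the vulnerability IDs and the feeds are assumptions constructed for illustration.

```python
"""Contextual risk scoring for vulnerability findings.

Added example, not SIRP's own code. Combines the scanner's severity band
with three sources of context: exploit availability (threat intelligence),
asset criticality (asset register) and recent SIEM alerts on the asset.
Weights, asset names, vulnerability IDs and feeds are constructed assumptions.
"""
from dataclasses import dataclass

# Scanner severity band -> base score (assumed CVSS-like bands).
SEVERITY_BASE = {"Low": 3.0, "Medium": 5.5, "High": 8.0, "Critical": 9.5}

# Assumed weighting: a public exploit multiplies, an active SIEM alert adds.
EXPLOIT_MULTIPLIER = 1.5
SIEM_ALERT_BONUS = 1.0
MAX_CRITICALITY = 5  # assumed asset register scale: 1 (disposable) .. 5 (mission critical)


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # scanner plugin or CVE identifier (placeholders here)
    asset: str     # hostname as it appears in the asset register
    severity: str  # scanner-assigned band: Low / Medium / High / Critical


@dataclass(frozen=True)
class Context:
    exploited: frozenset  # vuln IDs with a public exploit (threat intel feed)
    criticality: dict     # asset -> 1..5 from the asset register
    siem_alerts: dict     # asset -> number of recent SIEM alerts


def risk_score(f: Finding, ctx: Context) -> float:
    """Return a 0..10 contextual risk score for one finding."""
    if f.severity not in SEVERITY_BASE:
        raise ValueError(f"unknown severity band: {f.severity!r}")
    base = SEVERITY_BASE[f.severity]
    # An asset missing from the register gets mid criticality rather than being dropped.
    crit = ctx.criticality.get(f.asset, 3)
    score = base * (crit / MAX_CRITICALITY)
    if f.vuln_id in ctx.exploited:
        score *= EXPLOIT_MULTIPLIER
    if ctx.siem_alerts.get(f.asset, 0) > 0:
        score += SIEM_ALERT_BONUS
    return round(min(score, 10.0), 2)


def rank_findings(findings, ctx: Context):
    """Return (finding, score) pairs, highest risk first."""
    scored = [(f, risk_score(f, ctx)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: a threat intel feed, an asset register and SIEM alert counts.
CONTEXT = Context(
    exploited=frozenset({"VULN-1001", "VULN-1003"}),
    criticality={"payments-db-01": 5, "helpdesk-laptop-07": 2, "receptionist-pc-01": 1},
    siem_alerts={"helpdesk-laptop-07": 2},
)
SAMPLE_FINDINGS = [
    Finding("VULN-1002", "receptionist-pc-01", "High"),   # High, but on a low-value asset
    Finding("VULN-1001", "payments-db-01", "Medium"),     # Medium, but exploited on a critical asset
    Finding("VULN-1003", "helpdesk-laptop-07", "High"),   # exploited and the SIEM is alerting
]

if __name__ == "__main__":
    for f, score in rank_findings(SAMPLE_FINDINGS, CONTEXT):
        print(f"{score:5.2f}  {f.severity:8} {f.vuln_id}  on {f.asset}")
```

Run as a script, the Medium finding on the exploited, mission-critical database server ranks first and the High finding on the receptionist PC ranks last, which is the ordering the questions above argue for. The weights are deliberately simple; the point is that severity alone never decides the order.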
Integrations
Go for a single-window solution that brings reports from different security technologies into one place. Establish integrations with help desk and patch management systems; this gives you a communication and remediation channel to other departments, so that tasks can be assigned to those departments and to asset owners from the same platform.
Automation
Vulnerability management is an ongoing process: every scan requires a follow-up scan after a round of patching and fixing to confirm that the findings are actually gone. The ability to automate these assessment activities can dramatically reduce the time to identify and remediate vulnerabilities. With automation, you can schedule follow-up scans or trigger them manually.
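What a follow-up scan is for, as an added example (not SIRP's code): a Python comparison of a baseline scan against the scan run after the patch window, keyed on (asset, vulnerability id), that reports what was remediated, what persisted and what is new, and flags tickets the patch team closed whose finding is still present. The row format and all scan rows and ticket states below are constructed assumptions, not any scanner's export format.

```python
"""Follow-up scan comparison to verify remediation.

Added example, not SIRP's own code. Diffs a baseline scan against the
follow-up scan run after patching and checks closed tickets against it.
Row format, scan rows and ticket states are constructed assumptions.
"""


def _keys(rows):
    """Identify each finding by (asset, vuln_id)."""
    return {(r["asset"], r["vuln_id"]) for r in rows}


def diff_scans(baseline, followup):
    """Return remediated, persisting and newly introduced findings."""
    before, after = _keys(baseline), _keys(followup)
    return {
        "remediated": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


def verify_closed_tickets(closed, followup):
    """Tickets marked fixed whose finding still appears in the follow-up scan."""
    still_present = _keys(followup)
    return sorted(t for t in closed if t in still_present)


def remediation_rate(baseline, followup):
    """Share of baseline findings no longer present after the follow-up scan."""
    before = _keys(baseline)
    if not before:
        return 1.0
    return len(before - _keys(followup)) / len(before)


# Constructed scan exports: the baseline and the scan run after the patch window.
BASELINE = [
    {"asset": "payments-db-01", "vuln_id": "VULN-1001"},
    {"asset": "payments-db-01", "vuln_id": "VULN-1004"},
    {"asset": "helpdesk-laptop-07", "vuln_id": "VULN-1003"},
    {"asset": "receptionist-pc-01", "vuln_id": "VULN-1002"},
]
FOLLOWUP = [
    {"asset": "payments-db-01", "vuln_id": "VULN-1004"},      # patch did not take
    {"asset": "receptionist-pc-01", "vuln_id": "VULN-1002"},  # not yet patched
    {"asset": "receptionist-pc-01", "vuln_id": "VULN-1005"},  # new finding since baseline
]
# Constructed: tickets the patch team closed as fixed before the follow-up scan ran.
CLOSED_TICKETS = {("payments-db-01", "VULN-1001"), ("payments-db-01", "VULN-1004")}

if __name__ == "__main__":
    for bucket, items in diff_scans(BASELINE, FOLLOWUP).items():
        print(bucket, items)
    print("reopen:", verify_closed_tickets(CLOSED_TICKETS, FOLLOWUP))
    print("remediation rate:", remediation_rate(BASELINE, FOLLOWUP))
```

The practical rule this encodes: a ticket is closed by scan evidence, not by the patch team's say-so. Here VULN-1004 on payments-db-01 was marked fixed but the follow-up scan still sees it, so it goes back to the patch team, and VULN-1005 is a fresh finding that enters the next prioritization round.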
Vulnerability Management with SIRP
SOAR solutions derive several key benefits when connected to automated vulnerability management.
Use Cases
An organization has developed its operational plan for how it would like to triage vulnerability scanning results. It gathered input from all departments that would be responsible for helping to mitigate vulnerabilities and created its action plan.
When a new vulnerability is detected by Tenable Security Centre, the SIRP Vulnerability Management playbook is executed automatically.
USE CASE #1 - Vulnerability Management Playbook
The Vulnerability Management playbook starts by identifying which vulnerability has been detected. Depending on the priority, it takes one of three paths to confirm the true priority and alert the necessary teams for mitigation. Once the vulnerability is parsed from the event, the playbook pulls information about the involved asset, including its system information. With that information gathered, SIRP reaches its first set of conditional statements, which check whether the involved asset is a high priority.
If the asset is considered a high priority target, the playbook elevates the vulnerability's priority: a high priority vulnerability becomes critical, and a medium or low priority vulnerability is upgraded to a higher priority incident. SIRP then reaches its second set of conditional statements, which evaluate whether there were any additional security events targeting the asset. If there were, a user choice step temporarily pauses the playbook and alerts an analyst for manual review of the case.
If the analyst finds that the events were targeting the vulnerability reported on the asset, the priority is adjusted again and a case is created in SIRP for the responsible parties, which include the asset owners, the change management team, and the patch management team, to plan appropriate patch and mitigation activities. If no additional security events are observed, the playbook concludes by opening a case in SIRP for the appropriate parties to review the vulnerabilities by priority and plan patching and remediation.
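The decision flow of Use Case #1, modelled in Python as an added example (this is not SIRP's playbook; SIRP playbooks are built in the product, not written this way). It follows the steps described above: parse the detection, pull the asset's information, raise the priority when the asset is a high priority target, look for other security events against the asset, pause for an analyst when there are any, then open a case for the asset owners, change management and patch management. The event layout, the asset register, the SIEM events, the four-rung priority ladder and the choice to run the SIEM check for every asset (the text leaves that open for non-priority assets) are assumptions.

```python
"""Use Case #1 playbook flow, modelled in Python.

Added example, not SIRP's playbook. Event format, asset register, SIEM
events and the priority ladder are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

PRIORITY_LADDER = ["low", "medium", "high", "critical"]
RESPONSIBLE_PARTIES = ("asset owner", "change management", "patch management")

# Constructed asset register: the system information the playbook pulls.
ASSET_REGISTER = {
    "payments-db-01": {"os": "Linux", "owner": "payments-team", "high_priority": True},
    "receptionist-pc-01": {"os": "Windows", "owner": "front-desk", "high_priority": False},
}

# Constructed SIEM events against assets; vuln_id is None when the event
# does not reference a specific vulnerability.
SIEM_EVENTS = [
    {"asset": "payments-db-01", "rule": "exploit-attempt", "vuln_id": "VULN-1001"},
    {"asset": "payments-db-01", "rule": "port-scan", "vuln_id": None},
]


@dataclass
class Outcome:
    status: str                 # "awaiting_analyst" or "case_opened"
    priority: str
    asset: str
    vuln_id: str
    assignees: tuple = ()
    related_events: list = field(default_factory=list)


def elevate(priority: str) -> str:
    """Raise priority one rung: high becomes critical, critical stays put."""
    idx = PRIORITY_LADDER.index(priority)
    return PRIORITY_LADDER[min(idx + 1, len(PRIORITY_LADDER) - 1)]


def parse_event(event: dict):
    """Extract vuln id, asset and normalised priority from a scanner event."""
    priority = str(event["severity"]).lower()
    if priority not in PRIORITY_LADDER:
        raise ValueError(f"unexpected severity {event['severity']!r}")
    return event["vuln_id"], event["asset"], priority


def run_playbook(event, assets=ASSET_REGISTER, siem_events=SIEM_EVENTS,
                 analyst_says_targeted: Optional[bool] = None) -> Outcome:
    """Run the flow once. A run that pauses for review is resumed by calling
    again with analyst_says_targeted set to the analyst's decision."""
    vuln_id, asset_name, priority = parse_event(event)
    asset = assets.get(asset_name, {"high_priority": False})

    # First conditional block: is the involved asset a high priority target?
    if asset["high_priority"]:
        priority = elevate(priority)

    # Second conditional block: any other security events against this asset?
    related = [e for e in siem_events if e["asset"] == asset_name]
    if related:
        if analyst_says_targeted is None:
            # User choice step: pause and hand the case to an analyst.
            return Outcome("awaiting_analyst", priority, asset_name, vuln_id,
                           related_events=related)
        if analyst_says_targeted:
            # Analyst confirmed the events target this vulnerability.
            priority = elevate(priority)

    return Outcome("case_opened", priority, asset_name, vuln_id,
                   assignees=RESPONSIBLE_PARTIES, related_events=related)


if __name__ == "__main__":
    detection = {"vuln_id": "VULN-1001", "asset": "payments-db-01", "severity": "Medium"}
    first = run_playbook(detection)
    print(first.status, first.priority)       # pauses at "high" for review
    resumed = run_playbook(detection, analyst_says_targeted=True)
    print(resumed.status, resumed.priority)   # case opened at "critical"
```

The pause is modelled as a return value rather than a blocking call: a real SOAR run persists its state and resumes when the analyst answers, and keeping that transition explicit makes it easy to test each of the three paths on their own.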
USE CASE #2 - Automated Vulnerability Ingestion, Enrichment and Response
Challenge:
Constantly evolving threats keep security teams perpetually behind the eight-ball trying to identify and patch vulnerabilities before they are exploited.
Solution:
With SIRP's integrations with different VA tools, vulnerabilities are automatically ingested into SIRP. Upon ingestion, automated playbooks enrich these vulnerabilities and add context using threat intelligence data. The playbook then hands off control to security analysts for further investigation or remediation.
Benefit:
The solution helps analysts prioritize vulnerabilities based on severity level and on the threat actor behind the attack. This has proven to shorten the time from detection to response from hours to minutes. In addition, a standardized process implemented via automated playbooks paves the way to more proactive vulnerability management.
USE CASE #3 - Interactive, Real-time Investigation for Complex Threats
Challenge:
While playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
Solution:
After running enrichment playbooks, analysts gain greater visibility and new actionable information about the vulnerability. For example, if playbook results surface alert details, analysts can retrieve details for a given vulnerability or fetch specific device information. They can also run actions from other security tools in real time through SIRP, which gives a single-console view for end-to-end investigation.
Benefit:
SIRP allows analysts to quickly pivot and run the actions relevant to vulnerabilities and incidents in their network from a single window. All participating analysts have full task-level visibility of the process and can run and document actions from the same window.