Once upon a time (a few years ago) vulnerability management programs focused solely on servers, running quarterly scans that targeted only critical systems.
But that was then, and you can no longer afford such a limited view in the now. To illustrate these changes in how modern enterprises need to approach their vulnerability management programs, we’ve created a whitepaper describing these challenges: The Four Pillars of Modern Vulnerability Management: A comprehensive approach to reducing vulnerabilities across your ecosystem. But where there are challenges, we aim to provide solutions: Learn how shared visibility, analytics, and automation—principles core to the practice of SecOps—are inextricably linked to forming a modern vulnerability program.
Here are some of the highlights.
Complete ecosystem visibility
Today, your security team has more on its plate than ever before. Gone are the days of worrying about a few critical servers. Now the team needs to monitor a vast attack surface, including systems and software in corporate data centers and on cloud platforms, running in physical, virtualized, and container environments.
Your vulnerability assessment solution should be able to keep pace with these ever-increasing demands for visibility. For instance, it should work with VMware, AWS, Azure, and other virtual and cloud platforms. It should eliminate blind spots in your environment by integrating with cloud platforms, detecting when new devices are deployed, and automatically assessing them.
You can take another step in this direction by embedding agents in cloud and virtual images, so that every time a new component of a service is spun up you get instant visibility into the risk it introduces into your network.
Automated remediation workflows
Want to have a big impact on security quickly? Make your patching and remediation activities faster and more effective. Enable your vulnerability assessment tools to hand off vulnerability data and tasks to the ticketing system employed by your IT team. An automated handoff gives operations teams access to more data, faster, so they can patch systems and fix misconfigurations quickly and accurately. This is the practice of SecOps in action.
Some enterprises go even further by integrating vulnerability assessment products with automation and orchestration tools. This allows organizations to create and apply patches automatically, increasing efficiency while lowering risk.
Web application security
While we are talking about ways to make security more effective, there’s a lot to be said for addressing a huge blind spot in traditional approaches to vulnerability management: web application security. Web applications are the number one source of breaches, according to the Verizon 2018 Data Breach Investigations Report. Securing them should be an integral component of every modern vulnerability management program.
Legacy application scanners were designed for older web technologies like HTML, PHP, and Perl, and are often unable to test rich web applications built with newer technologies and protocols and that involve complex multi-step workflows like shopping cart checkout sequences.
A modern vulnerability management program should utilize tools that are as smart and sophisticated as today’s modern web apps. These tools should be able to automatically scan applications built with Single Page Application (SPA) frameworks like REACT.JS, REST APIs, as well as complex, multi-step workflows, for web application vulnerabilities. Web development teams are constantly on the hunt for newer and better technologies; a modern vulnerability management program should be prepared with testing tools that can keep pace.
Speaking of keeping pace with change, software development teams use agile and DevOps techniques to turn on a dime and respond quickly to changing customer and business needs. But security can get left behind when new application code is promoted into production on a daily or hourly basis.
Security organizations should work toward a DevSecOps approach, performing vulnerability assessment not just on production systems, but also in development, testing, and staging environments.
Teams should also consider integrating vulnerability management into automated continuous integration (CI) and continuous deployment (CD) processes. For example, you can configure CI tools to kick off vulnerability scanning tasks in the build pipeline. This ensures that new versions of your applications will be scanned automatically, so you can fix vulnerabilities before new code is exposed to attackers. These workflows might require some investment up front, but the long-run result is the unmatched agility that comes with SecOps.
According to the SANS Institute 2017 Threat Landscape Survey: “Endpoints—and the users behind them—are on the front lines of the battle: Together they represent the most significant entry points for attackers obtaining a toehold into the corporate network. Users are also the best detection tool organizations have against real threats.” The report specifically identifies phishing as the threat type most frequently seen in and most impactful on the organizations surveyed.
We forward-thinking security professionals can draw an obvious conclusion from this finding: vulnerability management programs should include phishing awareness training campaigns to train employees to recognize and resist social engineering attacks. You can also reduce the success rate of social engineering attacks by making it easy to report and analyze phishing attempts, and by using phishing simulations to reinforce training. These activities also generate data that helps security teams identify weaknesses and quantify risks in the short and long terms.
Our final thought for you today is that penetration testing should no longer be treated as a standalone activity. Information from network assessments, application tests, phishing programs, and other sources of information on vulnerabilities should be shared with pen testers, so they can assess the actual risk to the organization posed by each type of vulnerability (which can be very different from the risk implied by CVSS ratings and other generic risk measures).
In addition, results from pen tests can be shared with the groups that prioritize and remediate network and application vulnerabilities, so they can focus on the weaknesses that pose the greatest risks to your enterprise.
But wait, there's more...The shared visibility, analytics, and automation of a modern vulnerability program is core to the practice of SecOps. To learn more about what goes into a modern vulnerability management program‚ including the SecOps mindset, download our whitepaper (no form-fill needed!):
Also interested in learning how Rapid7 solutions help address the challenges outlined in the whitepaper? We’ve also created a solution guide for you to reference alongside “The Four Pillars of Modern Vulnerability Management.”