Ask the Expert: How do you level up your vulnerability management?


Kirk Hogan, Chief Innovation Officer at Iceberg Networks, and Allan Liska, CSIRT at Recorded Future, sat down to answer questions they are hearing about how organizations can prepare for all levels of vulnerability: how to get the best vulnerability prioritization, where to look for vulnerabilities and how to tell whether they are in fact the MOST critical, and how to bring in management best practices and tools that help organizations elevate their approach. The following is an edited transcript of the conversation.

Kirk Hogan: I’ve given this a lot of thought, on up-leveling a solution, because a lot of our clients will talk about, ‘what is my maturity journey?’ Well, the ones that actually care (the ones that don’t care, unfortunately, they don’t go very far) — and the ones that are really in tune, I’m going to say it’s a majority. And I say, ‘what are you going to do first, and what are we going to do next?’ And if we design what that maturity level is, there are components that we’ll talk about for getting to a more mature state. Obviously, those at the lower end of the scale are going to be the ones who are doing more manual activities; we’re doing a lot more sending around of attachments and really have to redo a lot of work, because a lot of the information coming off of scanners, etc., is a point in time. And unless you have some way to annotate that with a record of decision or awareness or acknowledgement, it becomes very difficult. So let’s assume that’s been done. Considering moving, say, from a Level 2 to a Level 3, we’re introducing some intelligence and automation. This is where we also need to consider maybe creating a closed-loop life cycle. And what I mean by that is, if we find it, and we fix it, we confirm it — I consider that a closed loop. And that’s a simplified structure. But it’s amazing how many people don’t do that last step to confirm it. So it’s much like a disaster recovery plan — you build a plan, but you don’t test it. So it’s really important that we close that loop. If we start to do that, the maturity can’t help but up-level, because now we have accountability driven into different areas of the business — those that find it are experts in finding things, those that fix it are experts in fixing or applying patches or reconfiguring. So we need to make sure that all of those people have ready access to as real-time information as possible. So those are design considerations, when we talk about up-leveling appropriately.

Allan Liska: I agree completely. And I think, to your point about the vulnerability scanning — it needs to be dynamic and continuous. And I think it takes some organizations a while to figure that out. Because even medium and small networks are constantly changing, not just with whatever is being done internally, but you also have shadow IT, and then unfortunately, you have to worry about all of these other problems. So that internal scanning and asset management being continuous is really, really important, to make sure you’re catching new things and being able to account for them, because even if you didn’t authorize it, you’re still going to get blamed if a vulnerability in that system results in an attack on your organization or data loss or other problems. First of all, maybe understanding vulnerabilities that haven’t been published yet. Often vulnerabilities come out before there’s a CVE for them, whether it’s a zero-day vulnerability, or whether a researcher discovers it, decides not to go through the normal process, and just posts it on Twitter. So understanding what those vulnerabilities are and how to adapt to those is a challenge for any organization. If there is no patch, what are your compensating controls? How can you protect your organization? In 2020, there were something like 12,000 vulnerabilities that were released over the course of the year, but only 1 or 2% of those were actively exploited. Finding that information and getting to the point of what is being actively and widely exploited is really important, because it helps improve your organizational workflow and allows you to be more efficient in choosing what to patch.

Kirk Hogan: Then there is a ‘higher than it should be’ dependency on the vulnerability scanner being your other source of information. And the vulnerability scanner is a great source of information, as it considers other aspects of information, but not all of them. But once you get down into the nuts and bolts, and we can match up with what you actually have or do, then where do we get that information? Where do we get that intelligence to inject into the formula to reprioritize or change the risk score?

Allan Liska: I think a lot of companies, especially as they get bigger, kind of operate like a small town in New Jersey — where everything works by ‘I know a guy’. That is unfortunately the way a lot of vulnerability management works — for example, we found a vulnerability in this system, well, who’s responsible for that? Well, I know Bob over in business operations, and this seems like a business operations thing. So you reach out to Bob. And Bob says, ‘Oh, no, that’s not me. I think that’s over here.’ And then you reach out to, you know, the other department, and they say, ‘No, that’s not us.’ And finally you find somebody, somewhere, who’s responsible for it. But they don’t necessarily know how to do patching or upgrades or put in compensating controls. And so you have to start the process all over again. And I love your concept of tabletop exercises for vulnerability management, something that I don’t think most organizations do, because until there is something that needs to be patched, you don’t know. And you don’t realize that you don’t know who’s in charge of that. Because while it may seem obvious — this is obviously a server, this should go to the server people, or this should go to the endpoint people — it’s surprising when you find out there’s a whole other organization I wasn’t aware of that may be responsible for this.

See all the Ask the Expert videos in this series:

Ask the Expert Part 1: Why CVSS isn’t enough?
Ask the Expert Part 2: How can I make my vulnerability solution more responsive?
Ask the Expert Part 3: How do you level up your vulnerability management?
Ask the Expert Part 4: What is the difference between vulnerability management and attack surface management?
