What is the Goal of your Vulnerability Management Programme?

In many engagements this is the starting point of a useful discussion. Many times the answer is “it’s just what we do”, which doesn’t speak to a good understanding of the “why”. Perhaps the goal is one of the following:

(a) Risk Management

Managing the risk in your environment needs a lot of information in addition to vulnerability scan results. You need to deeply understand your internal and external networks, their assets, functions and owners. For example: which systems generate 50% or greater of the company revenue? Which devices make up that function? What is their security posture? Most businesses do not seem to have access to this information, making this goal difficult to achieve.

(b) Threat Management

This approach looks to identify the threat vectors for the organisation, both internal and external, and asks, for each vector, whether there are active exploits in the wild.

(c) Security Intelligence

This follows the concept of understanding network content at a variety of levels. Examples are “How many FTP servers do I have?” What about mail and file servers? Where are Java, Adobe, Linux, or soon-to-expire certificates installed? Which systems and services are visible externally?

A scan of all systems to determine their existence, location, type and content is the basis for this approach.

(d) Security Patch Auditing

How effective is your patch programme? How can you demonstrate that?

Can you identify systems that are not currently included in the patch process? Can you identify systems that should be in the patch process but are missing patches? If so, which patches are missing? Which systems have been patched but where the patch has not yet taken effect (pending reboot, etc.)?

It can be a case of separating roles: the scanner acts as an independent check, rather than simply trusting your patching solution to be the only source of truth.
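As an added illustration (not code from the original post), the reconciliation below answers the four patch-auditing questions by comparing three independent sources: the asset inventory, the hosts the patch tool says it manages, and the scanner's view of each host. The host names, patch identifiers and data shapes are constructed for the example.

```python
# Constructed sample data for the example: an asset inventory, the hosts
# enrolled in the patch tool, and per-host scan findings. "missing" are
# patches the scanner does not see installed at all; "awaiting_reboot"
# are patches installed by the patch tool but not yet active.
INVENTORY = {"web01", "web02", "db01", "file01", "legacy01", "kiosk01"}
PATCH_TOOL_ENROLLED = {"web01", "web02", "db01", "file01"}
SCAN = {
    "web01": {"missing": [], "awaiting_reboot": []},
    "web02": {"missing": ["PATCH-A"], "awaiting_reboot": []},
    "db01": {"missing": [], "awaiting_reboot": ["PATCH-A"]},
    "file01": {"missing": ["PATCH-B"], "awaiting_reboot": ["PATCH-A"]},
    "legacy01": {"missing": ["PATCH-A", "PATCH-B"], "awaiting_reboot": []},
}


def audit_patching(inventory, enrolled, scan):
    """Reconcile inventory, patch-tool enrolment and scan results.

    Returns a report with: hosts outside the patch process, hosts the
    scanner never saw, enrolled hosts still missing patches, hosts with
    patches pending a reboot, and a single coverage metric.
    """
    scanned = set(scan)
    report = {
        "not_in_patch_process": sorted(inventory - enrolled),
        "unscanned": sorted(inventory - scanned),
        "missing_patches": {},
        "pending_reboot": {},
    }
    # Only hosts that are inventoried, enrolled AND scanned can be judged
    # against the patch tool's claims; anything else is a coverage gap.
    for host in sorted(inventory & enrolled & scanned):
        result = scan[host]
        if result["missing"]:
            report["missing_patches"][host] = sorted(result["missing"])
        if result["awaiting_reboot"]:
            report["pending_reboot"][host] = sorted(result["awaiting_reboot"])
    fully_patched = [
        h for h in inventory & enrolled & scanned
        if not scan[h]["missing"] and not scan[h]["awaiting_reboot"]
    ]
    # Metric is against the whole inventory, so unenrolled and unscanned
    # hosts count against coverage instead of silently disappearing.
    report["fully_patched_pct"] = round(100 * len(fully_patched) / len(inventory), 1)
    return report


if __name__ == "__main__":
    for key, value in audit_patching(INVENTORY, PATCH_TOOL_ENROLLED, SCAN).items():
        print(f"{key}: {value}")
```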

While all the goals above are laudable, some are more achievable than others. It is important to be clear which of them are your goals, in order to set meaningful metrics to measure progress and achievement.