I get it. Running a vulnerability management program is a complicated task for any company. In my position as vCISO at Integris, I have the vantage point to see where vulnerability management programs go wrong and where they go right.
So I’m here to tell you—the problems lurking in your vulnerability management program are common and usually easily fixed. In this month’s blog, I will lay down some knowledge about the most significant vulnerability management fails we see and how to turn them around. But first, let’s talk about what constitutes a solid vulnerability management program in the first place.
What Is Vulnerability Management?
Vulnerability management is the process of identifying, assessing, and remediating the security risks to your systems. It’s a continuous process for your company, one where you’re constantly scanning for problems across endpoints, workloads, and systems.
The best vulnerability management programs use advanced and efficient scanning tools. Cybersecurity experts prioritize incoming threats and remediate them quickly as the threat intelligence streams in. Documentation, of course, is another critical pillar of vulnerability management. With it, companies can create a baseline of remediation trends that can help them make better strategic security decisions in the future.
Before we discuss vulnerability management strategy, I’d like to take a moment to discuss some of the language we use to talk about system vulnerability.
What’s the Difference Between a Vulnerability, a Threat, and a Risk?
This is getting in the weeds a little bit, but I’d like to take a moment to review common terms in vulnerability management discussions. While many of these terms are used interchangeably, they actually have more precise definitions in the cybersecurity world.
A vulnerability, as defined by the international organization for standardization, appears when a weakness is detected in an asset or group of assets.
A threat is a hack or system deficiency that exploits a vulnerability.
A risk is all the damage that could occur from the threat.
Now that we’ve got that out of the way let’s move to the common deficiencies we see during our new client assessments.
Five Ways Your Vulnerability Management Program Could Be Falling Short (and What to Do About It)
#1—Failing to Get a Continuous Vulnerability Scanning Tool
If you have experts on hand to do your patching, you might think your vulnerability management is covered. Trust me—you don’t.
It’s not enough to have a program that reacts to security alerts. Far too many companies think it’s okay to do patches every couple weeks or months. The hackers, however, are looking for a zero-day vulnerability to creep into your systems before you have a chance to patch. Don’t give them the opportunity.
Every company should have a continuous vulnerability scanner tool looking at all parts of their network and leveraging reports on their latest vulnerability alerts. This should form the backbone of your mitigation efforts so that you can remove threats efficiently. Don’t skimp on this. It will only cost you more later. Then, it’s crucial to patch immediately—around the clock, if possible.
#2—Failure to Do Regular Reviews
While continuous scanning tools are great, fail number two happens when you rely on scanners to pull all the weight. There’s a tremendous temptation to set it and forget it—letting your team fall into a cycle of getting and remediating alerts without looking at why they keep happening.
Your company should have regular security reviews, whether you have an MSP or an in-house CISO. This is your opportunity to look at your alerts and vulnerabilities in the macro. By taking a top-down view, you can start to notice the trends that point to deeper problems in your systems.
Consider having a SOC analyst review all your cybersecurity and having a CISO review your reports regularly, too. This attention to detail can help you catch problems before they become a long-standing pattern. These reviews can also help you understand traffic and usage, so you can plan where your security resources should be focused.
#3—Failure to Properly Scan
There are so many ways a company’s vulnerability scans can go wrong. The first common mistake we see is running a vulnerability scan at the wrong time. Let’s say, for instance, that you’d like to run your scans at 6:00 p.m. to avoid any system glitches. A sound strategy, isn’t it? Except for one problem: half your staff is home by this hour with their machines turned off. Your scan ends up never running on those machines.
We also see companies that fail to run scans on all their endpoints. For instance, they run a scan on their servers and all the machines that are connected on the office’s local network. Yet, they fail to scan the salesperson working on a laptop in a coffee shop or the executive working on their beach vacation. The most common failure of all is skipping scans on the employee-owned phones and tablets they use to access your network. Without coverage for scans and patches, they quickly become your security network’s weakest link.
It’s not just the scanning that’s the problem. These same companies often neglect to reboot their systems after their patching is done. If you want to correct this situation, we usually recommend setting a specific time every week to reboot your computers and your servers regularly.
#4—Failure to Cover Remote Employees
The IT industry, in general, got a crash course in dealing with remote work cybersecurity during the pandemic. But that doesn’t mean everyone has learned their lesson well.
We still see far too many companies failing to truly cover the cyber security needs of their remote workforce. To be fair, it is a far heavier lift than protecting cyber security for office-bound workers. Still, letting your remote workers open your front door to hackers is far too easy.
Home offices are ripe environments for system breaches. You have to ask—are your remote employees connecting to secure wifi networks? What about the devices your employee connects their work computer to, like a home printer? Be sure your mobile device management program includes built-in vulnerability scanning, so everything that comes into contact with your machines is rigorously checked.
#5—Failure to scale your scans to your needs
We are all for robust, powerful scans. But they can be overdone.
Like anything else in your organization, your vulnerability scans must scale to your system size and usage. Too many companies invest in scanners that are not designed to run continuously, causing network outages and downtime.
A good MSP should be able to help you calibrate your scan, so they run seamlessly on your network. After all, the best vulnerability management systems are the ones that run entirely in the background.
The Right Vulnerability Management Program Won’t Be Complicated
Are you overwhelmed yet? Don’t be. While vulnerability management programs sound very complex, they will become a pillar of your overall cybersecurity effort. When you’re doing it right, vulnerability management is simply what you do every day to keep your organization safe.
Don’t have the resources to execute all this? Integris can help. We’d love to talk to you about your cybersecurity needs. Contact us for a free consultation or download our Guide to Creating a Cybersecurity Plan for Your Business.