
How to Build a Vulnerability Management Program that Protects Your Organization

You can only protect what you can see. Understanding and classifying your asset portfolios enables you to better set risk-based cybersecurity priorities that support and defend what is mission critical to the business.

What's Inside
  • Building an effective vulnerability management program

    Building a strong vulnerability management program requires a clear strategy that addresses its objectives holistically – people, process and technology.

  • People

    Because vulnerability management is a team sport, it works most effectively when security practitioners, engineers, developers and business owners all understand each other's role and share a mutually successful goal.

  • Process

    Organizations able to adopt enterprise-level vulnerability management platforms can implement a scanning architecture tailored to their environmental requirements.

  • Technology

    The most effective vulnerability management program enables your partner development and engineering teams to see security risks expressed as tickets, bugs and events that should be prioritized according to their potential impact to the business.

  • 3 key vulnerability management takeaways

    The most effective security practices have visibility and control over not only their assets, but the potential risks associated with them.

  • How you can benefit from CDW and Tenable’s vulnerability management services

    CDW's Vulnerability Management Service (VMS) helps to ensure the success of the vulnerability management lifecycle by identifying and prioritizing vulnerabilities and validating their remediation.


One of the earliest sets of questions we often ask when assessing an organization’s security posture may not even sound like security questions, but they are critical to understanding the effectiveness of your security program: how do you catalogue and manage your asset inventories? How do you manage your software deployments, updates and configuration changes? You can only protect what you can see. Understanding and classifying your asset portfolios enables you to better set risk-based cybersecurity priorities that support and defend what is mission critical to the business.

As indicated by the Top Routinely Exploited Vulnerabilities Joint Cybersecurity Advisory, coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC) and the U.S. Federal Bureau of Investigation (FBI), many successful and dangerous exploit chains rely on previously known vulnerabilities with mature exploit code against remote work, VPN and cloud-based technologies as well as Microsoft Office applications. In a world where hybrid working environments are increasingly normalized, these attack vectors that target users accessing corporate resources from outside of the office are becoming more common. Knowing the criticality of your assets and their access paths to your crown jewels enables you to build an effective plan for remediation and hardening, which helps prevent attackers from getting a foothold in the first place.

Building an effective vulnerability management program

Building a strong vulnerability management program requires a clear strategy that addresses its objectives holistically – people, process and technology. Without organizational buy-in and alignment to enterprise risk priorities, you may struggle with closing uncovered holes. Unwieldy reporting and security-centric disclosure requirements can frustrate or alienate the engineering and development teams that are relied on for remediation, while heavy-handed scanning activities can disrupt operations or even miss potential flaws if misconfigured. Perhaps more concerning, 56.73 percent of respondents in CDW Canada’s 2021 Security Study indicated that they conduct informal, ad hoc or no vulnerability scanning at all.

Vulnerability management is a foundational security control for any information security program because of its essential role in proactively identifying exploitable identity, access and software vulnerabilities that could harm your organization. It plays an important role in the security of our supply chain. It is a requirement for organizations holding third-party certification and even a regulatory requirement for many industries that protect our money, essential services, personally identifiable or sensitive information and many government agencies.

It is likely to look and feel different in different environments – distributed organizations where staff and services alike are mobile and dynamic; DevOps teams where assets may be hosted remotely or may be ephemeral in nature; security teams protecting open, heterogeneous networks in higher education institutions, airports and other public places; manufacturing or heavy industrial organizations protecting both corporate information technology and operational technology environments; and cloud-native startups with BYOD devices and infrastructure entirely in the cloud – but the value of the program remains the same. It is to inform you of your business’ risk exposure and provide an actionable game plan to mitigate those risks.

To explain how it works best, we’re going to talk people, process and technology.

People

Because vulnerability management is a team sport, it works most effectively when security practitioners, engineers, developers and business owners all understand each other's role as well as their own and share a mutually successful goal. Where security teams can meet with business owners and determine their organizational risk thresholds, as well as their critical assets and, most importantly, why those assets are important to the organization, they can best prioritize efforts that protect the organization and express this risk to the business.

When they learn the ways that engineers and developers address configuration and application changes in their typical workflows and provide risk-based vulnerability remediation recommendations that, as closely as possible, align to these workflows, they can meet security objectives while minimizing impact to the business. For organizations able to take the next step, they can see even bigger gains – but we can save that for the technology section.

Process

For many organizations, vulnerability management involves scanning your network on a periodic basis, compiling a giant report, handing it to engineering and developer teams and then hopefully helping them decipher the recommendations into remediation actions to fit into upcoming change windows. Teams with skilled vulnerability analysts able to evaluate and prioritize vulnerabilities based on severity and proximity to business-critical systems can narrow the list of vulnerabilities shared with these teams, but this is often a manual process, which requires specialized skills or knowledge. Smaller organizations without dedicated technical expertise might rely on package managers to identify critical patches, and others might rely on their end users themselves.

With the explosion of technological adoption in the workplace, this manual, point-in-time approach to vulnerability management becomes more challenging. Organizations able to adopt enterprise-level vulnerability management platforms can implement a scanning architecture tailored to environmental requirements, including static infrastructure, transitive endpoints, cloud workloads, applications, IoT devices, operational technology assets and their network topologies, and identity providers like Microsoft’s Active Directory.

As we mentioned above, you can only protect what you can see, and your organization’s depth of understanding of its scope of vulnerabilities enables you to harden the attack paths to prevent lateral movement. In our previous Security Study from 2020, we identified that organizations with integrated enterprise risk management strategies experience significantly lower cyberattack success rates. This strategy works.

Technology

One of the most powerful, direct ways a security team can improve the security of its business’ operations is to provide vulnerability remediation recommendations to partner teams as work items in the environments they are most familiar with, to enable the business to make informed decisions on how to prioritize risk mitigation measures. According to the IBM System Science Institute, the cost of fixing a bug during the implementation stage is 6.5 times higher than fixing it in design. When security teams are granted the opportunity to identify potential flaws at the design stage, by scanning cloud workload configurations, application features, gold images or other sensitive assets prior to rolling over to production, you can save operational bandwidth and downtime, enabling your engineers and developers to spend more time and resources doing what they do best.

If you’ve listened to the introductory episode of CDW Canada’s webinar series, Why Vulnerability Management Matters, I mentioned the value of the ‘single pane of glass’ as a security concept. What I meant by that is that the most effective vulnerability management program enables your partner development and engineering teams to see security risks expressed as tickets, bugs and events that are prioritized according to their potential impact to the business. This should happen within their own workflows, where validation of remediation by the security team is kicked off automatically, and the closure of that Deming Cycle loop of Plan-Do-Check-Act is captured by both teams. As security practitioners, we can report the success of this program to our business owners in two key ways: by demonstrating the potential risk of exploitable and dangerous vulnerabilities identified by the team and successfully remediated by our partner teams, and by giving our penetration testers and adversaries a harder time next time they attack our environments.
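The Process section describes analysts prioritizing findings by severity and proximity to business-critical systems, and the paragraph above describes turning those findings into tickets whose remediation is validated automatically on the next scan. The following Python is an added illustration of that loop and is not code from the article, CDW or Tenable; the asset inventory, scanner findings, check identifiers and the scoring weights are all constructed assumptions, and a real program would pull findings from a scanner API and the inventory from a CMDB. Findings on assets that are missing from the inventory are deliberately surfaced rather than scored, since an unknown asset cannot be prioritized.

```python
"""Risk-based prioritization and closed-loop (Plan-Do-Check-Act) validation.

Added example; all data and weights below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative weights: how much business context amplifies raw scanner severity.
CRITICALITY_WEIGHT = {"mission-critical": 3.0, "business": 2.0, "low": 1.0}
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str           # key of CRITICALITY_WEIGHT
    exposure: str              # key of EXPOSURE_WEIGHT
    hops_to_crown_jewels: int  # 0 = the asset is itself a crown jewel


@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str              # scanner check identifier (constructed)
    title: str
    cvss: float                # base score, 0.0-10.0
    exploit_available: bool    # mature public exploit code exists


def risk_score(finding: Finding, asset: Asset) -> float:
    """Combine scanner severity with asset criticality, exposure and attack-path proximity."""
    proximity = 1.0 / (1 + asset.hops_to_crown_jewels)  # 1.0 on a crown jewel, decays with distance
    exploit = 1.5 if finding.exploit_available else 1.0
    score = (finding.cvss
             * CRITICALITY_WEIGHT[asset.criticality]
             * EXPOSURE_WEIGHT[asset.exposure]
             * exploit
             * (0.5 + 0.5 * proximity))
    return round(score, 2)


def sla_bucket(score: float) -> str:
    """Map a risk score to a remediation priority and target window (constructed thresholds)."""
    if score >= 40:
        return "P1-7d"
    if score >= 20:
        return "P2-30d"
    return "P3-90d"


def prioritize(findings: List[Finding], inventory: Dict[str, Asset]) -> Tuple[List[dict], List[Finding]]:
    """Plan: turn raw findings into ranked tickets; report findings on assets not in the inventory."""
    tickets, unknown_assets = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            unknown_assets.append(f)  # you can only protect what you can see
            continue
        score = risk_score(f, asset)
        tickets.append({"key": (f.asset, f.check_id), "asset": f.asset, "title": f.title,
                        "score": score, "priority": sla_bucket(score), "status": "open"})
    tickets.sort(key=lambda t: t["score"], reverse=True)
    return tickets, unknown_assets


def validate_remediation(tickets: List[dict], rescan_findings: List[Finding]) -> List[dict]:
    """Check/Act: a ticket closes only when the rescan no longer reports the same check on the same asset."""
    still_present = {(f.asset, f.check_id) for f in rescan_findings}
    for t in tickets:
        t["status"] = "open" if t["key"] in still_present else "closed-verified"
    return tickets


# Constructed sample inventory, first-scan findings and rescan findings.
SAMPLE_INVENTORY = {
    "vpn-gw": Asset("vpn-gw", "mission-critical", "internet", hops_to_crown_jewels=1),
    "erp-db": Asset("erp-db", "mission-critical", "internal", hops_to_crown_jewels=0),
    "lab-pc": Asset("lab-pc", "low", "internal", hops_to_crown_jewels=3),
}
SAMPLE_FINDINGS = [
    Finding("vpn-gw", "CHK-0001", "Outdated VPN appliance firmware", 9.8, True),
    Finding("erp-db", "CHK-0002", "Database listener missing vendor patch", 7.5, False),
    Finding("lab-pc", "CHK-0001", "Outdated VPN client build", 9.8, True),
    Finding("fishtank-thermo", "CHK-0003", "Default credentials on IoT device", 6.5, True),
]
SAMPLE_RESCAN = [  # vpn-gw was patched; erp-db and lab-pc were not
    Finding("erp-db", "CHK-0002", "Database listener missing vendor patch", 7.5, False),
    Finding("lab-pc", "CHK-0001", "Outdated VPN client build", 9.8, True),
]

if __name__ == "__main__":
    tickets, unknown = prioritize(SAMPLE_FINDINGS, SAMPLE_INVENTORY)
    for t in tickets:
        print(f"{t['priority']:6} {t['score']:6.2f} {t['asset']:8} {t['title']}")
    for f in unknown:
        print(f"UNKNOWN ASSET  {f.asset:16} {f.title} (add to inventory before scoring)")
    for t in validate_remediation(tickets, SAMPLE_RESCAN):
        print(f"{t['asset']:8} -> {t['status']}")
```

The same CVSS 9.8 check on the Internet-facing VPN gateway one hop from a crown jewel ranks far above its twin on an isolated lab machine, which is the "severity and proximity" judgement the article says analysts otherwise make by hand. The unknown IoT device is not scored at all; it goes back to the inventory owners, which is the asset-mapping step the takeaways below insist on.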

3 key vulnerability management takeaways

We published a four-part webinar series entitled Why Vulnerability Management Matters in partnership with our friends at Tenable that explored everything from vulnerability exposure and prioritization to threat modeling and vulnerabilities beyond the endpoint, to leveraging vulnerability information as security intelligence, to recommendations on developing an effective vulnerability program. If you’re interested in learning more, you can watch these webinars on-demand. Here are some key takeaways to arm yourself with:

▪  Map your business-critical assets

You can only protect what you can see. The most effective security practices have visibility and control over not only their assets, but the potential risks associated with them. This further benefits the team, because with a detailed understanding of your environment, its potential risks and compensating controls, you can better detect and respond to threats seeking to exploit any flaws or misconfigurations. To harden potential attack paths and protect what is most critical to the business, you must know what is critical, why it’s critical and how an attacker could exploit it. This knowledge may just help you find that rogue fish tank thermometer, outdated VPN software version, orphaned account or vulnerable application library, and remove that foothold for a potential attacker.

▪  Survey, define and measure your attack surfaces

Critical assets mean different things in different organizations. Ensuring that as a security team, you have an effective view of exploitable identity, access and software vulnerabilities in your environment – whether they reside on the endpoint, in your infrastructure, applications, cloud workloads, IoT devices, operational technology assets or Active Directory environments – empowers you to prioritize security initiatives that meaningfully improve your organization’s security posture and protect what’s most important to you and the paths to get to them.

▪  Vulnerability management is a team effort

You should be aware of not only the potential benefit that an effective vulnerability management program brings to the organization, but also the process, effort and resources required by your security team, as well as your partner development and engineering teams, to implement remediation or compensating measures. This enables security practitioners to be more attuned to their needs and tailor security hardening requirements to the language and systems they are accustomed to, reducing friction and communication gaps. Understanding how other teams within the organization may be able to leverage this information may also enable them to enrich other processes they undertake like build testing, configuration reviews, inventory efforts and more.

How you can benefit from CDW and Tenable’s vulnerability management services

CDW's Vulnerability Management Service (VMS) helps to ensure the success of the vulnerability management lifecycle by identifying and prioritizing vulnerabilities and validating their remediation. CDW VMS Executive Summary Reports provide detailed information about the organization’s current cyberexposure with sections relevant to both operators and leaders. Our collaborative approach enables a virtuous cycle of continuous improvement in our reporting and data modelling to ensure that client and system administrators have the data they need to drive decision-making.

Tenable® is the Cyber Exposure Company

Tenable's goal is to arm every organization with the visibility and insight to answer four critical questions at all times: Where is it exposed? Where should it prioritize based on risk? Is it reducing exposure over time? How does it compare to its peers?

Approximately 40,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to see and secure any digital asset on any computing platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of the Global 2000 and large government agencies.

By Mitch Kelsey, CISSP, PMP

Cyber Security Advisor and Tenable Guardian, CDW Canada

Mitch leads discussions related to offensive security, risk advisory consulting, vulnerability management and cybersecurity practice maturity development for CDW Canada. Before moving to a presales advisory role, Mitch conducted risk advisory consulting, cybersecurity practice maturity development and managed security operations.  

Mitch started his career in security with a strategic security consultancy’s UAE office where he was engaged on threat risk assessments related to critical infrastructure, diplomatic security and counterterrorism, as well as cybersecurity strategy and policy development in the Middle East and internationally. As a result, Mitch takes a broad-spectrum approach to threat modeling and cybersecurity maturity evaluation to address cybersecurity risk systematically and ensure customers’ objectives align with their operational readiness and capabilities. 

Mitch has a BA focused on international security and conflict from SFU, CISSP and PMP, backed by international professional advisory experience to Fortune 500 companies.