Facebook Google Plus Twitter LinkedIn YouTube RSS 菜单 搜索 资源 - 博客资源 - 网络研讨会资源 - 报告资源 - 活动icons_066 icons_067icons_068icons_069icons_070

Tenable 博客

订阅

A Practitioner’s Perspective on Risk-Based VM: What People, Processes and Technologies Are Required?

Moving from legacy vulnerability management to a risk-based approach can be a paradigm shift, requiring not only new technologies, but changes in your existing processes and procedures. Here’s a brief overview of how you can get started.

Vulnerability management can often feel like a never-ending game of Whac-a-Mole. Fix one vulnerability and several more pop up elsewhere. As the number of new vulnerabilities continues to skyrocket, it’s become clear that legacy VM practices are no longer sufficient at keeping up and addressing the risks that matter most. 

The problem is legacy VM tools are inefficient at best. They assess only traditional, on-premises IT environments, and their periodic scans don’t reflect the evolving threat landscape. They also lack the context you need to prioritize which vulnerabilities to remediate first. 

Of course, this inefficiency didn’t happen overnight and isn’t the result of any one thing. Organizations have been slow to adapt to incremental changes in several different areas over time. Fortunately, the tools and best practices now exist to help your team quickly evolve your VM program to meet the demands of the modern attack surface.

Moving from reactive to proactive: The lifecycle for risk-based VM

As a general rule, you want to evolve from a highly reactive VM program, which is interrupt-driven and error-prone, to an approach that is proactive and strategic so you can maximize your efficiency and effectiveness. In other words, you need to get out of firefighting mode so you can focus on the vulnerabilities that pose the greatest risk. How can you accomplish this? In addition to investing in an expanded set of tools, your organization will need to update its VM policies and procedures to keep pace with evolving cyberthreats.

At Tenable, we think about this organizational process as a five-step lifecycle:

Cyber Exposure Lifecycle for Risk-Based VM

Rather than just discovering and assessing vulnerabilities, risk-based VM enables you to effectively prioritize them by understanding the full context of each vulnerability, determine the appropriate action to take, and calculate key metrics as well as compare against industry standards. A few of the many ways this can benefit your organization includes: 

  • Prioritize valuable security and IT resources
  • Optimize the team’s efficiency
  • Reduce business risk
  • Minimize VM program costs
  • Improve security reporting
  • Build confidence across the C-suite

Discover critical business services across your attack surface

The first step in a risk-based VM strategy is to take the time to truly understand your business environment. That means determining and prioritizing business-critical services and applications, identifying service and application owners and other stakeholders, and evaluating existing security and applicable IT policies and processes. 

You don’t necessarily need tools for this step, but you do need cooperation from the rest of your organization – particularly from the owners of all business-critical assets, applications and services. You need their permission to access their assets for scans, patching and other security measures. You also have to work out a schedule to ensure that your actions won’t interfere with the availability of their services.

Assess your network with frequent scans to eliminate blind spots

Next, you’ll need to fully assess all your assets. That means you’ll need a new scanner – one that can go beyond your traditional IT network to assess your entire attack surface, including any assets you have in cloud, operational technology (OT) and container environments. Having an integrated web app scanner is important too, since the majority of your organization’s sensitive data lives in, or runs through, apps – which has made the application layer a primary attack vector.

But simply upgrading your tools isn’t enough. You’ll also need to examine your security processes. Are you scanning enough of your network? Any assets your scanners can’t see puts you at risk from critical vulnerabilities that may reside on those assets. You also have to determine if you’re scanning frequently enough. Many organizations employing legacy VM methods scan monthly or less frequently. As a result, they’re basing their remediation decisions on old, outdated information. The threat landscape is dynamic in nature, so you’ll want your security intelligence to be dynamic, as well.

Prioritize vulnerabilities based on asset criticality and attacker activity

Once you can see all the vulnerabilities across your entire attack surface, you need to understand them in the context of business risk and use that data to prioritize your team’s efforts. That means you need a VM platform capable of analyzing the vulnerability data that comes from your scanners, together with other essential contextual elements, including the criticality of the affected assets and an assessment of current and likely future attacker activity. 

Of course, analyzing all this data simply isn’t practical to do on your own. So, you’ll want your VM platform to employ automation and machine learning, so it’s capable of rendering an accurate decision in seconds.

As you continue to refine your prioritization strategy, make sure your assessment windows work well for each asset to minimize business disruptions while achieving reasonable service-level agreements (SLAs). This is tied to the work you did in step 1, when you took the time to understand the business environment and established agreements on patch windows. After all, achieving your SLAs is meaningless if the cost to the business is greater than the benefit of the fix.

Remediate or mitigate critical vulnerabilities 

Once you’ve determined which vulnerabilities are the highest priority, you’ll want your VM platform to tightly integrate with your ticketing system so you can send tickets directly to IT, pre-populated with the information they’ll need to understand what to fix, how to fix it and why it’s a priority. Auto-ticketing capabilities further streamline the effort and maximize the efficiency of the entire process. Communications should also be bi-directional so IT can initiate scans to validate their remediations.

Keep in mind that you can’t remediate everything, and doing so isn’t necessarily the best use of your security resources. Instead, you’ll want to determine the implications of remediating each prioritized vulnerability. Is remediation feasible? If not, are mitigation factors in place that reduce or neutralize the threat exposure? Can you afford to simply accept the risk and take no action at all? Risk acceptance may be appropriate if the vulnerability is on a non-critical asset, or it may be necessary if the remediation runs the risk of breaking critical processes that are running on the asset.

In many cases, you’ll need to get agreement from each asset owner on your response plan before you take any action. And once you perform the remediation, you’ll need to validate its effectiveness before moving on to the next vuln.

Measure to communicate your security progress

Finally, you need a rich set of reporting and analysis tools to effectively communicate the team’s efficiency – to gain and maintain management’s confidence in your abilities. In addition to the tools, themselves, you’ll need to work with the various security groups throughout the organization to develop common dashboards that ensure consistent reporting. You’ll also need to work with your management to decide when and how often reporting should occur.

As with most of the prior steps we’ve discussed, the weaknesses you’ll need to address here are on the human side, rather than with the technology. You’ll need to decide as an organization what KPIs are most important, so each team can deliver consistent reports that can be easily rolled up to encompass multiple areas of responsibility, or even the company as a whole, so that the CISO can clearly report your progress to the board.

Risk-based VM is the foundation of a modern security strategy

Implemented correctly, a risk-based VM strategy can help you prioritize your remediation efforts to focus first on the assets and vulnerabilities that matter most. As a result, you’ll be able to make the most efficient use of your limited security resources by reducing the greatest amount of risk with the least amount of effort. This newfound efficiency will free some of your most senior resources to work on more strategic security initiatives.

Want to learn how to put this framework into practice? Download our whitepaper, Reference Architecture: Risk-Based Vulnerability Management

相关文章

您可加以利用的网络安全新闻

输入您的电子邮件,绝不要错过 Tenable 专家的及时提醒和安全指导。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

试用 Tenable Web App Scanning

您可以通过 Tenable One 风险暴露管理平台完全访问我们专为现代应用程序量身打造的最新 Web 应用程序扫描产品。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。立即注册。

Tenable Web App Scanning 试用版还包含 Tenable Vulnerability Management 和 Tenable Lumin。

购买 Tenable Web App Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 个 FQDN

$3,578

立即购买

试用 Tenable Lumin

使用 Tenable Lumin 直观呈现及探索您的风险暴露管理,长期追踪风险降低状况,并比照同行业者进行基准衡量。

Tenable Lumin 试用版还包括 Tenable Vulnerability Management 和 Tenable Web App Scanning。

购买 Tenable Lumin

联系销售代表,了解 Tenable Lumin 如何帮助您获取整个企业的洞见并管理网络安全风险。

免费试用 Tenable Nessus Professional

免费试用 7 天

Tenable Nessus 是当今市场上功能最全面的漏洞扫描器。

新 - Tenable Nessus Expert
不可用

Nessus Expert 添加了更多功能,包括外部攻击面扫描,以及添加域和扫描云基础设施的功能。单击此处试用 Nessus Expert。

填写下面的表格可继续试用 Nessus Pro。

购买 Tenable Nessus Professional

Tenable Nessus 是当今市场上功能最全面的漏洞扫描器。Tenable Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级支持功能,获取一年 365 天、一天 24 小时的电话、社区和聊天支持。

选择您的许可证

购买多年期许可,即享优惠价格

添加支持和培训

免费试用 Tenable Nessus Expert

免费试用 7 天

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

已经有 Tenable Nessus Professional?
升级到 Nessus Expert,免费试用 7 天。

购买 Tenable Nessus Expert

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

选择您的许可证

购买多年许可证,节省幅度更大。

添加支持和培训