We Scan and We Patch, but We Don’t Do Vulnerability Management
Lately, we’ve been flooded with calls about vulnerability management (VM). Many of the calls seem to be from organizations of medium to low security operations maturity that are just starting with vulnerability management [and that’s OK – a wise mentor once told me “always remember that 90% of people are not in the top 10 percentile!” :-)]
Many of them say something similar to “we scan and we patch, but we don’t do vulnerability management.” Essentially, they are coming to a realization that I often like to summarize as “VA is easy, but VM is hard.”
Of course, we have a lot of excellent research written on this topic:
- “A Guidance Framework for Developing and Implementing Vulnerability Management” (39 pages of juicy VM stuff!)
- “How to Implement Enterprise Vulnerability Assessment”
- “A Comparison of Vulnerability and Security Configuration Assessment Solutions”
The first paper has a lot of juicy and usable VM advice for all levels of security maturity, and this post is a reminder about these great resources. However, I also want to ponder one specific bit.
Imagine the following situation:
| You have… | …and you can… | …to get… |
|---|---|---|
| 1000 vulnerabilities | fix all 1000 | A WIN [but no organization is in this position, NONE, 0] |
| 1000 vulnerabilities | fix any 10 of them | Nothing, since your overall risk posture is probably unchanged |
| 1000 vulnerabilities | fix any 100 of them | Unknown and likely small risk reduction |
| 1000 vulnerabilities | fix some 900 of them | Significant risk reduction, but very likely at a significant cost |
| 1000 vulnerabilities | fix 100 of them that are called CRITICAL (via CVSS, vendor, etc.) | Some risk reduction, for sure. But often not as much as expected |
| 1000 vulnerabilities | fix 100 of them that are of absolute highest risk to this organization | I’d argue that there is a decent chance that this delivers the best risk reduction / cost! |
Note that in no situation is “JUST PATCH FASTER!” the right advice! IMHO, most organizations should “patch smarter” (which really means “prioritize what to patch better”), because frankly most cannot patch faster.
The tough question is of course: how *EXACTLY* do we rank the vulnerabilities for maximum risk reduction for your particular organization at this time? We have seen many methods come and go: some effective but onerous, some both ineffective and onerous, some effective but unrealistic, and some based on wishful thinking (read: AI).
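To make the last two table rows concrete, here is an added example (not code from the original post, and not a Gartner or vendor method) that ranks a small constructed vulnerability inventory two ways: by CVSS alone, and by an assumed organization-specific risk score that scales CVSS by asset criticality, internet exposure, known exploit availability, and existing compensating controls. The weights, the `VULN-00x` identifiers and the `org_risk` formula are all assumptions chosen for illustration; the point is that the two “top 3 to patch” lists can be completely disjoint, and that the modelled risk removed per patch differs by an order of magnitude.

```python
"""Added example: CVSS-only vs organization-aware patch prioritization.

Not from the original post. The scoring formula, weights and inventory are
assumptions constructed for illustration, not a published methodology.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                # constructed label, not a real CVE
    cvss: float                 # base score as a scanner would report it
    asset_criticality: int      # 1 (lab box) .. 5 (revenue-critical), set by the org
    internet_exposed: bool      # reachable from the internet?
    exploit_known: bool         # public exploit or known exploited in the wild?
    compensating_control: bool  # e.g. WAF rule or network isolation already in place


def cvss_rank(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Vendor-style ordering: highest CVSS base score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def org_risk(v: Vuln) -> float:
    """Assumed organization-specific risk score (illustrative weights).

    Starts from CVSS and scales by what the scanner cannot know on its own:
    how much the asset matters, whether it is exposed, whether an exploit
    exists, and whether a mitigation is already in place.
    """
    score = v.cvss * (v.asset_criticality / 5.0)
    score *= 2.0 if v.internet_exposed else 0.5
    score *= 1.5 if v.exploit_known else 1.0
    score *= 0.25 if v.compensating_control else 1.0
    return round(score, 2)


def org_rank(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Organization-aware ordering: highest org_risk first."""
    return sorted(vulns, key=org_risk, reverse=True)


def top_n(vulns: Iterable[Vuln], n: int,
          ranker: Callable[[Iterable[Vuln]], List[Vuln]]) -> List[str]:
    """Return the ids of the n vulnerabilities a given ranker would patch first."""
    return [v.vuln_id for v in ranker(vulns)[:n]]


def risk_removed(vulns: Iterable[Vuln], patched_ids: Iterable[str]) -> float:
    """Fraction of total modelled org_risk eliminated by patching patched_ids."""
    vulns = list(vulns)
    patched = set(patched_ids)
    total = sum(org_risk(v) for v in vulns)
    removed = sum(org_risk(v) for v in vulns if v.vuln_id in patched)
    return removed / total if total else 0.0


# Constructed inventory: every value here is made up for the example.
INVENTORY = [
    Vuln("VULN-001", 9.8, 1, False, False, False),  # critical CVSS, throwaway lab host
    Vuln("VULN-002", 9.1, 3, False, False, True),   # already isolated on the network
    Vuln("VULN-003", 7.5, 5, True, True, False),    # exposed, exploited, crown-jewel asset
    Vuln("VULN-004", 6.5, 5, True, True, False),    # "medium" CVSS, but same exposure
    Vuln("VULN-005", 9.0, 2, False, False, False),
    Vuln("VULN-006", 8.8, 4, True, False, False),
    Vuln("VULN-007", 5.3, 4, True, True, True),
    Vuln("VULN-008", 9.6, 3, False, True, False),
]

if __name__ == "__main__":
    for name, ranker in (("CVSS only", cvss_rank), ("org risk", org_rank)):
        chosen = top_n(INVENTORY, 3, ranker)
        print(f"{name:>9}: patch {chosen} -> "
              f"{risk_removed(INVENTORY, chosen):.0%} of modelled risk removed")
```

On this inventory the CVSS-only ranker picks VULN-001, VULN-008 and VULN-002 and removes roughly 9% of the modelled risk, while the organization-aware ranker picks VULN-003, VULN-004 and VULN-006 and removes roughly 84%, with the same three patches. The absolute numbers mean nothing outside this toy model; what matters is that the inputs the scanner cannot supply (asset criticality, exposure, exploit status, existing controls) are what turn a vulnerability list into a prioritization.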
Past posts on vulnerability management:
- Our Vulnerability Assessment Vulnerability Management Research Publishes (2017)
- Vulnerability Management #1 Problem – After All These Years!
- Vulnerability Management: Have We Reached a Best Practices Plateau? (by Augusto Barros)
- Revisiting Vulnerability Assessment and Vulnerability Management Research
- My Updated Vulnerability Management Practices Paper Publishes (2014)
- Cannot Patch? Compensate, Mitigate, Terminate!
- What is Your Minimum Time To Patch or “Patch Sound Barrier”
- Patch Management – NOT A Solved Problem!
- Next Research Project: From Big Data Analytics to … Patching
*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/05/14/we-scan-and-we-patch-but-we-dont-do-vulnerability-management/