Only the truly committed ever reach the summit of anything. This sentiment holds true for vulnerability management. An organization cannot reach the summit without a serious commitment to fund and staff the program appropriately across the organization.

Reaching ML:5 means tying the program to the business. Everyone must be aligned with the metrics and be ready to find the root cause of any misses so that mitigations can be implemented to alleviate this miss in the future.

Business alignment is key at this level because if all the groups do not agree on the goals, then there will be a lot of disagreement and accusations.

Some example areas of alignment to consider:

  • What risk level is considered acceptable when it comes to vulnerable assets? Does it differ depending on the asset?
  • What is the SLA for fixing a critical vulnerability? Does it differ depending on the network, locale, or use of the asset?
  • What is the process for fixing a vulnerability on a critical asset that may impact the business? Is there a process for emergency change control windows?
  • What is the process for allowing new assets on the network that have vulnerabilities? How are they assessed?

Next, there needs to be alignment on enforcement.

When an asset does not meet the agreed-upon metrics and standards, what happens? The asset should be removed or quarantined from the network until the risk has been mitigated to an acceptable level. This will become a sticking point because Murphy’s Law dictates that this will happen at the worst times: a critical server will have a new exploitable vulnerability on the last day of the quarter, the CEO’s laptop will need to be quarantined while he is traveling out of the country for some reason, or a zero-day vulnerability becomes public on Christmas Day.

(Read more...)