My Updated Vulnerability Management Practices Paper Publishes

With much less trepidation than usual (since this is an update), I am announcing the publication of my “Vulnerability Assessment Technology and Vulnerability Management Practices” paper. This is an update to my 2012 paper on vulnerability management (VM) with a significantly expanded section on remediation and patch management (yes, really!)

Abstract: “Vulnerability Assessment (VA) tools play a critical role in enterprise Vulnerability Management (VM). These tools are being expanded to cover security configuration assessment, large-scale prioritization, and cloud, mobile and virtual environments. This document focuses on today’s VA technology and VM practices in complex, large-scale IT environments.”

A few fun quotes:

• “VA tools are products, while VM involves people, process and technology. VA tools are a critical part of VM, but they’re not the whole of it.”
• “Organizations should ensure that VM not only covers missing patches, but also discovers misconfigurations, policy noncompliance, inoperative security mechanisms and unauthorized services and that it can do this in emerging virtual, cloud and mobile environments.”
• “No matter how hard you try, you cannot go to a store and purchase “vulnerability management.” Gartner defines VM as “the key process for finding and remediating security weaknesses before they are exploited.” “
• “Security processes, unlike appliances, software and services, cannot be acquired in exchange for cash. They can only be established by an organization and then mature to an appropriate level.”
• “Given that the technology for the VA and SCA assessment of virtual environments (as well as virtual environment use in enterprises) continues to evolve, enterprises should look for virtualization-specific features in their VA tools. Simply assuming that a virtual machine is just another system will not be sufficient because virtual systems will often not be scanned during scheduled scan windows, and too many security issues will be missed.”
• “Despite a long evolution of vulnerability scoring that has come from high/medium/low to the current state of elaborate scoring algorithms (often ambitiously called “risk scoring” by vendors), the überproblem of figuring out what vulnerabilities and what system to fix first remains a critical challenge for enterprises. “
• “Developing a policy as well as operational procedures for vulnerability prioritization is an important task that has to be handled by the security team.”

FYI, this GTP report is practices-focused and not vendor-focused, but it has a vendor-focused companion document that I am currently updating. If you are one of the “VA vendors that actually matter”, feel free to brief me on your newest technology (I do have all the 2013 VA MarketScope materials, of course)

Recent posts on patch management:

• Cannot Patch? Compensate, Mitigate, Terminate!
• What is Your Minimum Time To Patch or “Patch Sound Barrier”
• Patch Management – NOT A Solved Problem!
• Next Research Project: From Big Data Analytics to … Patching
• On Nebulous Security Policies (featuring “we patch all systems within 30 days” boondoggle)

Other documents I’ve recently written:

• My Security Solution Paths Published: Threats and Vulnerabilities
• Our “Security Information and Event Management Futures and Big Data Analytics for Security” Paper Publishes
• My Incident Response Paper Publishes
• My Paper on Endpoint Tools Publishes
• All My Research Published in 2013