- A Guidance Framework for Developing and Implementing Vulnerability Management – A guide for the implementation of a vulnerability management (VM) program, from early planning and scope definition to vulnerability remediation and mitigation actions. Essentially, this is a guide on how to really do VM.
- How to Implement Enterprise Vulnerability Assessment – This document complements the above VM guidance document by providing detailed guidance for the vulnerability assessment (VA) process. This is a guide on how to really do VA, a critical part of VM.
- A Comparison of Vulnerability and Security Configuration Assessment Solutions – This document provides an overview of the vulnerability assessment solutions market and compares the five main vulnerability assessment tools out there. This is a document about VA tools and their capabilities.
In more detail:
“How to Implement Enterprise Vulnerability Assessment” has these juicy quotes:
- “VA is a critical part of the VM process, and integrating VA with the next steps in the VM cycle is as important as operationalizing the scanning process.”
- “The very first step in any VA effort is defining what is expected from the process and what the process will cover (which networks and assets, and which types of vulnerabilities and applications).”
- “Less mature organizations […] may start with a “let’s start scanning first” approach, only to find out that sorting through the massive output of the scans, identifying asset owners, recognizing false positives and dealing with reporting idiosyncrasies require time and resources.”
“A Guidance Framework for Developing and Implementing Vulnerability Management” contains these gems:
- “The most critical point in a VM process is the handover of identified vulnerabilities to the team responsible for remediating them.”
- “No matter how hard you try, you cannot go to a store and purchase vulnerability management (VM). Security processes, unlike appliances, software and services, cannot be acquired in exchange for cash. They can only be established by an organization and then matured to an appropriate level.”
“A Comparison of Vulnerability and Security Configuration Assessment Solutions” features bits such as:
- “The VA market comprises a clear set of enterprise-ready products that compete for enterprise security budgets. The vendors of those products mostly compete with each other and not with the “long tail” of the remaining VA players.”
- “Although VA tools have existed for nearly 20 years, selecting the one that will work for your particular environment remains a challenge. Aspects such as architecture, assessment methods, technologies covered and integration options vary from vendor to vendor, and selecting one that fits organization requirements is critical to implementation success.”
Now, back to SIEM research! 🙂
Past posts on vulnerability management:
- Vulnerability Management #1 Problem – After All These Years!
- Vulnerability Management: Have We Reached a Best Practices Plateau? (by Augusto Barros)
- Revisiting Vulnerability Assessment and Vulnerability Management Research
- My Updated Vulnerability Management Practices Paper Publishes (2014)
- Cannot Patch? Compensate, Mitigate, Terminate!
- What is Your Minimum Time To Patch or “Patch Sound Barrier”
- Patch Management – NOT A Solved Problem!
- Next Research Project: From Big Data Analytics to … Patching
Blogs posts with recent paper publications:
- 2030: Have They Social Engineered Your AI?! [our Maverick piece published]
- My “Evaluation Criteria for Security Information and Event Management” 2015 Update Publishes
- My “How to Monitor the Security of Public Cloud Resources” Publishes
- My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes
- My “How to Work With an MSSP to Improve Security” Paper Publishes
- Our “Selecting Security Monitoring Approaches by Using the Attack Chain Model” Publishes
- All My Research Published in 2014
- All My Research Published in 2013