Our updated Vulnerability Management Guidance document has just been published. It is a refinement of the guidance framework we created a couple of years ago. The focus of this one was to include additional information on the scope of VM programs, the prioritization of vulnerabilities, and the use of mitigation actions when remediation cannot be applied. It is very pertinent considering the whole WannaCry thing that happened a few weeks ago.
Some interesting bits from the paper:
New technologies with a high number of devices being left out of the traditional VM processes may suggest that those processes are obsolete and about to be replaced by other approaches, such as mitigation and patch-independent controls (e.g., application whitelisting or isolation). It’s important to remember, however, that legacy IT and legacy approaches are here to stay. While cloud adoption, DevOps and other IT delivery disrupters are happening, IT inertia is a powerful force, and in many regards a large chunk of the future will look just like the past. Similarly, the “scan and patch” cycle is here to stay for a diminishing but still very large share of IT.
The definition of a prioritization method for your organization depends on a few factors: from the size and complexity of the environment to the context data available. Prioritization must allow an organization to maximize the use of the available remediation and mitigation capacity and achieve maximum possible risk reduction. For example, if 1,000 vulnerabilities are found during the latest scan and there is IT operations bandwidth to fix 100 to 150 of them (depending on the specifics of the vulnerable systems), the main reason for prioritization would be to identify the set to be acted on to reduce the risk by aiming for reduced incident likelihood and reduced potential incident cost.
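The capacity-constrained selection described above, as an added illustration that is not part of the guidance document or this post: it ranks constructed sample findings by expected loss (likelihood x incident cost) per unit of remediation effort, fills the available IT operations capacity greedily, and contrasts that with a naive "highest likelihood first" ordering. The scoring model, the field names and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str
    likelihood: float  # assumed probability of exploitation in the planning window (0..1)
    cost: float        # assumed incident cost if exploited, in arbitrary money units
    effort: float      # assumed remediation effort, in the same units as capacity

def expected_loss(v: Vuln) -> float:
    """Risk expressed as expected loss: incident likelihood times potential incident cost."""
    return v.likelihood * v.cost

def _fill_capacity(ranked, capacity):
    """Walk a ranked list and take every finding that still fits in the remaining capacity.
    Returns (selected ids in order, total expected loss removed, effort used)."""
    selected, reduced, used = [], 0.0, 0.0
    for v in ranked:
        if used + v.effort <= capacity:
            selected.append(v.vid)
            reduced += expected_loss(v)
            used += v.effort
    return selected, reduced, used

def prioritize(vulns, capacity):
    """Context-aware ordering: most expected loss removed per unit of remediation effort first."""
    ranked = sorted(vulns, key=lambda v: expected_loss(v) / v.effort, reverse=True)
    return _fill_capacity(ranked, capacity)

def prioritize_by_likelihood(vulns, capacity):
    """Naive ordering that ignores incident cost and effort, for comparison."""
    ranked = sorted(vulns, key=lambda v: v.likelihood, reverse=True)
    return _fill_capacity(ranked, capacity)

# Constructed sample: five findings and capacity for three units of remediation work.
SAMPLE = [
    Vuln("V-1", 0.90, 10_000, 1.0),   # likely, modest cost:  9,000 per unit of effort
    Vuln("V-2", 0.05, 500_000, 2.0),  # rare, very costly:   12,500 per unit of effort
    Vuln("V-3", 0.60, 2_000, 0.5),    #                       2,400 per unit of effort
    Vuln("V-4", 0.30, 50_000, 1.5),   #                      10,000 per unit of effort
    Vuln("V-5", 0.95, 100, 1.0),      # very likely but cheap:   95 per unit of effort
]

def plan_sample(capacity=3.0):
    """Risk-based plan for the sample: selects V-2 and V-1, removing 34,000 of expected loss."""
    return prioritize(SAMPLE, capacity)
```

With the same three units of capacity, the likelihood-only ordering spends them on V-5, V-1 and V-3 and removes only 10,295 of expected loss, which is the gap that context data (asset value, exposure, incident cost) is meant to close.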
- Mitigation actions:
Given that organizations today face multiple challenges with patching vulnerabilities in software and code running on various devices (ranging from printers to mobile phones to IoT devices), mitigation measures (also sometimes called “shielding”) are growing in importance.
Mitigation measures are often defined as temporary solutions to be used until the vulnerability is remediated, but for some scenarios, they might end up being permanent solutions. For example, a web application developed by a contractor may have vulnerabilities that simply cannot be fixed by the organization, since the original contractor may not be available anymore. In this case, a web application firewall (WAF) may become a permanent mitigation measure. Some vendors even call this “virtual patching” to hint at a permanent nature for such “fixes” at some organizations.
And as we’ve been doing for all our papers, please provide feedback with your thoughts/suggestions here.