Vulnerability Scanning & Vulnerability Management is not Hardening

By John Gates, on April 26th, 2022

As a CISO or Security Manager, you understand your organization’s need to stay one step ahead of cybercriminals searching for gaps in your security posture. The market is flooded with solutions for dealing with vulnerabilities, and the challenge remains understanding how best to prioritize and manage them. But first, to keep your organization safe, it is imperative that you understand the differences between the three main types of security solutions: vulnerability assessment, vulnerability management, and vulnerability remediation tools.

Vulnerability Assessment

The first step to fixing security vulnerabilities is knowing that they are there. Vulnerability assessment tools identify gaps and loopholes in networks, endpoints and applications.

Although they provide important information for engineering and security teams by scanning assets and matching the results against a vulnerability database, a common side effect of vulnerability scanning is slower network performance. To work around this, many organizations schedule their scans for weekends, and some run them only once every couple of weeks. This performance/security trade-off leaves organizations exposed, as the number of newly disclosed vulnerabilities keeps growing every month.

Vulnerability Management

Detecting vulnerabilities is only the first step; dealing with them, and managing them, is not as straightforward by any means.

With the number of security flags raised by scanners every day, it is important to know which ones need to be fixed first. How to focus on vulnerabilities and “cut through the noise and focus on only those vulnerabilities that matter” is precisely the question Adam Boone asked.

Part of the answer for vulnerability management is introducing best practices into the organization. There are many vulnerability management methodologies and products to choose from. Some identify risks on the organization’s networks and provide an ever-growing database of potential scenarios. Others allow loading and replaying historical attacks, or mirroring networks, with the aim of finding soft spots and weaknesses.

Vulnerability management includes the following:

  • Knowledge: Stay continually updated about new security threats associated with known vulnerabilities. Security product vendors send notifications, system updates, and threat intelligence reports.
  • Discovery: Know what is on your networks, who owns it, where it is stored, who can access it, and how.
  • Configuration: Set clear rules and practices. Use standard configurations for similar technologies.
  • Assessment: Schedule frequent periodic and unannounced assessment scans to identify new vulnerabilities.
  • Prioritization: Analyze the effect of each vulnerability on your organization, then prioritize the order in which you will resolve them.
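
The prioritization step above is where most of the judgment lives. The following is an added example, not code from the article or from any vendor product: it scores constructed scanner findings by combining the base severity with exposure and business context, so that an internet-facing, publicly exploitable medium-severity flaw can rank ahead of an internal critical one. The multipliers, asset names and finding identifiers are all assumptions chosen for illustration.

```python
# Added example, not code from the original article or from any vendor product:
# a small risk-based prioritization of scanner findings. The weights, the asset
# names and the finding identifiers are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str        # placeholder, not a real advisory identifier
    cvss: float            # base score on the usual 0.0-10.0 scale
    internet_facing: bool  # reachable from outside the perimeter
    exploit_public: bool   # working exploit code is publicly available
    data_sensitivity: int  # 1 = public data ... 3 = regulated/confidential data


def priority_score(f: Finding) -> float:
    """Combine base severity with exposure and business context into one number.

    The multipliers are assumptions chosen for illustration; a real program
    would calibrate them against its own risk appetite.
    """
    score = f.cvss
    if f.internet_facing:
        score *= 1.5          # anyone on the internet can reach it
    if f.exploit_public:
        score *= 1.3          # attackers do not need to develop anything
    score *= 1 + 0.25 * (f.data_sensitivity - 1)   # what sits behind the asset
    return round(score, 2)


def prioritize(findings):
    """Return findings ordered so the first one should be fixed first."""
    return sorted(findings, key=priority_score, reverse=True)


def remediation_order(findings):
    """Flatten the ranking into (asset, finding_id, score) tuples for a work list."""
    return [(f.asset, f.finding_id, priority_score(f)) for f in prioritize(findings)]


# Constructed sample scanner output.
SAMPLE_FINDINGS = [
    Finding("web-01", "FINDING-001", 7.5, True, True, 2),
    Finding("db-02", "FINDING-002", 9.8, False, False, 3),
    Finding("hr-laptop-7", "FINDING-003", 9.8, False, False, 1),
    Finding("build-03", "FINDING-004", 5.3, False, False, 1),
]

if __name__ == "__main__":
    for asset, fid, score in remediation_order(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  {asset:12s} {fid}")
```

Run as a script it prints the work list with web-01 first: a 7.5 that is exposed and exploitable outranks the 9.8 on the internal database server, and the identical 9.8 on an HR laptop drops further because of the data behind it. That reordering, rather than the raw CVSS number, is what the prioritization step is meant to produce.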

The problem with vulnerability management tools, though, is that they focus only on security management and not on the bigger picture. Because vulnerability management correlates directly with patch management – a task outside the realm of the security team – it is unreasonable to have tools that manage vulnerabilities but do not take organizational constraints and behavior into account. While vulnerability management does have some value, it is a slow and reactive approach that still leaves the organization at risk of a potentially costly breach.

Vulnerability Remediation

Designed as a strong and ongoing line of defense, vulnerability remediation must be organized, innovative and kept up to date if it is to succeed. Remediation begins with analyzing the connection between the vulnerability and its solution. Once the impact of the solution on the organization’s digital environment is known, manual tasks need to be automated to enable remediation at scale. Integration with DevOps, IT and R&D tools is essential to ensuring that effective remediation practices are applied.

Vulnerability remediation is, in effect, the final piece of the puzzle, and the most important part of protecting and securing your organization. But most vulnerability remediation policies require joint efforts by multiple parts of the organization (IT Security, R&D, QA, DevOps, etc.) and are therefore slow and cumbersome processes. When organizations cannot keep up with the pace and constant flow of new, evolving threats, they are in danger of becoming an easy target. Unfortunately, most existing tools and vendors cannot provide comprehensive and effective solutions to overcome these critical hurdles.

Configuration hardening – the optimal stance

Challenged by the continual and growing number of threats to your networks, the optimal stance is to recognize that, while scanners and management tools are important, you cannot take your eye off configuration hardening. With hardening automation tools you will not need to write a single script or have any specific expertise: they have all the capabilities of security configuration tools and compliance scanners, plus the ability to perform impact analysis.

Both the CIS security controls and the NIST cybersecurity framework recommend that, once a new server or application is installed or updated, the most important security control is to configure it with a sound security policy and ensure continuous adherence to that policy. This means hardening the servers in real time.
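
What “continuous adherence” to a configuration policy looks like in practice is a repeated comparison of each host against the standard configuration for its technology, with every deviation turned into a remediation task. The block below is an added example, not code from the article or from CalCom’s CHS product: it parses constructed per-host configuration snapshots written in the style of an OpenSSH server configuration, checks them against one shared baseline for that role (the “standard configuration for similar technologies” from the list above), and produces a drift report and a work list. The baseline values, host names and snapshot contents are all assumptions.

```python
# Added example, not code from the original article or from CalCom's CHS product:
# parsing per-host configuration snapshots, checking them against a hardening
# baseline and turning the drift into a work list. The baseline values, host
# names and snapshots are constructed assumptions written in the style of an
# OpenSSH server configuration.

# One baseline per technology, so similar systems share one standard configuration.
BASELINES = {
    "linux-ssh": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "X11Forwarding": "no",
        "MaxAuthTries": "4",
        "Protocol": "2",
    },
}

# Constructed snapshots of what a collector reported from each host: (role, text).
HOST_SNAPSHOTS = {
    "web-01": ("linux-ssh", """
# constructed snapshot, fully compliant
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""),
    "web-02": ("linux-ssh", """
# constructed snapshot with three deviations
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""),
    "bastion": ("linux-ssh", """
# constructed snapshot; PasswordAuthentication left at the daemon default
Protocol 2
PermitRootLogin no
X11Forwarding no
MaxAuthTries 4
"""),
}


def parse_config(text):
    """Parse 'Keyword value' lines; comments and blank lines are skipped.

    The first occurrence of a keyword wins, matching how sshd reads its file.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings


def deviations(baseline, settings):
    """Return (key, actual, expected) for every baseline item not satisfied.

    A keyword that is absent counts as drift: the daemon default applies and the
    policy has not been explicitly enforced on that host.
    """
    return [
        (key, settings.get(key, "<unset>"), expected)
        for key, expected in baseline.items()
        if settings.get(key) != expected
    ]


def fleet_report(baselines, snapshots):
    """Map each host name to its list of deviations from its role baseline."""
    return {
        host: deviations(baselines[role], parse_config(text))
        for host, (role, text) in snapshots.items()
    }


def compliance_ratio(report):
    """Fraction of hosts with no deviation at all."""
    if not report:
        return 1.0
    return sum(1 for devs in report.values() if not devs) / len(report)


def remediation_plan(report):
    """Flatten drift into an ordered work list, hosts with the most drift first."""
    plan = []
    for host, devs in sorted(report.items(), key=lambda item: -len(item[1])):
        for key, actual, expected in devs:
            plan.append((host, key, actual, expected))
    return plan
```

Scheduling `fleet_report` to run after every deployment or change window, and alerting when `compliance_ratio` drops or the plan is non-empty, is the “real time” adherence the frameworks describe; the scanner-style weekend cadence discussed earlier would let the web-02 drift sit unnoticed for days.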

CalCom’s Hardening Solution (CHS) can help with your configuration hardening. It automatically implements your desired policy across your entire infrastructure from a centralized management point, while keeping your assets continuously hardened.