Best Practices

Best Practices for Vulnerability Management
4 Steps to Reducing Risk with Vulnerability Management

Is Your Vulnerability Management Process Meaningful To Your Business?
The vulnerability management process can be very useful and provide great return on investment when implemented
carefully, monitored for effectiveness, and adjusted regularly. However, security professionals often report a long list of
implementation, management, and operational challenges inherent in previous-generation vulnerability scanners. But
new technology is transforming vulnerability management into an effective risk reduction tool—and it’s easier than you
think. Here are four best practices to re-invent your vulnerability management process.

Discover Analyze Prioritize Remediate & Track

1 Continuous Vulnerability Discovery: Fresh Data Keeps The Network Secure
Most organizations today use traditional active scanning to discovery vulnerabilities, which requires a remote scan of
each network-attached device. But this approach to vulnerability assessment is often constrained:
• Limitation of access—Some assets and services are so critical that you may be hesitant to access them to
scan because it may impact availability. This becomes the paradox of vulnerability assessment; the assets that
need it the most are the ones we are the most reluctant to assess.
• Distribution of assets—Other assets and services are difficult to identify or access due to location, such as
cloud assets or mobile devices.
• Information overload—Vulnerability scanners drown IT security teams in data and are notorious for producing
the “300-page report” with a long and boring table of vulnerabilities with no network context, risk prioritization, or
actionable fixes.
• Not actionable—Scanner reports prioritize vulnerabilities based on asset importance and a pre-defined
vulnerability severity ranking, typically based on the Common Vulnerability Scoring System (CVSS) scoring.
This methodology does not consider network context and can lead administrators to fix the non-threatening
vulnerabilities and ignore the critical ones.

Because of these constraints, most organizations only scan portions of their networks or scan in segments, which
creates lengthy scan cycles. Both the frequency and scope of vulnerability management become inadequate.

Risk assessments are only as good as the vulnerability data they are built upon, and fresh vulnerability data is
essential. Scanless vulnerability discovery utilizes rule-driven profiling to gather and analyze information repositories
available in every enterprise—typically patch management and asset management systems—to automatically and
accurately deduce vulnerability data on all network nodes.

How can organizations determine which vulnerabilities are critical and which should be skipped? There are two approaches commonly used together for analysis: • Hot Spots Analysis: Finds groups of hosts on the attack surface with a high density of severe vulnerabilities. shielding. Unique technology advantage: Prioritize vulnerabilities by multiple factors Best Practices for Vulnerability Management 2 www. high-risk attack vectors around one or a few hosts that would require quick remediation (patching. With traditional vulnerability management using active scans only every 30 to 60 days and typically not covering the entire network. Scanless vulnerability assessment augments active scans with daily updates 2 Context-Aware Analysis: Critical Risks Are Different For Every Organization Once fresh vulnerability data is available on a continuous basis. The idea is to create a short list of action items that can be executed quickly in order to eliminate the risk of exploitation by attackers. which can be fixed en masse by broad action items. the next challenge is automating analysis of the vulnerabilities that will allow the subsequent prioritization to focus on the critical risks and not waste time chasing low-risk exposures.com . such as patching. • Attack Vectors Analysis: Uses a surgical approach that finds specific. network configuration) to eliminate exposure of specific targeted assets.Scanless detection allows both frequent and comprehensive vulnerability identification.skyboxsecurity. scanless vulnerability discovery provides a second source of vulnerability data that can keep your network up-to-date on the current vulnerability and risk status of your organization.

Traditionally. With this manageable list. Context-aware prioritization whittled that list down to 212 action- challenges a vulnerability’s severity rating. • Second. typically based on the Common Vulnerability aware analysis and prioritization and Scoring System (CVSS) scoring. and existing security controls when determining the impact of a potential attack. you need to determine whether the vulnerability is threatening an important system. For example. the business asset. This means you need to prioritize the identified vulnerabilities to target remediation For one global bank. Will it have little or no impact? Or will it be considerable. a significant impact toward reducing risk and keep the team focused on Looking at vulnerabilities within the context of your network has narrowed the list. Attack simulation can also determine the best point in the attack to deploy security controls. and the security team was able to make the impact of a potential attack.skyboxsecurity. and an isolated view of any of these steps could appear innocuous. including attention. taking down a critical system or extending to other assets? Today’s attacks often incorporate multiple steps that cross several different network zones. asset criticality. Attack simulation finds risks that can be exploited Best Practices for Vulnerability Management 3 www. Attack simulation technology automatically looks at the holistic network and identifies what would happen if the steps were put together. Attack simulation technology looks at network context. if an asset runs an application that is crucial to maintaining the business and requires continuous availability. business metrics. you need to determine what will happen if the vulnerability is exploited.000 vulnerabilities. a medium-level vulnerability that threatens to disable this asset might be a high-level risk to this particular business. The based on asset importance and a pre-defined vulnerability security team then used context- severity ranking. scanner reports prioritize vulnerabilities reported 128. But this doesn’t prioritize the vulnerabilities within your network. an active scan efforts. • First. existing security controls. threat data. 3 Prioritization: Focus Needs to Be on Vulnerabilities that Actually Pose a Significant Risk Odds are you have limited IT resources. But how do you prioritize from there? critical activities.com . asserting that the able items that needed immediate criticality of a vulnerability depends on several factors.

4 Remediation and Tracking: Options Must Go Beyond Patching The final step is remediating critical vulnerabilities.? • Will system changes remediate the vulnerability? For example. Dashboards to monitor and track progress Best Practices for Vulnerability Management 4 www.skyboxsecurity. are there other security controls that may provide protection such as firewalls. you might prioritize easy-to-remediate vulnerabilities over ones that are resource intensive. For example. are you able to reconfigure the network or change access controls to mitigate the vulnerability? • Are there other security controls available? If a patch is not available. availability requirements. and the availability of security controls should be part of the prioritization process. and integrated workflow should generate and track remediation actions across these teams. For effective vulnerability management. Feedback on the effectiveness of your vulnerability management should be used to refine your processes. but network operations teams remediate.com . when you have a list of critical vulnerabilities for your organization. custom application limitations. Learn whether your approach is succeeding as a whole and where and when to apply resources for improvement. Your vulnerability management process should enable effective communication with the relevant IT operations teams. location. remediation should be integrated into the solution and should consider all security controls: • Is there a patch available? Can you deploy a patch or is it “unpatchable” due to system integration issues. Follow these best practices and implementing a meaningful vulnerability management program that actually improves your security will be easier than you think. or other defenses? Remediation should consider all security controls. IPS or anti-malware signatures. etc. not just patching. This would allow you to get the most protection in the shortest amount of time. security teams find the vulnerabilities. In most organizations.

visit the Skybox Security website. otherwise. www. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat manage- ment. you can view a product demo online.Next Steps Implementing these four best practices for vulnerability management can reduce risk across your network. Skybox is a trademarks of Skybox Security. Inc. six of the top 10 global banks and six of the 10 largest NATO members use Skybox Security for automated. To learn more about Skybox Security’s solution for vulnerability management. Find a vulnerability management solution that automates and integrates its processes to support the capabilities outlined here.skyboxsecurity.com/contactus.skyboxsecurity. and continuous compliance monitoring. etc.skyboxsecurity. Skybox Security customers are some of the most security-conscious organizations in the world. integrated security management solutions that lower risk exposure and optimize security management processes. With the right tools. operations.com | +1 408 441 8060 | www. analyze. Skybox Security provides the most powerful risk analytics for cyber security. generating an actionable remediation list—even breaking down the tasks by group (security. BP_VulnerabilityManagement_EN_01162014 . with mission- critical global networks and pressing regulatory compliance requirements. or contact your local Skybox Security representative to schedule a demo at www. and prioritize automatically. All other registered or unregistered trademarks are the sole property of their respective owners.com/contactus Copyright © 2014 Skybox Security. California. Today. About Skybox Security Established in 2002 and headquartered in San Jose. Skybox Security is a privately held company with worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large government agencies. All rights reserved. the tools gather. firewall management. Inc.). giving IT security management and network operations the tools needed to eliminate attack vectors and safeguard business data and services. you will set some guidelines for prioritization and.