Professional Documents
Culture Documents
www.pwc.ch/cybersecurity
Content
1 Introduction 3
1.1 Vulnerability management scope............................................................................................ 4
3 Methodology 6
3.1 IT governance and risk management as a foundation........................................................... 6
3.2 Process integration................................................................................................................. 9
3.3 Tooling and tool integration.................................................................................................. 10
4 Approach 11
4.1 Step 1: Scope, IT governance and sourcing......................................................................... 11
4.2 Step 2: Process integration................................................................................................... 13
4.3 Step 3: Tool integration......................................................................................................... 14
Summary 19
Contacts 20
1 Introduction
A number of factors are making vulnerability management To fill this gap, regulatory bodies are now requiring
an increasingly pressing issue. In addition to industry corporates that process sensitive data to address vulner-
good practice standards such as the NIST Cybersecurity ability management. As a result, auditors are also hav-
Framework, ISO 27001 and COBIT, which for years have ing to verify that organisations are following a risk-based
required companies to identify critical vulnerabilities approach and managing vulnerabilities appropriately. But
and implement timely remediation measures, various what exactly do ‘appropriately’ and ‘risk based’ mean?
industry regulations are now requiring organisations
processing sensitive data such as personal identifiable As such, as a CISO and compliance officer you should
data (PII), payment cardholder data (PAN) and bank address vulnerability management for IT environments
client idendifiable data (CID) to implement risk-based where sensitive data or data with enhanced regulatory
vulnerability management. requirements are processed in order to remain compliant
and to identify and manage your attack surface.
Despite the growing awareness, recent cyber and
ransomware attacks are proof that many organisations This white paper aims to support an organisation to gain
are still failing to address known vulnerabilities with due visibility on existing gaps and to manage vulnerabilities in
care and urgency. In the majority of cyber-attacks, it’s line with industry good practice standards, as well as to
precisely these vulnerabilities that are exploited to attack comply with financial market regulations such as PCI DSS,
corporate and government IT infrastructure. Swift, Finance Market Regulation in Switzerland (Finma),
Lichtenstein (FMA), Singapore (MAS) and Europe (EBA/GL).
Vulnerability management | 3
1.1 Vulnerability management scope
Vulnerability management involves far more than merely It’s also essential to establish a common understanding of
evaluating, implementing and running a vulnerability scan- what vulnerability management means for the organisa-
ning tool. Every organisation needs transparency on the tion and what scope it covers. When IT is outsourced, for
known vulnerabilities within its IT assets to manage the example, the organisation still needs to take care of vulner-
risk of the resulting attack surface. This requires a compre- abilities in the outsourced IT environment.
hensive set-up with diverse components:
Vulnerability management might have different flavours
• IT governance needs to be in place and mature enough depending on the organisation’s IT footprint. For example,
to provide clarity on who’s responsible for compliance if the organisation develops its own software code or uses
of the organisation’s IT estate and to patch a system partners to develop bespoke software, the scope of vul-
within a defined timeframe. If – for whatever reason – nerability management might be extended to cover more
this doesn’t work or it takes longer than the defined than just the known and published vulnerabilities for com-
timeframe to patch, compensatory remediation meas- mercial off-the-shelf IT products. Vulnerability manage-
ures must be applied, or the relevant management role ment has to cover the entire technology stack, including:
must formally accept the residual risk.
• IT and cyber risk management helps business and IT • IT infrastructure: network appliances (switches,
leaders understand the potential business impact and routers, load balancers), smart devices (printers,
take the right actions. When they accept a risk, leaders scanners), IoT/OT and building control etc.
need to understand the potential threat and the busi- • IT platforms: operating systems, databases
ness impact that comes with it. and storage.
• IT service management process integration is
• IT applications: web servers, Java Runtime, middle-
required to integrate vulnerability management in the
ware and standard tools such as web browsers and
existing IT service management and IT security man-
Acrobat Reader.
agement process framework. The focus should be on
aligning vulnerability management with IT asset and All this means that vulnerability management isn’t just an
software life cycle management, monitoring and event aspect of IT hygiene, but an essential part of IT risk and
management, and incident management. This allows compliance management, and key to establishing and
critical vulnerabilities to be handled in due time and if maintaining trust in IT services. A vulnerability scan verifies
necessary escalated as a security incident. whether patches (or other mitigation measures) are applied
• IT and security tool landscape integration enable within the defined timeframe. To apply patches and other
vulnerabilities to be assigned to the appropriate peer remediation measures, change and patch management
group, use to be made of orchestration and automa- procedures need to be executed by the relevant teams.
tion to concentrate on the critical vulnerabilities for The assessment results in an overview of the application
the organisation in question, different viewpoints to be landscape and its associated data processing, providing
consolidated, and the SOC team to be provided with you with a comprehensive picture of your applications,
relevant information on the attack surface. prioritised by operational importance and dependencies
(risk based approach). This approach ensures prioritisation
Given these complex and interlocking requirements, many of your resources across the organisation’s applications,
organisations are struggling to bring vulnerability man- so you can start by addressing the highest risks in relation
agement to the next level – not just to identify vulnerabili- to data minimisation.
ties, but also to agree where and within what timeframe
remediation measures will be applied and how to handle
exceptions where no patch is available or the patch can’t
be applied.
4 | Vulnerability management
2 Terms and definitions
Term Definition
CI Configuration Item
IP Intellectual Property
Vulnerability management | 5
3 Methodology
Figure 1: The vulnerability management process
1. Prework: IT governance as
Prework
Vulnerability Management Scope a foundation to identify what
IT Governance framework IT assets are in scope and to
Tooling & tool integration have clearly defined roles and
Process Integration
Sourcing Options responsibilities to establish
and maintain ‘compliant data
processing’.
Triage / assignment
Rescan Prioritize
ify
Eva
Tooling and tool integration are essential to get the best seamless integration into the IT service management
value and benefit from vulnerability management. For (IT ticketing) system and the IT asset register/CMDB, and
optimum integration, consider combining vulnerability use automation capabilities and playbooks rather than
scanning tools with an orchestration solution for designing workflows in many different tools.
6 | Vulnerability management
Figure 2: The three lines of defence in governance according to COSO
Sets organisation’s
Organisations board objectives
E
S
NC
G
ON
IN
IA
I
RT
AT
L
MP
ER
PO
BUSINESS UNIT
CO
OP
RE
FUNCTION
Contol Environment Framework used to
ENTITL-LEVEL
DIVISION
manage risk and
Risk Assessment control to accomplish
objectives
Control Activities
Monitoring Activities
Security Organisational
structure to
Management Internal Control Risk Management Internal execute risk and
Controls Measures Audit control duties
Quality
Inspection
Compliance
Vulnerability management | 7
Figure 3: IT and security governance – in a nutshell
Regulations & LOD 2 IT security policy & roles LOD 1 (IT) – Security standards
standards
Identify regulatory requirements and define a Define a security architecture with a set of
• FINMA strategy WHY cybersecurity & data protection is technical and organisational controls
• PCI DSS required and how to measure & mitigate risks Apply the control sets in IT/IT OPS:
• EU-GDPR • Client & server end-points
• E-Health Define policy framework to define WHAT needs • Application & platforms
to be done by WHOM to protect data and IT • Network infrastructure
• Etc.
• User identities
8 | Vulnerability management
3.2 Process integration
Vulnerability management is not a process on its own.
It’s a dedicated viewpoint on IT service management and
IT security processes.
Figure 4: Process steps of vulnerability management as part of your IT service management process landscape
management
2. Run 3. Analyse & 4. Map & split 5. Prioritise 7. Create 8. Triage & plan
1. Discover 6. Decide/
Start vulnerability apply environment findings to IT vulnerabilities incident for remediation
network zone whitelist
scanning rating asset/CI for remediation vulnerability actions
• IT asset and configuration management: In this • Incident management: All events that need a timely
process the context and scope of vulnerability manage- reaction must be escalated as a security incident.
ment are defined. The organisation should start with IT As an example, the Windows team operating several
assets where (business) sensitive data and data with hundred servers should receive one security incident
enhanced regulatory requirements are processed. This ticket indicating what server needs to be patched. The
means that clear mapping of IT infrastructure compo- ticket should have either a link or information on what
nents to IT services is required. vulnerability was discovered and what remediation
measures are suggested. Incident management ensures
• If your organisation processes bank client data or
that an incident is processed within a defined timeframe
PCI cardholder data, it must have an inventory
and, if necessary, triaged or escalated to another team
of IT applications and application components
or management function.
processing sensitive data.
• The IT platform components (operating system,
databases and data storage) and the IT infrastruc-
ture components (physical data centre, server,
storage, firewall and network appliances) underneath
the IT application need to be mapped in order to
understand what regulatory requirements apply to
the IT components. This is usually maintained in a
configuration management database (CMDB).
• The software packages used by the organisation
should be split into standard SW packages and non-
standard SW. For standard SW packages a defined
and tested version is provided, and a dedicated
operation team is assigned (e.g. Windows Server,
Linux Server or Oracle Database). For both standard
and non-standard SW, clear responsibilities need
to be defined to ensure a process is established to
acquire and deploy the latest security patches for all
installed SW packages in the organisation.
• Event management: On the basis of IT asset discovery
and vulnerability scanning, events are created and
stored. These events need to be processed in a way
that vulnerabilities with potential to cause a high impact
to the organisation if exploited are identified. Here the
main challenge is to split the identified vulnerabilities
between the relevant operation teams and to group
them in such a way that a vulnerability can be prioritised
in the context of a specific organisation.
Vulnerability management | 9
3.3 Tooling and tool integration
Effective and efficient vulnerability management requires The following graphic shows an example of how the
an integrated tool landscape. On the basis of our experi- relevant tools might be integrated:
ence, we strongly recommend making use of an orches-
tration tool rather than trying to integrate each individual
security and compliance management tool with the IT
service management tools.
Figure 5: Example of architecture building blocks and data flows for vulnerability management
IT asset discovery & vulnerability Orchestration & automation Response & remediation tools
scanning tools
IT service management tools
External scanners SOAR Tool for orchestration Incident/ticket system
(PCI DSS Asv Scan) and automation
Change management
Internal scanners
Problem & exception management
Agent-based
Network scanner
Reports & logs
IT asset inventory
Admin/management system Vulnerability
Management reports
Server management
Vulnerability
DB / Storage Management dashboards
IT asset IT service/ Inventory
inventory/ application of data Audit evidence
Network management CMDB inventory collections
preservation
PAM tool/password manager
The following building blocks enable optimum integration • SOAR: This allows the aggregation and enrichment/
with the tool landscape and automation of vulnerability grouping of data and is ideally done in a dedicated
management processes: SOAR tool so that different scanning tools can be
combined if needed.
• PAM tool: A privileged access management (PAM) tool
allows agentless scanning with credentials, without the • Response & remedation tools
credentials of privileged accounts having to be stored • Ticketing tool: For each vulnerability detected,
in the tool (e.g. CyberArk). This tool is not necessary if
a security incident is opened and assigned to the
agents are used.
corresponding support group. Exceptions can be
• IT asset inventory mapped in the same tool (e.g. as a problem workflow)
• CMDB: The CMDB is the (universal) configuration or in another tool.
management database, containing all IT assets/ • Change management tool: This shows when a
configuration items (CIs) in the system with a unique patch/update is to be tested and rolled out in the
identifier and a person to contact. This is important different environments (DEV/TEST/UAT/PROD).
to be able to allocate an IP address’ vulnerabilities to
different support groups (for the operating system,
the database and the web application etc.) (e.g. HP
ITSM) as an inventory of network segments, the
environment rating for each network segment and the
IP ranges for each network segment.
• Data collections: This is where the confidentiality
rating of the data or IT systems is stored in order to
enrich the environment rating with system criticality.
• Scanning tool: Depending on the IT estate an
organisation manages, it might be necessary to use
more than one scanning tool. Several management
suites include functionality to verify whether the
managed estate is up to date, or even to roll out the
latest patches.
10 | Vulnerability management
4 Approach
This section describes how the methodology explained in Section 3
is applied to a specific client environment, step by step.
Vulnerability management | 11
Table 1: RACI matrix for roles and responsibilities
Security Engineering
Information Security
IT Management
Service Owner
Internal Audit
IT OPS Team
IT Risk
CSIRT
CISO
Activities
Prework Overall responsibility for compliance in terms
of data protection and cybersecurity. C A R C I C
Verify
Track end-to-end Vulnerability Status I I I R A I
Report Providing reports (Ad hoc, regularly) including
KPIs I R A I I
12 | Vulnerability management
4.2 Step 2: Process integration
Integration into the life cycle of IT assets and software To design the vulnerability management process and
(SW) packages is crucial to the design of the vulnerability align with the existing process framework, we recommend
management process. This ensures that when an IT asset/ defining use cases, which are triggered by an external
software package is deployed, it is formally integrated into event such as:
compliance monitoring and there is verification that the IT
• A new critical vulnerability is publicly disclosed by
asset fulfils the compliance-relevant security requirements.
a vendor or a national CERT (Computer Emergency
If the deployment is non-compliant, the unit that initiated Response Team).
the release process is responsible for establishing
• A major SW vendor releases patches (e.g. Microsoft
compliance or approving an exception. After compliance
patch Tuesday).
has been established by the project, the operational
organisation ensures that compliance is maintained • A new SW/IT asset is introduced in your organisation
throughout the entire life cycle. and needs to be integrated into vulnerability
management.
• An IT asset is end of life and is decommissioned.
Figure 6: Example of how the vulnerability management process might be integrated into the ITIL process landscape
SW/asset life cycle of
Remediation in time?
Existing life cycle process steps client 2
management
Run
Compliance
Security yes
discovery & incident
Existing processes for integration with vulnerability End
Vulnerability Management process
scan
no
New Vulnerability Management process
to be created by PwC Risk & 3 Security
compliance exception
reporting process
We consider the following use cases to be relevant for the 3. Vulnerability scanning: After the scan is completed,
vulnerability management process. They should be taken the vulnerabilities are analysed and assessed. To do
into account in project planning for the introduction of this, the CVSS score suggested by the vulnerability
vulnerability management: management system is enriched with an organisation-
specific factor on the basis of the network segment and
1. Onboard IT asset: A systematic process (typically the criticality of the IT system or the data processed
release management) ensures that a new IT asset with it. In addition to the scan, vulnerabilities can also
that is put into operation meets the defined security be submitted for analysis via other sources (PenTest,
requirements and does not have any vulnerabilities or Vendor Alert, ThreatIntel/OsInt, CSIRT and SOC etc.).
unnecessary software packages at the time of initial A scan is either planned to run periodically such as
operation. weekly or executed on specific events. After completion
of a scan and the analysis/assessment of the detected
2. Discover IT assets in network zone: The recurring
vulnerabilities, a report is created. If required, ad-hoc
scan (for example weekly, monthly or quarterly) takes
reports can also be created and specific scans can be
place at defined times. For this purpose, the inventory
commissioned.
contains a current list of network segments, their risk
assessment (for CVSS environment rating) and the IP 4. Decommissioning of the IT asset: At the end of the life
ranges. An IT asset register or CMDB contains an up-to- cycle, an IT asset is decommissioned and consequently
date list of the devices expected in a network segment. removed from the compliance monitoring tool.
Vulnerability management | 13
In the design of the vulnerability management process, it’s 4.3 Step 3: Tool integration
important for assessment and prioritisation, as well as the
enrichment of environment-specific parameters of detected As mentioned earlier, vulnerability management requires
vulnerabilities, to take place in one process step. This one or more vulnerability scanning tools, depending on
ensures that a manageable level of relevant vulnerabilities is the diversity of the IT landscape. Such tools can be either
assigned to the IT organisation for processing. deployed on premises or acquired on a software-as-a-
Depending on the suitability of the security process service (SaaS) basis. Vulnerability scanning can be done:
framework, either a detected and assessed vulnerability
• with an agent installed on the relevant end point (for
can be passed on to the security incident process, or
servers and clients)
adjustments still have to be made for a new security
• with a network scanner covering one or several network
incident designated as a ‘vulnerability’.
segments (FW rule needs to allow scanning of multiple
It is essential for detected vulnerabilities with a weighted
network segments if required)
risk rating of ‘critical’ or ‘high’ to be handled. For this to
• via a specific management interface to verify that con-
happen, an appropriate unit in incident management must
figuration is in accordance with vendor recommendation
regularly track incidents designated as a ‘vulnerability’ so
that they are either triaged to the right units or, if necessary, • or a combination of the above.
escalated if no solution is found by the tech teams so that
the vulnerability is either eliminated by the next scan, a After selecting the right sourcing option for the
compensatory measure is taken or an exception is approved vulnerability scanner and defining the process landscape
by the defined patch standard time objective. for vulnerability management, a solution architecture
should be drafted to assign the right tools to the building
To process the next scan cycle, it’s important to be aware
blocks as defined in Figure 5: Example of architecture
of the following questions in advance:
building blocks and data flows for integrated vulnerability
• Should an incident be opened again for a vulnerability that management. As a result, in the functional building
was already recorded in the last scan but is still open? blocks the tools that already exist or are to be acquired
• Should vulnerabilities lead to an incident in situations are represented together with the anticipated data flows
where the manufacturer has provided a security patch between the tools.
and this patch is planned in the change management
tool but has not yet been applied in all environments? Many vulnerability management tools offer some basic
workflow functions to process and triage vulnerabilities.
• How should the different patch cycles/change windows
But we suggest integrating the vulnerability scanner into
within the IT environment be handled? Do different
your service management and security operation tool
patch time objectives apply or are exceptions used?
landscape rather than building a new ecosystem to handle
• How long should an exception be valid before a vulnerabilities. To do this, we suggest using a security
vulnerability that is still open leads to an incident again? orchestration, automation and response (SOAR) tool for
• Is the IT organisation able to meet the time objective for security and compliance monitoring tasks and to gain a
a critical vulnerability (e.g. ten days) for all technologies? consolidated view of your current IT estate – ideally such
How (emergency change)? a tool is already in place in the SOC where the various
interfaces can be leveraged.
14 | Vulnerability management
• A SOAR aims to automate steps in a playbook after
humans decide that specific steps do not need to be
executed manually and tests have to be done to make
sure it works in several iterations.
• A SOAR should provide a ‘single pane of glass’ for se-
curity analysts and compliance monitoring by consoli-
dating different views of your IT estate.
• A SOAR allows replacement of a vulnerability scanning
tool if it turns out that there are more innovative solu-
tions on the market by merely re-engineering the inter-
face and continuing to use the established playbook.
This allows rapid adoption of new technology and tools.
• A SOAR allows you to implement a large portion of the
process steps in a tool so that there is accountability on
whether steps have been executed and time objectives
have been met. This allows you to provide comprehen-
sive reporting and streamline evidence preservation
for audits.
Vulnerability management | 15
5 How we can support you with
vulnerability management
We can support you in three
different ways:
Managed service
16 | Vulnerability management
5.1 Assessment 5.3 Operation
Reviewing your current status by performing a gap analysis. We offer vulnerability management as a managed service.
Our Cybersecurity & Privacy team runs the tool either
We recommend analysing the gaps between your on the client’s premises or in the cloud to ensure that
current set-up and applicable regulation for you (such as recurring scans are carried out.
FINMA, PCI DSS, SWIFT) new cyber-risk management
requirements and guidelines. This will show what initiatives The managed vulnerability service basically covers:
you have to implement to be compliant, as well as
• scanning IT components
benchmarking your organisation’s maturity.
• creating a tailored report
We suggest making a detailed roadmap including priorities • deriving relevant activities from the scanning report
for projects and deadlines. To achieve buy-in, it’s advisable
• triage of remediation tasks to the appropriate OPS team
to submit this roadmap to the executive and board of
as a security incident.
directors for approval.
The following services are also covered:
5.2 Transformation
1. Operation and maintenance/updating vulnerability
We help you define the technical architecture for the tool management tool components and interfaces for a
landscape and the integration of the defined process steps. compliance monitoring solution.
A huge part of vulnerability management is remedying the 2. Running through the discover, analyse, triage and
identified vulnerabilities and enhancing the specific solution. report steps of the defined vulnerability management
process so that the vulnerabilities that are relevant for
We close the identified gaps and help you comply with the organisation are identified, evaluated and allotted
the regulatory and security requirements. This includes to the group responsible.
conceptualising the technical scanning architecture as
well as developing and establishing the organisational and
procedural requirements for vulnerability scanning.
management
2. Run 3. Analyse & 4. Map & split 5. Prioritise 7. Create 8. Triage & plan
1. Discover 6. Decide/
Start vulnerability apply environment findings to IT vulnerabilities incident for remediation
network zone whitelist
scanning rating asset/CI for remediation vulnerability actions
processing
Tool for
Vul. Vul. Vul. scan / Vul. scan / Event mgr / Event mgr / Event mgr / Incident
scanner scanner SOAR SOAR SOAR SOAR SOAR tool
Interface
Vulnerability management | 17
In the preceding project phases, the tools are set up, • The vulnerability analyst helps the respective technol-
configured and integrated into the system landscape. ogy teams find a remediation measure acceptable to
the organisation (patching and uninstalling the software
The OPS team is responsible for operations, mainte- package etc.).
nance, troubleshooting and continuous improvement
and elimination of false positives. • Either a change request is opened with the defined
remediation measures or an exception process is
Major customisations and problems are handled in started.
cooperation with professional services at the tool
• For the start of the operational phase, we recommend
manufacturer.
having the project [team] provide ‘early life support’
so that the introduction of the new processes is
successful and the backlog of older vulnerabilities can
be processed systematically.
5.3.1 Identifying relevant vulnerabilities
(as-a-service) If required, the analyst can draw on a pool of SMEs.
18 | Vulnerability management
Summary
As we’ve seen, vulnerability management isn’t just an This is a complex undertaking. The good news is that best
aspect of IT hygiene, but an essential part of IT risk and practices are available, as well as a choice of modalities
compliance management, and key to establishing and to implement the right vulnerability management set-up
maintaining trust in IT services. An effective vulnerability for any given organisation – a set-up not just matched to
management set-up needs to go further than simply its protection needs, but also to its structures, capabilities
assuring recurring scans of vulnerabilities. It involves the and resources. A workable solution is within reach. The
following three aspects: important thing is to start thinking about it now, be aware
of the challenges, and seek expert support if you need it.
• process integration
• IT governance
• tooling
Vulnerability management | 19
Contacts
For more information please contact our experts
www.pwc.ch/cybersecurity