[Seth] “The journey of a thousand miles begins with a single step.” “Beginning is half of the whole.” You can’t wish improvements to security; you have to take action. Whether that’s making a plan or taking the next step in the plan, the important thing is to do something.Some things are more easily accomplished than others. In vulnerability and compliance management, is there ONE THING you can do this week to improve your security program? If you gave it some thought you could probably come up with a half-dozen near-term accomplishments.
[Seth]But it’s not enough to take some action. You have to demonstrate not only that you’ve done something, but that what you’ve done has the desired effect. Whether this is a report to the executive committee or a chart for the technical staffs, you have to demonstrate that the work being performed is worthwhile, effective, and important to folks who are paying for it and folks who are performing it.In the context of vulnerability and compliance management, this means reporting. What data are you collecting about your program, and what information are you communicating to the program’s stakeholders? What improvements can you make in the reporting process so that it will be easier for you to show future successes?
[Bill] Refresh your memory: why did you implement a vulnerability and compliance program in the first place? Is your current process meeting your needs? If not, it’s time to change the game. Where are you on the maturity model? Are there improvements you can make to any one of the six components that will drive you towards the original goals?
[Bill] This represents a capability maturity process area focused on vulnerability and compliance management. There are six general categories that should be monitored. Moving clockwise around the spider graph:Coverage: are all your assets being scanned for vulnerabilities and compliance? Are there segments of your network environment that are off limits or otherwise outside your view? Do new networks and new devices get added to scan profiles promptly?Scan Depth: are you using credentialed scanning to get an “inside look” at the assets? This is advantageous to determine the actual security posture of the device.Frequency: how often are you scanning? More frequently = better intelligence.Reporting: are your reports provided to all levels of management and across your lines of business? Do they convey accurate information that will promote the desired response?Remediation: is your organization prepared to remediate the vulnerabilities and noncompliances found by the assessments? How responsive are the groups tasked with this mission?Currency: do you keep the scanning profiles and vulnerabilities databases up to date to ensure you’re scanning for the latest vulnerabilities?
[Bill] This is the vulnerability / compliance process wheel. It starts with a design, goes through planning and execution, and then reporting and remediation of found vulnerabilities and noncompliances. Based on the lessons learned during one cycle, the design is refined, new capabilities are introduced, and the cycle begins again.Key to the success is appropriate communication at all stages.
[Seth]Your work as a security professional can seem invisible – especially when you have no crises. It’s important to ensure that you’ve got the appropriate level of visibility – and for the right reasons – at all times. Reporting can be an effective way to communicate your goals and the performance of your security program – whether it’s to highlight successes and share praise, or to focus on an opportunity for improvement and areas that need attention. It is vital that the reports both reach and are target to specific audiences – an overly-technical report may not be suitable for inclusion at an executive board meeting, for example. Likewise, a high-level report will not give your security practitioners and other technical staff actionable information that will help them achieve your security program goals.
[Seth]This is an example of a maturity model report covering two quarters. It is appropriate for senior management and will show both progress towards some of the maturity goals you’ve set as well as the gaps where you might need some help from other stakeholders.In this example, the program has seen great progress in remediation, currency, and coverage, but needs to improve scan depth – perhaps by using credentialed scans. Frequency of scans has actually decreased in effectiveness from the previous quarter, so some analysis would probably be of benefit there. Reporting continues to be ok but improvements are certainly possible.
This is a high level representation of total vulnerability score – called the “Waher index” after its creator, AlexWaher. Here, it provides feedback on the relative vulnerability risk and remediation effects across two networks within the company: the business side and the operations network. Key messages are provided at the right, but the conclusion is clear: the effort spent remediating vulnerabilities in the operations network since September has resulted in a huge decrease in the vulnerability score (and, by implication, the associated risk on that network).This report is good to provide a quick snapshot of activity and progress to peers who have staff members involved in scanning and remediation activities.
This report breaks out average vulnerability scores by technology and by location, and is intended for use by IT management. At a glance, it is clear that Toronto needs some help reducing vulnerabilities in its Windows server environment, while San Francisco and Munich need to concentrate on both Windows and UNIX. In addition, it appears that the endpoint security program in San Francisco is not as effective as it is in Toronto and Munich.Reports like this can help get resources aligned across location and business/technology functions.
This report is intended for IT staff – both security and operations. It provides a quick list of the most significant vulnerabilities within an environment based on the relative weighted risk (vulnerability score multiplied by the number of hosts, as a percentage of the total vulnerability score across all hosts and vulnerabilities). It is intended to help prioritize remediation resources to focus on the most critical issues first, and will allow security analysts to take a “macro” view as suggested by the key messages; in particular, that strong credentials represent 4 of the top 10 and almost 55% of the total vulnerability score, and that applying 4 Windows patches would provide an immediate score reduction of almost 12%.