A Vulnerability Management System was implemented as a practice within the Organization across the Global Business Unit (India, Middle East & Africa). The implementation covered Vulnerability Assessment and Remediation. The assessment is based on Severity Levels (Actual & Potential) obtained by vulnerability scanning of all devices connected to the Internet, Intranet & Service Network. A Weighted Intrusion Rate (WIR) is computed through a formula for each of these networks, and the resulting value must be kept below a pre-decided threshold for that network. These values give the vulnerability status of the region and so also form the KPI for the assessment. The project was completed over a period of three months after elaborate testing and assessment. The implementation improved the efficiency of the security team in terms of reduced time, effort and cost, and the formation of a Vulnerability Monitoring Team made the practice more effective by reducing the time taken to remediate vulnerabilities.
Checklist for Vendor Evaluation:
Experience invariably shows that no single vendor provides solutions for all the components of a vulnerability management system. Before deciding on a tool it is therefore necessary to understand its capabilities and shortcomings well. A sample checklist that can help during evaluation follows:
- Asset Management: Whether the tool provides its own asset inventory database, whether that inventory can be extended with additional fields, and whether it can integrate with other asset management repositories
- Versatility: Ability of the tool to operate across Windows OS versions, diverse platforms, applications and devices
- Ability to Aggregate: The product must inter-operate with other security technologies, e.g. ISS Internet Scanner, MS MBSA, Nessus, Foundstone, Retina, BindView etc. In other words, the product should be able to aggregate vulnerability data from multiple, dissimilar sources
- Vulnerability references: The tool should identify the source of each piece of vulnerability information and be compatible with Common Vulnerabilities and Exposures (CVE), referencing CVE identifiers
- Ranking: The tool should be able to rank/prioritize remediation efforts
- Enforcement of Policy: The product should be able to assign each identified remediation an enforcement level, from mandatory (needed) to forbidden (risk accepted, the change is not to be applied), through a centralized, policy-driven interface
- Management of remediation groups: The tool should permit grouping of systems in order to manage remediation and control access to devices
- Remediation: The product should be able to tackle both vulnerabilities caused by system misconfiguration and vulnerabilities caused by missing or inappropriate patches, e.g. deploying changes to the OS or applications such as disabling/removing accounts (i.e. accounts with no password or no password expiration), disabling and removing unnecessary services, deploying patches to the OS or applications, and hardening services such as NetBIOS, anonymous FTP, hosts.equiv etc.
- Integration Capability: The ability of the product to include or integrate existing patch management tools
- Maintain distributed patch repository: The product's ability to load-balance patch distribution and spread the associated bandwidth across repositories installed in various strategic locations
- Patch Installation Failure Info: The tool should be able to report if a patch installation has been unsuccessful or needs re-installation
- System of Workflow: The product should follow a workflow system that assigns and tracks issues. It should automatically assign tickets based on defined rule sets (e.g. vulnerability, owner, asset classification etc.). It should interface with common corporate workflow products such as Remedy and HP Service Desk
- Usability: The tool should operate on the network with minimal or no impact on business operations and should have an intuitive user interface
- Report Generation: The tool should generate reports that measure the remediation success rate and trend remediation efforts over time. The reports must be detailed and customizable
- Appliances: It must be known whether the tool is software-based or appliance-based. A software-based solution is affordable and may run on existing hardware, reducing upfront capital expenditure, while an appliance-based solution provides performance and reliability advantages
- Deployment of Agents: How the application deploys its agents and whether it can leverage agents already present on the system; whether agents can be deployed simultaneously to a group of assets, to reduce deployment constraints
- Standard Configuration: Availability of predefined security configuration templates for the assessment, since in some cases such templates support regulatory requirements like SOX, HIPAA and the ISO/IEC 27000 series
- Vulnerability Research Team: The vendor must have its own vulnerability research team and must be an active participant in the security community through the identification and release of security vulnerabilities. The vendor must practice responsible disclosure. The vendor must release checks for vulnerabilities it has discovered before the OEM has remediated them. Also consider the methodology the vendor adopts to respond to vulnerabilities in its own products
- Frequency of vulnerability update releases: How often the vendor releases vulnerability updates and how they are distributed. The distribution mechanism must leverage industry-recognized secure communication protocols
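As an added example (not code from the article or from any of the vendors named in the checklist), the following Python script shows what the aggregation, CVE-reference, ranking, policy-enforcement and reporting items above look like in practice: two constructed scanner exports with different field names and rating scales are merged on CVE per asset, ranked by severity weighted by the asset's network classification, filtered against an accepted-risk list before tickets are routed to an owner, and compared with a second constructed scan cycle to compute a remediation success rate and list the findings still open. The field names, hosts, classification weights, owners and accepted-risk entry are assumptions made for the example.

```python
"""Added example: merge findings from two dissimilar scanner exports,
de-duplicate on CVE per asset, rank by severity and asset classification,
apply an accepted-risk policy before raising tickets, and compute a
remediation success rate between two scan cycles."""

# Constructed sample exports (hypothetical data, not real scanner output).
# The CVE numbers are real public identifiers; their mapping to these
# private addresses is invented for the example. Scanner A reports
# host/cve/risk, scanner B reports ip/cve_id/cvss: dissimilar sources.
SCANNER_A_CYCLE1 = [
    {"host": "10.1.1.10", "cve": "CVE-2014-0160", "risk": "High"},
    {"host": "10.1.1.10", "cve": "CVE-2013-2566", "risk": "Medium"},
    {"host": "10.1.2.20", "cve": "CVE-2014-0160", "risk": "High"},
]
SCANNER_B_CYCLE1 = [
    {"ip": "10.1.1.10", "cve_id": "cve-2014-0160", "cvss": 5.0},  # same finding as A, rated lower
    {"ip": "10.1.2.20", "cve_id": "CVE-2012-0002", "cvss": 9.3},
    {"ip": "10.1.3.30", "cve_id": "CVE-2013-2566", "cvss": 4.3},
]
# Second cycle, after remediation: only two findings remain.
SCANNER_A_CYCLE2 = [
    {"host": "10.1.2.20", "cve": "CVE-2014-0160", "risk": "High"},
]
SCANNER_B_CYCLE2 = [
    {"ip": "10.1.3.30", "cve_id": "CVE-2013-2566", "cvss": 4.3},
]

# Asset classification follows the three networks of the case study above;
# the weights, owners and accepted-risk entry are assumptions for the example.
ASSET_CLASS = {"10.1.1.10": "internet", "10.1.2.20": "service", "10.1.3.30": "intranet"}
CLASS_WEIGHT = {"internet": 3, "service": 2, "intranet": 1}
CLASS_OWNER = {"internet": "web-ops", "service": "platform-ops", "intranet": "desktop-ops"}
SEVERITY = {"High": 3, "Medium": 2, "Low": 1}
# "Forbidden" enforcement level: risk formally accepted, so no ticket is raised.
ACCEPTED_RISK = {("10.1.3.30", "CVE-2013-2566")}


def cvss_to_severity(score):
    """Map a CVSS base score onto the High/Medium/Low scale used by scanner A."""
    return 3 if score >= 7.0 else 2 if score >= 4.0 else 1


def normalize_a(rec):
    """Scanner A record -> (asset, CVE id, severity 1..3)."""
    return rec["host"], rec["cve"].upper(), SEVERITY[rec["risk"]]


def normalize_b(rec):
    """Scanner B record -> (asset, CVE id, severity 1..3); CVE ids are case-folded."""
    return rec["ip"], rec["cve_id"].upper(), cvss_to_severity(rec["cvss"])


def aggregate(sources):
    """sources: list of (scanner_name, normaliser, records).
    Returns {(asset, cve): {"severity": int, "sources": set}}, keeping the
    highest severity when scanners disagree and recording which scanners saw it."""
    merged = {}
    for name, norm, records in sources:
        for rec in records:
            asset, cve, sev = norm(rec)
            entry = merged.setdefault((asset, cve), {"severity": 0, "sources": set()})
            entry["severity"] = max(entry["severity"], sev)
            entry["sources"].add(name)
    return merged


def rank(merged):
    """Order findings by severity x asset-class weight, highest first;
    ties are broken by asset and CVE so the order is reproducible."""
    def score(key):
        return merged[key]["severity"] * CLASS_WEIGHT[ASSET_CLASS[key[0]]]
    return sorted(merged, key=lambda k: (-score(k), k[0], k[1]))


def assign_tickets(ranked, accepted_risk):
    """One ticket per actionable finding, routed to the owner of the asset class.
    Accepted-risk findings are skipped but remain in the aggregated data."""
    return [{"asset": asset, "cve": cve, "owner": CLASS_OWNER[ASSET_CLASS[asset]]}
            for asset, cve in ranked if (asset, cve) not in accepted_risk]


def remediation_rate(previous, current, accepted_risk):
    """Share of last cycle's actionable findings no longer seen this cycle, and the
    ones still open (candidates for a failed patch or one needing re-installation)."""
    actionable = [k for k in previous if k not in accepted_risk]
    still_open = [k for k in actionable if k in current]
    rate = 1 - len(still_open) / len(actionable) if actionable else 1.0
    return rate, still_open


if __name__ == "__main__":
    cycle1 = aggregate([("A", normalize_a, SCANNER_A_CYCLE1), ("B", normalize_b, SCANNER_B_CYCLE1)])
    cycle2 = aggregate([("A", normalize_a, SCANNER_A_CYCLE2), ("B", normalize_b, SCANNER_B_CYCLE2)])
    for asset, cve in rank(cycle1):
        entry = cycle1[(asset, cve)]
        print(f"{asset} {cve} severity={entry['severity']} seen_by={sorted(entry['sources'])}")
    for t in assign_tickets(rank(cycle1), ACCEPTED_RISK):
        print("ticket:", t)
    rate, still_open = remediation_rate(cycle1, cycle2, ACCEPTED_RISK)
    print(f"remediation success rate: {rate:.0%}; still open: {still_open}")
```

Two design points worth noting. The six raw rows collapse to five unique findings because the same Heartbleed instance is reported by both scanners under differently-cased CVE ids and different rating scales; keying on the normalised CVE per asset and keeping the highest severity is what turns two tools' output into one view. The accepted-risk entry is deliberately excluded from both ticketing and the success-rate denominator, so a documented risk acceptance neither generates noise nor drags the KPI down, while a finding that survives into the next cycle is reported separately as a likely failed or missing patch.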
With Murli Menon, Atos, on How To Evaluate Vulnerability Management System Vendors
Do share your views on vulnerability management tools in comments below.