Vulnerability management programs exist to identify security vulnerabilities and provide the data necessary to perform remediation. Traditional vulnerability management focuses on tracking live vulnerabilities, and remediation validation takes it one step further and focuses on also tracking closed vulnerabilities – and explains why they’re now resolved.
Remediation validation is important to assess the success of your remediation efforts and whether site objectives have been met. It also enables your company to systemically document your conclusions, decisions, and rationale for remediation plan.
In addition, you may also be subject to regulatory requirements, like PCI DSS, which seeks confirmation that independent verification was performed, by someone other than those that implemented the fixes, and can produce a deliverable that confirms that remediation was successful.
Organizations organically work through the following stages:
The ultimate goal of vulnerability management is to remediate vulnerabilities.
Yet, industry standard tooling focuses on showing how poor an environment is performing. Alongside this comes a risk score and other performance indicators and pretty charts, all distracting from the main point. Too often organizations get lost tracking vulnerabilities in pretty dashboards, excel spreadsheets, JIRA, ServiceNow, etc. rather than focusing their attention on reducing risk.
Time is spent searching for and integrating security tooling to achieve that ‘single-pane-of-glass’ view. But unless you’re tracking remediation efforts, the vulnerability data is stale as soon as it enters the tracking tool.
Don’t tell me how bad it is, tell me how good i’m doing.
Scoring tools, attack simulation, breach emulation, none of it matters if the organization is not identifying real vulnerabilities and remediating them in a timely manner. A better question to ask yourself is “are we remediating?”. If so, where and how? Nobody wants to see a list of a hundred open issues. Everyone – including your corporate board – likes to see lists of resolved issues.
Remediation management is a return on investment.
Remediation shows the health of an organization’s vulnerability management program, and how quickly issues are being resolved. Sticking to the point, we identify vulnerabilities in order to remediate them. A return on investment for vulnerability management is remediation management. When cybersecurity is typically a loss center, remediation tracking and proof of resolution is a clear signal of success.
Organic vulnerability management maturity levels.
No visibility
The organization has identified that vulnerability scanning needs to take place, this is the start of the vulnerability management program. As it stands, the organization is blind to security vulnerabilities, and does not have an understanding of the current risk exposure. The NIST CSF, CIS controls, or other audit, governance, and compliance framework is identified for alignment.
Vulnerability scanning
The first hurdle, a vulnerability scanning tool must be identified, purchased, deployed, configured, and maintained. A non-trivial amount of domain knowledge is required to setup the scanning software correctly. This must simpler in newer environments that are cloud deployed, and traditionally much more challenging when organizations have multiple sites, data-centers and cloud environments. The next challenge is inevitable: dealing with the volume of issues generated by tools.
Issue tracking
Making sense of the volume of issues generated from vulnerability scanners is a tale as old as time. Year-over-year there are more new CVE’s published, with increasing criticalities. Its not uncommon for scanners to report hundreds, thousands, or tens of thousands of vulnerabilities, across varying severities. Organizations at this stage look to procure yet another tool for issue tracking, or fall back to the tried-and-true solution: Excel spreadsheet (Google Drive if you’re hip). The next challenge? It’s only logical, given X number of issues, what should be actioned first?
Risk-based prioritization
Leveraging vulnerability and threat intelligence platforms to augment CVSS scores and CVE data, adding real-world risk factor to vulnerabilities, such as: current active exploitation, use in ransomware, presence in the CISA known exploited catalog, and exploit prediction scoring system scores (EPSS). Ultimately, the goal is to provide some sane method for prioritizing the vulnerabilities identified from vulnerability scanning so that they can be reviewed for remediation. Risk based vulnerability management tools go by many names, including RBVM, unified vulnerability management (UVM), and vulnerability prioritization tools (VPT).
Remediation validation
At the end of the vulnerability management lifecycle: the vulnerability scanner identified the issue, it was tracked in the issue tracking solution, it was cross-referenced with threat and vulnerability intelligence data to perform risk-based prioritization, and an analyst/engineer has applied the patch, reconfigured the service, etc. Now what? Traditionally, organizations must run another scan, and review the results to make sure that the vulnerability was not identified in the new results. This is the challenge of remediation validation, with the volume of vulnerabilities, it’s impossible to manually validate that each individual instance is remediated.
How VULNERA helps.
VULNERA helps organizations to continuously monitor for open and closed vulnerabilities. When you remediate, we confirm that the issue is resolved and tell you why. Our single-pane-of-glass requires no additional tooling or integration. That means once we start, all you need to do is remediate, we take care of the rest.
Get started now, monitor and track vulnerabilities, services, and assets in your external, internal, and cloud environments.
