
Business and Technology Insights

Vulnerability Management – A Numerical Approach

March 12, 2018

The 2017 NopSec State of Vulnerability Risk Management Report [1] indicates that threats and attacks can be predicted from analyzed data. The report finds that organizations of all sizes and lines of business struggle to prioritize risks effectively and accurately, and are not doing enough with respect to vulnerability management. It also highlights a strong need for vulnerability management programs with correlated threat intelligence, in which numbers and metrics play an important role.

The severity of an enterprise security breach is usually expressed in numbers: the count of Personally Identifiable Information (PII) records stolen, the dollar value lost, and the drop in market value. The prime reason for a breach, a vulnerable IT landscape, comes down to the number of security issues, both known and unknown. Most organizations invest in costly commercial tools and scanners, conduct periodic security assessments, and undergo internal and external compliance audits. Yet IT walls are still being breached. An enterprise strategy is needed that is easy to implement, cost effective, and renders visible results within a short timeframe.

Here is a simple four-step, numbers-based strategy for vulnerability management to enhance a company’s security posture and standards.

1. Prioritize: Every enterprise has more vulnerabilities at any point in time than it can immediately fix, so prioritization is essential. Record your IT assets in terms of their business value and the potential impact if they are breached, and rank them from most to least valued. Categorize them into two broad types: high-priority assets and low-priority ones.

2. Assess: High-priority assets should undergo more frequent and more intrusive rounds of assessment than low-priority ones. For example, the more valued assets can undergo quarterly security tests, while the low-valued ones can be tested semi-annually or annually, depending on the company’s IT budget.

3. Analyze: The soul of this numbers-based framework is the analysis of the metrics associated with the vulnerability management process. The parameters to look for are:

  • Number of tests conducted and their periodicity: Calculate the total number of tests conducted on a specified group of assets in a specified timeframe, plan the schedule of security tests for the prioritized inventory, etc.
  • Type of IT assets affected and number of such assets: Make a list of affected web applications, thick clients, servers, workstations, etc., and their count.
  • Type of security issues: For web applications, identify the type of OWASP Top 10 or SANS 25 issue. For network infrastructure, record issues of configuration, patches, and versions/upgrades.
  • Hours expended: Measure the average time spent by a security analyst to identify, analyze, and report an issue in an application or network element, across the different severity levels.
  • Count of issues across severity levels: Record the number of occurrences of a specific issue across severity levels affecting the IT landscape. For example, 25 issues of cross-site scripting across 30 applications (high severity), or 30 instances of misconfiguration across 40 servers (medium severity).

This analysis provides a multi-faceted perspective — identifying the most vulnerable assets, observing the pattern of issues, and tracking their repeated occurrence across severity levels. This in turn helps a security analyst or consultant identify the root cause and formulate suitable remediation solution(s).

4. Remediate: The remediation activity could be to implement pointed technical fixes across the vulnerable IT landscape, to suggest measures that address technical and functional gaps in the design, development, and secure implementation of the solutions, or even to fill the skill gap of the developers/application team by providing training, best practice guides, secure coding checklists, etc. It is also necessary to set aside some time for internal quality assurance, which is the icing on the cake to ensure appreciable client satisfaction.
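The metrics from steps 2 through 4 are straightforward to compute once findings are recorded consistently. The following Python is an added example, not code from the original post or from TCS: it takes a constructed list of findings (asset, asset type, asset priority, issue, severity, analyst hours), computes the scheduled test count from the quarterly/semi-annual cadence of step 2, the per-type asset counts, the issue counts across severity levels and the average hours per severity from step 3, and derives a remediation order for step 4. The weighting scheme in `remediation_order` is an assumption for illustration, not one the post prescribes.

```python
from collections import Counter, defaultdict
from statistics import mean
# Constructed sample findings (not real data): one record per issue instance,
# as (asset, asset_type, asset_priority, issue, severity, analyst_hours).
FINDINGS = [
    ("app-payments", "web", "high", "cross-site scripting", "high", 6.0),
    ("app-payments", "web", "high", "sql injection", "high", 8.0),
    ("app-portal", "web", "high", "cross-site scripting", "high", 5.0),
    ("app-intranet", "web", "low", "cross-site scripting", "medium", 3.0),
    ("srv-db-01", "server", "high", "missing patch", "high", 2.0),
    ("srv-web-02", "server", "low", "misconfiguration", "medium", 1.5),
    ("srv-web-03", "server", "low", "misconfiguration", "medium", 1.0),
    ("ws-hr-14", "workstation", "low", "outdated version", "low", 0.5),
]
# Assessment cadence from step 2: high-priority assets quarterly, low semi-annually.
TESTS_PER_YEAR = {"high": 4, "low": 2}

def planned_tests(findings):
    """Total security tests to schedule per year for the distinct assets in scope."""
    priority_of = {asset: prio for asset, _, prio, *_ in findings}
    return sum(TESTS_PER_YEAR[p] for p in priority_of.values())

def issue_counts_by_severity(findings):
    """(issue, severity) -> (occurrences, distinct assets affected), e.g. XSS/high -> (2, 2)."""
    occ, assets = Counter(), defaultdict(set)
    for asset, _, _, issue, sev, _ in findings:
        occ[(issue, sev)] += 1
        assets[(issue, sev)].add(asset)
    return {k: (occ[k], len(assets[k])) for k in occ}

def affected_asset_types(findings):
    """Distinct affected assets per type (web, server, workstation ...)."""
    by_type = defaultdict(set)
    for asset, atype, *_ in findings:
        by_type[atype].add(asset)
    return {t: len(a) for t, a in by_type.items()}

def avg_hours_by_severity(findings):
    """Average analyst hours to identify, analyze and report an issue, per severity."""
    hours = defaultdict(list)
    for *_, sev, h in findings:
        hours[sev].append(h)
    return {s: round(mean(v), 2) for s, v in hours.items()}

def remediation_order(findings):
    """Rank issue types for remediation: weight by severity, doubled on high-priority assets (assumed scheme)."""
    score = Counter()
    for _, _, prio, issue, sev, _ in findings:
        score[issue] += {"high": 3, "medium": 2, "low": 1}[sev] * (2 if prio == "high" else 1)
    return [issue for issue, _ in score.most_common()]
```

With the sample data, cross-site scripting tops the remediation list because it recurs across high-priority web applications, which is exactly the repeated-occurrence pattern the analysis step is meant to surface.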

This methodology ensures a thorough and exhaustive assessment of the known and potential vulnerabilities. These numbers and results, when reported in the form of regular dashboards, help the leadership assess the organization’s security health at any given time.

Be it quality defects or security flaws, quantification helps security analysts and other stakeholders quickly understand the gravity of the problem, identify the weak areas, and implement the solution, achieving results with a quick turnaround.

[1] http://info.nopsec.com/sov


Dinesh Sawrirajan is an Information Security Consultant & Delivery Lead with the Cyber Security Practice at Tata Consultancy Services (TCS). He has more than nine years of experience in application security, risk management & data security. He has worked with leading customers including one of the big four audit & consulting firms, a large government sector customer in the UK and a leading Australian retailer. Dinesh is a mechanical engineer and holds a double master’s degree in management - Operations, Marketing & Finance.