Vulnerability assessment scanning has been the primary means by which the majority of organizations attempt to determine their security posture against an external threat environment. Essentially the security group scans the environment against a database of known vulnerabilities and then requests that the operations team resolve the vulnerable conditions.
Many companies I talk to are still stuck with the never-ending, non-actionable, false-positive laden, non-environmentally aware, slow, cumbersome, disruptive, snapshot-in-time approach to improving their security: attempting to understand what their security posture looks like against an ever-changing threat environment. The problem is that information security must evolve beyond simply having a catalog of the tens of thousands of unique vulnerable conditions that the tens of thousands of organizational assets possess. Vulnerability assessment scanning has many limitations and certainly needs to evolve, as I discussed in an earlier post. Honestly, what does a large organization do with 600 pages of unique, distinct vulnerabilities?
Generally they do one or more of the following:
- Nothing, they simply scan periodically, note the results and move on.
- Focus their efforts only on critical vulnerabilities. Of course there are problems with this, most notably that the list refreshes on a fairly regular basis, and truly knowing what is critical in a large, complex, globally distributed environment facing a dynamic and increasingly hostile threat environment requires a tremendous amount of foresight.
- They struggle through the list, with the security team coercing operations to fix this, patch that, disable this and uninstall that. Of course the list changes, the network changes and the threats change; most organizations are far too dynamic for this to be even remotely effective.
- They scan only for a small set of new critical vulnerabilities, say on a given Tuesday or when exploit code appears in the wild, and then attempt to rapidly patch systems. But in this case what exactly is the role of vulnerability assessment scanning? Patch validation tool? That seems like an expensive and inefficient way to give the security team a warm fuzzy.
Effective vulnerability management requires organizations to move beyond the endless cycle of vulnerability assessment scanning and patching and gain control of their environment: defining the desired configuration state of environmental assets against a security configuration standard, auditing the environment to identify non-compliant elements, and enforcing compliance by remediating non-compliant systems.
Define policy -> audit against policy -> enforce policy = elimination of a significant percentage of vulnerabilities and exposures
Any system that is deployed, or will be deployed in the future, should adhere to a common security configuration baseline. Organizations such as NIST, NSA and CIS, and vendors such as Microsoft and Cisco, have already defined templates with settings for common operating environments and network elements. With the introduction and adoption of XCCDF, an XML specification for expressing security configuration baselines and their checks, it is becoming increasingly easy to adopt a security configuration management approach.
Security configuration management, unlike vulnerability assessment scanning, provides operationally useful and actionable output, since its orientation is towards maintaining system integrity by ensuring compliance with a defined gold standard. The ability to describe deviations from policy in terms of remediation activities, as opposed to a big list of unique, distinct vulnerable conditions, provides a level of efficiency that cannot be obtained through vulnerability assessment scanning. For example, if you perform a vulnerability assessment against a system running an old version of IE, the result would be hundreds of vulnerabilities. Do these matter? Is it important to understand all of these conditions? What exactly would the operations team be expected to do in response to such a list? If the organization has a policy that states all systems running IE must be running version 7, then it is immediately clear what action the operations team should take, and coincidentally the hundreds of vulnerabilities are resolved in the process. Extrapolate this to other system attributes, such as ports, protocols, services, patches and applications, and it becomes clear that tens of thousands of vulnerabilities can more easily be expressed as resolutions in the form of security baselines.
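The define -> audit -> enforce loop and the IE example above, as an added illustration that is not part of the original post. It parses a constructed XCCDF-style benchmark and audits a constructed host inventory against it; the check system "urn:example:simple-check" and its "attribute operator value" check-content grammar are assumptions made for this example (real XCCDF content references OVAL or another check language), and the output is the remediation plan rather than a list of vulnerabilities.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}   # XCCDF 1.1 namespace
SIMPLE = "urn:example:simple-check"  # assumed toy check system, not real XCCDF/OVAL

# Constructed benchmark; check-content uses an assumed "attribute op value" grammar.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="ws-baseline">
  <Rule id="ie-version" severity="high" selected="true">
    <title>Internet Explorer must be version 7</title>
    <fixtext>Deploy the IE 7 package through the software distribution job</fixtext>
    <check system="urn:example:simple-check"><check-content>ie_version >= 7</check-content></check>
  </Rule>
  <Rule id="telnet-service" severity="medium" selected="true">
    <title>Telnet service must be disabled</title>
    <fixtext>Set the Telnet service startup type to Disabled and stop it</fixtext>
    <check system="urn:example:simple-check"><check-content>telnet_service == disabled</check-content></check>
  </Rule>
</Benchmark>"""

OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def _pair(a, b):
    # Compare numerically when both sides parse as numbers, otherwise as strings.
    try:
        return float(a), float(b)
    except ValueError:
        return str(a), str(b)

def audit(benchmark_xml, host_state):
    """Evaluate each selected Rule against the host's reported state.
    Returns {rule_id: (result, fixtext)} with result pass/fail/notchecked."""
    results = {}
    for rule in ET.fromstring(benchmark_xml).findall("x:Rule", NS):
        if rule.get("selected", "true") != "true":
            continue
        fixtext = rule.findtext("x:fixtext", default="", namespaces=NS)
        check = rule.find("x:check", NS)
        content = rule.findtext("x:check/x:check-content", namespaces=NS)
        result = "notchecked"   # unknown check system, attribute or operator
        if check is not None and check.get("system") == SIMPLE and content:
            attr, op, expected = content.split()
            if attr in host_state and op in OPS:
                result = "pass" if OPS[op](*_pair(host_state[attr], expected)) else "fail"
        results[rule.get("id")] = (result, fixtext)
    return results

def remediation_plan(results):
    """The actionable output: one fix per failed rule, not a list of CVEs."""
    return [(rid, fix) for rid, (res, fix) in results.items() if res == "fail"]

# Constructed host inventory, as an SCM agent would report it.
HOST = {"ie_version": 6, "telnet_service": "disabled"}
if __name__ == "__main__": print(remediation_plan(audit(BENCHMARK, HOST)))
```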
Organizations looking to achieve effective vulnerability management (and honestly, who isn't?) should move away from the outdated scan-and-patch approach and implement security configuration management. Then, if required or chosen, vulnerability assessment can focus on those conditions that are outside the SCM scope. This greatly reduces the excessive noise VA creates and supports an organization's move towards a higher level of operational and security maturity.