There is no universally accepted operational framework for organizing a threat and vulnerability management function.
Therefore, we have developed our own framework, which aligns with ISO, NIST, recommendations from the European Banking Authority and other bodies. In addition, we have integrated our experience from other threat and vulnerability management projects into the framework.
The framework “double-clicks” on the threat and vulnerability management function and describes five key areas that are essential to operating a mature TVM function.
What it gives you is a head start on designing a mature threat and vulnerability management function: a library containing process definitions, KPIs, technology implementation, SOPs, best practice and more.
Read on for an introduction to the key areas of the framework.
The five key areas of the threat and vulnerability management function are introduced below.
The old adage is truer now than ever before: you can't protect what you can't see.
A foundational discipline in the threat and vulnerability management function is to discover and track all assets on the network.
This is achieved by building a separate cyber security inventory, carefully curated and managed through a set of processes designed to integrate inventory data sources. The cyber security inventory contains detailed information about all assets found on the network, with rich context used to support prioritization.
Rich context means classification of assets according to their cyber security risk. The types of assets most likely to be targeted by an attacker must be easily identifiable and tracked through this context. Integration between the cyber security inventory and the primary CMDB is usually established to enable asset lifecycle synchronization and vulnerability ownership assignment.
Also known as vulnerability identification, this is where the vulnerabilities are found and tracked. The operating principle is to perform a wide identification (all assets) and a deep identification (entire software stack).
The scanning tool is important, and most enterprise tools perform well in 80% of scenarios. The difference lies in the integration with asset management, which allows tracking of vulnerabilities over time, and in support for different technologies such as database systems, container platforms etc.
Beyond the tool, the goal is to develop a practice that predictably performs a wide scan, i.e. performs according to an SLA. For example, your SLA might state that by default, no active asset may go more than two months without a successful scan, and your process will be designed to track the KPI "Time since last successful scan" and respond accordingly.
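As an added illustration of tracking that KPI against an SLA (example code, not part of the framework or any product), the following checks a constructed inventory for assets that have breached their scan SLA. It uses the two-month default from the text and, as a hypothetical per-class override, the seven-day server SLA quoted later on this page; the asset classes, identifiers and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Default SLA from the text: no active asset may go more than two months
# without a successful scan. The per-class table is an assumption for the example.
DEFAULT_SLA_DAYS = 60
SLA_DAYS_BY_CLASS = {"server": 7}  # hypothetical: categorized servers every seven days


@dataclass
class Asset:
    asset_id: str
    asset_class: str
    active: bool
    last_successful_scan: Optional[date]  # None means never successfully scanned


def sla_days(asset: Asset) -> int:
    """SLA for the asset's class, falling back to the default."""
    return SLA_DAYS_BY_CLASS.get(asset.asset_class, DEFAULT_SLA_DAYS)


def days_since_last_successful_scan(asset: Asset, today: date) -> Optional[int]:
    """The KPI itself; None when there has never been a successful scan."""
    if asset.last_successful_scan is None:
        return None
    return (today - asset.last_successful_scan).days


def sla_breaches(assets: List[Asset], today: date) -> List[Tuple[str, Optional[int], int]]:
    """Active assets whose KPI exceeds their SLA (never-scanned assets always count)."""
    breaches = []
    for asset in assets:
        if not asset.active:
            continue  # decommissioned assets are out of scope for the scan SLA
        age = days_since_last_successful_scan(asset, today)
        if age is None or age > sla_days(asset):
            breaches.append((asset.asset_id, age, sla_days(asset)))
    return breaches


# Constructed sample inventory and reference date for the example.
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("srv-01", "server", True, TODAY - timedelta(days=10)),       # breach: 10 > 7
    Asset("srv-02", "server", True, TODAY - timedelta(days=3)),        # within SLA
    Asset("ws-01", "workstation", True, TODAY - timedelta(days=45)),   # within default 60
    Asset("ws-02", "workstation", True, TODAY - timedelta(days=75)),   # breach: 75 > 60
    Asset("ws-03", "workstation", True, None),                         # breach: never scanned
    Asset("old-01", "server", False, TODAY - timedelta(days=200)),     # inactive, skipped
]
```

Each breach tuple carries the asset, its KPI value and the SLA it missed, which is the data a follow-up ticket or dashboard entry would need.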
This area concerns your capability to identify high-risk vulnerabilities, and is really about spotting the needle in the haystack.
With working patch governance in place, your organization will have a tracked mean time to mitigation (MTTM) aligned with your risk appetite, and for ~99% of identified vulnerabilities on ~90% of your assets, there is little risk-based reason to assign priorities.
But approximately 0.4 of all vulnerabilities constitute an acute security risk, and you want to be able to identify and validate these quickly. With proper asset context in place, the TVM function can quickly determine whether mitigating controls are in place, or whether immediate mitigation is required.
The activities under the prioritization area work together to continuously analyze threat intel and up-to-date vulnerability data.
The threat and vulnerability management function is rarely responsible for mitigation, but it is responsible for making the relevant owners aware of vulnerabilities that need to be mitigated, and for tracking vulnerabilities until they are fixed.
Excel-based vulnerability reporting is a thing of the past, a thing nobody will miss. Instead, your vulnerability management function should be integrated with your ITSM system - often ServiceNow - leveraging your existing processes for managing work items.
Associated activities are designed to communicate with key stakeholders, positioning cyber security as a helpful service function instead of an alienating police function.
A good threat and vulnerability management function will generate and maintain data that is of significant value to other cyber security functions - and even to other teams. The objective of the reporting area is to make this data available and understandable to anyone that needs it - and should have access to it.
There is significant opportunity in sharing data with your stakeholders, so you need to understand who your stakeholders are and what value your data can bring them. Reporting should be aligned to existing reporting tools, such as Tableau, ServiceNow reports etc., and matched to the targeted stakeholders.
So now you know about our vulnerability management framework. What does NorthX actually do for our customers?
Well, we help them!
For convenience, we have grouped our consulting offers into three tiers. They may overlap, and a specific consultant may fit in one or more categories, but they will give you an idea of the skills you can expect when working with us.
No category is "better" than the others; they do different things and draw on different experience.
Vulnerability Management Architect
A role that can develop and design how a vulnerability management function should work. The responsibilities, governance, specific activities within the function, system landscape and so on.
This is also the person who will analyze your business requirements and current mode of operation, and propose an organizational setup that can do what you need.
Vulnerability Management Subject Matter Expert
Also known as vulnerability management consultant, Qualys consultant and so on.
The key thing is that this role understands the processes and is able to design and implement them in your chosen tools.
You may define an SLA that says "No categorized server asset is allowed to go longer than seven days without a successful scan", and the SME will describe a process that accomplishes that and configure your tools to make it work, including dashboards, SOPs and so on. The scope may cover multiple technologies and how they integrate.
Vulnerability Management Technology Consultant
This role is more focused on the technology than the process, and has experience working with Qualys or similar tools. This consultant can independently configure, troubleshoot and document how things are done, and is a valuable trainer for your SOC or vulnerability scanning team.
Together, these roles can support your information security program: from describing business requirements, to translating these into processes, to configuring the technologies that make it all work, we've got you covered.
The vulnerability management framework is a valuable tool to define the end-state of your vulnerability management program. But how do you get there?
We have just the thing for you!
Imagine if you had to do your last project all over again. Would it be faster and cheaper this time, now that you know the pitfalls, what worked and what didn't?
Our experience and artifacts from large-scale vulnerability management implementation and improvement projects have been distilled into the vulnerability management project model, a best practice for planning TVM projects.
This allows you to shorten the learning curve, and the model is malleable enough to fit your existing project management models.
The VM Project model defines phases and key deliverables, and is packed with examples of previous project deliverables.