All right, Welcome to our next lesson. We're at less than 1.3 for building a vulnerability management program.
So are learning objectives. Today we're really gonna be focused on how you can build a cohesive vulnerability management team. What that entails. We're gonna talk about what's involved in a vulnerability management program if you don't have one again. For large organizations, that might be something you already have. But maybe for smaller and medium sized organizations, you don't have one,
uhm, and then how to implement a vulnerability management program in your organization if you don't have one? Or if you want Teoh build on the maturity in your program.
I think this is so important. Toe. Have the right team when we're talking about vulnerability management. Uh, as I mentioned in one of the previous lessons Patch Management and Vulnerability management. Sometimes I see intertwined where people think it's the same thing, but I think you really need to have a larger team when we're talking about vulnerability management,
having people from each side. So having a systems administrator, having that network administrator or engineer a swell as your security operations team or engineers and architects and then having your sister or someone else from executive leadership. Being involved can really make that big difference on helping to create,
uh, helping to create that great team, that well rounded team.
Everybody brings a different skill set, you know, from the i t side. They may understand things that from the security side they don't see on a day to day basis. Whether it's, uh, you know, certain projects that are going on with users, certain applications that they must have 100% uptime on that security may not be aware of,
um, or from the security side, you know, understanding. Hey, we've got this, you know, new exploit that's out. We really have to get this vulnerability patched
that I t might not be aware of. So it's that working together, um, that can really help to evolve a vulnerability management program. And then, of course, having executive leadership having that buy in to help push the program forward and help remediate vulnerabilities really makes all the difference.
You know, we see. I see this all the time in the industry.
Lots of articles. Lots of people talking about, you know, having the top down approach. You having that executive buying can really make the difference in a vulnerability management program program. I know I've seen it be very successful. Um, you know, having that buy in and having someone to help push the program forward really makes a difference.
So what we're talking about a really vulnerability management program. There are lots of different levels of maturity when we're talking about vulnerability management program.
Uh, again, Patch management is not equal to vulnerability management. It's a component of owner Billy management and important component. But it's not everything. So when we're talking about taking a holistic view of the environment, I know I want to see from a vulnerability management perspective.
How many systems do we have? How many servers do we have? What applications are installed on those servers?
Um, who has access to them? How many people have access to them? How many domain admin is do we have in our environment? Um, you know who has elevated privileges? All of those things are part of a vulnerability management program. Understanding your whole risk profile. Um, so that's understanding all the software hardware,
you know? Do you use do you have an on premise data center? Is everything in the cloud?
Do you have hybrid cloud What the vulnerabilities look like in the cloud? What does your identity management look like in the cloud? All those things are going to be part of the vulnerability management program
um, knowledge, inability to understand threat intelligence. It's so huge because every organization, every business is going to have different threats associated with them. So if you're in the financial industry, they're gonna be many different people targeting you that wouldn't be targeting you. If you're, say, an I T company,
you're gonna have different people who might want access to.
Let's say you build a special program special application. Maybe you have a competitor that's interested in what your what you have, Um, or maybe they just want to disrupt your services.
So understanding what? What threats are out there and what could be affecting your organization is really important to a vulnerability management program.
I try to bring threat intelligence when we're talking about vulnerability management because I think it really adds that extra maturity level, um, to your program and, uh, training people having people understand kind of what's going on out in the world can really elevate what you're doing
and then using a risk based approach
So there are many Great. Uh, there's the mistress management framework. There's some other great risk assessment tools that you can use when you're talking about vulnerability management to really help you understand what you should prioritise what you should focus on.
So when we're talking about maturity as I touched on in the last slide, you know, how do we really create an effective vulnerability management program?
You know, when some of this takes a really deep technical dive?
What is our vulnerability scanning process? Look like?
I've seen some very successful implementations and some not as successful implementations. Uh, it can be difficult to make sure that you are
discovering the right assets. What's your inventory look like? Our systems changed on a daily basis. You are eyepiece changing
our scans by I p by DNs what you know. What are we using in that vulnerability scanning process that really adds to the maturity of your program? Because if you know that for sure hey, when I'm discovering assets, I can then add them to our scans,
um, or making sure you have the right credentials. If credentials air updated or
you're going from one domain to another or something, it's really important to understand all those things to make sure that your vulnerability scanning process is successful.
And again when we're talking about asset discovery. Having that, you know, like an approved product list or unapproved software list something like that to say this these are the applications that we are allowed to install, that we know are installed and that we are willing to upgrade in patch, you know, on a daily or monthly weekly basis. However, often the patch is released,
uh, that will also help cut down on
you overhead and possibly missing vulnerabilities that you might not be aware off
eso threat detection.
So we're talking about vulnerabilities were also talking about what is a risk exposure. Uh, when we're talking about from a holistic view, all of our vulnerabilities, how are we able to detect, uh, what they are and who might be affected by them? What applications might be affected?
I know one of the questions I get a lot when I talk to people is
it's like I don't know where to go. I don't know, Uh, where to go To find out how many vulnerabilities I have. Or you know how often the patches are released, Us, cert, If you consign it for their alerts, they have great alerts that will let you know if there was, you know, a chrome patch released or Firefox.
I know I've done in the past where I've had kind of a patch management guide that basically said,
You know, these patches are released
on a quarterly basis. These air released on a weekly basis, these air released ad hoc, you know, so understanding that like, Hey, I'm coming upon this quarter. I know this patch is gonna be released. I can play on next week to download that patch install, upgrade all those things that really helps you understand your risk exposure
and the reporting and remediation. I think reporting is such a critical part of a mature vulnerability management program when you can have the appropriate reports sent to system owners or system administrators, people who are really doing the work but making them valuable reports.
So not sending a spreadsheet of 400 vulnerabilities that may or may not matter. Ah, but really helping people to understand. Hey, these are the top ones you should focus on. You know, here's the 234 That should be, You know, your focus for the next week or two. And then in the next couple weeks, I'm gonna send you an updated report to see if they've been remediated,
and then hopefully we can start working on the next ones
and I've seen it be really successful where you can cut out critical vulnerabilities. You cut out the high vulnerabilities, you're able to keep up on them. So that way you can start working on the medium vulnerabilities. It's difficult to sometimes work on medium vulnerabilities if there are so many critical zone highs. But I think the having a mature vulnerability management program,
what can really help you get to that point
where you can start remediating medium vulnerabilities.
we talked about how to build an effective team for vulnerability management,
what's really involved in the Vulnerability management program, taking a holistic view of the environment and now how to mature of vulnerability management program. So how to get you to that next level to really make sure that your remediating vulnerabilities in a timely manner, But you also understand kind of what's going on in your environment.
Here are my references. Thank you, and I'll see in the next lesson.