What is Vulnerability Management?

00:00

Ari Hi and welcome to less than 1.2 of the Executive Vulnerability Management course. This lesson is gonna be focused on what is vulnerability management.

00:11

So are learning objectives today? Pretty simple. We really want to understand what vulnerability management is. Ah, one of the biggest things I think is so important in this course that I'm going to talk about a little bit is the difference between vulnerability management and patch management. Sometimes I hear those terms interchangeably and

00:28

vulnerability. Management is a much larger piece. Patch management is a component of that.

00:33

Um, so we're also going to talk about why prioritization of vulnerability remediation is an essential step in this process. Um, I'm really gonna talk a lot about that, making sure prioritization happens because if not, you're just trying to remediate everything and that's not gonna work.

00:49

Uh, and we're gonna talk about how risk response is in important concept in vulnerability management.

00:58

So what is vulnerability management? Really? What? What does it entail? Ah, we're really talking about the identification classification remedy, and then the cult, ultimately the mitigation of those vulnerabilities.

01:11

So it's really important to understand the risks so that we can provide patch management or other solutions

01:19

when it comes to understanding what vulnerabilities we have in our environments

01:23

on and then, you know, to really understand what vulnerabilities are there anything from security configurations to patch is out of date firm where I mean it can really be. We're talking about so many different things when it comes to vulnerabilities. You can talk about physical risk, physical security management where

01:40

ah, vulnerability could be not having a camera pointed in the right direction.

01:44

Eso these air Really, all the things that we're talking about, We're talking about vulnerabilities. It's not necessarily just patches, although that's a component of this

01:53

continuous information security risk management. This is such a big deal because Patch management you know it's ongoing practices were always gonna find new vulnerabilities in our systems. When we implement new software, we might be introducing risk. So it's really important to have that continuous monitoring that continuous

02:12

ah, look into what our risk management and vulnerability management practices are,

02:16

uh, and executive leadership and security management. They really helped to drive the process. I've seen vulnerability management be really successful when executive leadership

02:28

is really heavily involved on and can help, uh, help the security team healthy. I t team understand how important it is to their business practice and functionality.

02:39

So prioritization, um,

02:43

a really big part of being able to prioritize vulnerabilities is toe have an accurate discovery process. If you don't know what vulnerabilities you have, you can't prioritize them properly. So it's really important when you're running those security scans,

02:57

they're authenticated. You know, that's that's really how you're gonna find vulnerabilities. You know, if you have an unauthenticated security scan,

03:04

you may just be seeing really basic unauthenticated vulnerabilities like SSL, vulnerabilities or anything that the security scanner could reach

03:14

without having to log in. Esso having those authenticated scans having the right ports open, All those things are really important to make sure that we understand holistically Web vulnerabilities. We have,

03:25

um, and then to remediate vulnerabilities. We need to really understand what vulnerable vulnerability scoring is. So we have CBSS that helps us to

03:36

give a score to vulnerabilities, which is is really important. Ah, but then it really it's up to the organization and up to the security and I t teams to determine

03:45

you know what are my critical assets. What do I really need to protect those who are going to be? Maybe at a higher risk, you know you want to make sure? Well, if this server goes down, you know the vulnerabilities on the server.

03:57

We need to get those done first. You know, we can leave this internal server for later, but we need to fix this, you know, external facing server first. Because if that was compromised, that could cause a much more serious attack. Eso It's really that understanding that vulnerability scoring is a component of that. But then to really understand what you're organizational risk is

04:16

on top of that

04:17

and then what is the low hanging fruit? So

04:21

a great example of this is, let's say you've got a patch. It's a high vulnerability, but you haven't across all workstations.

04:30

Well, one patch deployment could fix all those high vulnerabilities on all of those systems. So you could be really getting You know what we call like the big bang for the buck.

04:40

One patch deployed and maybe, you know, 9000 vulnerabilities fix just with one patch. So that's you know what I would consider low hanging fruit Or maybe if you have a security miss configuration, you know, making one simple change. Checking one check box could really make ah, huge impact in your environment.

04:59

And then we were talking about how maney systems air affected versus the impact of the vulnerability.

05:05

So let's say we have 5000 vulnerable workstations

05:10

or we have one or two Internet facing servers. Web servers, Web servers that we are you know we're hosting are really critical applications on. And let's say we have a sequel injection on their or a cross site scripting.

05:27

Um, that could be really that could be a big impact

05:30

to the organization if that was compromised. So it might be better for the organization, depending on what their, uh, risk management or the risk profile is to say you want. Let's fix those Web app service. First, we can patch the workstations tomorrow. Let's do this first, so it's really about

05:47

understanding uh, what the impact of those vulnerabilities might be.

05:54

So as I mentioned continuous vulnerability management, you know, this is such a big deal because, uh, pet patches, hot fixes roll ups. There are so many released every day. Uh, it's it's something I'm gonna keep talking about as we go through this, because you can't patch everything all the time.

06:12

There are plenty of big organisations that can,

06:15

but for smaller and medium sized businesses, you know it can be difficult to make sure that patches air installed on time. You know, if there's, let's, say, a feature Packer service pack for an application, it might require additional testing, which then might slow up

06:30

installing additional patches. So it's important to understand that, um, you know, they're released all the time.

06:36

We just have to do our best to try to keep up,

06:40

um, and then really getting an understanding of what applications are in your environment. So

06:46

I think it's really important to have an accurate and up to date application list. So really understanding what Softwares in your environment, um, you know, I've seen before. If you have kind of an organization within an organisation, are several organizations within an organization they may each have their own budget. They may each have their own

07:04

resource is

07:05

in different needs. So I've I've seen where you know two different organizations will by different financial software.

07:14

Well, that adds to administrative overhead because then you're talking with your I t teams. They've got a patch to different types of software instead of just patching one. If they if they were able to say, Hey, we found one piece of software that means both of our needs

07:28

We can just upgrade this on a regular basis instead of trying to upgrade to eso. It's having that the ability to understand what applications you have might help with remediation efforts. It might help with consolidation. Eso It's a really important component of vulnerability management,

07:46

Uh, and you have to have a continuous plan to keep up with and stay ahead of possible issues. It's it is really difficult. It can be really difficult to get a handle on vulnerability management if you haven't had the resource is to keep up with it.

08:01

So it's really important. Teoh

08:05

kind of, you know, really dig deep. Figure out what patches, what vulnerabilities you're missing, Um, and get an idea of that and then really come up with a plan. Because if you can spend a month, you know, remediating some of the more serious vulnerabilities getting rid of end of life software. Those kinds of things that will help keep down the keep up

08:24

as you go along. So that way, Aziz administrative overhead will be a little bit lower,

08:28

then trying to constantly patch over and over and over again, so that can really help. Having a continuous plan in place

08:35

on that will help keep your risk profile lower. So we're talking about risk profile. We're talking about you across the enterprise.

08:43

How many vulnerabilities do we have?

08:46

And then again talking about a critical criticality of assets. So with our continuous monitoring and management of those vulnerabilities that will again, that will help to keep down the vulnerabilities, which will help to keep down a risk, lower our risk

09:01

and then when we do have zero day patches and hot fixes, things that come out that we must patch immediately things that

09:09

you know. If a registry key was released that really needs to be updated, you know, we can talk about spectra melt out. That's one of those things that has been a continuous issue. They've had several patches, registry keys, driver's associated with that vulnerability, and it's important when you have those kind of ad hoc

09:26

updates that you need to install. If you have your regular patching down,

09:31

it's not as difficult to deal with those critical issues because you've remediated a lot of the low hanging fruit on. And then it's it's much easier to patch those critical patches.

09:45

So risk response.

09:46

This is kind of the the second part of vulnerability management.

09:50

You. How do we address known risks? You know, if we really need to understand what the risks are to our environment, and there's some really great information out there on threat modelling. So understanding what are the risks to my organization, my specific situation so that you can then remediated those risks, mitigate them,

10:11

um,

10:11

or accept the risk. You know, there are many different ways that you can talk about risk. Um,

10:18

you can remediate so immediate those vulnerabilities get rid of them. Or you can say, You know what? I don't have the resources of the time, so I'm going to accept this risk for now. Maybe I can fix it in six months. So it's that really understanding how you're going to respond if you can't fix every vulnerability.

10:35

Um,

10:35

so we're talking about missing patches? Well, I have to install this update. You know, security, we've got installed this update. But what if it breaks my environment? There are plenty of patches that come out that could effects operating systems or applications. It's really important about really important to have that test environment. Or maybe test machines you know I've seen

10:56

could be very successful where you can have a team.

10:58

Ah, whether it's i t or security that you can say, Hey, I'm pushing this patch out to you guys now. It was released today. Let me know if you have any issues or having a POC from each department that could be part of that testing environment s so you could have someone from accounting. You could have someone from HR

11:16

someone that you know, you could say, Hey, is it okay if we deploy this patch you early

11:20

just to make sure that it doesn't break anything. Friend of your specialty applications. That really gives you that apples to apples approach so that you can

11:28

you can say OK, I know I've checked my box. I know that it will not affect each organization. Let's deploy on. That helps to

11:37

That helps to avoid any potential issues and then having that potential issues in the future. When you say, Hey, I need a patch and they're like Oh, no, no, I might break something. Eso really having that test environment where you can go apples to apples makes a huge difference.

11:52

So in today's video, we talked about what's vulnerability management and the associated life cycle.

12:00

Ah, why prioritization is so important in vulnerability management and all of the components that go with prioritization.

12:07

And then what risk response means to vulnerability management.