
Vulnerability Management Principles

1. Vulnerability Management Overview


What is vulnerability management?

Vulnerability management is an ongoing program that uses a variety of technologies and tools to identify cyber risks across your entire organization, align them with your operational goals and objectives and then remediate vulnerabilities in a timely manner to secure your network and keep your operations safe.

Vulnerability management is not a single tool or resource. It’s an ongoing program with people, policies and processes that work together toward common goals to ensure your attack surface and cyber risk are as small as possible.

Fixing vulnerabilities across your entire attack surface is a daunting task. The reality is, the volume of assets in most organizations, coupled with more than 200 potential attack vectors, makes it challenging for security teams to patch and remediate them all.

It’s even more challenging when you consider that most organizations don’t have the right tools to gain insight into all of the assets across their environment, from traditional IT to cloud, mobile, containers or serverless, web applications and operational technology (OT) assets.

Add the fact that many assets have multiple vulnerabilities and, before you know it, your security team is buried under a mountain of vulnerabilities.

The more vulnerabilities that exist and the more disparate remediation functions are, the more likely it is attackers can exploit your attack surface.

That’s where vulnerability management comes in.

What does vulnerability management entail?

There are five core steps for effective vulnerability management. These steps align with your Cyber Exposure lifecycle.

Step 1: Discover

Identify and map all of your assets across all of your computing environments

Step 2: Assess

Understand exposure of all of your assets including vulnerabilities, misconfigurations and other security health indicators

Step 3: Prioritize

Understand your exposures with context so you can prioritize remediation based on asset criticality, vulnerability severity and threat context

Step 4: Remediate

Prioritize which exposures to address first and then use the appropriate remediation process

Step 5: Measure

Measure and then benchmark your exposure so your teams can make better business and technology-related decisions

What's the difference between vulnerability management and vulnerability assessment?

Vulnerability management and vulnerability assessment are different, but complementary practices.

Vulnerability management is an ongoing program that uses a variety of tools and processes to help you identify all of the assets and vulnerabilities across your attack surface. It also helps you plan how you will mitigate issues, remediate weaknesses, and improve your overall security posture.

Vulnerability assessment, on the other hand, is a one-time project you conduct on a regular basis to identify all of your assets and vulnerabilities.

Generally, vulnerability assessment, which is not the same as a vulnerability scan, has a specified beginning and end date. It’s a snapshot of your attack surface at a specific point in time.

Vulnerability assessment is part of your overall vulnerability management program, which helps you continuously identify and address your cyber risks.

How is vulnerability management different from risk-based vulnerability management?

Traditional vulnerability management practices, which we refer to as legacy vulnerability management, give you a theoretical view of vulnerabilities and risks. They uncover threats a vulnerability could introduce into your environment, but they don’t discover threats that pose real risk.

Without clear insight into actual risks, your security team can get bogged down trying to remediate vulnerabilities that may not pose actual risk and can miss finding and remediating critical vulnerabilities more likely to impact your organization.

Adding a risk-based approach to your vulnerability management practices can help you better understand risks—with threat context—so you have insight into the potential business impact of weaknesses across your attack surface.

2. Assets and Vulnerabilities


What is an asset?

An asset is hardware or software within your IT environment. This can include traditional IT assets such as servers, networks and desktop computers, but also other devices like smartphones, tablets, laptops, virtual machines, Software as a Service (SaaS), cloud-hosted technologies and services, web apps and IoT devices.

Continuous asset discovery, evaluation and management are important components in your overall vulnerability management program.

What is an attack surface?

A modern IT attack surface consists of multiple exposure points (your IT assets) in your network that attackers can potentially exploit. Successful exploitation of these exposure points often leads to breaches. Historically, an attack surface consisted of traditional IT assets such as servers and networks, but today’s attack surface is vast and ever-growing. It now also includes mobile devices such as smartphones, desktops and laptops, virtual machines, cloud infrastructure, web applications, containers and IoT devices.

Many organizations have challenges keeping up with visibility into all assets across the enterprise. It’s further complicated by additional challenges of mitigating and remediating the vast volume of vulnerabilities discovered by most vulnerability assessment programs.

That’s why it’s important to build a robust and scalable vulnerability management program, one that continuously discovers and assesses all of your assets and vulnerabilities to decrease cyber risk.

Here are some tips to help you assess your attack surface as part of your vulnerability management program:

  1. Identify all of your assets, regardless of type.
  2. Determine where each is located.
  3. Determine who manages each asset and who has access.
  4. Indicate asset type: cloud, mobile, traditional IT, IoT, etc.
  5. Determine if the asset is critical to business operations and prioritize accordingly.
  6. Evaluate what could happen if a vulnerability affects each critical asset.

What is a security vulnerability?

A security vulnerability is a weakness in hardware or software attackers can exploit to compromise systems. In more common terms, they’re “bugs” or programming mistakes.

Some vulnerabilities are remediated by patching, which essentially repairs issues within code. The more complex a system is, the more lines of code it will likely have, meaning there’s a greater chance of programming mistakes somewhere in that code.

Vulnerabilities can also be found when systems are misconfigured, creating additional opportunities for attackers. These vulnerabilities can often be remediated by fixing misconfiguration issues.

Here are some other ways attackers target security vulnerabilities and weaknesses:

  • Exploitation of misconfigurations and unpatched systems
  • Phishing: Sending fake emails that look like they're from real sources to trick people into revealing sensitive information.
  • Credential stealing: Attackers attempt to collect usernames and passwords from one breach and then use them to access other sites.
  • Malware: Malicious software gives attackers system access.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS): Flooding attacks to use up bandwidth so systems can’t respond to service requests.
  • Cross-Site Scripting (XSS): Malicious code on websites to target visitors.
  • Man-in-the-Middle (MitM): Compromising users through unsecure networks such as public WiFi.
  • Structured Query Language (SQL) Injection: Malicious code on a server that uses SQL to access sensitive information that otherwise wouldn’t be accessible.
  • Zero-Day Exploits: Exploit of a system after a threat is publicly announced but before a patch or fix is released.

3. Vulnerability Scanning


What is a vulnerability scanner?

A vulnerability scanner is an automated tool you can use to discover vulnerabilities across your attack surface.

There are two main types of vulnerability scans:

  • Credentialed: Scans that use login credentials to discover detailed information about security issues within an asset, system or network
  • Non-credentialed: Scans that do not require credentials and target open ports, protocols, and exposed services on a host

Also, your organization can choose to do:

  • Internal vulnerability scans: Scans performed inside your organization to discover ways attackers can move through your network
  • External vulnerability scans: Scans performed outside of your organization to discover vulnerabilities

Routine vulnerability scanning is an important part of your vulnerability management program and continuous vulnerability scanning can help you further decrease your cyber risks.

Active Scanners

Active vulnerability scanning creates a detailed picture of your network and assets at a specific point in time to identify system misconfigurations, vulnerabilities and other security issues within your attack surface.

Active scanning generates network traffic and interacts with devices on your network. It sends packets to a remote target, which creates a snapshot of your network at that moment.

Active services and applications are then compared to a plugin database to see if any vulnerabilities are present.

Unlike passive scanning, which we’ll discuss below, active scanning gives you additional insight including open ports, installed software, security configuration settings and known malware.

Other active scanning variants include:

  • Unauthenticated scans
  • Authenticated scans
  • Agent-based scanning

Active scanning is ideal for IT devices operating in your converged IT/OT environment. It will give you insight into which assets are on your network, which applications, libraries and services are installed, any vulnerabilities within your system and details about users, groups and installed software.

Active scanning can also help you with configuration assessments and uncover use of default usernames and passwords for critical systems and applications. It’s also useful for malware detection and can help you uncover backdoors and bad file hashes.

Active scanning is integrated into Tenable.io.

With Tenable, you can select from a variety of active scanning options including:

  • On-demand, which is manually launched by the user.
  • Scheduled scans, which can be set to automatically launch daily, weekly or monthly.
  • Dependent scans, which launch when a scheduled parent scan completes. Dependent scans can be daisy-chained to other dependent scans.

While active scanning is an important part of your overall vulnerability management program, it’s only a capture of your attack surface at one point in time. It doesn’t include other devices such as tablets, smartphones, or laptops, that may only periodically appear on your network.

There is another challenge for active scanning—potential disruptions.

While active scanning can help you pinpoint where you may have vulnerabilities, you shouldn’t use it on any assets that can experience an outage if they’re scanned. That could include, but is not limited to, systems that are critical to your organizational infrastructure, medical devices and industrial systems.

Credentialed Scans

Credentialed scans, which are also known as authenticated scans, remotely log in to devices to examine them from the inside out. Credentialed scans gather additional information about your configuration settings and whether or not software has been infected by known malware.

You don’t have to install software on an asset to conduct a credentialed scan, but the scan may still cause some disruptions because it can use network bandwidth and processing power.

Credentialed scans may be better suited to IT systems in upper layers or your OT environment. These scans can often be used together with unauthenticated scans so you can get better insight from both inside-out and outside-in.

Agents

Agent scans provide detailed information and look at each device from an inside-out approach. These scans are generally conducted on control environment systems, and the agent has to be installed on a device or server to function. Agent scans are a good idea for devices that are not frequently connected (or not connected at all) to your network.

Agent scans can be used to find malware on the device, look for misconfigurations and uncover any vulnerabilities.

While agents are usually easy to install on devices and generally are not intrusive, there are a few drawbacks to agent scanning, specifically related to resources. Because they are on-device, they use up power, bandwidth, space on your disk and memory. Also, on-device installation means you should always carefully analyze the agent and test it before you selectively install it on devices, especially in OT environments.

Image Registry

Image registry is a security process you can use while your software is in the build/development stage of your lifecycle. When you create an image registry, it can hold and then scan images for assets including public cloud instances and containers. The benefit of image registry is it helps you discover potential security issues before your new software gets deployed. You can also use image registry for any open-source software or components your organization uses.

4. Network Monitors


What is a network monitor and how does it help manage vulnerabilities?

A network vulnerability monitor helps you find vulnerabilities, misconfigurations and other security issues within your traditional IT infrastructure, including networks, servers, operating systems and applications.

Web application scanners are similar, but focus on web applications. Web application scanners are used not just for third-party applications, but can also be used to test in-house apps.

Passive Network Monitoring

When an asset connects to your network, you should be able to quickly determine if it’s authorized and if not, react.

Passive network monitoring gives your team continuous insight into applications and operating systems used in your network, who is connected to your network, from where and to where data is transferred, which hosts are active, when a new host becomes active, which ports/services are active and your inter-asset connections.

Passive network monitoring uses deep packet inspection to analyze network traffic. It is ideal for IT and OT devices operating in a converged IT/OT environment and can help you discover and identify active network assets and vulnerabilities, as well as active installed applications and services.

Passive network monitoring is an important part of your overall cyber health. Sometimes, active scanning isn’t an option and you have to avoid it because it could disrupt operations. Instead of relying only on active scanning or agent monitoring, passive scanning keeps you informed of what’s going on across your attack surface, giving you more visibility.

One of the great things about passive network monitoring is that its near real-time asset discovery means you can eliminate blind spots you might otherwise have by doing only periodic active scanning.

Passive network scanning is also great for seeking out vulnerabilities in your Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA), both of which can be disrupted by active scanning.

Nessus Network Monitor

With Tenable, you can use Nessus Network Monitor (NNM) to passively analyze your network traffic and eradicate blind spots for complete visibility into your entire attack surface. It’s a safe and non-intrusive way to discover and monitor your sensitive systems.

Nessus Network Monitor is included as a sensor with Tenable.io and Tenable.sc.

Here are some benefits of using NNM:

  • Non-intrusive continuous monitoring and assessment of your network
  • Network traffic monitoring at the packet level for visibility into server and client-side vulnerabilities
  • Scalability for future asset discovery and vulnerability monitoring for all of your devices, including virtual systems and cloud services
  • Automatic infrastructure and vulnerability assessment
  • Vulnerability detection on communicating systems, including protocols and applications
  • Identification of application compromise
  • Comprehensive asset discovery of all your devices, including OT devices and applications, servers, endpoints, web apps, network devices, virtual- and cloud-based devices, BYOD/mobile devices and jailbroken iOS devices

Which passive network monitoring tools are right for my organization?

Here are some tips for evaluating which passive network monitoring tools may be best for your organization. Your passive monitor should:

  • Provide complete visibility into your network traffic
    • Sensors should be able to connect to a physical TAP or SPAN port. For virtual traffic, like in a cloud environment or within your virtual infrastructure, your passive network monitor should be capable of running on a properly configured virtual machine
  • Support common protocols for TCP and UDP
  • Support all of the protocols your system may use: SCTP, ICMP, IPIP, IDP and OT—BACnet, CIP, DNP3, Ethernet/IP, ICCP, IEC 60870-5-104, IEC 61850, IEEE C37.118, Modbus/TCP, OPC, PROFINET and Siemens S7.
  • Be able to recognize all of the assets across your attack surface that use your protocols
  • Be able to identify all the known vulnerabilities that affect your assets
  • Be equipped to send alerts to your Security Information and Event Management (SIEM) solution whenever new assets are discovered.

In Tenable Nessus, passive network monitors, which are monitoring sensors, enable continuous discovery of all active network assets and facilitate vulnerability assessments. Nessus Network Monitor is also integrated into Tenable.io.

5. Patch Management


What is patch management?

Patch management is the process you use to update systems and software throughout your organization. Patching is an important part of vulnerability management and an effective way to mitigate risk for your organization.

Because of the volume of systems and applications within your attack surface, and because vendors are constantly releasing new patches, you likely struggle to know which patches you should do first and then how to prioritize the rest.

Patching priority is directly related to the risk rating associated with vulnerabilities. If your scoring system ranks a vulnerability high or critical for impact, start there, then work your way down your list for lower ranking vulnerabilities.

Like asset discovery, it can be difficult to get a comprehensive look into your patching needs without the help of a vulnerability management platform. This is another place where Tenable can help.

The Tenable.io dashboard, for example, can show you which patches your assets need. With Tenable’s Vulnerability Priority Rating (VPR), you can see which patches are most critical for your organization and where you should focus your attention.

You can even filter the patch list for a closer look. For example, if you want to know how many patches were published in the past 90 days, you can filter your view and see that, including which are most critical for your organization.

Some patches can cause problems for your organization, so you may want to pre-test a patch before deploying it in an active environment. This will give you an opportunity to see if there are conflicts or problems before it negatively affects your real-world operations.

Is your patch management system effective?

Here are some questions to ask to help you evaluate the effectiveness of your patch management system:

Does your team apply all security patches?

It’s up to your organization to adopt a policy about whether or not your teams should cover all security patches. If you do, Nessus and Tenable.sc can help you determine if your patch system works or not. If your organization does not require 100% coverage, it may be helpful to do an external audit to find security risks that have not been addressed by your patching processes.

How quickly do you apply patches?

Your organization should also create a policy to address the timeframe in which patches should be installed. You can use Nessus and Tenable.sc to test for discrepancies within your policy and report on progress.

Do you include new hosts in your patch management program?

You should include new hosts in your patch management processes. As you add servers or desktops to your infrastructure, you can use Tenable.sc to monitor your patch cycle for those devices.

What about embedded devices?

Security issues also exist within embedded devices such as switches, firewalls, routers, and printers. You can use Nessus and Tenable.sc to find patch issues in your embedded devices.

To learn more about patch management effectiveness, check out “Testing the Effectiveness of Your Patch Management System.”
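One way to test findings against a patch-timeframe policy and to spot hosts that never entered the patch program, as an added example (not Tenable's code or API). The severity windows, field names, host names and `VULN-…` identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy: maximum days between first detection and patching, per severity.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                      # constructed placeholder, not a real identifier
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None   # None means the finding is still open


# Constructed sample data.
TODAY = date(2020, 8, 10)
INVENTORY = {"web-01", "db-02", "hr-laptop-7", "printer-3", "new-srv-9"}
SCANNED_HOSTS = {"web-01", "db-02", "hr-laptop-7", "printer-3"}
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-0001", "critical", date(2020, 7, 1), date(2020, 7, 5)),
    Finding("web-01", "VULN-0002", "critical", date(2020, 7, 20)),
    Finding("db-02", "VULN-0003", "high", date(2020, 6, 1), date(2020, 7, 21)),
    Finding("hr-laptop-7", "VULN-0004", "medium", date(2020, 7, 15)),
    Finding("printer-3", "VULN-0005", "high", date(2020, 7, 25)),
]


def days_over_policy(finding, today):
    """Days past the allowed window; 0 when the finding is within policy.
    Open findings are aged up to `today`, fixed ones up to their fix date."""
    end = finding.fixed_on or today
    age = (end - finding.first_seen).days
    return max(0, age - PATCH_WINDOW_DAYS[finding.severity])


def policy_report(findings, today):
    """Return (violations, compliance).
    violations: [(finding, days_over)], most severe first, then most overdue.
    compliance: severity -> fraction of findings handled within the window."""
    violations = [(f, days_over_policy(f, today)) for f in findings]
    violations = [(f, over) for f, over in violations if over > 0]
    violations.sort(key=lambda v: (SEVERITY_ORDER.index(v[0].severity), -v[1]))

    compliance = {}
    for sev in SEVERITY_ORDER:
        group = [f for f in findings if f.severity == sev]
        if group:
            within = sum(1 for f in group if days_over_policy(f, today) == 0)
            compliance[sev] = within / len(group)
    return violations, compliance


def hosts_outside_program(inventory, scanned_hosts):
    """Hosts that exist in the inventory but have never been assessed."""
    return sorted(set(inventory) - set(scanned_hosts))


if __name__ == "__main__":
    violations, compliance = policy_report(SAMPLE_FINDINGS, TODAY)
    for f, over in violations:
        state = "fixed late" if f.fixed_on else "still open"
        print(f"{f.severity:8} {f.host:12} {f.vuln_id} {over} days over ({state})")
    print("compliance:", compliance)
    print("not in patch program:", hosts_outside_program(INVENTORY, SCANNED_HOSTS))
```

A finding that was fixed late still counts as a violation, so the compliance figure measures how fast patches were applied, not only what is open today.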

Why do some patches fail?

Even with an efficient patch management system, sometimes patches just fail. Here are a few examples of why this can happen:

  • Your device, like a UNIX or Windows server, may be too secure. It can be configured in a way that a remote user account or local user agent pushing the patch doesn’t have the rights to do so.
  • If your server has out-of-date network settings, for example, a stale DNS server or local router that looks alive but is stale, your patch could fail because of limited network access.
  • Firewall rules can affect systems and cause patch failure.
  • There could be patch dependencies that were not considered.
  • If you have limited space on your drive or partition, the patch may fail. This is also true for self-extracting patches.
  • You may have limited bandwidth that prevents the patch from delivery and installation.

Want to know more about patch management and potential fail points? Check out this blog.

6. Vulnerability Management Solutions


Why do I need vulnerability management?

With more than 200 potential attack vectors, countless assets and ever-changing work environments (people, locations, technology, etc.), security teams can’t patch and fix every vulnerability, but attackers are continuously looking for ways to infiltrate these weaknesses.

In 2020, between Jan. 1 and the first week of August, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) analyzed almost 12,000 new Common Vulnerabilities and Exposures (CVEs).

While few of these vulnerabilities will likely be used as a real-world exploitation method, any could be targeted at any given time.

And while vulnerabilities marked high/critical get the most attention, attackers don’t care about scores, they care about the easiest way to get into your network.

With increasing opportunities for attackers to target your organization, it has never been more important to understand the value of vulnerability management, explore best practices and adopt tactics you can put to work today to protect your network.

And that’s why having a vulnerability management program—one that focuses on prioritizing risk and increasing remediation efficiencies—is important for all organizations, no matter how large or small.

How do I choose a vulnerability management solution?

While your organization will have unique needs when it comes to selecting a vulnerability management solution, there are some core considerations applicable across industries.

Here are six things to consider when evaluating a vulnerability management vendor to meet your current and future needs.

1. Continuous Asset Discovery

Your vulnerability management solution should offer a wide range of coverage, including continuous asset discovery and complete visibility into your attack surface.

Consider a solution with:

  • Network scanners
  • Agents for endpoints frequently off-network, for example, laptops or mobile devices
  • Passive network monitors to continuously discover assets and vulnerabilities
  • Cloud connectors and pre-authorized cloud scanners to monitor and assess cloud instances
  • Image scanners for static container images before deployment
  • Web app scanners
  • Integrations with cloud, CMDB, CI/CD, ticketing/SOAR and other technologies

2. Assessment Beyond Static Scans

Asset assessment should be more than running a scan. Your vulnerability management solution should facilitate collection and assessment of data to identify security issues.

Consider a solution with:

  • Container assessment before deployment with integrations into developer workflows
  • Cloud workload assessment needs with API-based visibility
  • Passive detection for IT and OT devices that won’t impact system performance and availability

3. Advanced Prioritization

Your vulnerability management solution should leverage machine learning to help your team synthesize vulnerability data so you can uncover blind spots and hidden patterns to better understand organizational risks.

Consider a solution with:

  • Vulnerability prioritization
  • Data inputs for prioritization
  • Research and data teams
  • Automated asset scoring that can scale

4. Automated Reports and Benchmarking

Your vulnerability management solution should provide out-of-the-box reporting for your basic needs and include a powerful and well-documented API to customize and automate reports for your team needs, business goals and compliance.

It’s also a good idea to choose a solution that includes benchmarking metrics so you can evaluate your vulnerability management program success internally and against peer organizations.

5. Simple Pricing and Licensing

Your vulnerability management solution should have simple and straightforward pricing. Consider a solution with a licensing model that doesn’t penalize you for things like using an API or prioritizing threats.

6. Scaling

Your vulnerability management solution should be able to scale as your organization grows and changes over time. Look for a solution that can keep up and adapt with you.

7. Vulnerability Management Best Practices


Vulnerability management best practices

There are many ways attackers can exploit weaknesses within your attack surface. A single security breach can have devastating impacts on your organization.

Here are a few best practices you can apply to your vulnerability management program to facilitate success:

Asset Identification and Management

First, identify all of the assets within your organization and then determine where each asset is located, how it’s used, who is responsible for it and how critical it is to your organization.

Next, track and record asset relationships and dependencies with other assets in your network. If an attacker compromises one, what path does it open for additional exploits? Even if one asset isn’t ranked critical, check for interdependencies that could put you at risk.
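The interdependency check described above can be run as a graph search over your asset relationships. This is an added example, not part of the original page or any Tenable product; the asset names, criticality ratings, edges and the one-point-per-hop decay rule are constructed assumptions.

```python
from collections import deque

# Constructed inventory: asset -> business criticality (1 = low, 5 = critical).
CRITICALITY = {
    "print-srv": 1, "hr-laptop": 2, "jump-host": 2,
    "file-srv": 3, "app-srv": 3, "payroll-db": 5, "domain-ctrl": 5,
}

# Constructed relationships: an edge A -> B means a compromise of A gives a
# foothold toward B (network trust, stored credentials, service dependency).
REACHES = {
    "print-srv": ["file-srv"],
    "hr-laptop": ["app-srv"],
    "jump-host": ["domain-ctrl", "app-srv"],
    "file-srv": ["jump-host"],
    "app-srv": ["payroll-db"],
    "payroll-db": [],
    "domain-ctrl": [],
}


def reachable(start):
    """Breadth-first search: {asset: shortest path from start} for every
    asset reachable from start (start itself excluded)."""
    paths = {}
    seen = {start}                 # also guards against cycles in the graph
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in REACHES.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                paths[nxt] = path + [nxt]
                queue.append(paths[nxt])
    return paths


def paths_to_critical(start, threshold=5):
    """Shortest path from start to each asset rated >= threshold."""
    return {a: p for a, p in reachable(start).items()
            if CRITICALITY[a] >= threshold}


def effective_criticality(asset, decay=1):
    """Own rating, or the best rating reachable minus `decay` per hop
    (assumed heuristic: closer to a critical asset means higher priority)."""
    best = CRITICALITY[asset]
    for target, path in reachable(asset).items():
        hops = len(path) - 1
        best = max(best, CRITICALITY[target] - decay * hops)
    return best


def review_list():
    """Assets whose dependencies raise their priority above their own rating:
    [(asset, own_rating, effective_rating)], highest effective rating first."""
    rows = []
    for asset, own in CRITICALITY.items():
        eff = effective_criticality(asset)
        if eff > own:
            rows.append((asset, own, eff))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for asset, own, eff in review_list():
        print(f"{asset}: rated {own}, effective {eff}")
        for target, path in paths_to_critical(asset).items():
            print("   ", " -> ".join(path))
```

Here the jump host is rated 2 on its own but sits one hop from the domain controller, so it should be patched and monitored like a level-4 asset.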

You should also evaluate when each device connects and disconnects from your network. You can get this insight through a Network Access Control System, reviewing DHCP logs, reviewing DNS server logs and installing vulnerability scanning agents on devices to routinely scan them.
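One way to review DHCP logs for connect and disconnect times, and to list devices that were never on the network during a scheduled scan window (candidates for agents). This is an added example, not from the original page: the log lines are constructed in the style of ISC dhcpd syslog output, and the one-hour lease time and scan window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: a lease that is neither renewed nor released ends one lease time
# after its last DHCPACK. Set this to your DHCP server's configured lease time.
LEASE = timedelta(hours=1)

# Constructed log lines (ISC dhcpd style, ISO timestamps, made-up MACs/hosts).
SAMPLE_LOG = """\
2020-08-03T01:50:10 gw dhcpd[812]: DHCPACK on 10.0.0.10 to 02:00:00:00:00:10 (file-srv) via eth1
2020-08-03T02:20:10 gw dhcpd[812]: DHCPACK on 10.0.0.10 to 02:00:00:00:00:10 (file-srv) via eth1
2020-08-03T09:14:02 gw dhcpd[812]: DHCPACK on 10.0.0.23 to 02:00:00:00:00:23 (hr-laptop) via eth1
2020-08-03T09:44:02 gw dhcpd[812]: DHCPACK on 10.0.0.23 to 02:00:00:00:00:23 (hr-laptop) via eth1
2020-08-03T10:05:30 gw dhcpd[812]: DHCPRELEASE of 10.0.0.23 from 02:00:00:00:00:23 (hr-laptop) via eth1 (found)
2020-08-03T13:00:00 gw dhcpd[812]: DHCPACK on 10.0.0.41 to 02:00:00:00:00:41 (tablet-7) via eth1
2020-08-03T16:30:00 gw dhcpd[812]: DHCPACK on 10.0.0.41 to 02:00:00:00:00:41 (tablet-7) via eth1
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd\[\d+\]: (?P<ev>DHCPACK|DHCPRELEASE) "
    r"(?:on|of) (?P<ip>\S+) (?:to|from) (?P<mac>[0-9a-f:]{17})\b"
)


def presence_intervals(log_text, lease=LEASE):
    """Return {mac: [(start, end), ...]}: approximate on-network periods.
    A DHCPACK within one lease time of the previous one is a renewal;
    a DHCPRELEASE ends the period; a silent gap ends it at last ACK + lease."""
    open_sessions = {}   # mac -> [first_ack, last_ack]
    intervals = {}       # mac -> [(start, end), ...]

    def close(mac, end):
        start, _last = open_sessions.pop(mac)
        intervals.setdefault(mac, []).append((start, end))

    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                              # not a lease event we track
        ts, mac = datetime.fromisoformat(m["ts"]), m["mac"]
        current = open_sessions.get(mac)
        if m["ev"] == "DHCPRELEASE":
            if current:
                close(mac, ts)
        elif current and ts <= current[1] + lease:
            current[1] = ts                       # renewal extends the period
        else:
            if current:                           # earlier lease expired silently
                close(mac, current[1] + lease)
            open_sessions[mac] = [ts, ts]

    for mac in list(open_sessions):               # periods still open at end of log
        close(mac, open_sessions[mac][1] + lease)
    return intervals


def missed_by_scan(intervals, scan_start, scan_end):
    """MACs with no on-network period overlapping the scan window."""
    return sorted(
        mac for mac, spans in intervals.items()
        if not any(start < scan_end and end > scan_start for start, end in spans)
    )


if __name__ == "__main__":
    seen = presence_intervals(SAMPLE_LOG)
    window = (datetime(2020, 8, 3, 2, 0), datetime(2020, 8, 3, 3, 0))
    for mac, spans in seen.items():
        print(mac, [(s.time().isoformat(), e.time().isoformat()) for s, e in spans])
    print("never online during scan window:", missed_by_scan(seen, *window))
```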

Vulnerability Identification

Once you have insight into your assets, you can begin assessing each for vulnerabilities, including the severity risk for each weakness.

Take a close look at how easy and likely it is for attackers to exploit each vulnerability and potential damage if successfully attacked. Once you understand vulnerability criticality, then you can prioritize how to mitigate and remediate each security issue.

Routine Vulnerability Management

Traditionally, vulnerability management relied on periodic point-in-time vulnerability discovery and assessment scans, but to improve your security posture, you should consistently and continuously scan your attack surface to discover problems and remediate them to decrease the likelihood of an attack.

Continuous scanning prevents blind spots between manual scans and can help you find new security issues that can happen at any time. By scanning more often and remediating routinely, you may discover fewer vulnerabilities during each single scan.

Risk Assessment

You likely have a large volume of diverse assets across your organization, and not every device has the same level of security.

That means you need to determine the security level for each asset so you can plan steps to take—and the priority—to fix it. Determining how valuable each asset is to your organization and exposure level will help you better understand what you need to do to protect it.

Change Management

Because devices on your network change frequently (and that creates new security issues), it’s important to develop a vulnerability management program that is flexible and that can discover and address changes whenever they happen. This could be when applications are updated, when hardware is added, or when software gets upgraded.

Effective change management will help you create processes to ensure new security issues are addressed and dealt with quickly.

Patch Management

Because of the volume of vulnerabilities traditionally discovered during vulnerability scans, it can be challenging to effectively deploy patches without significant downtime or disruptions. Your vulnerability management program should integrate patch and release management processes to facilitate timely patching for critical assets.

Integrate your patch management processes with your change management processes to ensure your updates and patches are applied consistently, in a controlled manner, correctly and that the patch addresses the vulnerability exposure.

Mobile Devices

Today, mobile devices may make up a significant part of your attack surface. While these devices bring flexibility to your users, they can add unique security risks for your organization. This can be further complicated if your organization supports Bring Your Own Device (BYOD) instead of using corporate-issued devices. Mobile Device Management (MDM) systems can help, as can deploying agents on mobile devices.

Mitigation Management

Your organization may have vulnerabilities that don’t have available patches or fixes when you discover them. So what do you do? Your vulnerability management program should include alternate ways to manage those vulnerabilities until they can be fixed. Some effective approaches could include increasing log monitoring, updating IDS attack signatures or changing firewall rules.

Incident Response

One measurement of vulnerability management program effectiveness is how quickly you respond to incidents. The faster you respond to a security issue, the greater chance you have to decrease organizational impact. Incident response isn’t just a reaction to a breach. Adopt a proactive approach so you’re always prepared to respond. Continuous security monitoring, process automation and alerts help facilitate rapid response.

Automation

Automation helps you quickly and accurately discover, assess and remediate vulnerabilities across your attack surface, especially for larger systems where there is a constant flow and change of data across your network. Automation helps you work through data in less time and with fewer errors.


Vulnerability Management Resources

What Is the Answer to the Vulnerability Overload Problem?

Five Steps to Building a Successful Vulnerability Management Program

What to Look for in a Cloud Vulnerability Management Solution

Vulnerability Management: Asset Discovery

4 Failings of Vulnerability Management You Need to Fix for a More Secure 2020
