How Agencies Can Strengthen Cybersecurity with Vulnerability Management

Buried in the millions of lines of code that run everything from operating systems to applications are the next generation of vulnerabilities, waiting to be discovered and exploited.

Left unaddressed, these vulnerabilities jeopardize the confidentiality, integrity and availability of government data and information systems.

Luckily, vulnerability management tools can identify these risks and help spare information systems from coming under attack.

The best such solutions identify, catalog and remediate vulnerabilities quickly and efficiently. These tools provide a roadmap for security teams to evaluate their technology infrastructure’s current vulnerability status, remediate systems and promptly react to new vulnerability announcements.

The vulnerability management marketplace is mature and populated with time-tested tools to provide security staffs with the information needed to stay ahead of the curve.

A Wide Range of Security Options

Tools from Tenable Security and Qualys are all more than 15 years old and reflect a solid understanding of vulnerability management, backed by expert research teams.

These solutions provide a strong base, leaving evaluators free to focus on the more complex features of the products and their usability.

When evaluating and weighing different products, agencies will need to make three chief decisions. The first will be where to locate the scanning platform. Vendors offer on-premises, cloud-based and hybrid approaches.

Agencies should consider their own technology environments when selecting a platform. In particular, agencies may benefit from a hybrid approach that combines scanners located inside federal data centers with offsite scanners hosted by the product manufacturer in the cloud.

This approach provides two important and unique perspectives on an agency’s environment. Internal scanners give a comprehensive look at vulnerabilities that an insider might exploit, while external scanners provide an attacker’s view of an agency’s technology footprint. This lets IT teams quickly prioritize vulnerabilities from external exposures, due to their higher risk of exploitation.

Second, agencies must decide if they prefer agent-based or agentless scanning. Agent-based scanning requires installing software on each monitored system that reports configuration information back to the vulnerability management platform. This improves the accuracy of scans, but requires administrator involvement.

Agentless scanning, on the other hand, performs remote network-based system scans that are easier to administer but often result in more false positive reports.

Finally, agencies with compliance obligations should consider how a vulnerability management solution will fit within their regulatory requirements, given the systems that an agency operates. The Payment Card Industry Data Security Standard, for instance, requires both regular internal network vulnerability scans and quarterly external scans from an approved scanning vendor. But not every agency takes payments and might not have to accommodate PCI requirements.

Some vulnerability management practices leverage a hybrid platform approach to meet these requirements: using on-premises scanners for internal scans and then vendor-maintained scanners for required external compliance scans.

Prioritizing Risks 

The initial results from a newly installed vulnerability scanner can intimidate security administrators. The results often reveal a large number of potential vulnerabilities that require action within the agency.

To manage this deluge, agencies will need to prioritize and triage both their information assets and the vulnerabilities uncovered. Risk will be the driving factor, as agencies prioritize new-found vulnerabilities based on importance and likelihood of exploitation; for example, a critical security vulnerability in a public-facing e-commerce server would take priority over a low-impact security vulnerability on an internal server with no public network access.

Vulnerability management platforms typically include tools that assist with prioritization, drawing upon information in industry databases and correlated against asset information from the agency’s security team. Administrators can use the results to mitigate the most critical vulnerabilities first.

Scanning for Vulnerabilities Periodically 

Once an agency mitigates the initial scan results, technology leaders can turn their attention to the operationalization of an ongoing vulnerability management program. This program should include routine, periodic scans for vulnerabilities in agency systems and the business processes used to interpret and remediate scan results.

Some platforms provide a complete vulnerability workflow process that will let agencies automatically route newly detected vulnerabilities to the appropriate technical staff members for remediation. These workflows include automatic resolution checking so that a rescan can validate that the vulnerability no longer exists, or escalate system problems to management when a vulnerability is not remediated after a certain time.

Gaining Visibility into Threats 

Agency managers will also want to build metrics for their vulnerability management process. Commonly used measures include the number of critical vulnerabilities that exist in the environment; median resolution time; and the number of existing vulnerabilities that exceed a resolution time service-level agreement. Agencies may add in environment- specific measurements, say, to monitor and report about specific high-security environments, important devices or agency-specific mission areas.

Vulnerability management programs can give technical staff and agency IT leadership important visibility into security and risk factors. Taking time to select and implement a solution now may remediate vulnerabilities that could allow security breaches later on.