Many businesses mistakenly assume that by complying with industry standards and legislation, their systems are as secure as they can be. They don’t see the need to go above and beyond what’s laid out in the minimum requirements contained in most standards. But just being compliant isn’t enough in today’s business environment. Companies need to employ vulnerability management and remediation—and they need to do it wisely.
Vulnerability Management and Remediation
While many companies use some sort of vulnerability management, these often have serious shortcomings. For example, many standards recommend an annual system scan for vulnerability reporting, which is sufficient for compliance, but insufficient to ensure your systems are truly secure. Continuous vulnerability management is becoming more popular as businesses realize they need to scan more frequently. Since the operating environment can change on a day-to-day basis, it’s important for companies to monitor their systems more often.
But simply scanning for vulnerabilities is only half the story. Once you know your systems have vulnerabilities, you need to do something about them. Addressing these risks is known as vulnerability remediation: the process of eliminating or mitigating vulnerabilities before anyone else can find and use them.
The Problem of Remediation: What Do You Fix?
Anyone who has looked at a typical vulnerability monitoring scan will know exactly how daunting remediation can be. Scans often report hundreds, if not thousands, of vulnerabilities. Typically, the results are sorted into high, medium, and low-risk categories. However, these scans oversimplify levels of risk: they don’t offer much in the way of context, such as which assets are critical or confidential, or even what type of asset is affected. Even if you tell your IT department to remediate all of the high-risk items, they could be working on low-priority risks while higher-priority vulnerabilities go untreated. You could ask your employees to simply fix all of the vulnerabilities the scan finds—but that could involve remediating hundreds of low-risk and low-priority items. Is that really the best use of time and labour?
A New Approach to Remediation
Rather than giving your employees blanket directions like, “Fix all the high-risk vulnerabilities” or having them pick through a lengthy vulnerability scan, have your team engage in vulnerability remediation using a risk-based approach. This approach takes into account contextual information, such as where an asset is physically and on the network, and who is responsible for the asset. This opens up a wide range of possibilities for approaching remediation in more cost-effective and efficient ways.
The Benefits of the Risk-Based Approach
The additional information provided by the risk-based approach to vulnerability remediation allows you to make any number of specific rules to determine priorities. For example, you can prioritize assets of a certain type, such as your servers. You can also decide to fix high-level risks in a certain physical location, on assets running particular applications, or assets owned by a particular person. For example, instead of simply dictating that you want all high-level risk items in the scan report fixed, you might remediate all high-risk items affecting the servers in your Vancouver location. Deciding what to fix has never been easier.
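The rule-based prioritization described above, as an added example that is not part of the original post: scanner findings carry only a host and a high/medium/low rating, an asset inventory supplies the missing context (asset type, location, owner, applications), and an ordered rule list such as "high-risk items on servers in Vancouver first" decides the work order. The hostnames, locations, owners and findings are constructed for the example; a host the inventory does not know is kept but sorted last rather than dropped.

```python
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed asset inventory: the context a bare scan report lacks
# (hostnames, locations, owners and apps are made up for this example).
ASSETS = {
    "web01": {"type": "server", "location": "Vancouver", "owner": "alice", "apps": ["nginx"]},
    "db01":  {"type": "server", "location": "Toronto",   "owner": "bob",   "apps": ["postgres"]},
    "lt-17": {"type": "laptop", "location": "Vancouver", "owner": "carol", "apps": ["browser"]},
}

# Constructed scanner output: host plus the scanner's own high/medium/low rating.
FINDINGS = [
    {"id": "F1", "host": "lt-17",  "severity": "high",   "title": "outdated browser"},
    {"id": "F2", "host": "db01",   "severity": "medium", "title": "weak TLS cipher"},
    {"id": "F3", "host": "web01",  "severity": "high",   "title": "vulnerable nginx build"},
    {"id": "F4", "host": "web01",  "severity": "low",    "title": "banner disclosure"},
    {"id": "F5", "host": "db01",   "severity": "high",   "title": "unpatched postgres"},
    {"id": "F6", "host": "ghost9", "severity": "high",   "title": "host missing from inventory"},
]

# Ordered rules, earlier rules win. Each rule maps an attribute to a required value;
# "apps" matches when the asset runs the named application.
RULES = [
    {"severity": "high", "type": "server", "location": "Vancouver"},
    {"severity": "high", "apps": "postgres"},
    {"type": "server"},
]

UNKNOWN = {"type": "unknown", "location": "unknown", "owner": None, "apps": []}

def enrich(finding: dict, assets: dict) -> dict:
    """Merge inventory context into a scan finding; hosts missing from inventory get UNKNOWN."""
    return {**assets.get(finding["host"], UNKNOWN), **finding}

def matches(item: dict, rule: dict) -> bool:
    """True when the enriched finding satisfies every attribute in the rule."""
    return all(wanted in item["apps"] if attr == "apps" else item.get(attr) == wanted
               for attr, wanted in rule.items())

def rule_index(item: dict, rules: list) -> int:
    """Index of the first matching rule; len(rules) when no rule matches (sorted last)."""
    return next((i for i, rule in enumerate(rules) if matches(item, rule)), len(rules))

def prioritize(findings: list, assets: dict, rules: list) -> list:
    """Finding ids ordered by rule match, then scanner severity, then id for a stable order."""
    items = [enrich(f, assets) for f in findings]
    items.sort(key=lambda it: (rule_index(it, rules), -SEVERITY_RANK[it["severity"]], it["id"]))
    return [it["id"] for it in items]
```

With these rules the medium-rated TLS finding on the Toronto database server (F2) is scheduled ahead of the high-rated browser finding on a laptop (F1), which is exactly the reordering a severity-only list cannot express.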
Obviously, being able to pinpoint which items to fix has several upshots. One of those is that your IT team will be more efficient in applying remediation. Since the scope of the remediation activities is narrower, they can more swiftly attend to the truly worrisome risks affecting your systems. Not only that, but they’ll likely be more motivated to complete these tasks, since they know that their work has a high likelihood of improving security. Since the team is working faster, you’ll also notice they spend less time—and thus less money—on remediation.