Q: How do you plan and rank vulnerability checks? What factors help you decide what to handle first?
Grant Barnes: CVSS traditionally has been used by many professionals to try and bring some prioritization to vulnerabilities and security misconfigurations.
However, as time progresses and technology evolves, so do these weaknesses. Reviewing metrics on the CVE.org page, it is clear that year on year we are discovering more CVEs than the year prior, so prioritization is essential to running an effective vulnerability management program.
Within programs created by me, I will utilize different tooling to understand the severity, exploitability and mitigating controls in effect. Security validation tooling is capable of telling us about weaknesses that are not just discoverable but actually exploitable, and maps to the MITRE ATT&CK framework for understanding how to remediate or mitigate the attack path.
Once the program has all this information available, we are able to split the outstanding tasks into different workstreams:
Governance related weaknesses – Vulnerabilities and security misconfigurations that affect the governance of standards the company must adhere to in order to conform, such as Cyber Essentials + and ISO27001 (ensure updates are applied within 14 days if severity is critical or high and that no software in use is unsupported).
Confirmed Security related weaknesses – Vulnerabilities and security misconfigurations that have been confirmed attractive and exploitable by a malicious actor.
Confirmed Security related weaknesses take priority as these are confirmed attack methods/routes into the business that could evolve into larger managed incidents.
Second, confirmed Security related weaknesses from pentest activities performed by a third party, as these are also confirmed methods/routes.
Governance related weaknesses will be the next priority as failing to adhere to these standards will possibly result in audit issues/urgent requests.
Once these three areas have been prioritised, the remaining tasks are prioritised by their vulnerability tooling-specific metrics (Tenable is VPR, Qualys is VMDR Prioritization). These take into consideration public knowledge around the exploitability and whether it is being actively exploited in the wild; however, not all CVEs have this metric, so finally we resort to the CVSS model for what is remaining.
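The ranking described in this answer (validated-exploitable, then third-party pentest findings, then governance breaches, then the vendor metric, then CVSS), written up as an added Python example that is not tooling from the interview or from any vendor product; the Finding fields, the CVSS 7.0 cut-off for "critical or high" and the sample backlog are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Workstream order from the answer above: lower value is handled first.
TIER_VALIDATED, TIER_PENTEST, TIER_GOVERNANCE, TIER_VENDOR, TIER_CVSS = range(5)
PATCH_SLA_DAYS = 14   # Cyber Essentials: critical/high updates applied within 14 days

@dataclass
class Finding:
    name: str
    cvss: float
    days_open: int = 0
    validated_exploitable: bool = False   # proven by security validation tooling
    pentest_confirmed: bool = False       # reported by a third-party pentest
    unsupported_software: bool = False    # end-of-life product still in use
    vendor_score: Optional[float] = None  # e.g. Tenable VPR; None if the CVE has none

def governance_breach(f: Finding) -> bool:
    """Critical/high (assumed CVSS >= 7.0) older than the SLA, or any unsupported software."""
    return f.unsupported_software or (f.cvss >= 7.0 and f.days_open > PATCH_SLA_DAYS)

def tier(f: Finding) -> int:
    if f.validated_exploitable:
        return TIER_VALIDATED
    if f.pentest_confirmed:
        return TIER_PENTEST
    if governance_breach(f):
        return TIER_GOVERNANCE
    if f.vendor_score is not None:
        return TIER_VENDOR
    return TIER_CVSS

def sort_key(f: Finding):
    t = tier(f)
    # Inside the vendor-metric tier rank by that metric, elsewhere by CVSS.
    score = f.vendor_score if t == TIER_VENDOR else f.cvss
    return (t, -score, f.name)

def prioritise(findings: List[Finding]) -> List[str]:
    return [f.name for f in sorted(findings, key=sort_key)]

# Constructed sample backlog (hypothetical values, not from a real scan).
SAMPLE = [
    Finding("Info-disclosure CVE, no VPR", cvss=9.1, days_open=5),
    Finding("Kernel CVE with VPR", cvss=7.8, days_open=3, vendor_score=8.4),
    Finding("Windows Server 2012 still in use", cvss=7.0, unsupported_software=True),
    Finding("Outdated OpenSSL on web proxy", cvss=9.8, days_open=20, vendor_score=6.7),
    Finding("Weak service account password", cvss=7.5, pentest_confirmed=True),
    Finding("SMB signing not required", cvss=5.3, validated_exploitable=True),
]

if __name__ == "__main__":
    for n, name in enumerate(prioritise(SAMPLE), 1):
        print(n, name)
```

Note that the CVSS 9.1 finding lands last: it is neither confirmed exploitable nor past the 14-day SLA and has no vendor metric, while the CVSS 5.3 SMB signing item goes first because validation tooling proved it exploitable.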
Q: How do you use threat intelligence in managing vulnerabilities? Can you give an example where this helped stop a threat before it became an issue?
Grant Barnes: Threat intelligence can be applied to various aspects of our cyber and non-cyber workflows.
Specifically, in vulnerability management, it helps us understand active threats, trends, and our organization’s current exposure.
Once these factors are understood, we can adjust the level of prioritization to match the revised severity.
For example, within many “living off the land” write-ups aligned with the MITRE ATT&CK framework, it is common to find vulnerabilities such as a lack of SMB signing or security misconfigurations related to spoofing, like default IPv6 configurations.
Although these issues are often categorized as medium or low severity, threat intelligence demonstrates that they are frequently exploited in attacks.
Q: How do you work with other IT security teams to respond to vulnerabilities?
Grant Barnes: In the constantly evolving vulnerability landscape, there is a growing need to engage with different areas of IT support to ensure that the workload is evenly distributed and remains manageable.
I have specified that the sysadmin roles are responsible for making the patch/fix available and automating its delivery to both the server and EUD estates.
However, once the success criteria of the change control are met, the remaining affected devices are then further diagnosed by remote support teams.
This is just one way of utilizing multiple IT teams collaboratively to achieve the desired results.
Other examples include working with an IAM team to remove identified excess permissions or dormant accounts.
Q: How do you update your methods for managing vulnerabilities with new security trends and tech?
Grant Barnes: Automation is key.
If there is something I have learned from working with operational staff and being able to successfully deliver a vulnerability management solution, it is that if you bog your sysadmins and operational staff down with administrative tasks, it will be a lot harder to motivate them and communicate the requirements you have.
I have configured different CSPM, VM, and identity management solutions to communicate with a common ITSM tool over an API.
The tooling will automatically discover the finding, raise a security incident in the ITSM, and remove it from operational view once resolved.
This ensures that operational staff are only ever exposed to what is required of them.
This has helped me overcome the human element of resistance, and it also assists in future-proofing the process/procedure.
As the tooling changes and the feeds evolve, the general operational interaction will remain the same, delivering results in the same way despite evolving tooling.
Q: How do you tell upper management about vulnerabilities and their risks? What reporting style and timing do you find works best?
Grant Barnes: In short, monthly reporting is what executive board members are generally used to, and it works well in regard to the timing of the delivery to ensure it has impact.
Too often, it becomes samey; too infrequently, and you’ll have to constantly remind them of any specific acronyms or knowledge relating to your tooling and infrastructure.
In reference to the reporting style and how to deliver this information, “data does not lie”; because of this, I report in two different ways: what the vulnerability management tooling is stating and what our ITSM statistics say regarding resourcing input.
Together, these different statistics paint a picture of the level of risk we are currently living with in regard to our exposure, as well as how much resource effort we are spending to resolve the vulnerabilities, giving executive boards all the information they need to be able to confidently invest in or accept the level of risk currently.