
What Are the Key Steps to Building a Manageable Vulnerability Management Program? Part II
In the first article of this series, we introduced the foundation of building a Vulnerability Management (VM) program. Now, in Part II, we're diving into how to craft a manageable and sustainable VM program, specifically for large enterprises facing an ever-growing vulnerability remediation backlog.

The Challenge of Backlog: Why It’s Growing
Large organizations face a unique challenge when it comes to vulnerability remediation—the ever-increasing backlog. While vulnerability management tools provide useful insights into potential risks and remediation options, the backlog persists, especially when dealing with application security vulnerabilities. The question is: how do you manage and reduce this backlog while ensuring that vulnerabilities are handled promptly and efficiently?
A Key Strategy: Threat Modeling
One solution to this growing problem is threat modeling, although it’s a complex process. Threat modeling allows teams to take a proactive approach, making architectural decisions that reduce threats early in the development cycle. It’s a strategy that incorporates defensive measures to prevent exploitation of system flaws.
Common threat modeling methodologies include:
- PASTA (Process for Attack Simulation and Threat Analysis)
- STRIDE
- LINDDUN
- Attack Trees
- CVSS (Common Vulnerability Scoring System)
The SecuRetain Approach to Tackling the Backlog
At SecuRetain, we recognized that technology alone wasn’t enough to solve the backlog issue. We needed to take a holistic approach, considering the people, processes, and technology aspects of the problem. Our first step was to thoroughly understand the issue—not just from a technical perspective, but also from a governance and decision-making standpoint.
We found that while running vulnerability scanners, evaluating their results, and applying solutions were straightforward, the backlog kept growing. Why? Because attackers never stop, and the vulnerability landscape constantly evolves. This challenge requires a comprehensive strategy—not just the right tools, but the right people, processes, and governance frameworks.
Key High-Level Considerations for Building a Sustainable VM Program
- Governance: Defining the Right Process and Ownership
  - Establish a strong governance framework with clear processes, policies, and RACI (Responsible, Accountable, Consulted, and Informed) metrics.
  - Asset ownership is crucial—without it, vulnerabilities will continue to accumulate, and decision-making will become difficult.
- Response Strategy: Prioritize with Purpose
  - Develop a response strategy that treats high-priority vulnerabilities as emergencies. Some vulnerabilities demand immediate action, and organizations must be ready to prioritize them.
  - This strategy needs a balance: too many urgent vulnerabilities can overwhelm teams, while ignoring critical ones can lead to significant risk.
- Asset-Based Approach: Classifying Risk
  - Implement a risk-based asset classification approach, where high-risk assets are prioritized for remediation. Identifying and classifying assets based on their value and risk to the business is key.
  - Accurate asset inventory is not only critical for risk management but also for compliance with regulations.
- Prioritization of Vulnerabilities: Streamline the Process
  - Prioritize vulnerabilities based on their risk and potential impact. An effective workflow system is essential to ensure tasks are assigned and completed on time, which will significantly reduce risk.
- Chain of Command & Centralized Analysis
  - A centralized approach to vulnerability management ensures that decision-making is streamlined, and a clear chain of command exists for effective management of vulnerabilities.
- Tracking & Communication: Measure and Improve
  - A robust system for tracking vulnerabilities at every stage of the remediation process is essential. Utilizing KPIs and metrics will help gauge the effectiveness of the program and ensure constant improvement.
- Reduce the Attack Surface
  - Reducing the attack surface is crucial to minimizing the number of potential vulnerabilities. Eliminate unnecessary applications, limit access to sensitive assets, and ensure proper configurations.
  - Attackers often target unmonitored assets—for large enterprises, these could number in the hundreds. Regularly monitoring and reducing the attack surface will significantly lower the risk.
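One way to turn the asset-based classification, purpose-driven prioritization, ownership and KPI tracking considerations above into a single triage step, as an added example that is not part of this article or of SecuRetain's own tooling: the asset weights, tier thresholds and SLA days are assumed illustrative values, and the findings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed asset-class weights, tier thresholds and per-tier SLAs (illustrative, not from the article).
ASSET_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}
TIERS = (("emergency", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))
SLA_DAYS = {"emergency": 2, "high": 14, "medium": 45, "low": 90}
@dataclass
class Finding:
    vuln_id: str
    asset_class: str        # business criticality from the asset inventory
    cvss: float             # scanner severity, 0-10
    internet_facing: bool   # exposure: part of the external attack surface?
    owner: Optional[str]    # None = no asset owner assigned yet
    found: date

def risk_score(f: Finding) -> float:
    """Weight scanner severity by asset value, then bump internet-exposed assets."""
    score = f.cvss * ASSET_WEIGHT[f.asset_class]
    if f.internet_facing:
        score = min(10.0, score + 1.5)
    return round(score, 2)

def tier(score: float) -> str:
    """Map a risk score to a response tier; 'emergency' is worked outside the normal queue."""
    return next(name for name, floor in TIERS if score >= floor)

def triage(findings, today):
    """Order the backlog by risk, attach SLA due dates and compute tracking KPIs."""
    queue = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        due = f.found + timedelta(days=SLA_DAYS[t])
        queue.append({"id": f.vuln_id, "score": s, "tier": t, "due": due,
                      "overdue": today > due, "unowned": f.owner is None})
    queue.sort(key=lambda r: (-r["score"], r["due"]))  # highest risk first, then earliest due
    kpis = {"open": len(queue), "overdue": sum(r["overdue"] for r in queue),
            "unowned": sum(r["unowned"] for r in queue),
            "by_tier": {t: sum(r["tier"] == t for r in queue) for t in SLA_DAYS}}
    return queue, kpis
# Constructed sample findings (not real scanner output); TODAY is the triage date.
SAMPLE = [
    Finding("V-1", "critical", 9.8, True, "team-pay", date(2024, 1, 2)),
    Finding("V-2", "low", 9.8, False, None, date(2024, 1, 2)),
    Finding("V-3", "high", 6.5, True, "team-hr", date(2023, 11, 1)),
    Finding("V-4", "medium", 5.0, False, None, date(2024, 1, 20)),
]
TODAY = date(2024, 2, 1)
```

Note that V-2 carries the same scanner score as V-1 but lands at the bottom of the queue because its asset is low-value and not exposed, which is the point of weighting by asset classification rather than by raw severity.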
The Power of Accurate Asset Management
For large enterprises, unknown and unprotected assets often form the weakest links in the security chain. Once a comprehensive inventory of these assets is established, it becomes much easier to understand, prioritize, and mitigate the risks associated with them.