Centric security management
Jose Varghese, EVP and head, Managed Security Services at Paladion Networks, discusses vulnerability and threat management.
Security management is about running two applications: vulnerability management and the threat management program.
Depending on the size and complexity of the environment, these programs are executed using a combination of automated tools, people and processes. It is common today to have vulnerability scanners like Nessus and Burp Suite and threat monitoring tools like ArcSight or QRadar. As we get busy managing the details, we sometimes forget to check whether these tools really improve our security posture.
Detection is essential for both threats and vulnerabilities. However, detection by itself does not improve security (although it will improve compliance) unless you remediate what was detected. If there is no plan and process for remediating a detected vulnerability, what is the real benefit of the vulnerability management program?
Know your assets
Many times there is no proper asset database that captures which servers, databases and firewalls are running in your environment. You need to know who owns these assets and who can take action if a security issue is detected on any of them.
Without a proper asset database, no meaningful action can be taken. Maintaining an asset database is not the responsibility of the IT security team, but if the IT organisation does not have one, it may be worthwhile for the security team to build it rather than blame the IT team for not having it.
Automated ticketing system
Tracking remediation status over email and Excel sheets does not work any more. There is a need for a proper ticketing system that has your asset database, along with the asset owners, populated so that every security issue can be linked to one of the assets.
Better still, a ticketing system that can auto-escalate if no action is taken and can provide statistics on open tickets and ticket age is very helpful.
Before you invest in automated vulnerability and threat management tools, put in place a proper ticketing system. Most importantly, remember not to have a separate ticketing tool only for security.
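As an added example, not from the article or from Paladion's own tooling, here is a small Python model of the asset-linked ticketing approach described above: scanner findings are joined to the asset inventory so every ticket carries an owner, findings on hosts missing from the inventory are surfaced rather than silently dropped (the "no meaningful action" case), open tickets auto-escalate once they exceed an age threshold for their severity, and open-ticket statistics are reported per owner. All hostnames, owners, finding ids, dates and escalation thresholds are constructed assumptions.

```python
"""Added example (not from the article): a minimal asset-linked remediation
ticket tracker. Findings are joined to an asset inventory, unowned findings
are flagged, open tickets auto-escalate by age, and per-owner statistics are
produced. All data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date

# Constructed asset inventory: host -> type and owner. In practice this comes
# from a CMDB; the join logic is the same.
ASSETS = {
    "web-01": {"type": "server", "owner": "web-team"},
    "db-01": {"type": "database", "owner": "dba-team"},
    "fw-01": {"type": "firewall", "owner": "network-team"},
}

# Constructed scanner output; finding ids are placeholders, not real advisories.
FINDINGS = [
    {"host": "web-01", "id": "FINDING-001", "severity": "critical", "found": date(2024, 1, 2)},
    {"host": "db-01", "id": "FINDING-002", "severity": "high", "found": date(2024, 1, 10)},
    {"host": "legacy-09", "id": "FINDING-003", "severity": "critical", "found": date(2024, 1, 3)},
]

# Assumed escalation thresholds in days per severity.
ESCALATE_AFTER = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Fixed "today" so the example is reproducible.
TODAY = date(2024, 1, 20)


@dataclass
class Ticket:
    finding_id: str
    host: str
    owner: str
    severity: str
    opened: date
    status: str = "open"
    escalated: bool = False

    def age(self, today):
        """Days the ticket has been open as of `today`."""
        return (today - self.opened).days


def open_tickets(findings, assets):
    """Join findings to the asset inventory.
    Returns (tickets, unowned): tickets for findings whose host has an owner,
    and the ids of findings whose host is not in the inventory at all."""
    tickets, unowned = [], []
    for f in findings:
        asset = assets.get(f["host"])
        if asset is None:
            unowned.append(f["id"])  # nobody to assign it to: fix the inventory first
            continue
        tickets.append(Ticket(f["id"], f["host"], asset["owner"], f["severity"], f["found"]))
    return tickets, unowned


def escalate(tickets, today):
    """Flag open tickets older than their severity threshold. Returns the ids
    newly escalated on this run (already-escalated tickets are skipped)."""
    escalated = []
    for t in tickets:
        if t.status == "open" and not t.escalated and t.age(today) > ESCALATE_AFTER[t.severity]:
            t.escalated = True
            escalated.append(t.finding_id)
    return escalated


def stats(tickets, today):
    """Open-ticket count, escalated count and oldest ticket age, per owner."""
    out = {}
    for t in tickets:
        if t.status != "open":
            continue
        s = out.setdefault(t.owner, {"open": 0, "escalated": 0, "oldest_days": 0})
        s["open"] += 1
        s["escalated"] += int(t.escalated)
        s["oldest_days"] = max(s["oldest_days"], t.age(today))
    return out


if __name__ == "__main__":
    tickets, unowned = open_tickets(FINDINGS, ASSETS)
    print("findings with no asset owner:", unowned)
    print("escalated this run:", escalate(tickets, TODAY))
    for owner, s in stats(tickets, TODAY).items():
        print(owner, s)
```

The `unowned` list is the useful output here: it turns the missing-inventory problem into a concrete work item rather than a finding that quietly never gets a ticket, and the per-owner statistics are what an existing enterprise ticketing tool would report once security issues are filed into it alongside everything else.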
Involve asset owners
It is important for asset owners to recommend how the vulnerability and threat management programs should be run, instead of security teams dictating the terms and conditions. Their active participation at an early stage will increase their buy-in to the whole program. Remediation steps require understanding the impact of changes, and no one knows the impact of changes in IT environments better than the people who manage them daily.
Security teams sometimes get so caught up in the details that they forget that the vulnerability and threat management tools are enablers for asset owners to improve the security of IT systems.
Process is vital
It is important to define processes for vulnerability and threat management, and to ensure that the defined process manages the full lifecycle of a threat or vulnerability rather than stopping at detection. Companies that have robust processes with defined roles and responsibilities do better at improving their security posture over time than companies that just have lots of complex security tools.
Enable more, enforce less
Security teams like to take a hard stance, and often an impractical route, when it comes to remediation: “We need to apply all critical patches within 30 days.” While policies and guidelines are necessary, we need to understand that “some security is better than no security”. Taking a hard stance sometimes puts security teams at loggerheads with IT teams, with both trying so hard to outsmart each other rather than working together. Have you seen stockpiles of risk acceptance documents floating around, with no remediation and just documentation? Many smart organisations are providing flexible security controls, thereby promoting a culture of improving security over time rather than making security controls a zero-or-one situation where, at the end of the day, you either have it or you don’t.