Use Cases for Vulnerability Management
Operating systems and software applications comprise the bulk of any organization's attack surface. While there is no such thing as an invulnerable environment, the practices of vulnerability and patch management are the only way to continually minimize opportunities for attackers.
Below are a few use cases to help you evaluate your need for a vulnerability management program:
1 Do I need vulnerability management?
In a word, yes. It is not feasible or sustainable for an IT manager, or even a handful of security engineers, to manually track vulnerabilities across an enterprise-scale infrastructure. The cost of VM tools and a managed services group to operate them can quickly look like a bargain compared with the mess that results from an inadequate program, or with the price of full-time dedicated engineers.
2 Patching vulnerabilities can often break stuff. Is it necessary?
This question must be answered for every vulnerability that is published. While a critical zero-day vulnerability may result in an unavoidable incident response cost, published vulnerabilities are more of an actuarial calculation. What is the potential for breach or loss of data? What is the potential downtime of services from an attack? These consequences have dollar values attached to them, and those values may justify the risk of breaking a system with the security patch.
3 What should I want out of a Vulnerability Management program?
First and foremost, the benefit of VM is actionable data: meaningful insights derived from vulnerability data, asset scans, and prioritization of findings. There are always going to be many vulnerabilities, so acting on them efficiently takes expert analysis. This should be a provider's first service deliverable for you.
Secondly, a provider should seek to understand the unique risk of your business. If your industry exposes infrastructure and services in a particular way, then the approach to vulnerability management should reflect that. For example, infrastructure that runs critical systems like a nuclear power plant may warrant a more judicious hand.
Ultimately, a managed services provider should be able to examine your unique scenario and advise on a precise strategy for remediating your vulnerabilities.
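As an added illustration (not code from the original article or any provider), the actuarial weighing described in use case 2 and the prioritization of findings in use case 3 can be made explicit: each finding's expected loss if left unpatched is weighed against the expected cost of a patch-induced outage, with an asset-criticality weight for the kind of critical system mentioned above. All identifiers, probabilities and dollar figures below are constructed placeholders for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str          # constructed placeholder, not a real CVE
    asset: str
    exploit_prob: float   # annual probability the flaw is exploited if unpatched
    breach_cost: float    # dollar impact if exploited (data loss, downtime, IR)
    break_prob: float     # probability the patch breaks the service
    outage_cost: float    # dollar cost of a patch-induced outage
    criticality: float    # asset weight: 1.0 default, higher for critical systems


def expected_loss_unpatched(f: Finding) -> float:
    """Expected annual loss from leaving the finding unpatched."""
    return f.criticality * f.exploit_prob * f.breach_cost


def expected_cost_patching(f: Finding) -> float:
    """Expected cost of the patch itself breaking the system."""
    return f.break_prob * f.outage_cost


def patch_decision(f: Finding):
    """Net expected benefit of patching and the resulting decision."""
    net = expected_loss_unpatched(f) - expected_cost_patching(f)
    return net, ("patch" if net > 0 else "defer")


def prioritize(findings):
    """Rank findings by net expected benefit of patching, highest first."""
    return sorted(findings, key=lambda f: patch_decision(f)[0], reverse=True)


# Constructed sample findings: the last one is low-value but fragile to patch.
SAMPLE = [
    Finding("VULN-EXAMPLE-1", "web-frontend", 0.30, 250_000, 0.05, 20_000, 1.0),
    Finding("VULN-EXAMPLE-2", "hr-database", 0.05, 900_000, 0.10, 15_000, 1.0),
    Finding("VULN-EXAMPLE-3", "plant-control", 0.02, 2_000_000, 0.20, 500_000, 3.0),
    Finding("VULN-EXAMPLE-4", "test-server", 0.01, 5_000, 0.20, 1_000, 1.0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        net, decision = patch_decision(f)
        print(f"{f.vuln_id:15} {f.asset:14} net=${net:>12,.0f}  {decision}")
```

The ranking places the weighted plant-control finding above the cheap test-server one, and defers the test-server patch because its expected outage cost exceeds the expected loss of leaving it unpatched.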