7 Steps to a Proactive Vulnerability Management Plan

Published On: September 6th, 2022

Don’t wait until something is already vulnerable and being exploited–have a plan in place on the steps needed to remediate a vulnerability quickly. Being proactive about your vulnerability management will give your organization a significantly faster response time–and will help ease any sense of panic when an attack occurs. 


Don’t Panic

Here are a few key areas to take into consideration when developing your vulnerability management program:

1. Know your network

You’re only as strong as your weakest vulnerability. When developing a vulnerability management program, it’s critical that you know every device on your network. Once you have a map of devices on your network, you’re ready to get started. This device list / map should be referenced every step of the plan to help categorize assets, criticalities, and impact. 

Note that this list should also be updated on a regular basis. The size and complexity of your environment will dictate the frequency: a smaller infrastructure needs yearly updates, while a very large one needs weekly discovery scans. Regardless of your needs, be prepared to schedule regular reviews of your network. 

2. Classify your data

Data classification can be utilized to prioritize remediation. In order to properly classify your organization’s data, take the following into consideration:

  • How sensitive is the data and how important is it that it remains confidential to those outside of the organization? (Or even to certain groups within the organization)
  • What impact would disclosure of this data, a compromise on its integrity, or its unavailability have on your organization and/or your clients?
  • How necessary is the availability and integrity of the data to your organization’s daily operations?
  • Is the data recoverable?

3. Shields up

Once you understand the layout of your network, including your ingress and egress points, it’s important to talk through remediation steps. Depending on the nature of the vulnerability and the availability of a patch, you may be limited to blocking command-and-control (C2) traffic to prevent further lateral movement in your network. 

If there’s a patch available, it’s critical that policies are in place for how those patches are validated and applied to hosts. There’s nothing worse than pushing a batch of patches that takes down your servers! 

4. Always Monitoring

In a perfect world, a patch is all you need! However, ongoing monitoring is critical to help detect threats (patched or not) against your network, and to keep historical data that shows which hosts may have already been compromised. Some of the monitoring to have in place should include:

  • An intrusion detection system (IDS) or even an intrusion prevention system (IPS) to monitor for possible intrusions on your network. 
  • A SIEM to review historical data for signs of compromise when indicators of compromise (IoCs) are released for a new zero day. The SIEM can also be used to alert on those same IoCs as they occur to shorten your mean time to detect (MTTD). 
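As an added example (not code from the original post), the two SIEM uses just described, a live alert on newly released IoCs and a retrospective sweep of historical data to find hosts that were already hit, in Python over constructed log lines. The log format, hostnames, timestamps and indicator values are all assumptions.

```python
import re
from datetime import datetime

# Constructed indicators standing in for an advisory's IoC list for a new zero day
# (placeholder values, not real indicators).
IOCS = {"update-check.example.invalid", "203.0.113.45", "a" * 64}

# Constructed proxy/DNS log lines in a hypothetical "ts host=... event" format, oldest first.
SAMPLE_LOGS = [
    "2022-08-29T02:14:07Z host=ws-017 dns query=update-check.example.invalid",
    "2022-08-29T02:14:09Z host=ws-017 conn dst=203.0.113.45:443",
    "2022-09-01T11:40:00Z host=srv-db-02 conn dst=198.51.100.7:443",
    "2022-09-03T18:02:51Z host=ws-042 dns query=update-check.example.invalid",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) ")

def match_iocs(line):
    """Exact-token match, so an IoC of 203.0.113.4 would not fire on 203.0.113.45."""
    tokens = set(re.split(r"[\s=:]+", line))
    return tokens & IOCS

def live_alert(line):
    """Streaming use: return an alert record for one new event, or None."""
    m = LINE_RE.match(line)
    hits = match_iocs(line) if m else set()
    if not hits:
        return None
    return {"host": m["host"], "ts": m["ts"], "iocs": sorted(hits)}

def retro_hunt(lines):
    """Historical sweep: earliest IoC sighting per host (lines are oldest first)."""
    first_seen = {}
    for line in lines:
        alert = live_alert(line)
        if alert and alert["host"] not in first_seen:
            first_seen[alert["host"]] = alert["ts"]
    return first_seen

def hours_before_release(first_seen, ioc_release_iso):
    """Hours each host had already been matching before the IoCs were published,
    i.e. the exposure a purely forward-looking alert would have missed."""
    rel = datetime.fromisoformat(ioc_release_iso.replace("Z", "+00:00"))
    out = {}
    for host, ts in first_seen.items():
        seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        out[host] = round((rel - seen).total_seconds() / 3600, 1)
    return out
```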

5. Assign ownership

Who on your team is responsible for overseeing your vulnerability management program? 

Assign responsibility for this plan and establish a regularly scheduled review, whether that’s weekly, bi-weekly, or monthly, in which the owner looks at the vulnerability reports they’re receiving or (if you have a well-established asset inventory in place) looks at new disclosures to see what’s applicable to the environment. 

Vulnerability management programs are only successful if they’re regularly being reviewed, patches are staged, and all stakeholders understand the steps needed to keep the network secure. 

6. Going Rogue

Having rogue device detection on your network is critical: it will help you catch any devices you didn’t identify in your asset inventory that might contain vulnerabilities or even be performing unauthorized activity. Using a vulnerability scanner or even your SIEM in conjunction with DHCP logs, you can detect and alert on new devices being added to your network.
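An added example, not part of the original post, of the DHCP-log approach: it compares completed leases against a known-MAC asset inventory and returns one alert per unknown device. The inventory, MAC addresses and log lines (modelled on ISC dhcpd’s DHCPACK message) are constructed.

```python
import re

# Constructed asset inventory from step 1: MAC address -> asset name (placeholder values).
ASSET_INVENTORY = {
    "00:11:22:33:44:55": "ws-017",
    "00:11:22:33:44:66": "srv-db-02",
    "00:11:22:33:44:77": "printer-2f",
}

# Constructed DHCP server log lines modelled on ISC dhcpd output (hypothetical values).
SAMPLE_DHCP_LOGS = [
    "Sep  6 08:01:13 dhcp1 dhcpd[1123]: DHCPACK on 10.10.20.17 to 00:11:22:33:44:55 (ws-017) via eth0",
    "Sep  6 08:03:40 dhcp1 dhcpd[1123]: DHCPACK on 10.10.20.88 to A4:5E:60:AA:BB:CC (raspberrypi) via eth0",
    "Sep  6 08:03:41 dhcp1 dhcpd[1123]: DHCPDISCOVER from a4:5e:60:aa:bb:cc via eth0",
    "Sep  6 08:09:02 dhcp1 dhcpd[1123]: DHCPACK on 10.10.20.88 to a4:5e:60:aa:bb:cc (raspberrypi) via eth0",
    "Sep  6 08:15:55 dhcp1 dhcpd[1123]: DHCPACK on 10.10.20.19 to 00:11:22:33:44:66 (srv-db-02) via eth0",
    "Sep  6 08:20:10 dhcp1 dhcpd[1123]: DHCPACK on 10.10.21.5 to 00:11:22:33:44:99 via eth1",
]

# Only DHCPACK lines prove a device actually obtained an address; the hostname is optional.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)

def find_rogue_devices(lines, inventory):
    """Return one alert per unknown MAC (first lease seen), keyed by normalised MAC."""
    known = {mac.lower() for mac in inventory}
    rogues = {}
    for line in lines:
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()  # normalise case so the same NIC is not alerted twice
        if mac in known or mac in rogues:
            continue
        rogues[mac] = {"first_seen": m["ts"], "ip": m["ip"],
                       "hostname": m["name"] or "", "iface": m["iface"]}
    return rogues
```

Feeding the same comparison a scanner's host list instead of DHCP leases catches devices with static addresses that never request a lease.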

7. Use compensating controls

If you can’t remediate, look at the CVE for more information on workarounds to put in place. For example, if a vulnerability relies on using a particular port, you can block that port number at the firewall. You can also check the Web Application Firewall in front of your servers to see if there are ways to block malicious attempts to exploit the vulnerability. These are temporary fixes (or they could be permanent) that you’ll use to provide security in lieu of remediating the vulnerability.

Conclusion

Being proactive about your organization’s vulnerability management is key to responding quickly to suspicious activity and attacks. Keep these steps in mind–and if you need support improving your security stance, contact us! We’re here to help!

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.