Page 17 - Cyber Defense eMagazine - June 2018

VULNERABILITY MANAGEMENT
Once a vulnerability has been determined to have impact, analysis and remediation follow. Typically, an organization's vulnerability management program defines remediation time windows based on severity. Those windows vary widely across organizations. I've seen expected remediation times for the common severities defined anywhere along the following ranges:


    • Critical severity: ASAP to thirty days.
    • High severity: a few weeks to over sixty days.
    • Medium severity: sixty days to six months.
    • Low severity: ninety days to no commitment at all.

Those ranges are diverse enough that they call into question the motivation behind them. In my observation, remediation time windows are often set by how much remediation effort the organization can absorb comfortably and without disruption, not by how quickly the vulnerability is likely to be exploited. It is desirable to set goals that can feasibly be met, but if remediation arrives too late to thwart an attack, those goals are at best a placebo, and a placebo eventually fails.

Furthermore, there is a big difference between defining remediation time windows and consistently remediating within them. The definition is irrelevant if actual remediation times fall outside those windows, so the measure that matters is the observed time from detection to fix, per finding, against the window for its severity.
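The check described above, as an added example that is not part of the original article: given a set of findings with detection and remediation dates, compute per-severity SLA compliance, mean time to remediate, and which open findings are already past their window. The severity windows in SLA_DAYS and the sample findings are assumptions constructed for this example, not figures from the article; open findings are reported separately rather than mixed into the compliance rate so that an unfixed backlog cannot make the rate look better than it is.

```python
"""Remediation SLA compliance report (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed remediation windows in calendar days from detection, per severity.
# Illustrative tight targets chosen for this example, not the article's figures.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass
class Finding:
    ident: str
    severity: str                    # must be a key of SLA_DAYS
    detected: date
    remediated: Optional[date] = None  # None means the finding is still open


def elapsed_days(finding: Finding, as_of: date) -> int:
    """Days from detection to remediation, or to as_of if still open."""
    end = finding.remediated if finding.remediated is not None else as_of
    return (end - finding.detected).days


def classify(finding: Finding, as_of: date) -> str:
    """'met'/'missed' for closed findings, 'open'/'overdue' for open ones."""
    window = SLA_DAYS[finding.severity]
    elapsed = elapsed_days(finding, as_of)
    if finding.remediated is not None:
        return "met" if elapsed <= window else "missed"
    return "overdue" if elapsed > window else "open"


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per-severity counts, compliance rate over closed findings, and mean
    time to remediate. Open findings are counted as open/overdue but are
    excluded from the rate, so a backlog cannot inflate compliance."""
    report: Dict[str, dict] = {}
    closed_days: Dict[str, List[int]] = {}
    for f in findings:
        row = report.setdefault(
            f.severity, {"met": 0, "missed": 0, "open": 0, "overdue": 0})
        row[classify(f, as_of)] += 1
        if f.remediated is not None:
            closed_days.setdefault(f.severity, []).append(elapsed_days(f, as_of))
    for sev, row in report.items():
        closed = row["met"] + row["missed"]
        row["compliance"] = row["met"] / closed if closed else None
        days = closed_days.get(sev, [])
        row["mean_days"] = mean(days) if days else None
    return report


def overdue_findings(findings: List[Finding], as_of: date) -> List[Tuple[str, int]]:
    """Open findings past their window, as (id, days over), worst first."""
    out = []
    for f in findings:
        if classify(f, as_of) == "overdue":
            out.append((f.ident, elapsed_days(f, as_of) - SLA_DAYS[f.severity]))
    return sorted(out, key=lambda item: item[1], reverse=True)


# Constructed sample findings; identifiers and dates are invented for this example.
SAMPLE: List[Finding] = [
    Finding("V-1", "critical", date(2018, 5, 1), date(2018, 5, 5)),   # 4 days, met
    Finding("V-2", "critical", date(2018, 5, 1), date(2018, 5, 20)),  # 19 days, missed
    Finding("V-3", "high", date(2018, 4, 1), date(2018, 4, 25)),      # 24 days, met
    Finding("V-4", "high", date(2018, 4, 20)),                        # open 42 days, overdue
    Finding("V-5", "medium", date(2018, 5, 15)),                      # open 17 days, in window
    Finding("V-6", "low", date(2018, 2, 1), date(2018, 5, 30)),       # 118 days, missed
]
AS_OF = date(2018, 6, 1)

if __name__ == "__main__":
    for sev, row in sla_report(SAMPLE, AS_OF).items():
        print(f"{sev:9} {row}")
    print("overdue:", overdue_findings(SAMPLE, AS_OF))
```

Running the block as a script prints one row per severity plus the overdue list; pointing sla_report at a real export from a scanner or ticketing system only requires mapping its fields onto Finding.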


If I had to give an organization only one piece of security advice, it would be to become exceptionally efficient at consistently remediating vulnerabilities within tight time windows. The ability to remediate quickly is the difference between preventing an attack and having the vulnerability exploited, with all of the aftermath that may follow, up to and including complete compromise of the organization. Preventing attacks, breaches, and destructive impact is the objective, and remediation time windows should be defined to that end. A program that does not succeed defensively is prioritizing style over substance.

GOAL: SET TIGHT VULNERABILITY REMEDIATION TIME WINDOWS. REORGANIZE OPERATIONS TO BECOME EXTREMELY EFFICIENT AT CONSISTENTLY REMEDIATING VULNERABILITIES AS QUICKLY AS POSSIBLE.

                         Copyright © 2018, Cyber Defense Magazine,  All rights reserved worldwide.