Page 17 - Cyber Defense eMagazine - June 2018
VULNERABILITY MANAGEMENT
Once a vulnerability has been determined to have impact, analysis and remediation will
follow. Typically, an organization’s vulnerability management program will have defined
remediation time windows based upon severity. Time windows can vary widely across
organizations. I’ve seen expected remediation times for common severities defined
anywhere along the following spectrums:
• Critical severity: ASAP to thirty days.
• High severity: a few weeks to over sixty days.
• Medium severity: sixty days to six months.
• Low severity: ninety days to no commitment at all.
Those time ranges are diverse enough that they really call into question the primary
motivation. In my observation, the approach to defining remediation time windows often
derives from what efforts are considered nonintrusive and can be absorbed comfortably.
While it is desirable to set goals that can feasibly be accomplished, if remediation
arrives too late and fails to thwart attacks, those goals are at best a placebo, which
eventually will fail.
Furthermore, there’s a big difference between defining remediation time windows, and
consistently remediating within those time windows. The definition is irrelevant if actual
remediation times fall outside of those windows.
If I had to give an organization only one piece of security advice, it would be to become
exceptionally efficient at consistently remediating vulnerabilities within tight time
windows. The ability to remediate vulnerabilities quickly is the difference between
preventing an attack, and having that vulnerability exploited (and all of the aftermath
which may follow, including complete organization compromise). Preventing attacks,
breaches, and destructive impact is the objective, and vulnerability remediation time
windows should be defined to that end. A vulnerability management program that is
not successful defensively is prioritizing style over substance.
GOAL: SET TIGHT VULNERABILITY REMEDIATION TIME WINDOWS.
REORGANIZE OPERATIONS TO BECOME EXTREMELY EFFICIENT AT
CONSISTENTLY REMEDIATING VULNERABILITIES AS QUICKLY AS POSSIBLE.
Copyright © 2018, Cyber Defense Magazine, All rights reserved worldwide.