Vulnerability Management

NCSC Vulnerability Management Guidance

An overview of the NCSC (National Cyber Security Centre) guidelines for creating an effective vulnerability management process. It highlights a number of steps that must be put in place, and clearly understood, both to establish what vulnerabilities exist in your environment and, in turn, to mitigate them.

Introduction

Earlier this year the NCSC (National Cyber Security Centre) published guidance and recommendations for UK organisations that need to address vulnerability management.

In reality, this, of course, means every single organisation in the UK.

All systems contain vulnerabilities.  These range from software vulnerabilities that require a vendor patch to be applied, through configuration weaknesses, to undiscovered vulnerabilities for which no mitigation yet exists.  An effective vulnerability management process therefore needs a number of steps to be put in place and clearly understood, both to establish what vulnerabilities exist in your environment and, in turn, to mitigate them.

The five key steps are:

  1. Put in place a policy to update by default
  2. Identify your assets
  3. Carry out assessments by triaging & prioritising
  4. The organisation must own the risks of not updating
  5. Verify & regularly review your vulnerability management process

Put in place a policy to update by default

The default policy should be to update systems and software as soon as possible, ideally automatically.  Updating promptly and automatically keeps you in control of the update process, rather than being forced into rushed, reactive updates.  You should also ensure that updates come from trusted sources, usually the vendor's own website or update channel.  These recommendations also inform the patching requirements of Cyber Essentials and Cyber Essentials Plus.

vRx can schedule automatic updates for hundreds of applications, as well as managing Windows, macOS and Linux, and ensures that updates come from trusted sources.  Updates can be scheduled to deploy to different groups of assets, allowing testing before a wider rollout and a staged deployment across the estate.

Identify your assets

It is essential to have a clear picture of the systems and software in your environment, including legacy applications that may no longer be under vendor support.  It is also important to ensure secure and consistent configuration across those systems, to prevent exploitation of configuration vulnerabilities.

vRx can help identify the assets on your network that need to be managed, and performs a full inventory of the applications installed on your endpoints.  vRx can also identify configuration weaknesses and mitigate them.

Carry out assessments by triaging & prioritising

Vulnerability assessments highlight the vulnerabilities and configuration issues you need to be aware of.  The NCSC recommendation is to run an assessment at least every month.  A single assessment typically identifies many hundreds or thousands of vulnerabilities, far more than can be fixed at once, which is why triage and prioritisation are needed.

There will often be occasions where installing a software patch does not fix a vulnerability (or vulnerabilities), or where no patch is yet available to address the issue.  There may also be occasions when the decision is made not to update the system.

In these instances, the degree of risk to the organisation must be determined.

As vRx is an agent-based platform, it provides real-time visibility of vulnerability status, and uses contextual analysis to produce risk scores for both assets and applications.  This gives an immediate mechanism for prioritising the highest-risk applications and assets.

In addition, our Virtual Patching technology provides a mechanism to protect applications from exploitation where no patch exists, or where the patch cannot be applied.

The organisation must own the risks of not updating

Where a decision is made not to update, it should be taken as a senior-level business risk decision, not an IT decision.  Some of the factors to take into account are:

  • Risk prioritisation.  Decisions should be based on the overall level of risk to an application or asset, not simply the severity of an individual vulnerability (e.g. its CVSS score).
  • Potential impact on the system or service.
  • Potential reputational damage.
  • Direct cost (e.g. replacement of obsolete systems).
  • Availability and cost of a short-term fix.
  • Cost of incident response and recovery.

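The first bullet, that risk rather than raw CVSS should drive the order of work, is easier to see with a small scorer. The following is an added example written for this article, not vRx code and not an NCSC formula: it takes constructed scanner findings, adjusts each CVSS base score by exploit activity, internet exposure and asset criticality (the weights are illustrative assumptions), ranks the findings, rolls the scores up per asset, and routes each finding to "patch" or to mitigation/risk acceptance depending on whether a vendor patch exists.

```python
"""Contextual prioritisation of scanner findings: risk, not raw CVSS.

Added example for this article; not vRx code. The weights below are
illustrative assumptions chosen to show the effect, not NCSC or vendor values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str                 # scanner's identifier for the vulnerability
    cvss: float               # base severity reported by the scanner (0-10)
    exploited_in_wild: bool   # flagged by an exploit / known-exploited feed
    internet_exposed: bool    # asset reachable from the internet
    criticality: int          # business criticality from the asset register: 1 low .. 3 high
    patch_available: bool     # a vendor patch exists for this finding


# Assumed weights: exploit activity and exposure raise the score,
# asset criticality scales it up or down.
EXPLOITED_WEIGHT = 1.5
EXPOSED_WEIGHT = 1.25
CRITICALITY_WEIGHT = {1: 0.5, 2: 1.0, 3: 1.5}


def risk_score(f: Finding) -> float:
    """CVSS adjusted by context; higher means fix sooner."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    if f.internet_exposed:
        score *= EXPOSED_WEIGHT
    score *= CRITICALITY_WEIGHT[f.criticality]
    return round(score, 1)


def recommended_action(f: Finding) -> str:
    """Patch when a patch exists; otherwise the finding needs a compensating
    control (e.g. a virtual patch or configuration change) or a documented,
    senior-level risk acceptance. It must not simply drop off the list."""
    return "patch" if f.patch_available else "mitigate-or-accept"


def prioritise(findings):
    """Findings ordered by contextual risk, each with its score and action."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.vuln, risk_score(f), recommended_action(f)) for f in ranked]


def asset_risk(findings):
    """Per-asset score: the worst finding, plus 0.1 for each additional finding,
    so an asset carrying many issues ranks above one with a single equal issue."""
    scores = defaultdict(list)
    for f in findings:
        scores[f.asset].append(risk_score(f))
    return {asset: round(max(s) + 0.1 * (len(s) - 1), 1) for asset, s in scores.items()}


# Constructed sample scan output (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Finding("web-01", "VULN-A", 7.5, True, True, 3, True),      # exposed, exploited, critical
    Finding("web-01", "VULN-D", 5.5, False, True, 3, True),
    Finding("db-02", "VULN-C", 8.0, False, False, 3, False),    # no vendor patch
    Finding("test-vm-07", "VULN-B", 9.8, False, False, 1, True),  # highest CVSS, isolated test box
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
    print(asset_risk(SAMPLE))
```

With this data the CVSS 9.8 finding on the isolated test VM lands at the bottom of the list, while the CVSS 7.5 finding on the exposed, business-critical web server lands at the top; the finding with no patch is routed to mitigation or formal risk acceptance rather than silently dropped. Whatever weighting an organisation chooses, the inputs (exposure, exploit activity, criticality) have to come from the asset register and threat feeds, which is why the asset identification step has to come first.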
As mentioned above, vRx assists with risk prioritisation through the contextual analysis it provides, and with Virtual Patching to put a fix in place where no patch is available or the patch cannot be applied.

Verify & regularly review your vulnerability management process

The vulnerability management process should be continually verified and allowed to evolve, using a feedback loop to measure its efficiency and effectiveness.  Improvements could include shortening update timescales, and completing and auditing asset discovery more frequently.

A verification step should also confirm that, where a vulnerability has been mitigated, it no longer exists, for example by re-scanning the affected asset rather than relying on the remediation ticket being closed.
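One way to implement that verification step, as an added example for this article (not vRx code): compare the scan taken before the remediation cycle with a re-scan taken after it, and only count a ticket as done when the finding has actually disappeared from that asset. The two CSV exports, the column names and the list of claimed fixes are constructed sample data; real scanner exports will need their own column mapping.

```python
"""Verify remediation by comparing a pre-fix scan with a post-fix re-scan.

Added example for this article, not vRx code. The CSV exports and the
remediation ticket list below are constructed sample data.
"""
import csv
import io

BEFORE_CSV = """asset,vuln,severity
web-01,VULN-A,high
web-01,VULN-D,medium
db-02,VULN-C,high
test-vm-07,VULN-B,critical
"""

# Re-scan after the remediation cycle. VULN-A was patched (gone), the fix for
# VULN-D did not take (still present), VULN-C was accepted as a risk, and a
# new finding VULN-E appeared on db-02 in the meantime.
AFTER_CSV = """asset,vuln,severity
web-01,VULN-D,medium
db-02,VULN-C,high
db-02,VULN-E,medium
test-vm-07,VULN-B,critical
"""

# What the remediation tickets claim was fixed in this cycle.
CLAIMED_FIXED = {("web-01", "VULN-A"), ("web-01", "VULN-D")}


def load_findings(text):
    """Parse a scanner CSV export into a set of (asset, vuln) keys."""
    return {(row["asset"], row["vuln"]) for row in csv.DictReader(io.StringIO(text))}


def verify_remediation(before, after, claimed_fixed):
    """Close the loop: a claimed fix only counts when the re-scan no longer
    reports that finding on that asset."""
    return {
        "confirmed_fixed": sorted(claimed_fixed - after),
        "still_present": sorted(claimed_fixed & after),      # ticket closed, vulnerability remains
        "new_findings": sorted(after - before),               # regressions or newly disclosed issues
        "unchanged": sorted((before & after) - claimed_fixed),  # accepted or not yet scheduled
    }


def remediation_rate(report):
    """Share of claimed fixes confirmed by the re-scan, for the process review."""
    done = len(report["confirmed_fixed"])
    total = done + len(report["still_present"])
    return round(done / total, 2) if total else 1.0


if __name__ == "__main__":
    report = verify_remediation(load_findings(BEFORE_CSV), load_findings(AFTER_CSV), CLAIMED_FIXED)
    for key, items in report.items():
        print(key, items)
    print("confirmed fix rate:", remediation_rate(report))
```

The "still_present" list is the one that matters for the feedback loop: each entry is a ticket that was closed without the vulnerability going away (a patch that failed to install, a configuration change that was reverted, or a fix applied to the wrong host), and the confirmed-fix rate over successive cycles is a simple measure of whether the process is actually improving.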

vRx provides real-time visibility of how effective the applied mitigations have been.  Where patches (vendor or virtual) are applied and vulnerabilities resolved, the risk score decreases.  Where configuration changes are implemented, the asset can be re-scanned to confirm that the configuration vulnerability no longer exists.

Register here to run a trial of vRx and improve your approach to Vulnerability Management & risk reduction.

Agnayee Datta

Agnayee runs marketing at Vicarius
