Markus Ritter, Managing Security Consultant of usd HeroLab and responsible for VMS, answers the most frequently asked questions on the topic of vulnerability management.
What Do We Mean by Vulnerability Management?
IT infrastructures are becoming more and more complex, threats more and more critical. This makes it all the more important for companies to have a comprehensive overview of their own security situation, to identify vulnerabilities as early as possible and to deal with them in a structured manner. This must not only work in theory, but also in practice and be designed efficiently - and it is precisely these issues that vulnerability management is all about:
- Which assets (worth protecting) are there in the company?
- Which of them are accessible via the internet?
- Are vulnerabilities in these assets identified at all, and if so, how and in what cycles?
- Where and how are the vulnerabilities recorded?
- How are the vulnerabilities dealt with?
- Where and how is the status of vulnerabilities tracked?
In a managed process (see image), these questions can be answered in a structured way.
What Are the Drivers for Vulnerability Management?
In addition to the desire for a structured overview of one's own security situation, compliance requirements from various sources, such as PCI DSS, KAIT or KRITIS, can also be decisive for a company to decide to operate a vulnerability management system. Furthermore, vulnerability management is often an integral part of information security management systems (ISMS).
What Role Do Vulnerability Scans and Pentests Play in Vulnerability Management?
An essential part of vulnerability management is the identification of vulnerabilities - because if vulnerabilities are not known, they cannot be addressed and associated risks cannot be assessed. This is where scans and pentests, as well as other technical security analyses, can come into play as a building block of vulnerability management. Vulnerability management aims at working with the results of these analyses in the medium to long term - after all, any vulnerabilities found must be documented and fixed professionally. If remediation is not readily possible, resulting risks must be derived and evaluated. It is also important to identify the source of vulnerabilities and, if necessary, adapt systems or processes to eliminate the risk of re-entry in the future. The real work for a strong security level thus only begins after the scan or pentest results have been received.
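The questions from the first answer (which assets exist, which are internet-facing, how findings are recorded, how they are treated and where their status is tracked) and the re-entry concern in the answer above can be made concrete in a small finding ledger. The Python below is an added example written for this article, not code from usd or its VMS offering; the asset names, finding ids, remediation deadlines and scan results are constructed placeholders. It keys findings by asset and vulnerability id across scan cycles, tightens deadlines for internet-facing assets, closes a finding only when a scan that covered its asset no longer reports it, and flags a closed finding that reappears as reopened rather than as a new issue.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool  # answers "which assets are reachable via the internet?"


@dataclass
class Finding:
    asset: Asset
    vuln_id: str            # scanner check id or CVE; constructed values below
    severity: str           # critical | high | medium | low
    first_seen: date
    last_seen: date
    status: str = "open"    # open | fixed | reopened | risk_accepted
    note: str = ""


# Constructed remediation targets (days after first detection); not usd's figures.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def deadline(f: Finding) -> date:
    """Internet-facing assets get half the remediation time (assumption)."""
    days = SLA_DAYS[f.severity]
    if f.asset.internet_facing:
        days = max(1, days // 2)
    return f.first_seen + timedelta(days=days)


class VulnerabilityLedger:
    """Records findings across scan cycles and tracks their treatment status."""

    def __init__(self) -> None:
        self.findings: dict[tuple[str, str], Finding] = {}

    def ingest_scan(self, scan_date: date, scanned_assets: Iterable[Asset],
                    results: Iterable[tuple[Asset, str, str]]) -> None:
        scanned = {a.name for a in scanned_assets}
        reported: set[tuple[str, str]] = set()
        for asset, vuln_id, severity in results:
            key = (asset.name, vuln_id)
            reported.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(asset, vuln_id, severity, scan_date, scan_date)
                continue
            f.last_seen = scan_date
            if f.status == "fixed":
                f.status = "reopened"  # re-entry: the same issue is back on the same asset
        # Close only findings whose asset was actually covered by this scan.
        for key, f in self.findings.items():
            if key in reported or f.asset.name not in scanned:
                continue
            if f.status in ("open", "reopened"):
                f.status = "fixed"

    def accept_risk(self, asset_name: str, vuln_id: str, reason: str) -> None:
        f = self.findings[(asset_name, vuln_id)]
        f.status = "risk_accepted"
        f.note = reason

    def overdue(self, today: date) -> list[Finding]:
        return sorted(
            (f for f in self.findings.values()
             if f.status in ("open", "reopened") and deadline(f) < today),
            key=lambda f: (deadline(f), f.asset.name),
        )

    def status_counts(self) -> dict[str, int]:
        counts: dict[str, int] = {}
        for f in self.findings.values():
            counts[f.status] = counts.get(f.status, 0) + 1
        return counts


def demo() -> dict:
    """Three constructed scan cycles over two constructed assets."""
    web = Asset("web-01", internet_facing=True)
    db = Asset("db-01", internet_facing=False)
    ledger = VulnerabilityLedger()
    ledger.ingest_scan(date(2024, 1, 10), [web, db],
                       [(web, "VULN-001", "critical"), (db, "VULN-002", "high"),
                        (db, "VULN-003", "low")])
    # Cycle 2: VULN-001 no longer reported on a scanned asset -> fixed.
    ledger.ingest_scan(date(2024, 1, 20), [web, db],
                       [(db, "VULN-002", "high"), (db, "VULN-003", "low")])
    ledger.accept_risk("db-01", "VULN-003", "internal only; compensating control in place")
    # Cycle 3 covers only web-01: VULN-001 is back -> reopened; db-01 findings untouched.
    ledger.ingest_scan(date(2024, 2, 5), [web], [(web, "VULN-001", "critical")])
    today = date(2024, 2, 10)
    return {
        "overdue": [f"{f.asset.name}/{f.vuln_id}:{f.status}" for f in ledger.overdue(today)],
        "counts": ledger.status_counts(),
        "web_deadline": deadline(ledger.findings[("web-01", "VULN-001")]).isoformat(),
    }


if __name__ == "__main__":
    print(demo())
```

The deadline of a reopened finding is still measured from its first detection, so a regression does not get a fresh clock; whether that is the right policy is a decision the process owner has to make explicitly, which is exactly the kind of rule a vulnerability management policy should pin down.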
How Much Effort Does Vulnerability Management Mean for Companies?
Of course, a vulnerability management project usually means a not inconsiderable effort for companies, especially at the beginning. The larger the company, the more sources of potential vulnerabilities there are - and thus the development and implementation of an efficient vulnerability management system also becomes more time-consuming. As always when it comes to medium- and long-term efficiency, you have to invest at the beginning. Ultimately, an appropriate vulnerability management system leads to a significant and long-term increase in the level of security and thus to a significant reduction in the risk of falling victim to a successful attack. If a company does become the victim of such an attack, its employees usually face far more work, especially in the short term, and that work can hardly be calculated in advance. In addition, the costs incurred are often many times greater than the costs of vulnerability management.
Companies can provide relief by hiring professional providers for vulnerability management services. These should already provide advice in the initial phase but also later in continuous operation and ideally provide practical support in the company's daily work. As a rule, many processes can be automated. This keeps the permanent effort and costs manageable and frees up resources to concentrate on the essentials.
What Do usd’s Vulnerability Management Services (VMS) Cover?
Within the framework of Vulnerability Management Services, we can support our customers in all facets of vulnerability management. Depending on what is needed at the moment, we offer comprehensive support during the entire process cycle but also in the operational business. The VMS services of usd include, among others:
- Creation of policies and processes
- Selection and introduction of suitable tools
- Improvements in the use of existing tooling
- Operational support in the daily handling of vulnerabilities
- Vulnerability assessment
- Evaluation of reports
- Follow-up of the treatment status
- Planning and coordination of security analyses
- Advice on the remediation of vulnerabilities
- and much more
Of course, the technical security analyses can also be carried out by usd. Thanks to the wide-ranging expertise of usd as a whole, which our VMS team can draw on at any time, we can cover everything from individual aspects to a full service.
How Do We Get Started on a Vulnerability Management Project?
Even if there are orientation frameworks and best practices, there is no "one right solution" or "one right tool", especially in practical implementation. Many of the measures are very individual and depend, among other things, on the size of the company, risk tolerance, existing processes and tool landscapes, external requirements and other wishes and requirements.
We therefore usually start with a kickoff meeting in which we want to understand where a company stands on the subject of vulnerability management and where it wants to go. In a way, this is similar to the gap analyses carried out in consulting projects for PCI DSS or ISO 27001. We have developed a maturity model to assess the status quo and discuss target models. This helps both us and the customer to interpret the current state and to understand in which direction the vulnerability management should be developed in each case. Big leaps are not necessary in every case. Especially at the beginning, small, targeted measures can already achieve a significant improvement in the security level.
Vulnerability management exists in many forms and under very different conditions. In upcoming articles, you will find out what practical implementation can look like in individual cases and what challenges are associated with it.