It’s not fair. The big companies have the teams, the tools, and the processes required in order to run a best-in-class vulnerability management program.
But guess what? The bad guys don’t care about how big you are. In fact, non-targeted exploits accounted for 75% of the breaches from Verizon’s 2013 Data Breach Investigation Report—meaning even mid-sized companies are equally or greater subject to the same attacks that hit JP Morgan.
In a large company, there’s a security team with members who each wear different hats. But in a mid-sized company, you only have one or two—and yet, it’s equally (if not more) critical that your vulnerability management process is spot-on.
So how do you do it? Here’s how:
1. First of all, don’t cut corners on scanning.
The worst thing you can do is decide you’ll only scan quarterly (or twice a year) since otherwise it takes too much effort. Much like devops and deployments, your goal should be small and frequent changes versus trying to do it all a few times per year. In 2015, the year of the “one billion exploit,” continuous vulnerability scanning has become table stakes.
Easy for us to say? It can be done. Read on.
2. Everyone’s going to wear multiple hats, so figure out who they are.
You don’t have the option of hiring an entire team, so figure out if you can at least have a two-person team doing the work. You may have the person who does the vuln scanning as well as analyzing, but then someone in development or operations doing the remediation work. That’s a lot of work for two people, but if you have clearly defined responsibilities, it can get done.
And what’s even more important in a small team is to have a great line of communication between those two people. Take them out for a beer—be friends. You need each other.
3. Don’t just rely on vuln scanning—bring in threat intelligence and context.
What particularly matters for mid-sized companies is to be sure that their teams are prioritizing the right things. Looking solely at the output of vuln scanning won’t help, because it’ll be simply another list of vulnerabilities without real-world context. And as the saying goes, “Context is king.”
What you want to do is ensure that you have real-world context for the weaknesses you find, which will help you give exactly the right things to your remediation partner. You’ll want to understand which attacks are successful in the wild, the volume and velocity around those attacks, which industries and geographies are more likely to suffer from particular exploits and vulnerabilities, and the importance of vulnerable technology assets and any mitigating controls that may be in place. (And when you’re a two or three person team, this is critical. Don’t be the person who dumps a 300-page PDF and runs for the hills).
Having real-world context for the output of vuln scanning is a key strategy for ensuring you’re fixing the right things and not just spinning your wheels.
4. Keep management’s attention on what you’re doing.
It’s so easy for security to be an “afterthought” at the mid-sized level, but as previously mentioned, mid-sized companies are as subject to serious attacks and exploits as the big guys. You want to ensure that management keeps its focus on security as a priority issue. So communicate what you’re doing relentlessly—show your risk posture via dashboards and reports but do it in the language of management. In other words, your reports need to be business-friendly; don’t speak in technical or security jargon when you’re trying to truly communicate to the business.
Rather, focus their attention on risk, not on counts. In doing so, you’ll be equipped to get an allocation of budget and resources, so your two-person team blossoms into a full vulnerability management program as soon as possible.
5. Fit into existing processes and tools.
Just like dumping a 300-page PDF report on the system admin’s desk doesn’t help you reduce your risk any faster, neither does changing the process in regards to how your remediators work. Is your development team using a bug tracker to log and track issues? Reuse that same tool to manage remediation efforts. The same can be said of trouble ticketing and change management; if you can fit your efforts into the existing processes of the business, you’re likely to get more accomplished.
6. Don’t go it alone.
Here’s the critical piece: being a small team (or even a one-person show), you don’t have the luxury of relying on manual processes to get all of this done.
Fortunately, it’s 2015, not five years ago, and you don’t have to. There are platforms designed for medium-sized businesses that can help you consume and analyze your scan data, integrate with threat feeds, and push everything into dashboards. The work of the five-person team can be done with one or two. If a mid-sized company is NOT using these new platforms, they may find themselves trying to do the impossible.
Just as marketing uses email automation systems to launch campaigns, and Sales uses Salesforce to log deals, and customer service uses Zendesk to work with customers—well, security pros need to use the cloud-based solutions available to them to ensure that they’re able to get tons of work done with minimal effort.
Summary
You don’t have to be IBM to have a world-class vulnerability management program. With the right planning, processes, and tools–as well as small group of people who work well together and know their responsibilities inside and out–your mid-sized company can develop a fantastic approach to vulnerability management.
Are you putting together your first vulnerability management program for your mid-sized company? Interested in tips on making your current vulnerability management program world class? Read more about running an effective vulnerability management program even if you aren’t IBM in our latest white paper.
