How we built Vulnerability Management

In our work with customers of every size, from large international corporations to small companies and even individual entrepreneurs, we keep seeing the same problems when they try to systematize vulnerability management.

While a company is relatively small, it is enough to have one or more vulnerability scanners and one specialist who periodically inspects the whole system and fixes the most obvious, easy-to-eliminate problems.

As the company grows, so does the number of devices connected to the network; new information systems, including non-standard ones, come into use, and the simple approach is no longer enough, because the business wants answers to questions like these:
- Which of the vulnerabilities in the scanner report (there may be thousands or tens of thousands of them) should we work on, and why?

- How much does it cost to work through those vulnerabilities?

- Is there evidence that someone can actually use a specific vulnerability from the list to attack the system?

- What are the risks if the vulnerabilities are not fixed?

- How do we make sure a vulnerability was really fixed?

Not every security engineer or system administrator can answer these questions clearly. We should also remember that Vulnerability Management is itself a fairly complex process, and many factors influence our decisions:

- the risk of becoming a victim of a mass or targeted attack is high if a vulnerability is not eliminated in time (especially on the external perimeter);

- the cost of remediation is high for many vulnerabilities, particularly when there is no ready patch or when a large number of devices is affected (this often becomes a blocker, and as a result the problems are simply not solved);

- the people or even contractors responsible for different types of equipment are not always qualified to assess discovered vulnerabilities properly, so remediation can drag on or never start at all;

- where specialized equipment or SCADA systems are used, there is a high probability that the vendor has no patch or that the system cannot be updated at all.

Because of all this, vulnerability management implemented unsystematically looks ineffective and opaque from a business point of view.

Taking into account the needs of businesses and the specifics of working with vulnerabilities in cybersecurity, we at Acribia developed a new service.

What does the service consist of?

We decided that the approach to vulnerability management should be systematic, like any other process, because vulnerability management is itself a process: continuous, iterative, and consisting of several stages.

Client onboarding

We take responsibility for provisioning, setting up and supporting all the necessary tools. The client only has to provide a virtual or physical server (sometimes several, in the case of large and distributed networks). We install all the necessary tools ourselves and configure them for the specific tasks.

Inventory and Asset Profiling

In short, the idea is to list all the devices in the network, split them into groups of the same type (the granularity of the split can vary depending on the scale of the customer's network or the presence of many irregular devices), choose the groups for which the service is provided, and identify the people responsible for those groups.

It is important not just to do this once but to identify patterns, so that at any moment we understand what is going on in the network: we can find new devices, find old devices that have changed location, find new subgroups within the split, and so on. Inventory is repeated at preassigned intervals. Based on our experience, we have concluded that effective vulnerability management is impossible without understanding the structure of the assets.

We spent a long time working on the asset-profiling algorithm, each time adding new conditions or even redoing it from scratch. We are not going to reveal all the technical details or the code that implements the algorithm, but we will show the general sequence:

1. The customer provides us with a map of their IP network.

2. Using a network scanner, we build a fingerprint of every device from its open network ports and OS.

3. Fingerprints are combined into profiles by device name and type (for example, Cisco Catalyst 2960 \ Network equipment).

4. When a new device appears, we look for the existing profile that matches it most precisely.

5. If the match is not precise enough, we ask the customer what type of device it is.

6. Periodically we repeat the network scan to refresh the data and to look for new devices and device types.

If there is no accurate map of the IP network (for instance, because of DHCP or the "human factor"), quick profiling based on the known IP addresses is an option. Similar devices within a type are then identified and the profile is refined.
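The sequence above, reduced to its core, as an added example written for this article (it is not Acribia's implementation, whose details are not published here). A fingerprint is the scanner's OS guess plus the set of open ports; the "precision" of a match is assumed to be the Jaccard similarity of port sets, gated on OS family, with a threshold below which the host is handed to the customer for a decision. PROFILES and HOSTS are constructed sample data.

```python
"""Asset profiling from scanner fingerprints (illustration of steps 2-6).

Example code written for this article, not Acribia's implementation.
PROFILES and HOSTS are constructed sample data; the Jaccard similarity
and the 0.6 threshold are assumptions about how "precision" is measured.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fingerprint:
    os: str               # OS family reported by the scanner, e.g. "IOS"
    ports: frozenset      # open TCP ports seen by the scanner


@dataclass
class Profile:
    name: str             # device name, e.g. "Cisco Catalyst 2960"
    kind: str             # device type, e.g. "Network equipment"
    os: str
    ports: frozenset      # ports typical for members of the profile
    members: list = field(default_factory=list)  # IPs assigned so far


def similarity(fp: Fingerprint, profile: Profile) -> float:
    """Jaccard similarity of open-port sets, gated by OS family.

    A host whose OS family differs never matches, however similar its ports:
    a Linux box with 22/80/443 open is not a Windows web server.
    """
    if fp.os != profile.os:
        return 0.0
    union = fp.ports | profile.ports
    if not union:          # same OS, nothing open on either side
        return 1.0
    return len(fp.ports & profile.ports) / len(union)


def classify(fp: Fingerprint, profiles: list, threshold: float):
    """Step 4: pick the most precise existing profile.

    Returns (profile, score); profile is None when the best score is below
    threshold, which is the cue to ask the customer (step 5).
    """
    best, best_score = None, 0.0
    for p in profiles:
        s = similarity(fp, p)
        if s > best_score:
            best, best_score = p, s
    if best_score < threshold:
        return None, best_score
    return best, best_score


def profile_network(hosts: dict, profiles: list, threshold: float = 0.6):
    """Run one inventory pass over scanner output.

    Returns (assigned, unresolved): assigned maps IP -> profile name,
    unresolved lists IPs that need a human decision. Unresolved hosts are
    deliberately NOT forced into the nearest profile: a mis-typed host would
    be scanned with the wrong policy and on the wrong schedule.
    """
    assigned, unresolved = {}, []
    for ip, fp in hosts.items():
        profile, _ = classify(fp, profiles, threshold)
        if profile is None:
            unresolved.append(ip)
            continue
        profile.members.append(ip)
        assigned[ip] = profile.name
    return assigned, unresolved


# Constructed sample data (not from a real network).
PROFILES = [
    Profile("Cisco Catalyst 2960", "Network equipment", "IOS", frozenset({22, 23, 161})),
    Profile("Windows 10 workstation", "Workstation", "Windows", frozenset({135, 139, 445, 3389})),
    Profile("Ubuntu web server", "Server", "Linux", frozenset({22, 80, 443})),
]

HOSTS = {
    "10.0.1.5": Fingerprint("IOS", frozenset({22, 161})),                # switch with telnet disabled
    "10.0.2.17": Fingerprint("Windows", frozenset({135, 139, 445, 3389})),
    "10.0.3.8": Fingerprint("Linux", frozenset({22, 80, 443, 8080})),   # extra app port, still a web server
    "10.0.9.2": Fingerprint("Linux", frozenset({102, 502})),            # S7/Modbus ports: no profile fits
}

if __name__ == "__main__":
    assigned, unresolved = profile_network(HOSTS, PROFILES)
    for ip, name in assigned.items():
        print(f"{ip:<10} -> {name}")
    print("ask the customer about:", unresolved)
```

The last host is the interesting case: it runs Linux, so the naive OS match would drop it into the web-server profile, but its ports look like a PLC. The threshold keeps it out of every profile, and it goes to the customer instead of being scanned with a server policy that could knock an industrial controller over.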

This approach lets us determine the type of a device with an accuracy of about 95%, but there is always room for improvement. We are open to new ideas, comments and remarks. If you think there is anything we have not taken into account, we are ready to discuss it in the comments.

Scan Schedule

Once we have all the necessary information about the client's network, we draw up a vulnerability scan schedule based on the desired periodicity for each type of device. It can be anything from one day to one year. The periodicity depends, on the one hand, on how promptly and how often the customer is willing to work with vulnerabilities of a given type of equipment and, on the other hand, influences the cost of the service.

For instance, the schedule might look like this:

Note that we recommend checking the external perimeter of the network daily, to minimize the harm from newly disclosed («0-day») vulnerabilities. The recommendation also applies to the customer's public web resources.

Scanning

A week before the scheduled start date for scanning a particular group of devices, we contact the person responsible for that group, inform them of the scan dates and send the full list of devices we are going to scan. At this stage the scope of the scan can be adjusted if needed. This minimizes the risk of a device in the network having been misidentified.

After the scan is done, the person in charge is informed again. This means that the interested parties are ALWAYS aware of what is going on.

We use several different scanners, including specialized tools for detecting vulnerabilities in web systems. This way we get more data for analysis and can potentially detect more threats.

To optimize costs, we can limit ourselves to a representative sample of 30 to 50% of the devices in a group, or 30 to 50% of the devices at each office location, instead of scanning the whole group. If a critical vulnerability is detected within the sample, we can start a search for that particular vulnerability across the whole group. Thus we get the widest coverage in the least amount of time. Such a sample is only meaningful because the groups are built from homogeneous profiles; a sample from a poorly profiled group says little about the devices that were not scanned.
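The three mechanical parts of this stage, the per-group periodicity, the week-ahead notice to the group's owner, and the representative sample per office, as an added example written for this article (not Acribia's tooling). GROUPS is constructed inventory data; the 7-day notice window is taken from the text, while the keyed-hash ordering used to pick the sample is an assumption chosen so that successive rounds rotate through different devices.

```python
"""Scan planning: per-group periodicity, the week-ahead notice to the
group's owner, and a representative sample per office.

Example code written for this article, not Acribia's tooling. GROUPS is
constructed inventory data; the keyed-hash ordering used to pick the
sample is an assumption.
"""
from datetime import date, timedelta
import hashlib
import math

DAY = timedelta(days=1)
NOTICE_DAYS = 7   # the owner hears from us a week before the scan starts

# Constructed inventory: group name -> period, owner, last scan, devices by office.
GROUPS = {
    "external perimeter": {
        "period_days": 1, "owner": "netops@example.invalid",
        "last_scan": date(2019, 3, 4),
        "devices": {"dc-1": ["203.0.113.10", "203.0.113.11"]},
    },
    "Cisco Catalyst 2960": {
        "period_days": 30, "owner": "netops@example.invalid",
        "last_scan": date(2019, 2, 5),
        "devices": {"hq": ["10.0.1.5", "10.0.1.6", "10.0.1.7"],
                    "branch-a": ["10.1.1.5", "10.1.1.6"]},
    },
    "Windows 10 workstation": {
        "period_days": 90, "owner": "helpdesk@example.invalid",
        "last_scan": date(2019, 1, 10),
        "devices": {"hq": [f"10.0.2.{i}" for i in range(10, 30)]},
    },
}


def next_scan(group: dict) -> date:
    return group["last_scan"] + group["period_days"] * DAY


def due_on(groups: dict, today: date) -> list:
    """Groups whose next scan date has arrived, or was missed."""
    return sorted(name for name, g in groups.items() if next_scan(g) <= today)


def notices_for(groups: dict, today: date) -> list:
    """(owner, group, device list) for every scan starting in NOTICE_DAYS.

    Groups scanned at least weekly are skipped: a daily perimeter scan runs
    under a standing agreement rather than a fresh notice every day.
    """
    out = []
    for name, g in groups.items():
        if g["period_days"] <= NOTICE_DAYS:
            continue
        if next_scan(g) == today + NOTICE_DAYS * DAY:
            devices = sorted(ip for ips in g["devices"].values() for ip in ips)
            out.append((g["owner"], name, devices))
    return sorted(out)


def sample(group: dict, fraction: float, seed: str) -> list:
    """Representative sample: the same fraction from every office, never
    fewer than one device per office. Devices are ordered by a keyed hash,
    so each scan round (a new seed) rotates through different devices while
    the choice stays reproducible for auditing."""
    chosen = []
    for office, ips in group["devices"].items():
        k = max(1, math.ceil(len(ips) * fraction))
        ranked = sorted(ips, key=lambda ip: hashlib.sha256(f"{seed}:{ip}".encode()).hexdigest())
        chosen.extend(ranked[:k])
    return chosen


if __name__ == "__main__":
    today = date(2019, 2, 28)
    print("due today:", due_on(GROUPS, today))
    for owner, name, devices in notices_for(GROUPS, today):
        print(f"notify {owner}: {name} scan on {today + NOTICE_DAYS * DAY}, {len(devices)} devices")
    print("sample:", sample(GROUPS["Cisco Catalyst 2960"], 0.4, seed="2019-03"))
```

The device list in the notice is what the owner reviews and trims before the scan; the sample is drawn per office rather than per group so that a branch with two switches is never left out entirely, and a hit in the sample is the trigger for a targeted search across the whole group.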

It should be noted that some vulnerabilities are not detected by standard tools. When we start scanning a particular group of devices, we check all publicly known vulnerabilities for that group and make sure our scanners are able to find them. If we see that the standard tools are not enough, we check for particular vulnerabilities manually or develop our own tools to scan for them.

Most importantly, when information about a new dangerous threat appears in public, we do not wait for the scheduled scan date. All customers who might be vulnerable to the threat are promptly informed about the problem, and an unscheduled check is performed.

Analysis of the scan results

If you have ever run a vulnerability scanner on a corporate network of 100+ hosts, you probably remember the feeling that comes from looking at a long list of similar-looking entries whose content is hard to understand. Without proper knowledge it is quite hard to assess adequately what to leave as is, what to fix, and in which order.

We take this step on ourselves: we look at the results and select the really crucial problems, the ones that can do real harm to the customer's business.

We evaluate parameters such as:

- exposure of the vulnerable device/service to a potential attacker;

- the existence of a public exploit;

- the complexity of executing the exploit;

- the potential risk to the business;

- the chance of a false positive;

- the difficulty of remediation;

- and so on.
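One way to turn the parameters above into an order of work, as an added example written for this article (not Acribia's scoring model). The weights, the field names and the FINDINGS are constructed assumptions; the point it demonstrates is that reachability, exploit availability, false-positive odds and business impact, rather than the scanner's CVSS alone, decide what reaches the customer's queue.

```python
"""Triage of raw scanner findings by the parameters listed above.

Example code written for this article, not Acribia's scoring model. The
weights, the field names and FINDINGS are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    title: str
    cvss: float                 # scanner's base score, used only as a tiebreaker
    exposed: bool               # reachable by the attacker we worry about (internet/DMZ)
    public_exploit: bool        # a working exploit is available to anyone
    exploit_complexity: str     # "low" or "high"
    business_impact: str        # "low", "medium" or "high": what the host is for
    false_positive_odds: float  # 0.0..1.0; version-banner checks score high, verified checks low
    remediation: str            # "patch", "config" or "redesign"


IMPACT = {"low": 1, "medium": 2, "high": 3}


def likelihood(f: Finding) -> float:
    """How likely a real attack on this finding is, as a product of factors.

    Each factor scales the score down when the finding is harder to reach,
    harder to exploit, or less likely to be real at all.
    """
    score = 1.0 if f.exposed else 0.3
    score *= 1.0 if f.public_exploit else 0.4
    score *= 1.0 if f.exploit_complexity == "low" else 0.5
    score *= 1.0 - f.false_positive_odds
    return score


def priority(f: Finding) -> float:
    return likelihood(f) * IMPACT[f.business_impact]


def triage(findings: list, threshold: float = 0.5) -> tuple:
    """Split findings into (work, deferred), each ordered by priority.

    Deferred findings are not discarded: they stay in the report and are
    re-evaluated when a public exploit appears or the host becomes exposed.
    """
    ranked = sorted(findings, key=lambda f: (priority(f), f.cvss), reverse=True)
    work = [f for f in ranked if priority(f) >= threshold]
    deferred = [f for f in ranked if priority(f) < threshold]
    return work, deferred


# Constructed sample: five findings as a scanner might report them.
FINDINGS = [
    Finding("web-1", "Apache Struts with public RCE exploit", 9.8,
            exposed=True, public_exploit=True, exploit_complexity="low",
            business_impact="high", false_positive_odds=0.05, remediation="patch"),
    Finding("print-3", "SNMP default community string", 7.5,
            exposed=False, public_exploit=True, exploit_complexity="low",
            business_impact="low", false_positive_odds=0.0, remediation="config"),
    Finding("db-2", "Database listener poisoning", 7.5,
            exposed=False, public_exploit=True, exploit_complexity="low",
            business_impact="high", false_positive_odds=0.1, remediation="patch"),
    Finding("ws-17", "Self-signed certificate (version-based check)", 5.3,
            exposed=False, public_exploit=False, exploit_complexity="high",
            business_impact="low", false_positive_odds=0.8, remediation="config"),
    Finding("vpn-1", "Outdated TLS library, no public PoC", 9.8,
            exposed=True, public_exploit=False, exploit_complexity="high",
            business_impact="high", false_positive_odds=0.0, remediation="patch"),
]

if __name__ == "__main__":
    work, deferred = triage(FINDINGS)
    for f in work:
        print(f"WORK     {priority(f):.2f}  {f.host:<8} {f.title}")
    for f in deferred:
        print(f"DEFERRED {priority(f):.2f}  {f.host:<8} {f.title}")
```

The two findings with identical CVSS 7.5 end up in different buckets: the database listener guards data the business depends on, while the printer with a default SNMP community is internal-only and low impact. The VPN gateway makes the queue without a public exploit because it is exposed and the detection was verified rather than guessed from a version banner.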

After this processing, the vulnerabilities we have "checked and approved" are published in an incident management system (which we will cover separately), where the customer's employees can view them, ask questions, and take the job or decline it if they accept the risk.

If necessary, we can arrange a consultation with the person responsible for the vulnerable devices and explain in detail what was found, what it threatens, and how to minimize the risks.

After we hand the vulnerabilities over for remediation, the customer takes the lead, and we move on to scanning the next group of devices.

However, the process for the first group does not end here.

Vulnerability remediation management

In the system, a status and a remediation deadline can be set for every published vulnerability. We track status changes and approaching deadlines.

If the client reports that a vulnerability has been fixed, we see that and run a check to make sure the vulnerability is really gone. Since the check runs for only one specific vulnerability, it does not take long: the result can be obtained within a day for hundreds of thousands of hosts, or within seconds for a small group of devices.

If the vulnerability is closed, we confirm it. If the vulnerability is still present on part of the group or on the whole group of devices, we return it for rework.

The processing cycle for a vulnerability is closed only when we confirm that it has been removed from all the vulnerable devices.

The complete scheme looks like this:

Within the remediation management process, two auxiliary subprocesses can be highlighted: deadline management and interaction with the customer's representatives responsible for remediation.

Deadline Management

Let us repeat: a remediation deadline must be assigned for every vulnerability. This is a parameter the clients set themselves: we do not dictate how fast the customer's responsible employees should work, but we track progress toward the goals they have set. If a deadline is exceeded, the person in charge of the vulnerability management process on the customer side is informed. Information about vulnerabilities fixed in time or overdue is recorded in periodic reports, listing the so-called "A-graders" and "F-graders". In addition, we track the average vulnerability remediation time. Thus the client accumulates all the information needed for planning deadlines and the workload of responsible people, as well as a record of their achievements and omissions.

Interaction with the people in charge

Sometimes it is necessary to assign several different responsible people, to hand over part or all of the job to another person, or simply to change the person in charge because the first one could not manage it, went on vacation or sick leave, and so on. Our scheme supports such cases.

The picture below shows how the service works for a single vulnerability:

Effectiveness

Having set up the process this way, we see a number of advantages and opportunities that help process vulnerabilities more effectively and, at the same time, solve the problems listed in the first half of the article:

1. We take on not only the job of running the scanners that search for vulnerabilities in the network, but also the job of analyzing their output. We filter out everything superfluous and end up with a resulting list of vulnerabilities that actually need to be worked on.

2. When we draw up this list and present it to the customer's responsible specialists, we always write just two things: a detailed explanation of what the vulnerability means and its negative impact on the business, and recommendations for eliminating it and minimizing the risk. Thus it is always clear what will happen if nothing is done, and it is easy to estimate the time and cost of implementing the recommended actions.

3. If the customer still has doubts, or there is not enough justification to eliminate the vulnerability, we can additionally check whether the vulnerability can be exploited under real or near-real conditions. After such "micro-pentesting" it is clear how probable and how difficult the attack would be for a potential intruder.

4. Finally, when all remediation actions are done, we always verify them. This rules out the risk of mistakes or incomplete fixes.

At the same time, customers get what we consider valuable opportunities; they can:

- concentrate on the truly important groups of devices and track their status more often;

- concentrate on the really dangerous vulnerabilities, the ones that can cause real damage;

- control the work on every vulnerability, tracking status changes and deadlines;

- get individual consultations on vulnerability remediation;

- free up their employees' time that would otherwise go into running scans and processing the results, as well as setting up and supporting all the necessary tools;

- and, as a bonus for the CFO, convert the capital expense of buying their own scanning tools into an operating expense for expert services.