Vulnerability Management Maturity

"In order to efficiently protect an IT environment you must know how to efficiently attack one"

The inverse is also true:

"In order to efficiently attack or compromise an IT environment you must know how to build and protect one".


The Battlefield

Why do I call it a battlefield? The void in which an organization's executives, management, and technical experts meet with the intention of distributing organizational resources is indeed a battlefield - full of politics, rogue agendas, and large quantities of money. Unfortunately this creates an environment in which someone whose intention is to protect and do good for an organization must use tactical decision making in order to keep everyone protected and working efficiently. It is indeed a tough business these days in the IT world; it seems every day someone wants the new whiz-bang whistle-bell 3.0... How do you provide end users with the cutting-edge technology they need to gain an effective edge in their jobs while still protecting them from the harsh world outside your firewall? Unfortunately I don't have an all-inclusive answer to that, but I may have a piece of the puzzle...


Vulnerability Assessments vs Vulnerability Management

The idea of assessing vulnerabilities within your environment and the idea of managing those vulnerabilities are two very opposing viewpoints... for example: "Okay, so I ran a vulnerability scan on server1 and it came back with x CVEs; I then completed Microsoft patches - situation managed" or "Crap, it's Patch Tuesday! Looks like we need to roll out patches again." That is likely the mindset of the junior technical staff on the front lines of an organization's vulnerability assessment and/or patching processes. This is because they don't see the larger picture behind Vulnerability Management; it is up to leadership and senior staff to bring this mindset up into a more mature and advanced one.

The Vulnerability Management Maturity Model has been floating around for a while now; I have taken a graphic from one of these sources and modified it to portray my perspective on the matter. As you can see below, we have a simple right-to-left progress curve starting at level 0 and ending at level 5 (for simplicity's sake).



Level 0: Non-Existent (Ignorance is Bliss)

At this stage of development (or lack thereof) of the TVMP (Threat Vulnerability Management Plan), the organization likely has no VA (Vulnerability Assessment) tool implemented and is completing VAs manually using less than optimal resources and means. The patching methodologies and practices are likely elementary and basic. On top of sub-optimal VA initiatives (or none at all) and spotty, immature patching, there is likely little to no process documentation and no metrics to review and trend against in order for the organization to learn.

Management maturity during this stage or level of development is essentially 0, zero, null, nothing...

Level 1: Scanning

The beginning of the end - at this point the organization has taken some step in the direction of wanting a TVMP. Great news! Money, effort, and resources are expended, and some VA tools and fledgling processes start to emerge. A proper VA solution is put in place, and basic metrics are being collected and published. The processes for patching and VA are becoming clearer and starting to change for the better.


At this point the organization will find itself in a whirlwind of vulnerabilities, missing patches, CVEs, etc... This is where the Maturity Model really kicks in... The organization NEEDS to take appropriate steps in order to bring the investments it has made to completion.

Level 2: Assessment & Compliance (Whoa! The Information Age!)

It is crucial to the organization that all the information and data collected through the recent improvements to the TVMP be prioritized and acted on appropriately. So the next step for the organization is to work toward regulations, processes, and standard operating procedures that will drive its vulnerability assessments and its response to those assessments via IR (Incident Response) and IRE (Incident Response Escalations), along with the patching and C&A (Certification & Accreditation) processes.

Management maturity: during this dynamic time the organization will begin to collect a LOT of metrics that will be difficult to measure or analyze with any effectiveness - but it is heading in the right direction!

Level 3: Analysis & Prioritization

Now the organization has more data and information than it knows what to do with... Time to start sifting. Data points and metrics should be looked at holistically, as an organization, in order to apply a priority matrix to the systems and assets the organization is protecting. The end game here is for the organization to develop a 'risk-based' approach to analyze the data collected and respond to the issues in an organized, methodical, and measurable way.

Management maturity at this point is starting to become clearer for the organization. Metrics are starting to turn into trends, and the organization can start to form a real-world picture of its IT security and its ability to handle what is out there.
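To make the Level 3 "priority matrix" and the "metrics turning into trends" concrete, here is an added example (my own illustration, not from the original post or from any vendor's tool) of a risk-based scoring of scanner findings. It assumes a constructed weighting for asset criticality tiers and network exposure, constructed SLA windows per priority band, and a handful of constructed findings with placeholder identifiers; a real implementation would pull these from the organization's VA tool and asset inventory. The point it shows is that the raw CVSS score alone is a poor priority: a 9.8 on an internal dev box ranks below a 7.5 on an internet-facing or tier-1 system, and the SLA-breach count gives a number you can trend week over week.

```python
"""Risk-based prioritization of vulnerability-scan findings (added example).

The weights, SLA windows and sample findings below are constructed
assumptions used to illustrate a priority matrix; they are not taken from
the post or from any product.
"""
from dataclasses import dataclass
from datetime import date

# Constructed weighting matrix (assumption): how much each asset tier and
# network exposure raises the priority of a finding.
CRITICALITY_WEIGHT = {"tier1": 3.0, "tier2": 2.0, "tier3": 1.0}
EXPOSURE_WEIGHT = {"internet": 2.0, "dmz": 1.5, "internal": 1.0}
# Remediation SLA in days per priority band (assumption).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


@dataclass
class Finding:
    host: str
    finding_id: str   # placeholder scanner id, not a real advisory number
    cvss: float       # base score 0.0-10.0 as reported by the scanner
    tier: str         # asset criticality from the inventory
    exposure: str     # where the host sits relative to the perimeter
    first_seen: date  # when the scanner first reported it


# Constructed sample findings (assumption).
SAMPLE_FINDINGS = [
    Finding("web01", "scan-0001", 9.8, "tier1", "internet", date(2024, 1, 1)),
    Finding("db01", "scan-0002", 7.5, "tier1", "internal", date(2024, 1, 20)),
    Finding("dev01", "scan-0003", 9.8, "tier3", "internal", date(2023, 10, 1)),
    Finding("jump01", "scan-0004", 5.3, "tier2", "dmz", date(2024, 1, 25)),
]


def priority_score(f: Finding) -> float:
    """CVSS scaled by asset criticality and exposure; maximum 10 * 3 * 2 = 60."""
    return round(f.cvss * CRITICALITY_WEIGHT[f.tier] * EXPOSURE_WEIGHT[f.exposure], 1)


def priority_band(score: float) -> str:
    """Map a score onto the P1/P2/P3 bands used for SLA tracking (assumed cut-offs)."""
    if score >= 30:
        return "P1"
    if score >= 12:
        return "P2"
    return "P3"


def rank_findings(findings):
    """Return (score, band, finding) tuples, highest priority first."""
    scored = []
    for f in findings:
        s = priority_score(f)
        scored.append((s, priority_band(s), f))
    return sorted(scored, key=lambda t: t[0], reverse=True)


def sla_breaches(findings, today: date):
    """Findings still open past the SLA for their band: a metric worth trending."""
    out = []
    for _score, band, f in rank_findings(findings):
        age = (today - f.first_seen).days
        if age > SLA_DAYS[band]:
            out.append((f.host, f.finding_id, band, age))
    return out


if __name__ == "__main__":
    for score, band, f in rank_findings(SAMPLE_FINDINGS):
        print(f"{band} {score:5.1f}  {f.host:7s} cvss={f.cvss} {f.tier} {f.exposure}")
    for host, fid, band, age in sla_breaches(SAMPLE_FINDINGS, date(2024, 2, 1)):
        print(f"SLA breach: {host} {fid} ({band}, open {age} days)")
```

Run as a script it prints the ranked list (web01, db01, jump01, dev01) and two SLA breaches; the same two functions fed with each week's export give the trend line that Level 3 is asking for.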

Level 4: Attack Management

Now that the organization can clearly see the threat-scape and attack surface in and around its IT infrastructure, more focus can be placed on IR and IREs. Additional countermeasures and VAs can be placed on the highest-priority TVs (Threat Vectors) within the organization's environment. Advanced heuristic monitoring metrics can be applied to the analysis of collected data in order to produce the perspective needed to drive and improve processes. Patching and IR / IRE processes become driven by the data machine and harden into operating procedures with fewer and fewer misses and false positives, and compensating controls are placed on SSOPs (standard security operating procedures).

Management maturity is becoming very clear and is able to effect change efficiently within the organization. Hardened policies for information security can be supported by real and measurable data. Executives are able to assess, through reporting, the reality of their IT infrastructure - the threat-scape and attack surface it poses; this will drive business decisions to be made with security in mind and overall lead to a more productive and secure environment in which the organization can do and maintain business.

Level 5: Business-Risk Management (Always Evolving)

At this stage the organization can be proud of the accomplishments and progress it has made with its inclusive TVMP and all associated processes and SOPs. True threats and risks are aligned with business needs and goals, with assurance that TVs are scanned and monitored in accordance with priority and risk. Patching, IR, and IRE processes are advanced and regularly reviewed and maintained for relevance to the organization and the ever-evolving threat-scape. The enterprise can clearly assess and respond to the analytics and reports produced by the TVMP.



At this point the Threat Vulnerability Management Model has ended, but that by no means implies that an organization adopting this model is done with its TVMP. Threats and vulnerabilities are changing every day, and every day business continues to grow and improve - this means more IT growth and expansion of the business, and that means more threat vectors and additional attack surface that need to be accounted for and integrated into the enterprise's standard security operating procedure.

It is important to note that no model, idea, methodology, technology, or piece of software can solve and remediate 100% of security vulnerabilities and risks. But an effective team of professionals, given the appropriate level of resourcing and support, can apply business-relevant countermeasures, compensating controls, and heuristic monitoring metrics against threat vectors so that business can continue smoothly, with absolute assurance that the organization is protecting itself the best that it can.




Credits and Thanks

- check out Core Security White Paper