Vulnerability management is a bottomless pit for enterprise security leaders. As new applications come online and older systems are updated, vulnerabilities keep flowing in. For a long time it has seemed that the holes are endless and can never all be fixed; vulnerability mining and vulnerability management are a pit that can never be filled. The industry has talked about vulnerability management for years, but there have been few really good practice cases. In summary, the main reasons for this situation are as follows:

1. There are many channels of vulnerability discovery

The most important point of security management is to constantly find one's own weaknesses and strengthen them, so using a variety of means to find weaknesses in one's own network is a crucial link. As enterprise security construction deepens, the channels of vulnerability discovery become more and more numerous. These include system vulnerability scanners, web vulnerability scanners, code auditing systems, baseline checking tools, POC vulnerability validation scripts, manual penetration tests, and even SRCs (security response centers) that are self-built or hosted by third parties.



2. There are many people involved in repair

In the links of vulnerability management work, such as vulnerability discovery, verification, repair, tracking and acceptance, personnel in many positions take part, including outsourced security service staff from third-party security vendors, the internal security management team, the internal product R&D team, third-party product R&D teams, the person responsible for security, and the leadership above the security department. Communicating and coordinating with the people in each link is quite complex and consumes a lot of energy.

3. Work-result data is scattered

In the process of enterprise security management, vulnerability management is a complicated and cumbersome matter that must be followed up, processed, verified and repaired through the whole cycle. During this period numerous documents appear: vulnerability description documents, vulnerability verification documents, vulnerability repair suggestion documents, all kinds of repair process documents, and the communication records of each link. Thousands of pieces of information accumulate. Doing this well takes a good approach and skill; otherwise it leaves you feeling tired and powerless.

4. Working with multiple third-party security service vendors

Interfacing with the vendors and brands that provide security services from multiple third parties has always been the part of security management that receives the most investment. Vulnerability mining work has a wide scope, involving many vendors, personnel and equipment types. Managing outsourced work is complicated, and scientifically evaluating the capabilities of vendors requires complete data support.

5. Security management platforms need a lot of data

Situational awareness, SOC, SIEM and other security management systems need a lot of data, and most of them are platforms centered on traffic, logs and alarms. Vulnerability management data, however, has many dimensions and various sources, so incorporating such data into the unified management platform and maintaining it is very complicated, and doing a good job of automatic scheduling involves complex work.

In actual vulnerability management work we face far more problems than those above. So what qualities does a good vulnerability management platform need in order to solve them? In the author's opinion, a good vulnerability management platform should have the following characteristics: comprehensiveness and openness, automation and process, timely response, and data-supported decision making.

1. Comprehensive and open: collect all vulnerability-related data comprehensively, so that one platform covers it all. First, the platform has asset discovery capability and can fully cover the assets under its jurisdiction without omitting any possible weak link. Whether hardware or software, application or data, all of these need to be recorded in a clear asset ledger with a clearly assigned security owner, so as to ensure the coverage of vulnerability detection targets;

Second, be open to vulnerabilities from various sources, and accept vulnerability data from all brands and sources, including vulnerability scanners, baseline detection, code auditing, grey-box detection tools, risk assessment, penetration testing, crowdsourced testing, the enterprise SRC and other platforms, so that the data sources are comprehensive;

Third, open the platform to the third-party security service providers that do penetration testing, code auditing, vulnerability scanning and baseline detection for the enterprise, and create accounts with corresponding identities for them, so that they can work on the basis of the vulnerability management platform. In addition, the various vulnerability detection tasks can be distributed uniformly to third-party service providers through the vulnerability management system, forming a more efficient collaboration mode that improves efficiency and simplifies management.

Fourth, asset and vulnerability data can be opened to the internal unified security management platform, giving that platform a way to ingest asset- and vulnerability-related data.

2. Automation and process: First, automatic scheduling: equipped with various scanners that can be scheduled automatically and whose vulnerability data is collected automatically. Data collection is no longer done only by passing spreadsheets around; it is based on historical data, which makes searching and subsequent vulnerability management convenient.

Second, automated tasks: proper periodic scanning not only helps companies find vulnerabilities faster, it also greatly reduces network risk. The platform should be able to create scheduled tasks flexibly, in step with the rhythm of vulnerability verification and repair, so that scanning tasks run unobtrusively in the background;

Third, the disposal process: vulnerabilities are released through the customer's existing work process, so that the cooperation between the security management team and other business departments is synchronized into the enterprise's internal work process as far as possible, and the vulnerability management platform operates quietly without opening another process, preventing an increase in the customer's internal cooperation cost.

3. Timely response: First, timely 1-day vulnerability response capability: quickly filter by the various fingerprint conditions in the asset ledger, locate the affected assets and make timely decisions;
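As an added illustration of this first point (example code, not from the original article or any product), the following Python script matches the affected version range of a constructed 1-day advisory against the product and version fingerprints in a constructed asset ledger; the ledger fields, the advisory format and the product names are all assumptions.

```python
"""Locate assets affected by a newly disclosed vulnerability by matching
fingerprint fields in the asset ledger against the advisory's affected
version range. All data below is constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed asset ledger: each entry carries the fingerprints the platform
# collected (product name and version) plus the responsible owner.
ASSET_LEDGER = [
    {"asset": "web-01", "owner": "payments", "product": "exampled", "version": "2.4.10"},
    {"asset": "web-02", "owner": "payments", "product": "exampled", "version": "2.5.1"},
    {"asset": "api-01", "owner": "platform", "product": "exampled", "version": "2.3.0"},
    {"asset": "db-01",  "owner": "platform", "product": "otherdb",  "version": "9.1"},
]

# Constructed 1-day advisory (hypothetical id and format): product plus the
# affected version range expressed as comparison constraints.
ADVISORY = {"id": "ADV-EXAMPLE-001", "product": "exampled",
            "affected": [">=2.4.0", "<2.5.0"]}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically;
    a plain string comparison would wrongly rank '2.4.10' below '2.4.9'."""
    return tuple(int(p) for p in v.split("."))

def satisfies(version: str, constraint: str) -> bool:
    """Evaluate one constraint such as '<2.5.0' against a version string."""
    for op in (">=", "<=", ">", "<", "=="):  # two-char operators first
        if constraint.startswith(op):
            left, right = parse_version(version), parse_version(constraint[len(op):])
            return {">=": left >= right, "<=": left <= right, ">": left > right,
                    "<": left < right, "==": left == right}[op]
    raise ValueError(f"unsupported constraint: {constraint}")

def affected_assets(ledger: List[Dict], advisory: Dict) -> List[Dict]:
    """Return ledger entries whose product matches the advisory and whose
    version falls inside every constraint of the affected range."""
    return [a for a in ledger
            if a["product"] == advisory["product"]
            and all(satisfies(a["version"], c) for c in advisory["affected"])]

if __name__ == "__main__":
    for hit in affected_assets(ASSET_LEDGER, ADVISORY):
        print(f"{ADVISORY['id']}: {hit['asset']} ({hit['owner']}) "
              f"runs {hit['product']} {hit['version']}")
```

With the constructed data only web-01 is reported, and the listed owner is who the platform would notify.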

Second, through a SaaS vulnerability response center, the POC of a new vulnerability can be quickly reported and synchronized to help customers rapidly verify whether the vulnerability exists in the enterprise's internal assets. For major vulnerabilities whose exploitation details have been disclosed, the corresponding POC response time should not exceed 24 hours, so that new vulnerabilities are answered in a more timely manner.

4. Data-supported decisions: First, all vulnerability data can be counted clearly, and key indicators such as vulnerabilities to be verified, to be repaired and to be accepted can be counted along various dimensions such as business scenario, system management department and disposal time, so that the security team can drive work and report based on data, and vulnerability management decisions are rational and evidence-based;

Second, accounts for third-party outsourced personnel are issued through the platform, and the results of security service work such as penetration testing, vulnerability scanning, baseline detection, risk assessment and code auditing are all recorded in the system, so that work progress can be viewed more easily and unified report documents can be output through the platform. There are many kinds of security services, they are strongly periodic, and they produce many data documents. Whether a service provider's work results are good is no longer judged by a few outstanding performances, subjective feelings or relationships, but can be evaluated comprehensively on the basis of cumulative overall data with reasonable evidence.

Third, asset data and vulnerability data should be combined with business scenarios for a more comprehensive analysis, to find out which parts need a stronger defense strategy and to adjust the priority of the vulnerability repair strategy based on judgments of business importance and vulnerability severity.
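The following Python example is added here to illustrate both the status counts by dimension described under the first point and the severity-times-business-importance prioritization described in this third point; it is not code from the original article, and the record fields, the status names and the scoring rule are assumptions on constructed data.

```python
"""Rank open vulnerabilities for repair by combining severity with the
business importance of the affected asset, and count records per status
along a reporting dimension. All data below is constructed."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed vulnerability records as a platform might store them.
VULNS = [
    {"id": "V-1", "asset": "pay-web", "severity": "high",     "status": "to_verify",          "dept": "payments"},
    {"id": "V-2", "asset": "hr-wiki", "severity": "critical", "status": "to_repair",          "dept": "hr"},
    {"id": "V-3", "asset": "pay-db",  "severity": "medium",   "status": "to_repair",          "dept": "payments"},
    {"id": "V-4", "asset": "hr-wiki", "severity": "low",      "status": "pending_acceptance", "dept": "hr"},
]
# Constructed business-importance ratings from the asset ledger
# (1 = peripheral system, 5 = core business system).
IMPORTANCE = {"pay-web": 5, "pay-db": 5, "hr-wiki": 2}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def priority(v: Dict) -> int:
    """Assumed scoring rule: severity weight times business importance, so a
    medium finding on a core system can outrank a critical one on a minor system."""
    return SEVERITY_SCORE[v["severity"]] * IMPORTANCE.get(v["asset"], 1)

def repair_queue(vulns: List[Dict]) -> List[Tuple[str, int]]:
    """Vulnerabilities still awaiting verification or repair, highest priority first."""
    open_items = [v for v in vulns if v["status"] != "pending_acceptance"]
    return [(v["id"], priority(v))
            for v in sorted(open_items, key=priority, reverse=True)]

def count_by(vulns: List[Dict], dimension: str) -> Dict[str, Dict[str, int]]:
    """Status counts per value of a dimension such as 'dept' or 'asset',
    the kind of breakdown a security team reports from."""
    out: Dict[str, Counter] = {}
    for v in vulns:
        out.setdefault(v[dimension], Counter())[v["status"]] += 1
    return {key: dict(counts) for key, counts in out.items()}

if __name__ == "__main__":
    print("repair queue:", repair_queue(VULNS))
    print("by department:", count_by(VULNS, "dept"))
```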

Conclusion: a good platform makes vulnerability management easier and more effective, so that more energy can be put into strengthening vulnerability discovery and exploitation capability and improving the ability to respond to security incidents.