By Heather Cyrus
Thu | May 7, 2020 | 9:18 AM PDT

Most organizations had vulnerability management top of mind before the pandemic, but now, with millions of people working from home, keeping track of all those endpoints has become far more critical.

To help us sort out how to identify and prioritize risk, and execute best practices on vulnerability management, five expert panelists joined us on our series of SecureWorld Remote Sessions for a Q&A hour. Below is a short snippet of the webcast, so be sure to check out the full episode.

Meet the vulnerability management panel

Each member of the vulnerability management panel started with an opening statement on the topic. Here are excerpts.

Chris Peltz, Sr. Information Security Engineer with GuidePoint Security:

"Ultimately what most organizations are really trying to accomplish when measuring and reporting on vulnerability is to really map business risk to technical indicators, and obviously that's a very difficult problem, and kind of an art as much as it's a science."

Jon Allen, VP and Information Systems Security Officer with Catalyst Corporate Federal Credit Union:

"You definitely have to map your risks to your tools, as well as your program, and you really need to do that risk assessment and gap analysis before you do anything else, before you dive into any program or project to understand what your scope is going to be, where your crown jewels are, what your critical assets are, and really go from there."

Chad Barr, Compliance Practice Manager, Risk Management Services, with AccessIT Group:

"A good vulnerability management program is really three main parts; identification, prioritization, and remediation. A good vulnerability management program really needs to be business focused. It is aligning vulnerabilities with your company goals and what you want to achieve."

Brian Lourie, Information Security and Governance Senior Lead with Mars:

"It's all about the risk to the business, and prioritization is crucial. As you get into large companies, or even small ones that don't have a full staff, you can't fix everything these days, and it is important to know what's important to business, to identify that risk, and to remediate it appropriately."

Ken Pyle, Partner, DFDR Consulting; Faculty, IANS Research, Professor, Cybersecurity and Information Assurance:

"I can't stress enough the importance of using human testing in addition to any sort of tools and endpoint management solutions that anybody is going to give you. I find my exploits and my attacks from manual methods and automated tools, and automated vulnerability assessments are only as good as the definitions that are produced and how well you have it configured."

Now, let's take a look at a few of the questions posed to the panelists and excerpts of their responses to the questions.

Vulnerability management: In a remote workforce, what are the top things you recommend to mitigate risk?

Jon Allen:

"Multifactor is definitely number one. If you don't have a multi-factor system set up at this point, you may as well just consider that asset hacked, gone, breached. Have multi-factor applied across the board. Not just for your users, but also for your administrative accounts and anyone that has any sort of elevated privileges, etc., because those are the things attackers will be looking for to exploit from the outside.

The second thing I would press for is to enable a jump box type system for your employees to work through. You need some sort of portal that you direct your folks through that creates an audit trail for you, and it gives you the ability to start to analyze your user behavior."

Brian Lourie:

"Do not forget to look at the environment that your vulnerability scanning tools are in. That tends to be one thing that gets overlooked. Remember, even your third-party vendors are not in their offices, they're remote too."

Ken Pyle:

"I'd say you can eliminate 85-95% of your security risks by following four rules:
1. Make sure every account that has access to your environment has least privilege.
2. Make sure you patch your systems and applications rapidly.
3. Make sure you are rotating passwords for privileged and service accounts and you're not using the same password on all these accounts, and make sure the accounts don't have extended rights beyond what they need.
4. Train your users on the rolling security, particularly now, because the borders are a lot fuzzier."

What about human vulnerabilities due to working remotely with regards to burnout, stress/fatigue?

Brian Lourie:

"You're not actually working from home. You're home due to a crisis, trying to work. Things are not normal today, expectations of what you can deliver and what you can accomplish are being adjusted within the company itself. My company has adopted the mindset that we are not here by choice, we are here because of circumstance. Let's make the best of it together and move forward."

Chad Barr:

"All of us are human, we're not robots, and humans by default make mistakes, and stress just causes even more mistakes. Make sure your employees have down times—digital happy hours, or one-on-one time. Most of us aren't seeing our colleagues anymore, and that in itself can be stressful. Take care of your people, and they will take care of your environment."

How do we handle SaaS, log in anywhere, remote employees using personal machines, and compliance?

Chad Barr:

"Now you have all these endpoints you hopefully have control over, but you have less control than you did when employees are behind the locked firewalls and you have everyone sitting in your office. How are you going to make sure those endpoints are still secure and not an open gateway? Are you going to force them [your employees] to allow you to install software they would normally have on their corporate PC, or are you going to sandbox an environment for them that they can work from? Are you going to force them to VPN to a jump host and make sure everything they do is done from there? Those are all for vulnerability management, but also compliance reasons too."

Why is it important for companies to design an 'off-ramp' for remote access and work now?

Ken Pyle:

"In my opinion, this is the most important point of all. Make sure when operations get restored back to normalcy, that we vet everything coming in. But not only that, make sure we turn off things, make sure things are secure. We are basically opening a bunch of new on-ramps into our systems [currently], but we have to make sure we turn them back off when this is over with."

What are common traits you find among organizations succeeding with vulnerability management?

Chris Peltz:

"The organizations that we see succeeding are adding contextualized data to how they operate vulnerability management. Measuring how bad they are and how they should be addressed. The organizations that do the best job with this are the ones that won't sacrifice good for great."
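The "contextualized data" the panelists keep returning to (Chris Peltz's mapping of business risk to technical indicators, Jon Allen's crown jewels, Chad Barr's identify/prioritize/remediate loop) can be made concrete in a small scoring model. The following is an added example, not code from SecureWorld or any panelist: it takes scanner findings with a CVSS base score and adjusts them by asset criticality, internet exposure, public exploit availability, and whether a compensating control (such as the MFA-protected jump host discussed above) sits in front of the asset. The findings, the weight values, the criticality tiers, and the SLA thresholds are all assumptions chosen for illustration, not figures from the page.

```python
"""Contextual vulnerability prioritization (added example, not panel code).

Ranks findings by CVSS base score adjusted for business context so that a
medium-severity bug on an exposed crown-jewel system can outrank a critical
bug on a low-value, isolated one. All weights, tiers and SLA thresholds below
are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str              # scanner's finding identifier (placeholder values)
    cvss: float               # CVSS base score, 0.0-10.0
    criticality: str          # assumed tiers: 'crown_jewel', 'standard', 'low'
    internet_exposed: bool    # reachable from the internet
    exploit_public: bool      # working exploit publicly available
    compensating_control: bool  # e.g. MFA jump host or network isolation in front


# Assumed multipliers; tune to your own risk appetite.
CRITICALITY_WEIGHT = {"crown_jewel": 1.5, "standard": 1.0, "low": 0.6}
EXPOSURE_WEIGHT = 1.3
EXPLOIT_WEIGHT = 1.2
COMPENSATING_CONTROL_WEIGHT = 0.7


def contextual_score(f: Finding) -> float:
    """Relative priority score: CVSS scaled by asset and threat context.

    Deliberately not capped at 10 so that ordering is preserved among the
    highest-risk findings.
    """
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.internet_exposed:
        score *= EXPOSURE_WEIGHT
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    if f.compensating_control:
        score *= COMPENSATING_CONTROL_WEIGHT
    return round(score, 2)


def sla_days(score: float) -> int:
    """Map a contextual score to an assumed remediation window in days."""
    if score >= 12:
        return 7
    if score >= 8:
        return 30
    if score >= 4:
        return 90
    return 180


def prioritize(findings):
    """Return findings sorted from highest to lowest contextual score."""
    return sorted(findings, key=contextual_score, reverse=True)


# Constructed sample findings (not real scan data).
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "finding-001", 7.5, "crown_jewel", True, True, False),
    Finding("db-prod-03", "finding-002", 9.8, "crown_jewel", False, False, True),
    Finding("dev-laptop-17", "finding-003", 9.8, "low", False, True, False),
    Finding("kiosk-lobby", "finding-004", 5.3, "low", False, False, True),
]


if __name__ == "__main__":
    print(f"{'host':<15}{'vuln':<14}{'cvss':>6}{'ctx':>8}{'sla(d)':>8}")
    for f in prioritize(SAMPLE_FINDINGS):
        s = contextual_score(f)
        print(f"{f.host:<15}{f.vuln_id:<14}{f.cvss:>6.1f}{s:>8.2f}{sla_days(s):>8}")
```

Note how the two CVSS 9.8 findings land in different bands: the isolated production database behind a compensating control drops to a 30-day window, while the 7.5 on the internet-facing VPN gateway with a public exploit rises to the top. That is the mapping of business risk to technical indicators the panel describes; the numbers themselves must be calibrated against your own asset inventory and risk assessment.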

Where do you see vulnerability management heading over the next five years?

Chris Peltz:

"Being able to accommodate non-traditional assets is really where we are going. Whether that's IoT, OT, containers, etc., and how you address those, the tooling changes and the processes change. So it kind of speaks to more of a reliance on having a sound program, having a strategy that can cover things in a semi-agnostic way in a technology sense."

Jon Allen:

"I'm seeing a trend where a lot of our SaaS providers are moving into what I see as a shared compliance model. They are going to give you the tools, but they aren't going to configure them for you. More of a collaborative partnership with our business partners."

Web conference: vulnerability management in today's climate

To go more in-depth on these insights, we highly suggest you take the time to watch the SecureWorld Remote Sessions episode. You will hear each panelist's thoughts on the vulnerability management questions above and many other questions around this topic.

WATCH: Panel: Vulnerability Management in Today's Climate

Thank you, Chris, Jon, Ken, Brian, and Chad, for helping serve in SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.
