Remediating Vulnerabilities? Here’s What You Need to Know

Written by CISOSHARE

December 21, 2016

Following a vulnerability assessment, penetration test, or other company-wide assessment of your security program, it’s wise to turn the findings into a security vulnerability remediation plan. 

A good security vulnerability remediation plan will address a range of issues, from large-scale system patches on vulnerable systems to addressing a lack of security-related processes like third-party risk management or incident management. 

Whether you’re a security executive or a newcomer to security program development, our experts have put together a few tips to help you remediate the vulnerabilities in your environment. 

Tip 1: Differentiate between tactical and foundational planning 

Tactical remediation efforts are one-time tasks that need to be performed, for example addressing specific, identified vulnerabilities on a handful of systems. 

Foundational remediation, however, is often associated with setting up and establishing repeatable processes or standards that can be used in future remediation activities. This includes policies and processes related to system patching, for example.  

Tactical efforts typically provide a one-time benefit while foundational activities are meant to prepare your organization’s security program for continued progress over time. 

Tip 2: Focus on both tactical and foundational efforts during vulnerability remediation planning 

Whenever your organization is developing a vulnerability remediation plan after an annual pen test or following a customer assessment of your environment, find a balance between tactical and foundational efforts. 

Structure your vulnerability remediation plan based on your business’ current needs so that your remediation items can be done in the most cost-effective manner. Build the foundational elements where you anticipate needing them in the future and prioritize the tactical efforts that are critical to your environment. 

Tip 3: Have your vulnerability management standards and processes solidly in place 

Every security program should have its own set of standards and processes, usually defined in the program’s policy and process documentation. If that documentation is out of date, or the policies and processes were never properly established, this is where prioritizing foundational work comes into play. 

An effectively designed vulnerability management program should guide and inform your security team’s vulnerability remediation. Identified vulnerabilities that have been analyzed and classified should be reported to stakeholders and other interested parties, which can help identify which vulnerabilities should be prioritized for remediation. 

Tip 4: Divide the work and utilize your processes 

When you evaluate your environment, your team might find that many of the tactical efforts that need to be done involve large amounts of repetitive tasks. Think about patching the systems in your environment — you could have over 20,000 systems to patch. 

Instead of trying to finish all these patches at once, focus on building a repeatable process for executing these tactical items and complete a small number of them. You can use this smaller number of patches to evaluate the processes you’ve established and  

As your team executes remediation and mitigation projects, the progress and results of these should also be documented to create an evidence trail. This can be especially helpful for potential audits, troubleshooting, and future compliance. 
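The classify-report-prioritize flow of Tip 3 and the pilot-batch-plus-evidence-trail approach of Tip 4 can be expressed as a small script. The following is an added example written for this page, not CISOSHARE's code or tooling; the scoring weights, severity bands, finding identifiers, hosts and the pilot size are all assumptions chosen for illustration, and the findings are constructed sample data rather than real scan output.

```python
"""Added example (not CISOSHARE's code): turn scanner findings into a
prioritized, batched remediation plan with an evidence trail.

Assumptions (not from the article): each finding carries a CVSS base
score, whether the host is internet facing, and an asset criticality
tier. All finding identifiers and hosts below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass
class Finding:
    finding_id: str        # scanner's own id; constructed placeholders here
    host: str
    title: str
    cvss: float            # CVSS base score, 0.0-10.0
    internet_facing: bool
    asset_tier: int        # 1 = most critical asset ... 3 = low-value


def priority_score(f: Finding) -> float:
    """Rank by severity, then raise exposed and high-value assets.

    The weights are an assumption for this example; a real program takes
    them from its vulnerability management standard (Tip 3).
    """
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    score += {1: 1.5, 2: 0.5, 3: 0.0}[f.asset_tier]
    return round(score, 2)


def classify(f: Finding) -> str:
    """Severity band used when reporting to stakeholders (assumed bands)."""
    s = priority_score(f)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def plan_waves(findings, pilot_size=3):
    """Order findings by priority and split off a small pilot wave so the
    remediation process can be validated on a few systems before it is
    run at scale (Tip 4)."""
    ordered = sorted(findings, key=priority_score, reverse=True)
    return {"pilot": ordered[:pilot_size], "remaining": ordered[pilot_size:]}


def stakeholder_summary(findings):
    """Counts per severity band for the remediation report."""
    summary = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        summary[classify(f)] += 1
    return summary


def evidence_record(f: Finding, action: str, verified: bool, when=None):
    """One audit-trail entry per remediation action, serialisable as JSON."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),
        "finding_id": f.finding_id,
        "host": f.host,
        "severity": classify(f),
        "action": action,
        "verified_by_rescan": verified,
    }


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", "Outdated TLS library", 7.5, True, 1),
    Finding("F-002", "app-03", "Missing OS patch", 6.5, False, 2),
    Finding("F-003", "kiosk-07", "Default SNMP community", 5.3, False, 3),
    Finding("F-004", "vpn-01", "Remote code execution in VPN appliance", 9.8, True, 1),
    Finding("F-005", "print-02", "Weak SSH ciphers", 4.3, False, 3),
]

if __name__ == "__main__":
    waves = plan_waves(SAMPLE_FINDINGS)
    print("Stakeholder summary:", stakeholder_summary(SAMPLE_FINDINGS))
    print("Pilot wave:", [f.host for f in waves["pilot"]])
    # Simulated outcome of the pilot: record what was done and whether a
    # rescan confirmed the fix, so the process can be evaluated and audited.
    log = [evidence_record(f, "patched", True) for f in waves["pilot"]]
    print(json.dumps(log, indent=2))
```

The pilot wave is deliberately the highest-priority items, so the process is tested where a failure would matter most and the first evidence records cover the findings an auditor will ask about first. In practice the evidence records would be appended to a ticketing system or immutable log rather than printed.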

Don’t let vulnerabilities go unaddressed in your organization.