
Remediating Vulnerabilities? Here’s What You Need to Know
Written by CISOSHARE
December 21, 2016
25 min read
Following a vulnerability assessment, penetration test, or other company-wide assessment of your security program, it’s wise to turn the findings into a security vulnerability remediation plan.
A good security vulnerability remediation plan addresses a range of issues, from large-scale patching of vulnerable systems to filling gaps in security-related processes such as third-party risk management or incident management.
Whether you’re a security executive or a newcomer to security program development, our experts have put together a few tips to help you remediate the vulnerabilities in your environment.
Tip 1: Differentiate between tactical and foundational planning
Tactical remediation efforts are one-time tasks, such as fixing specific, identified vulnerabilities on a handful of systems.
Foundational remediation, by contrast, sets up and establishes repeatable processes or standards that future remediation activities can reuse, such as the policies and processes that govern system patching.
Tactical efforts typically deliver a one-time benefit; foundational activities prepare your organization’s security program for continued progress over time.
Tip 2: Focus on both tactical and foundational efforts during vulnerability remediation planning
Whenever your organization is developing a vulnerability remediation plan after an annual pen test or following a customer assessment of your environment, find a balance between tactical and foundational efforts.
Structure your vulnerability remediation plan based on your business’ current needs so that your remediation items can be done in the most cost-effective manner. Build the foundational elements where you anticipate needing them in the future and prioritize the tactical efforts that are critical to your environment.
Tip 3: Have your vulnerability management standards and processes solidly in place
Every security program should have its own set of standards and processes, usually defined in the program’s policy and process documentation. If that documentation is out of date, or the policies and processes were never properly established, this is where prioritizing foundational work comes into play.
An effectively designed vulnerability management program should guide and inform your security team’s remediation work. Identified vulnerabilities that have been analyzed and classified should be reported to stakeholders and other interested parties; that reporting helps decide which vulnerabilities to remediate first.
Tip 4: Divide the work and utilize your processes
When you evaluate your environment, your team may find that many of the tactical items involve large volumes of repetitive work. Think of patching: you could have over 20,000 systems to patch.
Instead of trying to finish all these patches at once, focus on building a repeatable process for executing these tactical items and complete a small number of them. You can use this smaller number of patches to evaluate the processes you’ve established and
As your team executes remediation and mitigation projects, the progress and results of these should also be documented to create an evidence trail. This can be especially helpful for potential audits, troubleshooting, and future compliance.
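To make Tips 3 and 4 concrete, here is an added example (not code from CISOSHARE or from the original post) that takes a set of scan findings, scores and classifies them for stakeholder reporting, separates one-off tactical fixes from fixes that recur across many hosts and therefore call for a repeatable process, and picks a small pilot batch on which to validate that process before scaling it. The weights, thresholds, host names and findings are constructed for illustration and are not values from the article.

```python
"""Triage scan findings into a remediation plan: score and classify each
finding for stakeholder reporting, separate one-off tactical fixes from
fixes that recur across many hosts (candidates for a repeatable process),
and pick a small pilot batch to validate that process before scaling it.
The weights, thresholds and sample findings are assumptions for
illustration, not values from the article."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    fix: str               # what remediates it, e.g. a patch or config change
    cvss: float            # CVSS base score, 0.0-10.0
    exploit_public: bool   # a working exploit is publicly available
    internet_facing: bool  # reachable from the internet
    asset_tier: int        # business criticality: 1 = highest, 3 = lowest


# Assumed multipliers: raw CVSS is adjusted by exposure and business impact.
EXPLOIT_WEIGHT = 1.5
EXPOSURE_WEIGHT = 1.3
TIER_WEIGHT = {1: 1.2, 2: 1.0, 3: 0.8}
# A fix shared by at least this many hosts is treated as a process problem.
FOUNDATIONAL_MIN_HOSTS = 3


def priority_score(f: Finding) -> float:
    """Environment-adjusted score used to rank remediation work."""
    score = f.cvss
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    return score * TIER_WEIGHT[f.asset_tier]


def severity_band(score: float) -> str:
    """Classification used when reporting to stakeholders (assumed cut-offs)."""
    if score >= 15.0:
        return "critical"
    if score >= 8.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def band_counts(findings):
    """Counts per severity band: the one-line summary for a status report."""
    counts = defaultdict(int)
    for f in findings:
        counts[severity_band(priority_score(f))] += 1
    return dict(counts)


def build_plan(findings, pilot_size=2):
    """Return the tactical ordering, foundational fixes and a pilot batch."""
    by_fix = defaultdict(list)
    for f in findings:
        by_fix[f.fix].append(f)
    # Fixes that recur across many hosts need a repeatable process, not a
    # one-off ticket per host.
    foundational = sorted(
        fix for fix, fs in by_fix.items() if len(fs) >= FOUNDATIONAL_MIN_HOSTS
    )
    # Everything still gets a tactical ranking; sorted() is stable, so ties
    # keep their input order.
    tactical = sorted(findings, key=priority_score, reverse=True)
    # Pilot the process on the least critical affected hosts first so a bad
    # patch or a broken runbook does not take down a tier-1 system.
    pilot = []
    if foundational:
        widest = max(foundational, key=lambda fix: len(by_fix[fix]))
        candidates = sorted(by_fix[widest],
                            key=lambda f: (-f.asset_tier, priority_score(f)))
        pilot = [f.host for f in candidates[:pilot_size]]
    return {
        "tactical": [f.host for f in tactical],
        "foundational": foundational,
        "pilot": pilot,
    }


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding("web-01", "Missing OS patch rollup", 7.5, True, True, 1),
    Finding("web-02", "Missing OS patch rollup", 7.5, True, True, 2),
    Finding("db-01", "Missing OS patch rollup", 7.5, True, False, 1),
    Finding("app-01", "Missing OS patch rollup", 7.5, True, False, 3),
    Finding("vpn-01", "Default admin credentials", 9.8, True, True, 1),
    Finding("file-01", "Outdated OpenSSL", 5.3, False, False, 3),
    Finding("lab-01", "Outdated OpenSSL", 5.3, False, False, 3),
]

if __name__ == "__main__":
    print("stakeholder summary:", band_counts(SAMPLE_FINDINGS))
    for key, value in build_plan(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

The pilot batch is deliberately drawn from the lowest-tier hosts affected by the most widespread fix: that is where a broken patch process costs the least, and the outcome of those first few patches is the evidence used to refine the runbook before the remaining hosts are scheduled. The plan output, with the pilot results recorded against it, doubles as the evidence trail mentioned above.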