Remediation! Remediation! Say ... er … Do that a million times without blabbing!
Yes, I went there. I showed what most VM practitioners will feel when you talk about managing a VM program - ‘out of depth’. The process of managing a vulnerability program can feel a lot like trying to manage an impossible task. If it’s not a Heartbleed vulnerability, it’s Dirty Cow, or Bluekeep, or PrintNightmare … who names these vulnerabilities anyway?
Hopefully, if you are reading this article, you have Cisco Vulnerability Management (formerly Kenna Security) on your side. Although we can’t make all these vulnerabilities vanish, we offer you a scientific approach to priority-based vulnerability management which helps bring focus to your program and reduces the scope of the vulnerabilities you should be most focused on. Think of this as reducing the task from raking the seashore to a standard task of mowing the law-- though a day at the beach sounds nice, you don’t have to guess which of these 2 tasks I’d vote for! Even with this reduced scope, the vulnerabilities can still feel like a horde of Zombies coming to get you, and a question we keep getting is:
“What are Cisco's recommended strategies for remediation?”
We get it, because for something as complex as a VM program, with stakeholders from multiple disciplines across the organization, there is no silver bullet to remediation. Here are some of the recommended strategies you could use with Cisco Vulnerability Management.
Most severe vulnerabilities
At its core, the Cisco Vulnerability Management Platform gives you scoring which prioritizes the vulnerabilities with the highest probabilities of exploitation. To tackle the most serious of vulnerabilities, set up a risk meter with vulnerabilities greater than a certain threshold e.g. vulnerability_score:>80. This risk meter will capture all vulnerabilities that have a risk score of over 80, and as long as you have vulnerabilities to fix here, you know they are at the top of your list to get knocked out of your environment. As you fix these severe vulnerabilities, and your program becomes more mature, you can progressively reduce the threshold to catch lower severity vulnerabilities.
Celebrity vulnerabilities
Above I mentioned some of the most popular vulnerabilities in the last decade. We recommend creating risk meters from these vulnerabilities (e.g. CVE:2019:0708) to track when they show up in your environment and make sure you remediate them when they do. Furthermore, you can create a dashboard of all these celebrity vulnerability risk meters, so they are organized in one view. You know what they say, out of sight is out of mind … not like we can get these vulnerability names out of our mind .
Best Bang for your buck … aka ‘Top Fixes’
Most know this situation too well. Teams are doing a lot of excellent work, but your risk score refuses to drop, and you want to show tangible improvements to senior leadership and stakeholders. Top Fixes was created for that purpose. Where applicable, Cisco Vulnerability Managment provides up to 10 different Top Fix Groups for a risk meter/asset group, each with up to 3 fixes per group. Each fix group shows you how much risk score reduction you would achieve by applying those fixes. Applying these fix group suggestions gives you marked score reductions of your risk meters and overall risk. There are some caveats to note, however, so use Top Fixes in conjunction with other strategies. To learn more about Top Fixes and caveats, check out this article.
Exploit categories
As part of standard processing of data within Cisco Vulnerability Management, the platform categorizes vulnerabilities into buckets that directly speak to the threat and/or exploitability of a vulnerability. Popular categories are Easily Exploitable, Malware Available, and Active Internet Breach. You can set up an initiative to track down and have vulnerabilities in one or more of these categories tracked, fixed, or mitigated.
All of these strategies can be used individually, but the best remediation practice is to use them in combination with one another. There are more strategies that can be employed, but this can be a good starting point. Hopefully, these will help you feel less like you are raking the entire seashore and more like it’s just another day of mowing the front lawn.
Have you tried any of these strategies; do you have more tried and tested solutions? We would love to hear your feedback and/or success stories in the comments.