Lessons Learned: Vulnerability Management Policy
The COVID-19 pandemic has created a need for security teams to make sudden adjustments to many of their processes. This article focuses on vulnerability and patch management processes specifically, and discusses how companies can ensure that these programs keep their digital environments and assets secure while dealing with a larger than ever remote workforce.
WFH Challenges and Opportunities
First, let’s look at both the vulnerability management challenges and the opportunities raised by the WFH paradigm. Those challenges and opportunities can be divided into two main layers:
- The production systems and services at the core of a company’s IT environment
- The user edge devices, or endpoints, being used to access those production systems and data centers by employees working remotely
Production Systems and Services
The main vulnerability management challenges for core services and systems in a WFH scenario are:
- Patching coordination is harder. Patching always requires a high level of coordination across multiple teams (development, operations, security, business units, and so on). This coordination is even harder to achieve when all of these teams are, themselves, working remotely.
- 99.99% uptime is required. Every disruption to production systems and services undermines business continuity and productivity, including scheduled downtime for patching. Identifying patching windows becomes close to impossible when significant numbers of employees are working from home.
- Patch verification/rollback is not an option. Patching teams often rely on console access to user machines in order to verify that the patch is proceeding as planned—and to rollback if anything goes wrong. This option is no longer feasible when there are so many diverse user endpoints that connect to the data center across highly distributed geographies.
However, because some platforms, products, and systems are used less frequently when employees are working from home, the WFH scenario presents key vulnerability management opportunities, including:
- More flexible patch windows for remediating vulnerabilities. Vulnerabilities that, for example, sit on the office LAN can be dealt with at this time.
- The ability to perform major system upgrades. These would otherwise highly disrupt ongoing business activities.
The plethora of user endpoints in a WFH scenario is a challenge in and of itself. The vulnerability management team is suddenly faced with scanning and patching devices that use a wide range of OSs and versions and are not configured uniformly. They also have less visibility into these remote devices than into the official office-bound machines.
These user endpoints create the following vulnerability management challenges:
- Scheduling. Scan and patch schedules need to be adapted to the WFH reality, and they need to be conducted at relevant times.
- Connectivity. The home networks that the user endpoints connect to can have connectivity issues in general and VPN issues in particular. Network disruptions can interfere with scanning and patching.
- New vulnerability priorities. Threats that are critical to the remote workforce must become the focus of vulnerability management. For example, a bug in a recent version (13.4) of Apple iOS threatens the privacy of VPN connections. This kind of vulnerability must be given high priority in the WFH scenario.
- Laptop unavailability. Unlike the docking stations used in the office environment, laptops used at home are typically open when the employee is working and closed when they are not. This intermittent availability makes it hard to find suitable scan windows and even harder to find fix windows.
On the positive side, WFH scenarios present these endpoint opportunities:
- “House cleaning.” During these times, vulnerability management teams have clear mandates to enforce better and more frequent scanning and patching schedules in order to mitigate the risks posed by unpatched, vulnerable devices.
- Implementation of endpoint-driven compensating controls. EDRs and VPNs can enforce hygiene on unpatched platforms by, for example, blacklisting vulnerable applications or blocking network access for unpatched PCs.
How to Win the Vulnerability Management Game in a Time of Remote Work
This section provides best practices that can help you close the vulnerability management gaps created by a sudden increase in employees working from home.
Rebuild Scanning Effectively
Your regular scanning schedules will be disrupted by altered work patterns. Here’s how you can rebuild your scanning processes:
- For remote user workstations: Plan to scan when users’ machines are on but not necessarily being used, such as during lunch time. Make sure to let employees know that they need to leave their laptops open when scans are scheduled.
- For production systems and data centers: Shift the scans to times when they are being accessed less frequently by the WFH workforce.
- Choose your battles. In some cases, scanning compromises will have to be made. In other cases, you’ll need to be more aggressive than usual with your scans. Identify the most critical applications and employees, and scan them more frequently than others.
Operations teams are likely to be even more stretched than usual right now, and they are less available for vulnerability management tasks. It’s essential to identify and manage the most critical vulnerabilities in your network based on the realities of this unique time. In order to do so, you’ll need to keep the following principles in mind:
- Prioritize remediation of the most relevant vulnerabilities, and perform a thorough house cleaning ASAP. Your focus needs to be on vulnerabilities related to VPNs, RCEs, and anything else that can directly harm the remote workforce. For more information, check out our blog post on improving enterprise VPN security.
- For production systems: Given the increase in pressure on production systems, focus on vulnerabilities that can harm availability, such as DDoS exploits.
- Prioritize patches. In order to maintain vulnerability management levels in the face of fewer resources, it is important to prioritize tasks based not only on risk criteria but also on the most effective patches to apply. For example, identify patches that can resolve multiple vulnerabilities in a single patching process.
It is important to use all the remediation ammunition in your storehouse—not just patching. Listed below are some additional strategies.
- Remember that configuration changes and compensating controls are your best friends. Because patching will not be easy for the foreseeable future, use configuration changes and compensating controls whenever and wherever possible. In many cases, a small configuration change or the shutting down of a non-essential service or port can be as effective as a patch.
- Focus on the base infrastructure. Run frequent scans and updates on all assets that can have massive impacts on production, such as AMIs, Docker images, and infrastructure-as-code templates.
- Customize patching schedules. As with scanning schedules, your patching schedules should be built around users’ availability patterns.
Manage and Orchestrate the Process
One of the biggest challenges at this time is mobilizing the workforce that is actually executing the remediation efforts. Keep the following guidelines in mind while supervising your vulnerability management staff:
- Build task forces. For the most critical vulnerabilities, you must assemble a dedicated task force that will focus solely on remediating those threats.
- Say goodbye to Excel sheets. Choose a single collaboration platform for the different tasks forces, and work only through that platform.
- Establish clear KPIs. Provide all of the task forces with one clear and systematic KPI, and optimize the vulnerability remediation process to that KPI. Some examples of metrics that are particularly relevant to monitor around WFH critical systems are: risk reduction, scan coverage, type of scan (not-auth, auth, and agent-based versus nothing), and the extent to which SLAs are being met.
The COVID-19 pandemic has created many new normals, including a massive shift from employees working in centralized offices to employees working from home. It’s put a lot of pressure on IT teams to provide reliable and secure connectivity to core production systems and services from a vast array of end user devices. It is crucial that vulnerability management and remediation processes be quickly adapted to this new reality. Scanning and patching schedules have to be optimized. Vulnerabilities must be carefully prioritized based on a risk assessment that is focused on the specific organization’s environment and policies. Remediation activities should include measures other than patching and, and they must be carefully orchestrated and managed.
The Vulcan vulnerability remediation platform has demonstrated its value during “normal” times for helping enterprises build and execute a risk-focused and effective vulnerability management program. During these unusual times, we urge everyone to stay safe and healthy—and we are available to discuss how our platform may be able to help your company safely weather this crisis.