I recently blogged about how – and why – organizations need to bring business context to their incident response through an integration between their SIEM and security policy management solution. We looked at the value that this approach brings in helping to prioritize the most appropriate responses to security incidents. But what about assessing your network’s security vulnerabilities from the same business perspective, before an incident happens? With Verizon reporting last year that 85% of data breaches originate from known vulnerabilities, not to mention the recent WannaCry ransomware attack, this security strategy is arguably more important than ever before.
Current approaches to vulnerability management
Today, most organizations approach their vulnerability management by relying on the reports generated by their vulnerability scanners. Typically, these scanners provide a lot of technical information on each vulnerability, organized by the server ID (typically the server’s IP address or DNS name). Enterprise vulnerability scanners also allow you to drill down to get more detailed information, such as the CVSS (Common Vulnerability Scoring System) score, and how each vulnerability could be exploited. Furthermore, they will often provide information on how to remediate the vulnerability, for example by upgrading the server or patching software.
But with the average vulnerability scanner unearthing more risks than any IT department could realistically address in reasonable time, there is a crucial need to prioritize. And in order to do that properly, there’s one critical component currently missing from the conversation: the business application.
Tying vulnerabilities to business applications
The conventional approach to vulnerability management neglects the fact that not only is the server at risk but, more importantly, so is any application that relies on the server. For example, while a vulnerability report may identify two servers as having the same level of risk, these two servers could be supporting very different applications: one application may carry sensitive regulated data while the other may not; or conversely, one application may be business critical and may only be maintained during brief controlled intervals, while the other may allow a multi-hour maintenance downtime. So, for a more accurate picture of business risk you need to link each vulnerability to the business application affected, in addition to the server it was found on.
And once vulnerabilities are tied to business applications, the various stakeholders can quickly and easily weigh up the options and timing of remediation efforts, balancing the potential business risk of a security incident against the impact on business productivity of the downtime needed to fix the problem.
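To make the two-servers-same-score scenario concrete, here is an added example (not AlgoSec's code, and not its scoring formula) that joins scanner findings to an application inventory by server ID and ranks them by business context; the weights, host addresses, placeholder vulnerability IDs and application records are all constructed assumptions.

```python
# Added example (not AlgoSec's code): rank scanner findings by the business
# context of the applications that depend on each server, not by CVSS alone.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str      # server ID as the scanner reports it (IP address or DNS name)
    vuln_id: str   # scanner's vulnerability identifier (placeholder values below)
    cvss: float    # CVSS base score, 0.0 to 10.0

@dataclass(frozen=True)
class BusinessApp:
    name: str
    hosts: frozenset          # servers the application relies on
    regulated_data: bool      # carries sensitive regulated data
    business_critical: bool   # only maintained during brief controlled intervals
    maintenance_hours: float  # length of the permitted maintenance window

def business_risk(finding, app):
    """Scale the technical score by business impact; weights are illustrative assumptions."""
    weight = 1.0 + (1.0 if app.regulated_data else 0.0) + (0.5 if app.business_critical else 0.0)
    return round(finding.cvss * weight, 2)

def prioritize(findings, apps):
    """Join findings to applications by host and sort by business risk, descending.
    Hosts that map to no application are kept and flagged rather than silently dropped."""
    by_host = {}
    for app in apps:
        for host in app.hosts:
            by_host.setdefault(host, []).append(app)
    rows = []
    for f in findings:
        for app in by_host.get(f.host, []):
            rows.append({"host": f.host, "vuln": f.vuln_id, "cvss": f.cvss, "app": app.name,
                         "risk": business_risk(f, app), "window_h": app.maintenance_hours})
        if f.host not in by_host:
            rows.append({"host": f.host, "vuln": f.vuln_id, "cvss": f.cvss, "app": None,
                         "risk": f.cvss, "window_h": None})
    return sorted(rows, key=lambda r: (-r["risk"], -r["cvss"]))

# Constructed sample: two servers with the same scanner score, plus one host no app claims.
SAMPLE_FINDINGS = [Finding("10.0.1.10", "VULN-PLACEHOLDER-1", 7.5),
                   Finding("10.0.1.20", "VULN-PLACEHOLDER-1", 7.5),
                   Finding("10.0.9.99", "VULN-PLACEHOLDER-2", 5.0)]
SAMPLE_APPS = [BusinessApp("Payroll", frozenset({"10.0.1.10"}), True, True, 1.0),
               BusinessApp("Intranet wiki", frozenset({"10.0.1.20"}), False, False, 4.0)]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_APPS):
        print(row)
```

The unmapped host surfaces with `app` set to `None`: an inventory gap is itself a finding worth chasing, since a server nobody claims cannot be scheduled for a maintenance window.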
Presenting vulnerabilities in the context of business processes, and involving all relevant business, security and network stakeholders, helps align security with business strategy and turns vulnerability management into a valuable, strategic business asset.
AlgoSec has enhanced this capability in version 6.11 of its Security Management solution, released last month, adding support for additional vulnerability scanners. To find out more about What’s New in AlgoSec 6.11 please see here.