UPDATED 15:26 EDT / MAY 13 2014

How to communicate IT risk to the business

Managing risk is an essential component of any successful security program. But with the deluge of vulnerabilities discovered on a regular basis, it is a never-ending, uphill battle to mitigate all of the risk within an enterprise network or data center.

Ironically, some organizations even shy away from scanning or patching critical data center applications and servers because they are afraid of disrupting the business. While security teams must minimize risks to the business, remediation can’t come at the expense of stifling the business.

According to a study conducted by the Ponemon Institute, “The State of Risk-Based Security Management,” 59 percent of the 1,320 IT and security professionals surveyed believed that security metrics information is too technical to be understood by non-technical management. This is the crux of the problem – security and management don’t speak the same language and thus can’t efficiently and effectively find the proper balance between risk mitigation and business productivity. To get the best of both worlds – improved security and agility – organizations need to consider alternative approaches to vulnerability management and change the way management views security.

Here are the vulnerability management approaches in practice today, with thoughts on each:

Determine Severity

One common approach to vulnerability management has organizations identify the most crucial vulnerabilities based on CVSS score and fix them immediately. This approach can be problematic because it looks at vulnerabilities in a vacuum. Think about it – no two environments are alike. What appears to be a severe risk in one environment may have far less impact in another. Should you rush to fix a critical vulnerability on a non-mission-critical server that houses non-critical data?

These are the types of questions you should consider when determining the criticality of a vulnerability.

Predict Threat Paths

The second approach to vulnerability management is to try to determine which vulnerabilities an attacker could chain together to make the multiple “hops” required to reach a critical asset. This approach requires a lot of overhead, and the result is often disconnected both from how attacks are actually conducted and from what business stakeholders value most. According to a recent market analysis by the Ogren Group, “organizations reduce the risk of disclosure events by assuming critical resources are exposed to all threats, regardless of threat paths or how many hops an attack must take before finding a vulnerable resource.”

Tag Multiple Assets

Another approach is to tag assets and associate each with a line of business. This tends to work well in a static environment, but what network or data center today doesn’t see a steady stream of changes from the business? Change throws this concept out of whack, because new servers are often provisioned by someone outside the security team, and that person is typically not someone who understands the business impact. The result is new servers that are never tagged to their business line, which makes the asset tagging data unreliable.

View Risks in Context of Business Applications

The last best-practice approach to vulnerability management is to look at vulnerabilities from the business perspective. What do I mean by this? Data centers today are composed of hundreds to thousands of complex business applications that must work properly for the business to run optimally. These range from commercial off-the-shelf applications such as SAP and SharePoint to homegrown applications performing custom business logic. When risk is viewed at the business application level, vulnerability information is aggregated across the entire application, including all of its underlying servers and databases, and is continuously updated as the environment changes. This enables security to communicate effectively with business owners and lets them be accountable for “owning the risk.”
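As an added illustration (not code from the article or from AlgoSec), the following Python script ranks one constructed set of scanner findings two ways: by raw CVSS score, as in the severity-first approach above, and rolled up to the business applications the hosts belong to, with hosts that were never tagged reported separately rather than silently dropped. Every host name, application, criticality value and the criticality weighting are assumptions made for the example, and the VULN-nnn identifiers are placeholders, not real advisories.

```python
"""Added illustration, not code from the article: compare ranking findings
by raw CVSS with ranking them in the context of the business application
they belong to. All inventory and finding data below is constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Vulnerability:
    host: str
    vuln_id: str   # placeholder identifiers, not real advisories
    cvss: float    # CVSS base score, 0.0 to 10.0


@dataclass(frozen=True)
class Application:
    name: str
    criticality: int        # 1 (low) to 5 (mission critical), set by the business owner
    hosts: Tuple[str, ...]  # servers and databases that make up the application


# Constructed sample inventory: an SAP-style ERP system and an internal wiki.
APPLICATIONS = (
    Application("ERP", 5, ("erp-web-01", "erp-db-01")),
    Application("Intranet wiki", 2, ("wiki-01",)),
)

# Constructed scanner findings. build-tmp-07 was provisioned after the last
# tagging pass and belongs to no application (the tagging failure mode above).
FINDINGS = [
    Vulnerability("wiki-01", "VULN-001", 9.8),
    Vulnerability("build-tmp-07", "VULN-004", 8.2),
    Vulnerability("erp-db-01", "VULN-002", 7.5),
    Vulnerability("erp-web-01", "VULN-003", 6.1),
]


def rank_by_cvss(findings):
    """The 'determine severity' approach: highest CVSS first, no context."""
    return sorted(findings, key=lambda v: v.cvss, reverse=True)


def application_for(host: str, apps) -> Optional[Application]:
    """Resolve a host to the application that owns it, or None if untagged."""
    for app in apps:
        if host in app.hosts:
            return app
    return None


def contextual_score(vuln: Vulnerability, app: Application) -> float:
    """Weight CVSS by business criticality (1..5 scaled to 0.2..1.0).
    This weighting is an assumption of the example, not a published standard."""
    return round(vuln.cvss * app.criticality / 5, 2)


def aggregate_by_application(findings, apps):
    """Roll findings up to the application level so a business owner sees one
    number per application. Untagged hosts are reported, never dropped."""
    report = {app.name: {"criticality": app.criticality, "findings": [],
                         "max_cvss": 0.0, "contextual_max": 0.0} for app in apps}
    report["UNTAGGED"] = {"hosts": [], "findings": []}
    for vuln in findings:
        app = application_for(vuln.host, apps)
        if app is None:
            if vuln.host not in report["UNTAGGED"]["hosts"]:
                report["UNTAGGED"]["hosts"].append(vuln.host)
            report["UNTAGGED"]["findings"].append(vuln.vuln_id)
            continue
        entry = report[app.name]
        entry["findings"].append(vuln.vuln_id)
        entry["max_cvss"] = max(entry["max_cvss"], vuln.cvss)
        entry["contextual_max"] = max(entry["contextual_max"], contextual_score(vuln, app))
    return report


def rank_applications(report):
    """Applications ordered by their worst contextual score, highest first."""
    names = [n for n in report if n != "UNTAGGED"]
    return sorted(names, key=lambda n: report[n]["contextual_max"], reverse=True)


if __name__ == "__main__":
    print("By CVSS alone:", [v.vuln_id for v in rank_by_cvss(FINDINGS)])
    report = aggregate_by_application(FINDINGS, APPLICATIONS)
    for name in rank_applications(report):
        entry = report[name]
        print(f"{name}: worst contextual score {entry['contextual_max']} "
              f"(max CVSS {entry['max_cvss']}, {len(entry['findings'])} findings)")
    print("Untagged hosts needing an owner:", report["UNTAGGED"]["hosts"])
```

Run as-is, the CVSS-only list puts the wiki finding first and the untagged build host second, while the application view puts ERP ahead of the wiki and surfaces build-tmp-07 as a host that needs an owner before its risk can be assigned to anyone. The per-application entry (criticality, worst score, finding count) is the kind of summary a business owner can act on without reading scanner output.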

Shifting your vulnerability management program to an application-centric approach elevates security up the chain. Security is not just a technical issue to be managed in bits and bytes – it is a core business issue with a direct impact on the bottom line.

About the Author

Sam Erdheim is senior security strategist at security policy management company, AlgoSec, and has more than a decade of product management and marketing experience in the IT software space, from email archiving to information security.
