
Supernova ZeroRisk

Technical Vulnerability Management

Technical vulnerability management is becoming more and more important for organizations because of the rising threat of cyber attacks and legal regulations such as KVKK (the Personal Data Protection Law of Türkiye), GDPR, ISO 27001 and PCI DSS. In short, technical vulnerability management is the process of detecting, evaluating, classifying, remediating and reporting security vulnerabilities.

Although technical vulnerability management is not a new concept for many organizations, the long-established and widely accepted practices, such as annual security vulnerability tests and remediation action plans, are seriously inadequate. The main reason these tests are insufficient is that new vulnerabilities can appear in the months following a test. Lowering an organization's cyber risk index requires a stable approach that allows continuous remediation and increases visibility of security vulnerabilities.

What is security vulnerability management?

Security vulnerability management and patch management are two terms that are often used interchangeably, yet they are different. Patching can disrupt an organization's operations, whereas monitoring with EDR supports management planning by adopting techniques such as a supervision mechanism.

Security vulnerability management is not merely scanning and patching. Every unit must devote effort to deciding which vulnerabilities should be handled and how they can be mitigated.

Security scans must be run periodically, and automated tools, once activated, must run continuously. Because the number of vulnerabilities keeps growing, prioritization and remediation strategies should be applied so that effort focuses on the security risks organizations actually face. In addition, SecOps and DevOps teams must take part in every vulnerability management effort so that threats are mitigated quickly and effectively.

Four Stages of Security Vulnerability Management

Identification

The first stage is to identify every security vulnerability across the entire IT ecosystem. All IT assets must be inventoried, and a scanning method suited to each asset must be selected.

The same scan cannot be applied to both the network and applications. Where application security is concerned, several application security testing (AST) tools may be used to identify vulnerabilities in proprietary code and in open-source libraries.

The differences between vulnerability scanners are an important consideration in vulnerability management, because organizations' IT ecosystems are growing larger, more complex and more interconnected, which makes scanning a challenge.

Continuous scanning lets an organization track progress on patching. New risks can then be identified from the up-to-date vulnerability data that frequent scanning produces.

Evaluation

After identification, the next step is to evaluate the risk posed by each identified vulnerability and decide how to respond. Common Vulnerability Scoring System (CVSS) scores play an important role in ranking vulnerabilities, yet there are many real-world risk factors that an organization should also evaluate.

Several additional factors that should be considered:

  • How can this vulnerability be exploited, and is a public exploit available?

  • Does the vulnerability affect the security of a product?

  • What is the effect on operations if the vulnerability is compromised?

  • Do we (as an organization) have the security controls needed to reduce the likelihood of compromise?

In addition, an organization should know whether the detected vulnerabilities are actually exploitable. Scanning techniques and tools, including a vulnerability assessment that verifies a finding, can produce unreliable results. In this sense, the most threatening vulnerabilities should be the focus.
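As an added example that is not part of the original article, the following Python snippet ranks constructed scanner findings by combining the CVSS score with the factors listed above (public exploit, verification, business impact, existing controls); the weights, the `Finding` fields and the sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding enriched with the context factors listed above.
    Identifiers and values are constructed sample data."""
    asset: str
    vuln_id: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_public: bool    # is a public exploit known for it?
    verified: bool          # confirmed exploitable by an assessment, not scanner output only
    business_impact: int    # 1 (low) to 3 (critical) effect on operations if compromised
    control_in_place: bool  # an existing control already reduces the chance of compromise

# Assumed weights: how much each factor moves a finding relative to its CVSS score.
EXPLOIT_FACTOR = 1.5
UNVERIFIED_FACTOR = 0.7
IMPACT_FACTOR = {1: 0.6, 2: 1.0, 3: 1.4}
CONTROL_FACTOR = 0.5

def priority_score(f: Finding) -> float:
    """Start from CVSS and adjust it by the real-world factors."""
    score = f.cvss
    if f.exploit_public:
        score *= EXPLOIT_FACTOR          # known exploit: treat as more urgent
    if not f.verified:
        score *= UNVERIFIED_FACTOR       # unverified scanner output is less reliable
    score *= IMPACT_FACTOR[f.business_impact]
    if f.control_in_place:
        score *= CONTROL_FACTOR          # compensating control lowers likelihood
    return round(score, 2)

def rank_findings(findings: list[Finding]) -> list[Finding]:
    """Highest priority first; the CVSS-only order is often different."""
    return sorted(findings, key=priority_score, reverse=True)

SAMPLE_FINDINGS = [  # constructed sample data, not real vulnerabilities
    Finding("web-01", "FINDING-A", 9.8, False, False, 2, True),
    Finding("web-01", "FINDING-B", 7.5, True, True, 3, False),
    Finding("db-01", "FINDING-C", 5.3, True, True, 1, False),
    Finding("db-01", "FINDING-D", 9.1, False, True, 3, False),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} on {f.asset}: CVSS {f.cvss} -> priority {priority_score(f)}")
```

With this data the CVSS 9.8 finding drops to last place because it is unverified and already covered by a control, while the verified CVSS 7.5 finding with a public exploit comes first.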

Remediation

After identification and evaluation, the next stages are prioritization and execution.

Vulnerability management solutions suggest which remediation strategy to use for each vulnerability, so an effective strategy can be agreed in collaboration between security teams and system administrators.

There are three strategies that can be applied:

  • Correction: completely preventing exploitation by patching, fixing or replacing the vulnerable code.

  • Mitigation: reducing the likelihood or impact of a vulnerability. This is a temporary measure applied only until the vulnerability is properly addressed.

  • Acceptance: accepting the finding, for instance as a false positive, without remediating it. Organizations choose this strategy only when the cost of remediation exceeds the cost of being exploited.

Once remediation is complete, a further scan can confirm whether the vulnerability has been fully resolved.

Reporting

By making vulnerability assessments routine, an organization can gather more information on the activity, speed and cost of its vulnerability management.

Many vulnerability management systems let an organization export data, such as scan data, from the vulnerability scanners so that the cybersecurity team clearly understands the security status of each asset and can identify and track trends such as a rising number of vulnerabilities or a falling remediation speed.

Consistent reporting helps meet the organization's risk management KPIs and regulatory requirements.
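As an added example that is not part of the original article, this Python snippet compares consecutive scan exports to confirm that remediated findings no longer appear (the rescan check from the Remediation stage) and derives the reporting trends mentioned here: open findings per scan and time to remediate. The export format and the sample scans are constructed assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample export: for each scan date, the set of (asset, vuln_id)
# pairs the scanner reported as open on that date.
SCANS = {
    date(2024, 1, 8): {("web-01", "V-1"), ("web-01", "V-2"), ("db-01", "V-3")},
    date(2024, 2, 5): {("web-01", "V-2"), ("db-01", "V-3"), ("db-01", "V-4")},
    date(2024, 3, 4): {("db-01", "V-4"), ("web-02", "V-5")},
}

def scan_delta(before: set, after: set) -> dict:
    """Compare two consecutive scans. A finding in 'fixed' passed the rescan
    check; 'new' findings appeared since the last scan; 'open' persisted."""
    return {"fixed": before - after, "new": after - before, "open": before & after}

def remediation_metrics(scans: dict) -> dict:
    """Derive trend data from the export: open findings per scan, average days
    from first detection to the scan that no longer reports the finding, and
    age of the oldest still-open finding. Closure is only known at scan
    granularity, so more frequent scans give more accurate figures."""
    dates = sorted(scans)
    first_seen: dict = {}
    closed_days: list = []
    open_per_scan: list = []
    for i, d in enumerate(dates):
        for key in scans[d]:
            first_seen.setdefault(key, d)   # a reappearing finding keeps its first date
        open_per_scan.append((d.isoformat(), len(scans[d])))
        if i > 0:
            for key in scan_delta(scans[dates[i - 1]], scans[d])["fixed"]:
                closed_days.append((d - first_seen[key]).days)
    still_open = [(dates[-1] - first_seen[k]).days for k in scans[dates[-1]]]
    return {
        "open_per_scan": open_per_scan,
        "mean_days_to_remediate": mean(closed_days) if closed_days else None,
        "oldest_open_days": max(still_open, default=0),
    }

if __name__ == "__main__":
    print(remediation_metrics(SCANS))
```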
