Your auditors have identified a gap where you need to start carrying out vulnerability assessments on your infrastructure and patch accordingly. Sounds easy right?
If only!
Buying a suitable tool is just a tiny part of the problem, so try to ignore the sales bit when choosing a product that fits your environment, as there's a fair bit to think about.
Considerations
1. What devices are you planning to scan?
a. Servers
b. What OS types?
c. Anything legacy?
d. Desktops & Laptops?
e. Is your workforce mobile?
f. Are servers segmented or firewalled off?
g. How do you scan through those firewalls?
h. Switches?
2. How do you plan to authenticate to those devices
3. How often do you need to scan?
4. Who’s dealing with remediation?
5. Does the solution need product updates?
6. Are you hosting anything in the cloud?
Now have a conversation with the BAU teams about patching the operating systems and applications. They’ll most likely laugh you out the door when you give a long list of things that need patching, updating, or modifying, so fingers crossed you've already built some good relationships there.
Patches can occasionally break things, and most will need a reboot. Some services can’t be rebooted for months and some need to be scheduled with the business due to the impact it can have. In fact, to provide an effective VM service takes a great deal of support from various teams, stakeholders and process driven tasks to ensure a reasonable turnaround is even possible.
Key things to look out for:
1. Automation is your friend here
a. Schedule scans
b. Schedule reports to key personnel
2. Integration with a ticketing system so new findings can be assigned to the right team(s)
3. Integration with cloud solutions
4. Asset Management – some tools will provide an excellent way to keep track of your assets, their OS ver, installed apps etc
5. Role based access controls. Ensure only the right people can access what they need
6. Scanning network ranges can provide additional useful data than just agent-based options, such as open ports, certificate info.
7. Make sure you manage your assets and categorise where possible (criticality, OS type, location etc)
So next time you read in the news about the latest vulnerability that needs patching ASAP, have a thought for the poor IT teams who are doing their upmost best to keep the lights on, because this stuff is really hard!
However, if you want to broaden your knowledge and skillsets, it’s an interesting area to learn and a critical function of any IT environment so I highly recommend getting stuck in if you get the chance.
Comments