By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) third control for implementing a cybersecurity program is to practice continuous vulnerability management. Organizations that identify and remediate vulnerabilities on an on-going basis will significantly reduce the window of opportunity for attackers. This third control assumes you’ve implemented the first two CIS framework controls — understanding both the hardware that makes up your infrastructure and the software that runs on that infrastructure.

The first two controls are important to your vulnerability management program. When you know what hardware assets you have, you can validate that you’re scanning all of them for vulnerabilities. As you update your IT inventory, you can include new assets in the scanning cycle and remove assets that no longer need to be scanned. And, when you know what software run on your infrastructure, you can understand which assets are more important. An asset’s importance is key to identifying what should be remediated first.

Most vulnerability scanning platforms allow you to rank the importance of systems being scanned. They prioritize vulnerabilities by applying the CVSS (Common Vulnerability Scoring System) score for each vulnerability on an asset and couple it with the asset’s importance to develop a risk score.

The dimension missing from this risk scoring process is understanding if attackers can reach the asset to compromise it. Although you are remediating vulnerabilities, you can still be vulnerable to attacks if what you’re remediating isn’t accessible by an attacker. It may be protected by firewalls and other network security measures. Knowledge of the network security controls already deployed would allow the vulnerability management program to improve its prioritization efforts to focus on high value assets with exposed vulnerabilities that can be reached from an attacker’s location.

Other vulnerability scanning and risk rating platforms use threat management data to augment their vulnerability risk scoring process. While threat management data (exploits actively in use across the world) adds value, it doesn’t incorporate the network accessibility dimension into evaluating that risk.

As you work to improve your vulnerability management program, it’s best to use all the information available to focus remediation efforts. Beyond CVSS scores, the following elements can improve most programs:

• Information from network teams on new and removed subnets (IP address spaces) to make sure that all areas of the infrastructure are being scanned.
• Information from systems teams on which systems are most important to your organization.
• Including network information in the risk scoring process to determine if these systems are open to compromise.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for meeting your vulnerability management goals by providing network context to existing vulnerability scanning information. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your program using the CIS Controls.