In this 4th installment of The Vulnerability and Exposure Management Survival Guide series, we discuss how to improve security communications so that it better supports our goals. Communication of vulnerabilities and exposures must be effective in order to enable timely mitigation, remediation, and risk reduction. Communications to stakeholders must be timely, frequent, and concise to ensure it is understood and acted upon. When communication is effective, security teams and stakeholders are more aligned, informed, and can work together to reduce risk to the organization.

Map Exposures to Apps, Not Assets

Typically, within vulnerability and exposure management functions, we communicate exposures to the individual asset or system owners. This is solid practice and can be an effective way to communicate findings, but there is an even better way. Many organizations have tens of thousands of servers, workstations, containers, cloud hosts, databases, and so on. Generally, these assets exist to support applications within the environment, and the number of apps an organization maintains is usually far smaller than its total asset count. So why aren't we communicating vulnerabilities to application owners?

Key Insight:

By communicating vulnerabilities directly to application owners instead of individual asset owners, you can enhance the completeness and accuracy of your communications, making it easier to prioritize and remediate risks effectively.

Are application owners not ultimately responsible for the assets that comprise an application? Are we not already communicating application security findings to the app owners? We should be, and the same goes for vulnerabilities and exposures. It's a numbers game: I have fewer applications than I have assets, so the data we hold on app owners is far more likely to be accurate and complete. This all presupposes that you are mapping your assets to the applications they support. If you're not doing that as part of a comprehensive asset and IT security management strategy, I implore you to consider getting started; it is a core dependency for far more than cybersecurity. If we do have assets mapped to applications, let's make life easier for the app owners and for us. First, we must ensure these app owners are identified as the control owner within our GRC (Governance, Risk, and Compliance) system. Once that has been established, we should compile vulnerabilities and exposures by the assets that make up each application. If possible, let's also include associated application security vulnerabilities, misconfigurations, and any other findings which require mitigation or remediation.

This allows our application owners to be better informed about all the risks posed to their app and to prioritize accordingly. My goal has always been to maximize risk reduction in relation to the time spent by stakeholders addressing security-related findings and remediation activities. If we have an infrastructure vulnerability, a vulnerability affecting a web app, and a misconfiguration on an operating system, shouldn’t we encourage app owners to focus on the one that poses the highest risk first? I say yes.

Tangential benefits of this approach include the ability to gamify the resolution of findings by app owners. Who is best at prioritizing and responding to security findings on their application? When that information is shared with leadership, you will be amazed at the level of competition among our otherwise unmotivated app owners.

If you’re not doing this today, I hope I’ve persuaded you to give it a shot. That is unless you like more work and sending more communications!

Effective and efficient communication can help ensure the success of a vulnerability management program. Not only does it help establish buy-in, but it also helps influence behavior.

Source: SANS Vulnerability Management Survey 2022

Don’t Overload Your Stakeholders with Security Data

Let's start this with an analogy. Many of us check the weather every day, but we generally aren't looking at all the available metrics. Do you know the barometric pressure where you are today? How about the dew point or the UV index? Likely not. We do, however, often look at the metrics most pertinent to our decisions for the day, like temperature, precipitation, and maybe humidity or wind speed. These all inform the decisions we make on a daily basis. Do I wear shorts or pants? Do I need an umbrella? Do I need to account for wind in my golf swing? We value quick and meaningful insights.

This concept applies similarly to how our stakeholders want to consume security information. They don't care about the threat actor targeting an exploitable vulnerability, or even the attack vector involved. They do care about the steps they need to take to address the finding and get on with their day. So, let's give the people what they want. In my experience, this increases the timeliness of stakeholder responses because they know quickly what is expected of them. If they have 10 minutes before a meeting and know they need to submit a change request for a patch, they may just sneak it in. But if you're giving them all the associated security data and telemetry to sift through, they may wait until they have dedicated time or just put it off indefinitely.

Key Insight:

By overwhelming stakeholders with excessive security details, you're inadvertently causing delays and increasing vulnerability reopen rates — simplify your communications to provide clear, actionable steps for effective remediation.

Is our objective to make them security experts, or just to get them to address the findings? If it's the former, good luck and godspeed. But if it's the latter, focus on simplifying the information provided. That being said, the full detail is still necessary for security teams to have and understand.

Balancing the information needs of security teams and their stakeholders is no easy task. However, you can help them out by communicating a vulnerability's details in a way that distills it down to the most critical data points they need to consider as part of the response.

For instance, if you include the affected asset, the threat actor, vulnerability age, assessed risk, and remediation steps in your communications, that may be just enough for them to understand and act upon. I am not asking you to take my word on this. Go sample a few stakeholders and ask them what information they need. Before I conclude, I should point out that in small organizations, the individual who performs remediation may also be the same person performing vulnerability scans. If that is you or your organization, go ahead and disregard anything I've said here.
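As an added illustration of the two points above (grouping findings by application owner rather than asset owner, and sending only the distilled fields), here is a small Python script that is not from the original post; the asset inventory, GRC owner list and findings are constructed sample data, and unmapped assets are surfaced rather than silently dropped.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the original post).
# Asset-to-application mapping, as an asset inventory / CMDB would hold it.
ASSET_TO_APP = {"web-01": "Payments", "db-01": "Payments", "hr-app-01": "HR Portal"}

# Application owners recorded as control owners in the GRC system.
APP_OWNERS = {"Payments": "alice@example.com", "HR Portal": "bob@example.com"}

# Findings from different tools: infrastructure scan, web app scan, config audit.
FINDINGS = [
    {"asset": "web-01", "title": "Outdated TLS library", "source": "infra", "risk": 7.5,
     "first_seen": date(2024, 1, 10), "fix": "Apply vendor patch via change request"},
    {"asset": "web-01", "title": "Reflected XSS in search", "source": "appsec", "risk": 8.8,
     "first_seen": date(2024, 2, 1), "fix": "Encode output in search results"},
    {"asset": "db-01", "title": "Weak SSH ciphers enabled", "source": "config", "risk": 4.0,
     "first_seen": date(2023, 11, 5), "fix": "Harden sshd_config per baseline"},
    {"asset": "hr-app-01", "title": "Missing OS patch", "source": "infra", "risk": 6.1,
     "first_seen": date(2024, 3, 1), "fix": "Install monthly OS updates"},
]
TODAY = date(2024, 4, 1)  # constructed reporting date


def digest_by_app(findings, asset_to_app, app_owners, today):
    """Group findings by application, highest risk first.

    Returns {app: (owner, [rows])}. Each row carries only the distilled fields:
    asset, title, risk, age in days and the remediation step. Findings on assets
    with no application mapping land under 'UNMAPPED' so the gap is visible."""
    grouped = defaultdict(list)
    for f in findings:
        app = asset_to_app.get(f["asset"], "UNMAPPED")
        grouped[app].append({"asset": f["asset"], "title": f["title"], "risk": f["risk"],
                             "age_days": (today - f["first_seen"]).days, "fix": f["fix"]})
    digest = {}
    for app, rows in grouped.items():
        rows.sort(key=lambda r: r["risk"], reverse=True)  # highest risk first
        digest[app] = (app_owners.get(app, "unassigned"), rows)
    return digest


def render(digest):
    """One concise block per application owner, ready to paste into a ticket or email."""
    lines = []
    for app, (owner, rows) in sorted(digest.items()):
        lines.append(f"{app} (owner: {owner}) - {len(rows)} open finding(s), highest risk first")
        for r in rows:
            lines.append(f"  [{r['risk']:.1f}] {r['title']} on {r['asset']} "
                         f"({r['age_days']}d old) -> {r['fix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(digest_by_app(FINDINGS, ASSET_TO_APP, APP_OWNERS, TODAY)))
```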

18% of security practitioners admitted that communication was one of the least enjoyable parts of their job. Their frustration stems from the need to simplify and convey complex information to stakeholders less familiar with security, while also managing an overwhelming amount of data from multiple technologies.

Source: Tines' 2023 “Voice of the SOC” report

Conclusion

Striking the right communications balance for clarity, depth, and brevity is key to a successful vulnerability and exposure management program. The goal is not to make your stakeholders security experts, but to give them just the right level of detail needed so that they can take action on what will deliver the greatest benefit to the organization. In the next installment of our blog series, we will explore Strategies for Improving Mitigation and Remediation.

To discuss your exposure management program, and how Zafran might help you sharpen the focus on the vulnerabilities most likely to be exploited, click Get A Demo to connect with an expert.

Who is Nate Rollings?

Nate is an accomplished cybersecurity leader with more than 15 years of experience at Fortune 500 companies. He is a subject matter expert well versed in building high-functioning vulnerability and exposure management programs. Nate is a respected voice in the cybersecurity community, and currently serves as Zafran’s Field CISO.