Form a Vulnerability Management Team
Vulnerability Management Team Responsibilities
Organizations at this level should have a Vulnerability Management Team with the following responsibilities:
- Tracking latest vulnerabilities
- Generating advisories for the development teams
- Alerting and Escalating when critical vulnerabilities arise
- Leading / Coordinating the remediation efforts for critical vulnerabilities
- Defining the criteria that the organization will use to classify the severity of the vulnerabilities (CVSS, EPSS, SSVC, VPR)
- Defining security expectations: creating a definition of how, and within what timeframe, vulnerabilities of a given severity must be fixed.
- Getting agreements/commitment from the DevOps teams on SLAs for fixing vulnerabilities (or enforcing it top down with agreement from the CISO and CIO)
- Measuring remediation times for vulnerabilities
- Providing visibility to the different teams of the vulnerabilities associated with their workloads
When to Auto-Fix or Escalate
There should be a process in place to correct deviations. While this process will be different for organizations in different industries, here are some sample definitions that could help you define your process:
- [For Critical vulnerabilities in non-prod OS] If the patch is not applied within X time, auto-apply it.
- [For Critical vulnerabilities in prod OS] If the patch is not applied within X time, escalate.
- [For High vulnerabilities in non-prod env] If the patch is not applied within Y time, auto-apply it.
- [For High or Critical vulnerabilities in code] If not corrected within X hours, contact the Security Guardian for that team. If not resolved within the day, escalate.
Providing each team with visibility of their vulnerabilities in dashboards, plus aggregated dashboards of vulnerabilities per manager / director, will also help them stay engaged in resolving vulnerabilities.
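As an added example (not part of the original document), the sample deviation rules above expressed as a small triage function: each aging finding is mapped to wait, auto-apply, contact-guardian or escalate. The X/Y thresholds, the hour values, and the sample findings are all assumptions constructed for the example, since the text leaves X and Y for each organization to define.

```python
from dataclasses import dataclass

# Placeholder thresholds in hours (assumed values; the page leaves X and Y open)
X_HOURS = 72              # "X time" for Critical OS patches
Y_HOURS = 168             # "Y time" for High vulnerabilities in non-prod
CODE_X_HOURS = 8          # "X hours" before contacting the Security Guardian
CODE_ESCALATE_HOURS = 24  # "not resolved in the day" -> escalate


@dataclass
class Finding:
    id: str
    severity: str      # "critical" | "high" | "medium" | "low"
    kind: str          # "os" (OS/package patch) | "code" (application code)
    env: str           # "prod" | "nonprod"
    age_hours: float   # hours since the finding was first reported
    team: str          # owning DevOps team, used to route to its Security Guardian


def decide(f: Finding) -> str:
    """Return the action the sample rules prescribe for one aging finding."""
    sev = f.severity.lower()
    if f.kind == "code" and sev in ("critical", "high"):
        if f.age_hours >= CODE_ESCALATE_HOURS:
            return "escalate"
        if f.age_hours >= CODE_X_HOURS:
            return f"contact-security-guardian:{f.team}"
        return "wait"
    if f.kind == "os" and sev == "critical":
        if f.age_hours >= X_HOURS:
            # prod: a human decides; non-prod: the patch is applied automatically
            return "escalate" if f.env == "prod" else "auto-apply"
        return "wait"
    if sev == "high" and f.env == "nonprod":
        return "auto-apply" if f.age_hours >= Y_HOURS else "wait"
    return "track"  # no auto-fix/escalation rule defined for this class


def triage(findings):
    """Map finding id -> action, e.g. for a per-team dashboard or alert job."""
    return {f.id: decide(f) for f in findings}


SAMPLE = [  # constructed findings, not real data
    Finding("F-1", "critical", "os", "nonprod", 80, "payments"),
    Finding("F-2", "critical", "os", "prod", 80, "payments"),
    Finding("F-3", "high", "os", "nonprod", 200, "search"),
    Finding("F-4", "high", "code", "prod", 9, "search"),
    Finding("F-5", "critical", "code", "prod", 30, "search"),
    Finding("F-6", "medium", "os", "prod", 500, "search"),
]

if __name__ == "__main__":
    for fid, action in triage(SAMPLE).items():
        print(fid, action)
```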
Risk Mitigation
- Most large-scale vulnerability exploitation occurs days or weeks after the vulnerability became known, and it still mostly succeeds because organizations often lack good vulnerability management teams, processes and tools.
- Patching every vulnerability immediately is impossible at scale, yet the risk of not patching is too great. It is therefore critical to have definitions and processes that ensure vulnerabilities are patched according to how severe they are and how likely they are to be exploited.
- Most development teams are not security experts, or do not have the time to prioritize secure coding practices.
Guidance for assessments
- Do you have a team dedicated to the tasks explained above?
- What are the responsibilities of that team?
- Do you have defined processes for fixing vulnerabilities?
- Do you have auto-fix or escalations configured for aging vulnerabilities?