Looking in the rear view mirror from the Spring of 2004, the InfoSec World Conference in Orlando FL was on the calendar.
Our flight from Washington, DC provided just enough time to plan out the sequence of sessions and events to attend in order to explore any new innovations.
At that point, we were now only in our first decade of our "Information Security" evolution.
"Before “The Cloud”. Before IT standards could truly grasp the spectrum of sophisticated exploits, that were soon to be developed by other Nation States."
The guidelines and metrics developed that year by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys.
The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities:
>>Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.
>>Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.
>> Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.
>>Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.
The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program.
"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."
Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:
1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower category assets can be scanned less frequently as the work plans to patch will also be less frequent.
2. Integrate: To improve effectiveness of various security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate with vulnerability management technologies. Best practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.
3. Measure: Enterprises need to measure their networks against the half-life curve and persistence curves of vulnerabilities. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that extend past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.
4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
Soon after the business trip to this InfoSec World event, the notes written then can still provide us additional vital context, as we commercialize our travel to Space.
They give us some basis for how over two decades later, the best practices are still very much the same.
Except for this.
Today, "Vulnerability Management" now has the Cloud, Quantum and more powerful AI…