Vulnerability Management in Government: Visibility Plus Context
Vulnerability management is an essential part of government cybersecurity. It requires not only continuous monitoring and visibility to spot vulnerabilities, but also the context needed to prioritize vulnerabilities based on risk so agencies can take effective action to eliminate, patch or mitigate.
Successful coaches know that a winning team must be able to execute on the fundamentals. The same holds true for government cybersecurity. The best talent and technology by themselves cannot ensure the security of an agency’s enterprise without a focus on the basics.
Vulnerability management is fundamental to government cybersecurity
Vulnerability management is fundamental to government cybersecurity. It is essential to good cybersecurity hygiene and a basic element of your agency’s risk management. It requires not only that you identify vulnerabilities, but also prioritize them so that they can be effectively eliminated, patched or mitigated. This requires not only visibility, but also context. Tenable, already the most widely deployed security solution for discovering what and who is on your network, can also provide the context and communication you need for fully effective vulnerability management.
Risk
According to the latest 2016 Data Breach Investigations Report from Verizon, the median time to exploit a newly identified vulnerability is about 30 days, and the top 10 vulnerabilities account for about 85 percent of successful exploits. This provides agencies with a reasonable window to patch or mitigate the most troublesome vulnerabilities in their systems. But there are another 900 Common Vulnerabilities and Exposures (CVE) that are being targeted by the remaining 15 percent of exploits.
Add to this the fact that your networks are dynamic, with new hardware and software continually coming online and increasingly mobile users accessing your resources remotely, and it becomes clear that managing vulnerabilities must be a continuous process.
A vulnerability management program can’t be effective if it manages only some of your agency’s assets
A vulnerability management program can’t be effective if it manages only some—or even most—of your agency’s assets. It must detect new and hidden (or shadow) devices and applications, as well as transient end devices such as laptops and mobile devices. These unknowns, including cloud assets, must be identified, their status and configuration discovered, and then managed on an ongoing basis.
Management
Anyone who has updated, patched or mitigated vulnerabilities knows that this is not a trivial task. All changes must be vetted to ensure that they do not interfere with vital government missions. Devices that are not permanently part of the network must be managed when they show up—all while dealing with the addition of new software and hardware. This means that vulnerability management must be prioritized. If you can’t eliminate all vulnerabilities, you have to focus on the most important ones.
If you can’t eliminate all vulnerabilities, you have to focus on the most important ones
Which vulnerabilities are most important depends on the level of risk they represent, and this will vary from agency to agency. It depends on the likelihood that a vulnerability will be exploited, and the potential impact. So you not only need to spot the vulnerability, you must also know something about it and the system where it lives.
Relevant information must be made available to public sector stakeholders, including the security team, IT operations, asset owners, and executive-level management.
Visibility plus context
Tenable Network Security provides the visibility and critical context needed to move your agency beyond vulnerability scanning to effective vulnerability management. Tenable’s passive traffic and event monitoring detect and monitor services and applications in use, even in cloud and virtualized environments.
SecurityCenter™ is a comprehensive solution that provides not only discovery, but also analysis and a variety of customizable dashboards, reports and Assurance Report Cards™ so that stakeholders get the information they need. It combines technology with people, with a research team that provides daily content updates.
SecurityCenter provides:
- Broadest coverage of CVEs
- Powerful communication
- Easy integration with third-party solutions
- Support from Tenable’s world-class team of researchers
The government vulnerability management life cycle includes continuous monitoring, analysis and response. By providing full-cycle vulnerability management, Tenable is ready to help your agency create a successful vulnerability management program.
Check out these resources for more information on vulnerability management:
- Vulnerability Management resources
- Comprehensive Vulnerability Management for a Changing IT Landscape blog
- SecurityCenter
- Stay in touch with Tenable. Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page
Related Articles
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
Cybersecurity Snapshot: Critical Infrastructure Orgs Found Vulnerable to Basic Hacks, While New MITRE Tool Uses ML to Predict Attack Chains
September 20, 2024Report finds that many critical infrastructure networks can be breached using simple attacks. Plus, a new MITRE Engenuity tool uses machine learning to infer attack sequences. Meanwhile, CISA will lead a project to standardize civilian agencies’ cyber operations. And get the latest on XSS vulnerabilities, CIS Benchmarks and a China-backed botnet’s takedown!
At Nearly $1 Billion Global Impact, the Best Cloud Security Couldn’t Stop This Hybrid Attack Path. Takeaway: Map and Close Viable Attack Paths Before Breaches Begin.
October 16, 2024Conventional wisdom suggests best-of-breed is the only way to secure your clouds. But what of hybrid attack paths that cross security domains — like those exploited in the SolarWinds and Capital One breaches? Exposing the gaps attackers exploit to move laterally requires visibility and context across security silos.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources
October 15, 2024Learn how data security posture management (DSPM) and AI security posture management (AI-SPM) can help you address key cloud security challenges.
- Federal
- Government
- Vulnerability Management