Building a vulnerability management workflow that works, and getting the buy-in to implement it
Ken Goodwin, director of networking, Pittsburgh Supercomputing Center (PSC), will present “Building a vulnerability management workflow that works, and getting the buy-in to implement it,” on Thursday, May 27, 3pm Eastern, as part of the ResearchSOC webinar series.
Subscribing to a vulnerability identification or scanning service is great for network security. But how do you manage the vulnerability data and create a manageable and trackable workflow that doesn’t overwhelm staff? How do you measure progress? What questions should a higher education or research facility or project cybersecurity team ask themselves?
“Teams can subscribe to an outside service called a vulnerability identification service, or VIS,” said Goodwin. “Their role is to try to connect to a machine to see what services are running and if it can identify the service software and match it against known vulnerabilities.”
Typically, teams can get back a report that has hundreds of vulnerabilities listed. A small support team could quickly become overloaded.
One of Goodwin’s goals for the webinar is to prepare people for how to deal with that report when it comes in: how to organize the data, how to prioritize it, and how to address the vulnerabilities in a way that lets the team be effective and retrace its steps.
“You don’t want to repeatedly touch the same machine or service when you’ve already addressed the issue,” said Goodwin. “You’ve addressed it, put it in the done list, and you move on.”
Sometimes vendors slip in a patch but don’t update the version number. A VIS matches that version number against a vulnerability list and flags the service even though it has already been patched. One of the ways around that is to combine multiple information sources or build tracking mechanisms into your workflow.
Combining information sources may also provide a way to prioritize vulnerabilities or shift focus. “You might combine a VIS with a threat intelligence service like Stingar,” said Goodwin.
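One way to turn a VIS report into the kind of trackable worklist described above, as an added example in Python that is not PSC’s or 3ROX’s tooling: it deduplicates findings, sets aside items already on the done list and verified backported patches, and orders what remains with threat-intelligence hits first. The report format, the shape of the local lists and the CVE ids are constructed placeholders.

```python
"""Triage a VIS report into a trackable worklist (added example, not PSC code).

Assumes the VIS report arrives as one record per host/service/finding and
that the team keeps two local lists: findings already addressed (the done
list) and backported patches a person has verified on the host even though
the version string still matches the vulnerability list.
"""
from collections import Counter

# Constructed sample VIS report: includes a duplicate and a backported case.
VIS_REPORT = [
    {"host": "10.0.0.5", "service": "sshd", "version": "7.4", "vuln": "CVE-EXAMPLE-0001"},
    {"host": "10.0.0.5", "service": "sshd", "version": "7.4", "vuln": "CVE-EXAMPLE-0001"},
    {"host": "10.0.0.6", "service": "sshd", "version": "7.4", "vuln": "CVE-EXAMPLE-0001"},
    {"host": "10.0.0.7", "service": "httpd", "version": "2.4.6", "vuln": "CVE-EXAMPLE-0002"},
    {"host": "10.0.0.9", "service": "httpd", "version": "2.4.6", "vuln": "CVE-EXAMPLE-0002"},
    {"host": "10.0.0.9", "service": "httpd", "version": "2.4.6", "vuln": "CVE-EXAMPLE-0003"},
    {"host": "10.0.0.12", "service": "ntpd", "version": "4.2.6", "vuln": "CVE-EXAMPLE-0004"},
]
# Done list: (host, service, vuln) already fixed, so nobody touches it again.
DONE_LIST = {("10.0.0.12", "ntpd", "CVE-EXAMPLE-0004")}
# Vendor fixed it without bumping the version; recorded with who verified it
# so the suppression can be audited rather than silently trusted.
VERIFIED_BACKPORTS = {("httpd", "2.4.6", "CVE-EXAMPLE-0002"): "verified by ops, constructed"}
# Constructed stand-in for a threat intelligence feed of vulns seen in active use.
THREAT_INTEL = {"CVE-EXAMPLE-0003"}


def triage(report, done, backports, threat_intel):
    """Deduplicate, separate done and verified-backport items, order the rest."""
    seen, result = set(), {"open": [], "done": [], "backport": []}
    for f in report:
        key = (f["host"], f["service"], f["vuln"])
        if key in seen:  # listed twice by the scanner: one work item, not two
            continue
        seen.add(key)
        if key in done:
            result["done"].append(key)
        elif (f["service"], f["version"], f["vuln"]) in backports:
            result["backport"].append(key)
        else:
            result["open"].append(f)
    # Intel hits first, then the vulns with the most open findings, so a small
    # team removes the widest exposure before working down the long tail.
    per_vuln = Counter(f["vuln"] for f in result["open"])
    result["open"].sort(key=lambda f: (f["vuln"] not in threat_intel, -per_vuln[f["vuln"]], f["host"]))
    return result


if __name__ == "__main__":
    for section, items in triage(VIS_REPORT, DONE_LIST, VERIFIED_BACKPORTS, THREAT_INTEL).items():
        print(f"{section}: {len(items)}")
```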
Goodwin has been with PSC since 1991 and in the networking group since about 1996, so he’s learned a lot about security over the years.
“Security was one of the main efforts inside the networking group and then that morphed into specialized security personnel over the years,” he said. “But security obviously is a central cornerstone for the network and quite frankly, you have to make sure your basement door is secure in addition to worrying about your front door.”
One of the ways their group has morphed over the years is by adding security services to their regional network in Pennsylvania called Three Rivers Optical Exchange (3ROX). “One of the things that we did for some of our smaller members was we started an optional security-as-a-service offering,” he said. “One is a security/network intelligence service. The other one is the vulnerability identification service, where we’ll go out and scan their networks and give them reports back. That’s really how we started participating in the ResearchSOC project. One of the many things that I’ve noticed with our smaller university members is that they have very similar problems as some of these research projects.”
Goodwin said a research project may have dozens of researchers working on the project, but they don’t have that many people dedicated to IT or networking support.
“In that aspect, they’re often personnel strapped, much like a small university,” he added. “So many of the suggestions that I give to the smaller 3ROX members is what I would give to a research project because they suffer from the same issues.”
“I hope this webinar gives people some ideas,” Goodwin said. “I would also like to hopefully make this an open conversation where folks who maybe do things a little bit differently, or have some different ideas, really want to contribute back either in follow-up discussions or questions.”