Although the most damaging viruses and worms can penetrate critical systems in a matter of seconds, it isn't necessary to sacrifice an ounce of your company's critical data to one of these attacks. Organizations can escape the wrath of even the most tenacious worms and viruses provided two key ingredients are in place: a standardized, documented process for patch and vulnerability management and the right people working together around this process.
In fact, synchronizing management efforts across typically separate groups in the organization - namely IT security and operations teams - is one of the most critical steps in achieving air-tight patch and vulnerability management.
But these different organizational teams first need to agree upon a common process and implement a centralized, automated system for patch and vulnerability management.
Uniting Process and People
The process and management aspects of patch and vulnerability management are inextricably linked. The lack of a standard, repeatable processes can exacerbate the disconnect often present between security and operations groups. Without a clearly defined and agreed upon process, the security team can do its job well, but only behind the walls of its department. For example, under a directive to secure the organization, the security group can dutifully create an inventory of systems, platforms and devices; assess the vulnerabilities; and then hand off a list of fixes to an overwhelmed operations team. If communication is lacking and operations isn't involved in the process and isn't aware of the organization's priorities, a disconnect occurs. And although it is not always the case in every organization, this type of miscue can result in unaddressed vulnerabilities and security breaches.
A combination of solid process and multiple groups working together is the key to successful patch management and a secure organization.
Getting in Sync
So how do you get different groups such as security, operations, business and even external auditors on the same page? The first step is to understand the challenges that cause groups within your organization to function within silos.
One issue is organizational structure. The IT security group in most companies is separate from the IT department. In some cases, the security team is a think-tank type group that functions more like an academic discipline. This type of security team focuses on big picture issues and doesn't generally get involved in operational issues. IT operations, in contrast, is typically knee-deep in the daily maintenance, firefighting and system management. Complicating matters is the fact that the security group often reports through a different structure in the organization.
This siloed approach within IT is all too common, and more often than not, it is at the heart of security troubles.
Furthermore, as internal groups struggle to find common ground for fighting vulnerabilities, external auditors often are required to enter the process to examine a company's processes and state of security. If auditors find problems, it can put even more stress on the already tenuous security-operations relationship. The more you can have those teams working together, the more your organization's security will benefit and the smoother audits will become.
Although internal IT security teams often function in silos, the reality is that security threats aren't constrained to silos. Attacks, or even the process of protecting against known threats, span across an entire enterprise and affect both the security team as well as the IT operations. To reach across all platforms, groups need to work together with a standardized, automated process. By bridging the gap between IT security and IT operations, you can reconcile IT goals with security requirements, and effectively enforce universal security policies across the entire enterprise.
Breaking Down the Walls
It is critical to form a cross-discipline team that can rise above the walls that typically separate different IT and business groups within a company.
NIST recommends forming a PVG (patch and vulnerability management group) to help coordinate the cross-team nature of patch management.
The PVG should be a formal group that consists of representatives from IT security and operations groups. The members should have adequate knowledge of patch and vulnerability management, system administration, intrusion detection and firewall management, NIST recommends. Also, OS and applications specialists may be useful as well as network administrators and personnel with vulnerability scanning experience.
Because the PVG is formed by members of different cross-discipline teams, time-sensitive tasks such as prioritizing the order in which to address vulnerabilities can be done faster and with more insight. Other key duties include overseeing vulnerability remediation and distributing vulnerability and remediation information to local administrators.
In addition to a common, agreed-upon process and open communication among groups, using an automated tool for patch and vulnerability management can help speed the company's reaction time to vulnerabilities.
-Chris Andrew is vice president of security technologies for PatchLink.