There are many vulnerability management frameworks that organizations can choose from, including landmark guides from CISA, NIST, and SANS. Each has its strengths and weaknesses to consider when optimizing your approach to vulnerability management.
Which Vulnerability Management Framework is Best?
Vulnerability management is the practice of accounting for and mitigating weaknesses in your cybersecurity infrastructure and architecture. To aid in this process, several governmental and other institutions have published vulnerability management frameworks that organizations can implement. Picking the right one for you comes down to weighing their relative strengths.
In particular, this article analyzes three prominent approaches to vulnerability management:
- Recommendations from CISA in CRR Volume 4
- NIST approaches from the CSF and SP 800-40r4
- The SANS Institute’s framework and maturity model
Working with a security program advisor will help your organization decide which framework suits it best. You may even develop a bespoke strategy using elements of several approaches.
The CISA Approach to Vulnerability Management
The Cybersecurity and Infrastructure Security Agency (CISA) develops resources, such as programs and frameworks, to help organizations in every sector improve their cybersecurity maturity. Their primary resource family is the Cyber Resource Review (CRR), which includes Supplemental Resource Guides dedicated to specific areas of cybersecurity.
CRR Volume 4 is a vulnerability management framework that offers high-level guidance for mitigating risks in any environment. It breaks the practice down into four basic phases:
- Define a strategy – Organizations should develop top-level governing baselines, such as primary goals and resources, to inform all elements of vulnerability management.
- Develop a plan – Organizations should then channel the strategy into one or more specific sets of actions to be taken whenever a security vulnerability is identified.
- Implement the capability – Upon realizing a vulnerability, organizations should set the plan in motion and neutralize or minimize the vulnerability (and, ideally, its root causes).
- Assess the capability – Organizations should then analyze the efficacy of the strategy, plan, and implementation, documenting challenges and making adjustments if needed.
Crucially, these phases are cyclical, with the last feeding back into the first.
The phases are fleshed out in significant depth throughout the text, with steps and sub-controls detailing specific software to install or resources to consult for threat intelligence or best practices. Therein lies the real value of the seemingly simple approach.
Highlights and Benefits of CRR Volume 4
The biggest benefit of using CRR Volume 4 as your vulnerability management framework is that it encourages best practices organizations might not be aware of otherwise. While it does not specify many particular requirements for these, its general direction will prepare your team for greater maturity through more robust implementations in the near and distant future.
For example, consider the following highlights from its two middle phases:
- Planning phase – CISA dedicates steps to training and intelligence gathering in the planning stage, which highlights how integral these are—and how they should be informed by strategy, rather than prior to or constitutive of it. The steps are:
  - Step 3, Define training requirements: Organizations should determine topics and methods for end users and practitioners, based on relevant threat intelligence.
  - Step 5, Identify sources of vulnerability information: Organizations should determine quality sources of threat intelligence on all in-scope resources.
- Implementation phase – CISA also dedicates individual steps to vulnerability logging and prioritization, which lend themselves to requirements in certain regulations. And it calls for Root Cause Analysis (RCA), a consensus best practice. These are the steps:
  - Step 4, Categorize and prioritize vulnerabilities: Organizations should categorize vulnerabilities based on relevance and responsibility, which determine priority.
  - Step 7, Analyze root causes: Organizations should determine what base factors led to a vulnerability (vendors, training, etc.), document them, and resolve them.
These particular steps show CISA’s framework and approach at its best. It’s flexible and encourages an open, data-informed approach to overall vulnerability management.
The Drawback to CISA-style Vulnerability Management
The approach described above may not be particularly useful for larger organizations that are further along on their journey toward IT and cybersecurity maturity. Its flexibility and openness make implementation relatively straightforward, but it lacks detailed and specific guidance on controls to implement for specific security ends. It might not be enough for your needs.
For example, organizations preparing for compliance with standards like HIPAA or PCI-DSS need to document specific thresholds of vulnerability and risk management. You may be required to score the vulnerabilities on a particular scale, which the CISA model may not empower you to do. For this reason, you might consider working with an external threat and vulnerability management expert who can tailor the CISA approach to your needs.
The NIST CSF and Vulnerability Management
The National Institute of Standards and Technology (NIST) is a governmental regulating body that defines, explains, and enforces several standards and regulations. Its rulesets typically apply to governmental organizations and private institutions that work with them, such as military contractors. However, NIST frameworks are also widely used in many other contexts, and definitions they develop for security purposes inform nearly every regulation used in the US.
NIST’s Cybersecurity Framework (CSF) is the cornerstone of every other guide and regulation it has published concerning IT and cybersecurity. It categorizes all security concerns under the functions of Identify, Protect, Detect, Respond, and Recover—which collectively make up the backbone of a NIST-informed approach to vulnerability management (or any area of security).
It should be noted that the CSF is not a vulnerability management framework proper. Instead, it is an overall security framework that can be applied to vulnerability management. NIST also publishes a guide more directly tied to vulnerability management, albeit tangentially (see below).
The Adaptability of NIST Vulnerability Management
The beauty of any NIST-based approach to any element of cybersecurity is how expansive and flexible the CSF is. It spans nearly every cybersecurity context, with recommendations and controls that can be applied to any use case—vulnerability management included.
For example, the Retail and Hospitality Information Security and Analysis Center (RH-ISAC) has highlighted the following CSF vulnerability management integrations as particularly beneficial:
- Identify – Identification subcategories applicable to vulnerability management include:
  - Asset Management (AM)-1: Inventory all physical devices and systems
  - AM-5: Prioritize resources based on classification, criticality, and value
  - Risk Assessment (RA)-1: Identify and document asset vulnerabilities
  - RA-2: Collect cyber threat intelligence from various outside sources
  - RA-5: Use threats’ and vulnerabilities’ likelihood and impact to determine risk
- Protect – The Protection subcategory most applicable to vulnerability management is:
  - Information Protection (IP)-12: Develop a holistic vulnerability management plan
- Detect – The Detection subcategory most applicable to vulnerability management is:
  - Continuous Monitoring (CM)-8: Perform regular vulnerability scans
- Respond – Response subcategories applicable to vulnerability management include:
  - Analysis (AN)-1: Investigate notifications from detection systems
  - Mitigation (MI)-3: Mitigate new vulnerabilities or document them as risks
- Recover – Recovery subcategories applicable to vulnerability management include:
  - Recovery Planning (RP)-1: Execute recovery plan during or after an incident
  - Improvements (IM)-1: Incorporate lessons learned into recovery plans
Beyond these, organizations can implement any other parts of the NIST CSF that fit their specific risk and vulnerability management needs. Like CISA’s approach, it is adaptable.
An added benefit of this adaptability is how central the NIST CSF is to several frameworks and regulations required for compliance. Organizations involved in government contract work may need to implement frameworks like NIST SP 800-53 or 800-171, depending on what kinds of data they process. Having a foundation in the CSF will allow for streamlined control mapping.
Potential Limitations of a CSF-informed Approach
Although the CSF is central to much governmental compliance, it is also typically not enough on its own to secure government contracts. Organizations will have to put in the work of mapping and updating CSF controls to other standards prior to an assessment or audit. This is because of the CSF’s high-level, generalist approach to vulnerability management and cybersecurity.
One example of this is in the general structure of controls. Consider, for instance:
- ID.RA-3 – Identify and document internal and external threats.
There is no further instruction provided on how threats are to be documented—where, with what codes, etc.—in the CSF. Instead, it points to resources like SP 800-53 for further guidance.
Another example is looseness in scope and scheduling. There is no formal NIST vulnerability remediation timeline to speak of; instead, organizations are simply expected to remediate as swiftly as possible.
NIST SP 800-40r4 and Vulnerability Management
Another NIST document that concerns vulnerability management is Special Publication (SP) 800-40r4, Guide to Enterprise Patch Management Planning. A previous version of the guide included “Vulnerability Management” in its title (v2, 2005). And, while its focus has shifted in subsequent revisions, it still lays out recommendations for effective vulnerability management.
In a section titled Software Vulnerability Management Lifecycle, NIST SP 800-40r4 describes the following three-step process that spans the entire lifespan of any risk or vulnerability:
- Knowing when new vulnerabilities arise and how they (would) impact your assets
- Planning risk response activities commensurate to the level of risk involved
- Executing the plan, verifying risks are neutralized, and continuously monitoring
The strategy here mirrors the straightforwardness of the CISA approach detailed above. As such, it shares similar strengths and weaknesses—it’s flexible but lacks concrete direction.
The SANS Vulnerability Management Framework
The SANS Institute is a cybersecurity research, education, and administrative organization that publishes guidance materials and frameworks on many areas of security. Unlike NIST, it does not oversee specific compliance frameworks. Instead, its texts are positioned as guidance from industry experts on how to meet those requirements—and generally improve security maturity.
SANS has two main approaches to vulnerability management: a framework for vulnerability assessments and a maturity model for gauging your efficacy. Both draw on the decades of research and practical experience SANS experts have accumulated aiding governmental and other institutions with vulnerability management. They are also proprietary systems, so organizations need to work with SANS directly (through an instruction or advisement engagement) to implement them fully.
In comparison with the other two models detailed above, SANS’ two-pronged approach to vulnerability management is a bit more comprehensive and robust on its face. This makes it more applicable for larger organizations with more complex cybersecurity infrastructures or with greater data privacy needs. However, SANS’ approach lacks specific regulatory mapping to common compliance frameworks like PCI, HIPAA, or NIST. Organizations with interlocking compliance needs might instead opt for NIST (or an omnibus framework, like HITRUST).
SANS’ Seven Phases of Vulnerability Assessment
SANS’ approach to vulnerability management revolves around vulnerability assessments. They recommend regularly assessing and scanning your system for any indicators of a weakness or gap, potential or actual, and resolving them. The process breaks down into seven phases:
- Engagement planning – Organizations should determine and secure stakeholder buy-in on the scope, purposes, and methods to be used for a vulnerability assessment.
- Intelligence modeling – Organizations then gather information available to the public about their IT and security assets, including common attack vectors and techniques.
- Discovery – Next, organizations build on the foundational vulnerability intelligence with reconnaissance on the actual IT assets to be assessed, creating a comprehensive list.
- Scanning – Organizations use tools determined by their strategies and plan to scan their IT environment to identify vulnerabilities across software, hardware, and networks.
- Validation – Any identified vulnerabilities are analyzed to confirm their existence, the breadth and depth of their reach, and with what priority they should be addressed.
- Remediation – Organizations develop and carry out plans to implement or patch controls, adjust configurations, and take other measures to mitigate vulnerabilities.
- Reporting – Wrapping up, all assessment findings should be analyzed thoroughly, documented, and reported to stakeholders to inform future vulnerability management.
More detailed information is available about SANS’ programmatic approach to vulnerability assessment in their course, SEC460. Organizations can also consult with a security program advisor to determine whether SANS’ principles are directly applicable to their environments.
The SANS Vulnerability Management Maturity Model
Finally, SANS also utilizes a vulnerability management maturity model tool to assess how effective and efficient an organization’s approach to vulnerability management is. The model is best understood as a 5×5 grid charting organizations’ relative strength in five Focus Areas.
The Focus Areas measured in SANS’ model are:
- Prepare – Organizations need to ensure that everything is in place for a programmatic approach to vulnerability management, specifically Policy, Standards, and Context.
- Identify – This focus considers what methods organizations use to monitor for and find vulnerabilities (Automated, Manual, and External) and how effective those methods are.
- Analyze – Once vulnerabilities are found, organizations subject them to analysis. SANS specifically highlights the importance of RCA and Prioritization, like other frameworks.
- Communicate – Organizations also have a responsibility to gather Metrics and conduct Reporting and Alerting to other individuals and institutions who might be impacted.
- Treat – Vulnerability management also needs to account for mitigation practices. SANS specifically highlights methods such as Change, Patch, and Configuration Management.
And the Levels indicate increasingly stronger security, as follows:
- Level 1: Initial – There are policies, but they are undocumented, informal, or in flux.
- Level 2: Managed – Policies are designed in response to negative events (reactively) rather than based on best practices from industry experts or frameworks (proactively).
- Level 3: Defined – Policies are selected carefully and updated regularly based on institutional needs and intelligence and outside experts’ consensus best practices.
- Level 4: Quantitatively Managed – Policies are followed systematically, performance is tracked and quantified, and stakeholders are subject to training at least once per year.
- Level 5: Optimizing – Controls are proactive and automated, providing insights that power regular updates to system-wide practices, in turn reflected in frequent training.
Altogether, the maturity model captures the complexity of vulnerability management, since an organization might have greater maturity in one Focus Area than in another. More information about SANS’ vulnerability management maturity model is available across two articles (Part I and Part II) organized around a useful infographic on the subject.
Optimize Your Vulnerability Management Today!
Three of the most common and effective vulnerability management frameworks come from CISA, NIST, and SANS. Each has its respective strengths and weaknesses, with CISA on the more open, flexible side and SANS on the more robust and comprehensive end. NIST is a relative middle ground and thus potentially applicable to the widest range of organizations.
RSI Security is committed to serving organizations like yours, helping you select, plan for, and implement the perfect vulnerability management solution for your needs. We believe that the right way is the only way to keep data safe, and we’ll help you determine and execute it.
For further guidance on selecting a vulnerability management framework, contact us today!