Yankee Group Defines Dynamic Best Practices in Vulnerability Management
Best Practices Derived from Laws of Vulnerabilities Research Identify Weekly Auditing of Critical Assets as Top Security Priority
InfoSec World Conference, Orlando, FL – March 23, 2004 – The Yankee Group today announced the development of Dynamic Best Practices in Vulnerability Management to help organizations better manage network resources to identify and eliminate security weaknesses in a timely manner. Implementing dynamically changing best practices in vulnerability management is the most effective, preventative measure security administrators can use to thwart automated attacks and preserve network security. The guidelines and metrics developed by the Yankee Group were derived from The Laws of Vulnerabilities research, authored by Gerhard Eschelbeck, CTO of Qualys. The Dynamic Best Practices in Vulnerability Management is a custom consulting report contracted by Qualys from the Yankee Group.
"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," said Eric Ogren, Senior Analyst at the Yankee Group. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."
The Dynamic Best Practices in Vulnerability Management are based on key findings from The Laws of Vulnerabilities. The best practices apply vulnerability management as the one solution IT can count on to measure and manage the effectiveness of a network defense program. The Laws of Vulnerabilities are derived from the industry's largest vulnerability dataset and reveal vulnerability half-life, prevalence, persistence, and exploitation trends. These trends were drawn from statistical analysis of vulnerabilities collected by more than three million scans during a two-year period.
Based on these Laws, the Yankee Group defines four dynamic best practices for vulnerability management as:
1. Classify: Enterprises should identify and categorize all network resources. They should classify these resources into categories and tier a hierarchy of assets by value to the business. Critical assets should be audited every 5 to 10 days to identify vulnerabilities and protect against exploits. Based on hierarchical priority, lower-category assets can be scanned less frequently, since the work plans to patch them will also be less frequent.
2. Integrate: To improve the effectiveness of security technologies such as server and desktop discovery systems, patch management systems, and upgrade services, enterprises must integrate those technologies with vulnerability management. Best-practice organizations should also report on operational progress against vulnerability goals to raise the level of awareness for security within the executive management team.
3. Measure: Enterprises need to measure their networks against the vulnerability half-life and persistence curves. Graphically track the percentage of vulnerabilities mitigated within each 30-day cycle and the number of vulnerabilities that remain open past 180 days. Chart the security team's performance to make sure the end result is risk reduction, especially to critical assets.
4. Audit: Security officers should utilize the results of vulnerability scans to understand a corporation's network security posture. Use the metrics to evaluate successes and failures of different policies to improve security performance. Use audit metrics to communicate security status to senior management.
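One way to compute the metrics the Measure practice calls for (the percentage of open findings mitigated in each 30-day cycle, the findings that persisted past 180 days, and an empirical half-life) from scan history. This is an added example, not Yankee Group or Qualys code; the Finding records, asset names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Finding:
    asset: str
    critical: bool
    first_seen: date
    fixed: Optional[date]  # None: still open when measured

def age_days(f: Finding, as_of: date) -> int:
    """Days the finding was open: until it was fixed, or until the measurement date."""
    end = f.fixed if f.fixed is not None and f.fixed <= as_of else as_of
    return (end - f.first_seen).days

def mitigated_per_cycle(findings: List[Finding], start: date, as_of: date, cycle: int = 30):
    """Per cycle: percentage of findings open at the cycle start that were fixed within it."""
    results = []
    cycle_start = start
    while cycle_start < as_of:
        cycle_end = cycle_start + timedelta(days=cycle)
        open_at_start = [f for f in findings
                         if f.first_seen <= cycle_start and (f.fixed is None or f.fixed > cycle_start)]
        fixed_in_cycle = [f for f in open_at_start if f.fixed is not None and f.fixed <= cycle_end]
        pct = round(100.0 * len(fixed_in_cycle) / len(open_at_start), 1) if open_at_start else 0.0
        results.append((cycle_start, pct))
        cycle_start = cycle_end
    return results

def persistent(findings: List[Finding], as_of: date, threshold: int = 180) -> List[Finding]:
    """Findings that stayed open for more than `threshold` days (fixed late or still open)."""
    return [f for f in findings if age_days(f, as_of) > threshold]

def half_life_days(findings: List[Finding], as_of: date) -> Optional[int]:
    """Empirical half-life: age at which half of the findings had been fixed (None if not reached)."""
    needed = (len(findings) + 1) // 2
    fixed_ages = sorted(age_days(f, as_of) for f in findings if f.fixed is not None and f.fixed <= as_of)
    return fixed_ages[needed - 1] if len(fixed_ages) >= needed else None

# Constructed sample scan history (not real data), measured on 2004-03-01.
AS_OF = date(2004, 3, 1)
CYCLE_START = date(2004, 1, 1)
SAMPLE = [
    Finding("web01", True, date(2003, 12, 20), date(2004, 1, 10)),
    Finding("web02", True, date(2003, 12, 28), date(2004, 2, 5)),
    Finding("db01", True, date(2004, 1, 5), date(2004, 1, 20)),
    Finding("mail01", False, date(2003, 8, 1), None),
    Finding("file01", False, date(2003, 7, 15), date(2004, 2, 15)),
    Finding("vpn01", True, date(2004, 1, 15), None),
    Finding("dev03", False, date(2003, 11, 1), date(2004, 1, 25)),
    Finding("dev04", False, date(2003, 12, 15), date(2003, 12, 30)),
]
```

Filtering SAMPLE to critical assets before calling half_life_days gives the critical-tier half-life the text says to track separately.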
"Regulations such as HIPAA and Sarbanes-Oxley, coupled with recent threats from viruses like MyDoom, have required companies like Geisinger to adopt industry best practices that will ensure compliance and proactive network protection," said Jaime Chanaga, Chief Information Security Officer for the Geisinger Health System in Pennsylvania. "Yankee Group's best practices underscore the importance of continuous vulnerability scanning in today's changing threat environment."