In defense of Incrementalism (in vulnerability management)

Most of the vulnerability management programs I’ve encountered suffered from analysis paralysis—the infosec team had reams of data (or multiple spreadsheets) on their vulnerabilities but couldn’t make progress because they couldn’t decide where to start.

Questions I frequently hear include:

  • What’s the biggest vulnerability (AKA high-risk)?
  • What vulnerability hits the most systems?
  • What vulnerabilities are most easily exploited?
  • What vulnerabilities most affect the most critical business system(s)?

Those are all excellent questions, but they assume a level of maturity that an organization stuck in analysis paralysis hasn’t reached yet. Maybe you haven’t completed (or started) a BIA project to determine your critical business systems. Maybe you’re still working on your device inventory. Maybe you don’t know how to define “biggest” yet.

(aside)

A simple vulnerability management process could look like this:

  1. Identify the vulnerabilities—presumably you’ve got a scanner or an advisor that gives you a list.
  2. Prioritize the vulnerabilities—determine which vulnerabilities pose the largest risk.
  3. Remediate the vulnerabilities—change configuration, patch, replace, or otherwise address them to eliminate or reduce the risk.
  4. Repeat on some interval.

Pick something

You’ll be doing vulnerability management for a good long while (forever), so in the early stages of your program, skip prioritizing, pick something and do it. Do use your knowledge of yourself and your organization to inform your decision, but pick something to work on and then go do it.

Here’s how this works:

  1. Pick a vulnerability to work on
  2. Work on it (remediate)
  3. Celebrate your success
  4. Repeat

Closing thoughts

This is not that different from how you eat an elephant. One simply cannot eat the elephant in one bite, so do it incrementally. Or, if you’re using the “stuck in the weeds” analogy, choose the weed that’s in front of you and pull it, then choose another weed.

Two things will happen: 1) You’ll be making incremental progress, and 2) at some point you’ll start seeing the forest instead of all the trees and can start prioritizing more wisely.

This entry was posted in Cybersecurity.