The Troublemaker’s Guide to EVM: A Real-World Perspective

Let's cut to the chase. Vulnerability management is a never-ending battle. Sure, we could spend all our time patching every single vulnerability, but let's be real, that's not practical or cost-effective.

Here are some harsh truths about EVM:

1. The Time Crunch: We don't have infinite resources or time. Maintenance windows are limited, and downtime is costly. Balancing security with business needs is a constant struggle.
2. The Development Dilemma: Developers are under pressure to deliver features fast. Security often takes a backseat to speed and efficiency.
3. The Prioritization Puzzle: Not all vulnerabilities are created equal. We need to prioritize based on risk, not just severity scores.
4. The Network Nuances: Different networks have different vulnerabilities. A one-size-fits-all approach won't work.

So, how do we navigate this complex landscape?

• Embrace a Risk-Based Approach: Prioritize vulnerabilities that pose the greatest threat to your organization.
• Automate Where Possible: Use tools to streamline vulnerability scanning, patching, and configuration management.
• Foster a Culture of Security: Educate your employees about the importance of security and empower them to report suspicious activity.
• Collaborate with Business Leaders: Work with business leaders to understand their priorities and align security efforts with business objectives.

Remember, cybersecurity is an ongoing battle. Stay vigilant, stay informed, and don't let the bad guys win.

So, if you need more guidance on EVM, here you go. This is based off solid academic research and experience, references included. The guidance does not provide detailed steps as each will be unique to your environment and risk tolerance. 

 Foundational Principles for successful EVM

• Risk-based approach: EVM must be grounded in a comprehensive understanding of the organisation's unique risks and opportunities. This involves identifying critical assets, assessing threats and vulnerabilities, and evaluating the potential impact of exploitation.
• Continuous monitoring: The threat landscape is constantly evolving, so EVM must be an ongoing process. Organisations need to continuously monitor for new vulnerabilities, assess their potential impact, and implement timely remediation measures.
• Prioritisation: Organisations face a constant influx of vulnerabilities, making it impossible to address them all immediately. Effective EVM requires prioritising remediation efforts based on the severity of the vulnerability, the likelihood of exploitation, and the potential impact on the organisation.
• Collaboration: EVM is not solely the responsibility of the security team. It requires collaboration between security professionals, IT staff, developers, and business stakeholders to effectively identify, assess, and remediate vulnerabilities.
• Human factors: People are often the weakest link in cybersecurity. EVM should consider the human element, including potential insider threats, the need for security awareness training, and the cognitive load associated with managing vulnerabilities.

Key Practices

• Asset management: A comprehensive inventory of all hardware, software, and data assets is essential for effective EVM. This enables organisations to understand their attack surface and focus remediation efforts on critical systems.
• Vulnerability scanning: Regular automated scans help identify known vulnerabilities in systems and applications. Organisations should leverage a combination of internal and external scans to get a complete picture of their vulnerability landscape.
• Patch management: Timely patching of known vulnerabilities is crucial for mitigating risk. Organisations should establish processes for evaluating, testing, and deploying patches promptly, prioritising critical systems and high-severity vulnerabilities.
• Secure configuration: Misconfigurations are a major source of vulnerabilities. Organisations should implement secure configuration standards, leverage hardening guides, and employ automation to enforce secure configurations.
• Vulnerability scoring and prioritisation: Various frameworks and tools help organisations prioritise vulnerabilities based on their severity, exploitability, and potential impact. The sources highlight the limitations of relying solely on the Common Vulnerability Scoring System (CVSS) and recommend considering additional factors such as the availability of exploits, known attacks, and business context.
• Threat intelligence: Integrating threat intelligence into EVM enables organisations to focus on vulnerabilities that are actively being exploited or are likely to be targeted by attackers. This helps prioritise remediation efforts and reduce the overall risk.
• Vulnerability chaining: Attackers often exploit multiple vulnerabilities in sequence to achieve their objectives. EVM should consider the potential for vulnerability chaining and implement mitigations to break these chains.
• Reporting and communication: Effective communication of vulnerabilities and remediation efforts is essential for informed decision-making. CISOs should provide clear and concise reports to executive management and the board, highlighting key risks, remediation progress, and areas requiring further investment.

Frameworks and Standards

The following frameworks and standards provide foundational guidance for EVM:

• NIST Cybersecurity Framework: This framework offers a comprehensive set of guidelines for managing cybersecurity risks, including vulnerability management.
• ISO/IEC 27002: This standard provides best practices for implementing information security controls, including vulnerability management.
• CIS Benchmarks: These provide detailed configuration guidelines for hardening systems and applications, reducing vulnerabilities.
• DISA STIGs: These offer security technical implementation guides for securing specific systems and applications used by the U.S. Department of Defense.
• CISA Known Exploited Vulnerabilities (KEV) Catalog: This catalog lists vulnerabilities that are known to be actively exploited, helping organisations prioritise remediation efforts.
• Exploit Prediction Scoring System (EPSS): This data-driven model helps predict the likelihood of a vulnerability being exploited in the next 30 days, aiding in prioritisation.

Tools and Technologies

The following tools and technologies can support EVM efforts:

• Vulnerability scanners: These tools automate the process of identifying known vulnerabilities in systems and applications.
• Patch management systems: These tools automate the process of deploying patches, ensuring timely remediation of vulnerabilities.
• Configuration management tools: These tools help enforce secure configurations and automate the process of hardening systems.
• Threat intelligence platforms: These platforms provide access to real-time information about threats and vulnerabilities, enabling organisations to prioritise remediation efforts.
• Security information and event management (SIEM) systems: These systems collect and analyse security logs from various sources, helping identify potential attacks and vulnerabilities.
• Endpoint detection and response (EDR) solutions: These solutions monitor endpoint activity and help detect and respond to attacks, including those that exploit vulnerabilities.

By implementing the guidance provided, organisations can establish a robust EVM programme that effectively mitigates risk, enhances resilience, and protects critical assets.

References:

Books and Reports:

1. Alleman, G.B. and Quigley, J.M., 2024. Risk Management: Managing Tomorrow's Threats. Auerbach Publications.
2. Baker, D., 2024. A CISO Guide to Cyber Resilience: A how-to guide for every CISO to build a resilient security program. Packt Publishing.
3. Brown, A.R., 2024. Taming Your Dragon: Addressing Your Technical Debt. Apress.
4. Chaput, B., 2024. Enterprise Cyber Risk Management as a Value Creator: Leverage Cybersecurity for Competitive Advantage. Apress.
5. Chaput, B., 2021. Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM). Clearwater.
6. Centre For Cyber Security Belgium, 2015. Cyber Security Incident Management Guide. Centre For Cyber Security Belgium.
7. Hampton, J., 2014. Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity. AMACOM.
8. Herrmann, D.S., 2007. Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Auerbach Publications.
9. Hyslop, M., 2007. Critical Information Infrastructures: Resilience and Protection. Springer Science+Business Media.
10. Küfeoğlu, S. and Akgün, A.T., 2023. Cyber Resilience in Critical Infrastructure. CRC Press.
11. National Research Council, 2014. Leveraging Two Decades of Experience in Cybersecurity. The National Academies Press.
12. National Research Council, 2009. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. The National Academies Press.
13. Steinberg, R.M., 2011. Governance, Risk Management, and Compliance. (Publisher information needed for complete citation).

Journal Articles and Websites:

1. Brooks, A.W. and John, L.K., 2018. The Surprising Power of Questions. Harvard Business Review Magazine, [online] Available at: https://hbr.org/2018/05/the-surprising-power-of-questions
2. Clinton, L., Higgins, J. and van der Oord, F., 2022. 2023 Director's Handbook on Cyber-Risk Oversight. National Association of Corporate Directors (NACD), [online] Available at: https://nacdonline.org/insights/publications.cfm?ItemNumber=74777
3. Deloitte, 2015. Tone at the top: The first ingredient in a world-class ethics and compliance program. [online] Available at: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-tone-at-the-top-sept-2014.pdf
4. Drew, C., 2023. 25 Negativity Bias Examples. Helpful Professor, [online] Available at: https://helpfulprofessor.com/negativity-bias-examples/
5. Dunn, G., 2023. 2022 Year-End Securities Enforcement Update. [online] Available at: https://www.gibsondunn.com/2022-year-end-securities-enforcement-update/
6. Lipton, M. et al., 2018. Risk Management and the Board of Directors. Harvard Law School Forum on Corporate Governance, [online] Available at: https://corpgov.law.harvard.edu/2018/03/20/risk-management-and-the-board-of-directors-5/  
7. McCoy, K., 2017. Target to pay $18.5M for 2013 data breach that affected 41 million consumers. USA Today, [online] Available at: https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/  
8. Mendro, J.J., Tulumello, A.S. and Hilborn, J.H., 2019. Recent Application of Caremark: Oversight Liability. Harvard Law School Forum on Corporate Governance, [online] Available at: https://corpgov.law.harvard.edu/2019/08/16/recent-application-of-caremark-oversight-liability/#more-120953
9. Micheletti, E.B. and Lindsay, R.M., 2021. The Risk of Overlooking Oversight: Recent Caremark Decisions From the Court of Chancery Indicate Closer Judicial Scrutiny and Potential Increased Traction for Oversight Claims. Skadden, Arps, Slate, Meagher & Flom LLP, [online] Available at: https://www.skadden.com/insights/publications/2021/12/insights-the-delaware-edition/the-risk-of-overlooking-oversight
10. Needleman, S.E., 2022. Twitter's Ex-Security Head Files Whistleblower Complaint on Spam, Privacy Issues. WSJ, [online] Available at: https://www.wsj.com/articles/twitters-ex-security-head-files-whistleblower-complaint-on-spam-privacy-issues-11660422044 .
11. Seets, C. and Niemann, P., 2022. How cyber governance and disclosure drive business value. Harvard Law School Forum on Corporate Governance, [online] Available at: https://corpgov.law.harvard.edu/2022/10/02/how-cyber-governance-and-disclosure-drive-business-value/.

Standards and Regulations:

1. American Bar Association, 2020. Model Business Corporation Act Annotated (fifth ed.).
2. CIS Benchmarks. (Publisher and date information needed for complete citation).
3. CISA Known Exploited Vulnerabilities (KEV) Catalog. Cybersecurity and Infrastructure Security Agency (CISA), [online] Available at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog [Accessed 17 October 2023].
4. DISA STIGs. Defense Information Systems Agency (DISA), [online] Available at: https://public.cyber.mil/stigs/ [Accessed 17 October 2023].
5. Exploit Prediction Scoring System (EPSS). Cybersecurity and Infrastructure Security Agency (CISA), [online] Available at: https://www.first.org/epss/ [Accessed 17 October 2023].
6. Federal Information Security Management Act (FISMA) of 2002.
7. Food and Drug Administration 21 Code of Federal Regulation Part 11.
8. Health Insurance Portability and Accountability Act (HIPAA) of 1996.
9. Homeland Security Presidential Directives (HSPDs).
10. ISO/IEC 27001:2022.
11. ISO/IEC 27002:2022.
12. ISO/IEC 27034-1:2011.
13. ISO/IEC 27036.
14. ISO/IEC 29147:2020.
15. ISO/IEC 30111:2019.
16. ISO/IEC 30111:2020.
17. ISO/IEC TS 27034-5-1:2018.
18. NIST Cybersecurity Framework. National Institute of Standards and Technology (NIST), [online] Available at: https://www.nist.gov/cyberframework [Accessed 17 October 2023].
19. NIST Special Publication 800-30, Revision 1. Guide for Conducting Risk Assessments. National Institute of Standards and Technology (NIST), 2012.
20. NIST Special Publication 800-37, Revision 2. Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. National Institute of Standards and Technology (NIST), 2018.
21. NIST Special Publication 800-39. Managing Information Security Risk. National Institute of Standards and Technology (NIST), 2011.
22. NIST Special Publication 800-53, Revision 5. Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards and Technology (NIST), 2013.
23. NIST Special Publication 800-61, Revision 2. Computer Security Incident Handling Guide. National Institute of Standards and Technology (NIST), 2012.
24. NIST Special Publication 800-137. Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. National Institute of Standards and Technology (NIST), 2011.
25. NIST Special Publication 800-207. Zero Trust Architecture Standard. National Institute of Standards and Technology (NIST), 2020.
26. New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. New York State Department of Financial Services, 2023.
27. Sarbanes-Oxley Act of 2002.

Court Cases:

1. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
2. Marchand v. Barnhill, 212 A.3d 805 (Del. 2019).

Other:

1. The People’s Law Dictionary.