SANS Vulnerability Management (VM) Maturity Model - Identify

Today I will be sharing the maturity model for the "Identify" phase of the PIACT model for vulnerability management that we discuss in SANS MGT516 - Managing Security Vulnerabilities: Enterprise and Cloud. This is my fourth article in a series on vulnerability management; links to the other articles are at the end of this one. Also, look for the official release of the maturity model on the back of the SANS Security Leadership poster at SANS Security West 2020 https://www.sans.org/event/security-west-2020.

Identification of vulnerabilities is important and has been the focus of many security programs for years. While I believe that most companies are struggling in other areas of their program much more than in this one, it is still an essential part of a holistic vulnerability management program. Today, I will share the maturity model for the identification phase of the PIACT model. It includes three categories: automated, manual, and external identification techniques. I previously covered the "Prepare" and "Analyze" phases and will wrap things up with "Communicate" and "Treat" in the next few weeks.

Automated

Level 1

Infrastructure and applications are scanned ad hoc or irregularly for vulnerability details, or vulnerability details are acquired from existing data repositories or from the systems themselves as time permits.

Level 2

The process, configuration, and schedule for scanning infrastructure and applications are defined and followed for certain departments or divisions within the organization. Available technology may vary throughout the organization.

Level 3

There are defined and mandated organization-wide scanning requirements and configurations for infrastructure and applications that set a minimum threshold for all departments or divisions. Technology is made available throughout the organization through enterprise licensing agreements or as a service.

Level 4

Scanning coverage is measured and includes the measurement of authenticated vs. unauthenticated scanning (where applicable), the types of automated testing employed, false positive rates, and vulnerability escape rates (confirmed vulnerabilities that automated scanning did not report and that were found later by other means).

Level 5

Scanning is integrated into build-and-release processes and procedures and happens automatically in accordance with requirements. Scanning configurations and rules are updated based on previous measurements.
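As an added illustration of the Level 4 measurements above (this is example code, not part of the original article or the MGT516 course material), the following Python computes scanning coverage, the authenticated share, the automated test types in use, the false-positive rate, and the escape rate from a constructed asset inventory, scan output, triage record, and list of confirmed vulnerabilities. The asset names, finding IDs, scan-type labels, and the split of escapes into "missed" (asset scanned, finding not reported) versus "unscanned" (asset never scanned) are assumptions made for the example.

```python
"""Scanning coverage metrics (coverage, authenticated share, scan types,
false-positive rate, escape rate) over constructed sample data."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    asset_id: str
    authenticated: bool
    scan_type: str                  # constructed labels: "network", "dast"
    findings: tuple[str, ...] = ()  # scanner finding IDs (constructed, not real CVEs)


@dataclass(frozen=True)
class ConfirmedVuln:
    asset_id: str
    finding_id: str
    source: str                     # "scanner", "manual" or "external"


# Assets that policy requires to be scanned (constructed inventory).
INVENTORY = ["web-01", "web-02", "db-01", "api-01", "jump-01"]

# Constructed scan output; lab-99 is not in the inventory and must not inflate coverage.
SCANS = [
    ScanResult("web-01", True, "network", ("F-1", "F-2")),
    ScanResult("web-01", False, "dast", ("F-3",)),
    ScanResult("web-02", False, "network", ("F-1",)),
    ScanResult("db-01", True, "network", ()),
    ScanResult("api-01", False, "dast", ("F-4",)),
    ScanResult("lab-99", False, "network", ("F-5",)),
]

# Analyst triage of scanner findings keyed by (asset, finding). Untriaged
# findings such as (lab-99, F-5) are left out of the false-positive rate.
TRIAGE = {
    ("web-01", "F-1"): "false_positive",
    ("web-01", "F-2"): "confirmed",
    ("web-02", "F-1"): "confirmed",
    ("web-01", "F-3"): "confirmed",
    ("api-01", "F-4"): "false_positive",
}

# Everything confirmed as a real vulnerability, regardless of who found it.
CONFIRMED = [
    ConfirmedVuln("web-01", "F-2", "scanner"),
    ConfirmedVuln("web-02", "F-1", "scanner"),
    ConfirmedVuln("web-01", "F-3", "scanner"),
    ConfirmedVuln("api-01", "F-6", "manual"),     # asset was scanned, scanner missed it
    ConfirmedVuln("jump-01", "F-7", "external"),  # asset was never scanned
]


def _in_scope_scans(inventory, scans):
    in_scope = set(inventory)
    return [s for s in scans if s.asset_id in in_scope]


def coverage(inventory, scans):
    """Fraction of in-scope assets that have at least one scan result."""
    scanned = {s.asset_id for s in _in_scope_scans(inventory, scans)}
    return len(scanned) / len(inventory) if inventory else 0.0


def authenticated_share(inventory, scans):
    """Fraction of scanned in-scope assets with at least one authenticated scan."""
    scoped = _in_scope_scans(inventory, scans)
    scanned = {s.asset_id for s in scoped}
    authed = {s.asset_id for s in scoped if s.authenticated}
    return len(authed) / len(scanned) if scanned else 0.0


def scan_types(inventory, scans):
    """Number of in-scope assets covered by each type of automated testing."""
    pairs = {(s.asset_id, s.scan_type) for s in _in_scope_scans(inventory, scans)}
    return dict(Counter(scan_type for _, scan_type in pairs))


def false_positive_rate(triage):
    """Share of triaged scanner findings that turned out to be false positives."""
    if not triage:
        return 0.0
    fps = sum(1 for verdict in triage.values() if verdict == "false_positive")
    return fps / len(triage)


def escapes(scans, confirmed):
    """Confirmed vulnerabilities the scanner never reported, with the reason."""
    reported = {(s.asset_id, f) for s in scans for f in s.findings}
    scanned_assets = {s.asset_id for s in scans}
    out = []
    for v in confirmed:
        if (v.asset_id, v.finding_id) in reported:
            continue
        reason = "missed" if v.asset_id in scanned_assets else "unscanned"
        out.append((v.asset_id, v.finding_id, v.source, reason))
    return out


def escape_rate(scans, confirmed):
    """Fraction of confirmed vulnerabilities that automated scanning missed."""
    return len(escapes(scans, confirmed)) / len(confirmed) if confirmed else 0.0


def report(inventory=INVENTORY, scans=SCANS, triage=TRIAGE, confirmed=CONFIRMED):
    return {
        "coverage": coverage(inventory, scans),
        "authenticated_share": authenticated_share(inventory, scans),
        "scan_types": scan_types(inventory, scans),
        "false_positive_rate": false_positive_rate(triage),
        "escape_rate": escape_rate(scans, confirmed),
        "escapes": escapes(scans, confirmed),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The escape list separates scanner misses from coverage gaps on purpose: a "missed" escape points at scanner configuration or checks, while an "unscanned" escape points at scope and inventory, and Level 5's practice of updating scanning configurations and rules from previous measurements depends on knowing which one you are looking at.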

Manual

Level 1

Manual testing or review occurs when specifically required or requested.

Level 2

Manual testing or review processes are established and some departments and divisions have defined requirements.

Level 3

Manual testing or review occurs based on reasonable policy-defined requirements that apply to the entire organization and is available as a service where not specifically required by policy.

Level 4

Deviations from manual testing or review requirements are tracked and reported.

Level 5

Manual testing or review processes include focused testing based on historical test data and commonalities or threat intelligence.

External

Level 1

External vulnerability reports and disclosures are handled on a case-by-case basis.

Level 2

A basic vulnerability disclosure policy (VDP) and contact information are published, but the back-end processes and procedures are not documented.

Level 3

A more comprehensive VDP is in place, along with terms and conditions for external vendors and security researchers, that outlines the rules of engagement, tracking, and feedback processes.

Level 4

Compliance with the VDP and terms and conditions is tracked and measured, and the information is used to streamline processes and evaluate vendors and researchers.

Level 5

A mature external testing and research program is in place with specific goals and campaigns that may only be available to specific vendors or researchers.

Here are the links to the other articles if you are interested:

Prioritizing vulnerabilities is not a solution

https://www.dhirubhai.net/pulse/prioritizing-vulnerabilities-solution-david-hazar/

SANS Vulnerability Management (VM) Maturity Model - Intro & Analyze

https://www.dhirubhai.net/pulse/sans-vulnerability-management-vm-maturity-model-intro-david-hazar/

SANS Vulnerability Management (VM) Maturity Model - Prepare

https://www.dhirubhai.net/pulse/sans-vulnerability-management-vm-maturity-model-prepare-david-hazar/
