Implementing RBVM

While every organization is unique and has its own requirements, there are a few lessons we have learned implementing RBVM solutions over the past few years. If you're looking to mature your vulnerability management program, these might be useful:

Don't worry!

You already have the data you need; most implementations are an exercise in data discovery. What data? That depends on your project goals, but it usually comes from security and enterprise tools you already run: asset and software inventories, vulnerability and exposure data, and any external intelligence. Look for new fields in previously integrated tools, new tools to integrate, spreadsheets that house valuable data, hidden meaning in existing data, and employee knowledge about specific data sources. Leverage your existing investment in security and management tools.

Automation is key.

Too much time and effort in current RBVM management is wasted manipulating data (in Excel and otherwise). If vulnerability data is housed in multiple, disparate systems, aggregating and centralizing it so that duplicate findings can be identified is a good early step. Let technology do the easy, repeatable tasks, and free up your team for more relevant and impactful work.
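As an added illustration of that aggregation and deduplication step (example code, not from the original article or any vendor's product), the script below takes exports from three constructed sources with inconsistent field names and casing, normalizes them onto one record shape, and merges duplicate host/CVE pairs while remembering which sources reported each finding. The source names, field names and CVE ids are placeholders.

```python
"""Aggregate vulnerability findings from several sources and deduplicate them.

Added example, not from the original article. All records below are
constructed sample data; the source names ("scanner_a", "scanner_b",
"spreadsheet"), their field names and the CVE ids are placeholders.
"""
from dataclasses import dataclass, field

# Constructed exports. Note the inconsistent hostname and CVE casing and the
# finding that appears in more than one source.
SCANNER_A = [
    {"host": "web01.example.internal", "cve": "CVE-0000-0001", "severity": 10.0, "port": 8080},
    {"host": "db02.example.internal", "cve": "CVE-0000-0002", "severity": 9.8, "port": 3389},
]
SCANNER_B = [
    {"hostname": "WEB01.example.internal", "plugin_cve": "cve-0000-0001", "cvss": 9.8},
    {"hostname": "web01.example.internal", "plugin_cve": "CVE-0000-0003", "cvss": 8.8},
]
SPREADSHEET_ROWS = [  # host,cve,score,free-text notes
    "web01.example.internal,CVE-0000-0003,7.5,Owner notes: patched in staging",
    "app03.example.internal,CVE-0000-0004,9.8,",
]


@dataclass
class Finding:
    host: str
    cve: str
    severity: float
    sources: set = field(default_factory=set)


def _norm_host(h: str) -> str:
    return h.strip().lower()


def _norm_cve(c: str) -> str:
    return c.strip().upper()


def normalize(source: str, rec) -> Finding:
    """Map one raw record, from whichever source, onto the common Finding shape."""
    if source == "scanner_a":
        return Finding(_norm_host(rec["host"]), _norm_cve(rec["cve"]), float(rec["severity"]), {source})
    if source == "scanner_b":
        return Finding(_norm_host(rec["hostname"]), _norm_cve(rec["plugin_cve"]), float(rec["cvss"]), {source})
    if source == "spreadsheet":
        host, cve, sev, _notes = rec.split(",", 3)
        return Finding(_norm_host(host), _norm_cve(cve), float(sev), {source})
    raise ValueError(f"unknown source {source!r}")


def aggregate(*feeds):
    """feeds: (source_name, iterable_of_records). Returns a dict keyed by (host, cve)."""
    merged = {}
    for source, records in feeds:
        for rec in records:
            f = normalize(source, rec)
            key = (f.host, f.cve)
            if key in merged:
                # Same host + CVE already seen: keep the highest score, union the sources.
                existing = merged[key]
                existing.severity = max(existing.severity, f.severity)
                existing.sources |= f.sources
            else:
                merged[key] = f
    return merged


def dedup_report(merged):
    """Sorted (host, cve, severity, sources) rows for the remediation report."""
    return sorted((f.host, f.cve, f.severity, sorted(f.sources)) for f in merged.values())


if __name__ == "__main__":
    m = aggregate(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B), ("spreadsheet", SPREADSHEET_ROWS))
    raw = len(SCANNER_A) + len(SCANNER_B) + len(SPREADSHEET_ROWS)
    print(f"{raw} raw records -> {len(m)} unique findings")
    for row in dedup_report(m):
        print(row)
```

The `sources` set is what makes the merge auditable: when a finding closes in one scanner but not another, the report still shows where it came from, which is the transparency the next section asks of RBVM tooling.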

RBVM programs need to be flexible and grow with the organization.

So do the tools that manage the RBVM process. Often, organizations try to build an RBVM program on tools already in their environment, but those tools lack the specific functionality needed to make the program successful.

RBVM tools must be flexible and transparent.

Implementing RBVM is an iterative process. Most organizations want a fully mature program right out of the gate but are very rarely ready for one. It's OK to start conservatively and grow. It's also OK if you don't have all the answers immediately. The relevant questions and answers will come organically as you build the program.

Understand the desired end-state for prioritization (goals)

  • How many levels of priority are needed?
  • What attributes are important for assets, exposures and criticality?
  • What are the reporting needs for the organization (for remediation and for management)?

You can't build a mature program if you don't understand what you're building towards.
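To make those three questions concrete, here is an added example (not from the original article) of one answer to them: four priority levels, a small set of asset, exposure and intelligence attributes, and a queue plus a per-level count that serve the remediation and management views respectively. The level names, attribute names and thresholds are assumptions chosen for illustration; a real program tunes them to its own goals, and the point is that they are explicit and adjustable rather than buried in a spreadsheet.

```python
"""Assign priority levels to findings from asset, exposure and criticality attributes.

Added example, not from the original article. The four levels, the attribute
names and the thresholds are assumptions for illustration only; the sample
data is constructed and the CVE ids are placeholders.
"""
from dataclasses import dataclass

PRIORITY_LEVELS = ("P1", "P2", "P3", "P4")  # assumption: four levels, P1 most urgent


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: str          # assumption: "high" / "medium" / "low" business criticality
    internet_exposed: bool


@dataclass(frozen=True)
class Exposure:
    host: str
    cve: str
    severity: float           # 0.0-10.0 scanner score
    exploited_in_wild: bool   # assumption: flag sourced from an external intelligence feed


def prioritize(exp: Exposure, asset: Asset) -> str:
    """Combine vulnerability, asset and intelligence attributes into one level."""
    if exp.exploited_in_wild and asset.internet_exposed:
        return "P1"
    if exp.exploited_in_wild or (exp.severity >= 9.0 and asset.criticality == "high"):
        return "P2"
    if exp.severity >= 7.0 or asset.criticality == "high":
        return "P3"
    return "P4"


def build_queue(exposures, assets):
    """Findings grouped by level, in the order remediation teams work them.

    A finding on a host missing from the asset inventory gets a conservative
    placeholder asset rather than silently dropping out of the report.
    """
    by_host = {a.host: a for a in assets}
    unknown = Asset("unknown", "medium", internet_exposed=True)
    queue = {lvl: [] for lvl in PRIORITY_LEVELS}
    for exp in exposures:
        asset = by_host.get(exp.host, unknown)
        queue[prioritize(exp, asset)].append((exp.host, exp.cve))
    return queue


def summary(queue):
    """Counts per level, which is the management-reporting view."""
    return {lvl: len(items) for lvl, items in queue.items()}


# Constructed sample data with placeholder CVE ids.
ASSETS = [
    Asset("web01", "high", True),
    Asset("db02", "high", False),
    Asset("kiosk07", "low", False),
]
EXPOSURES = [
    Exposure("web01", "CVE-0000-0001", 9.8, exploited_in_wild=True),
    Exposure("db02", "CVE-0000-0002", 9.8, exploited_in_wild=False),
    Exposure("kiosk07", "CVE-0000-0003", 5.3, exploited_in_wild=False),
    Exposure("ghost99", "CVE-0000-0004", 7.5, exploited_in_wild=False),  # not in inventory
]

if __name__ == "__main__":
    q = build_queue(EXPOSURES, ASSETS)
    print(summary(q))
    for lvl in PRIORITY_LEVELS:
        for host, cve in q[lvl]:
            print(lvl, host, cve)
```

The unknown-asset branch is deliberate: the gap between what the scanner sees and what the inventory knows is itself a data-discovery finding, and surfacing it in the queue is how the program grows the asset data over time.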