Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable.
POSTER
Key Metrics: Cloud & Enterprise | Vulnerability Management Maturity Model
This new poster was developed by Jonathan Risto and AJ Yawn.
Key Metrics: Cloud and Enterprise delivers a set of essential metrics to generate, provide, and review with the Technical, Operational, and Executive partners of the organization. Providing both early-stage and advanced metrics, organizations can generate meaningful metrics across the Identify, Protect, Detect and Respond functions of their security programs.
The SANS Vulnerability Management Maturity Model helps you gauge the effectiveness of your Vulnerability Management program. The model details key activities performed within Vulnerability Management on a 5-point scale. Leveraging the model, you can categorize your program’s current capabilities to create a clear roadmap to improve your program.
Download your FREE copy here.
NEWS
- Firms Push for CVE-Like Cloud Bug System
- Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers
- Researcher Releases PoC for Recent Java Cryptographic Vulnerability
- 2021 Top Routinely Exploited Vulnerabilities - A joint security bulletin coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom lists the top 15 exploited vulnerabilities in 2021
- Cisco Vulnerability CVE-2022-20695
- VMWARE Remote Code Execution (RCE) vulnerability
- ‘Groundbreaking’ CISA directive to overhaul cyber vulnerability management process
- Can understanding flaws in malware help defenders prevent attacks?
WEBCASTS
Understand Vulnerability Management Maturity with a Self-Assessment Tool, May 2023
- Securing Cloud Data: The Hidden Vulnerabilities of SaaS Platforms, July 2021
- REKT Casino Hack Assessment Operational Series – Vulnerability Management Gone Wrong, March 2021
- Reimagining Vulnerability Management in the Cloud, Aug 2020
- Enterprise and Cloud | Threat & Vulnerability Assessment, June 2020
- Domain Password Auditing with the Cloud, April 2020
- Passwords are a Solvable Problem!, Feb 2020
- How to Communicate about Security Vulnerabilities Jan 2020
SURVEYS
- A SANS 2021 Survey: Vulnerability Management - Impacts on Cloud and the Remote Workforce, Nov 2021
- A SANS 2021 Survey: Vulnerability Management - Impacts on Cloud and the Remote Workforce Panel Discussion, Nov 2021
- SANS 2020 Vulnerability Management Survey, Nov 2020
- SANS 2020 Vulnerability Management Survey: A Panel Discussion, Nov 2020Workforce Transformation & Risk: A SANS Survey, Dec 2019
LIVE STREAMS
Download notes from this live stream here.
BLOGS
- Vulnerability Management Maturity Model - Self Assessment Tool (VMMM-SAT), May 2023
- 5 Metrics to Start Measuring in Your Vulnerability Management Program
- Vulnerability Management Maturity Model, Part I
- Vulnerability Management Maturity Model, Part II
- The Cyber Capability Development Centre (CCDC) Concept, May 2019
ADDITIONAL RESOURCES
CISA Know Exploited Vulnerabilities - CISA publishes a list of known exploited vulnerabilities that the federal government must remediate. If it is on this list you should ensure your organization has mitigated it
2021 Top Routinely Exploited Vulnerabilities - A joint security bulletin coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom lists the top 15 exploited vulnerabilities in 2021
Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01
SANS Vulnerability Management Courses
MGT516: Building and Leading Vulnerability Management Programs
Vulnerability, patch, and configuration management are not new enterprise security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage security vulnerability capabilities effectively. The quantity of outstanding vulnerabilities for most enterprise organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new security vulnerabilities in their infrastructure and applications. When you add in the cloud, and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, enterprise security may seem unachievable. This vulnerability management training course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. 21 Cyber42 and 15 lab exercisesSEC460: Enterprise & Cloud: Threat Vulnerability Assessment
SEC460 will help you build your technical vulnerability assessment skills and techniques using time-tested, practical approaches to ensure true value across the enterprise. Throughout the course you will use real industry-standard security tools for vulnerability assessment,management, and mitigation; learn a holistic vulnerability assessment methodology while focusing on challenges faced in a large enterprise; and practice on a full-scale enterprise range chock-full of target machines representative of an enterprise environment, leveraging
production-ready tools and a proven testing methodology. SEC460 takes you beyond the checklist and gives you a tour of attackers' perspectives that is crucial to discovering where they will strike.
Comparison of MGT516 vs SEC460
MGT516 - STRATEGY | SEC460 - SCABILITY | |
POSITIONING | Prepares you to strategically build and mature a vulnerability management program that is inline with overall business objectives, risks, and culture. | Teaches threat and vulnerability management assessment from the attackers' perspective. |
WHO | Security Managers Security Architects CISOs Team Leads Operations Directors and Managers Auditors | Vulnerability Assessors Security Analysts Sys Admins Red Teamers Pen Testers |
WHAT | How we solve for a vulnerability management life-cycle, holistically from identification through remediation while considering the overall business strategy by utilizing the PIACT model (Prepare, Identify, Analyze, Communicate, Treat) | Understanding the environment & the threat landscape to identify vulnerabilities & determine the optimal, scalable solutions for the enterprise. |
WHY | Overarching strategy to implement or improve vulnerability management while considering limited resources of time, money, and personnel. | Focuses on preparing security personnel to effectively & efficiently secure systems for mid-sized to large organizations. |
SPECIFIC TASKS / SKILL SETS | Create, implement & mature Vulnerability Management program Establish secure & defensible enterprise & cloud environment Build accurate and useful inventory of IT assets Identify existing vulnerabilities and how to meaningfully use this info Make data more actionable Prioritize vulnerabilities Effectively report & communicate vulnerability data within the organization up to C-level Understand treatment capabilities & better engage with treatment teams Make Vulnerability Management more engaging | Learn how to conduct vulnerability assessments Develop vulnerability discovery, management, and remediation plans Threat intelligence gathering Vulnerability assessment tool configuration and management Conduct infrastructure vulnerability enumeration at scale across numerous network segments Manage large vulnerability datasets and perform risk calculation OSINT gathering Active and Passive Reconnaissance Web application scanning |
