Case Study » Security Vulnerability Management Strategy for a Large Federal Agency
The Program Office at a large federal agency was concerned about the consistently high number of vulnerability findings identified during the quarterly and yearly security audits conducted by the agency audit group. The objective was to reduce the number of vulnerabilities and thereby bring the agency's network and application environment into compliance. The environment included over 5000 desktops/laptops and hundreds of servers spread across both the continental USA and international locations. The security engineering and operations team, under the leadership of Mr. John Neville, engaged both the network and application teams to research the types of vulnerabilities in depth, explain the numbers being observed, provide an in-depth review of a range of critical risks, and advise the agency approving authority on a true snapshot of the agency's network and application level of FISMA compliance.
Following collaborative discussions, a small task force was created from the security, network and application teams with the objective of gathering evidence on new versus repetitive vulnerabilities, compliance audit versions, false positives, and total versus unique findings, thereby developing a clear understanding of how the vulnerability management assessment results were being interpreted. With regard to false positives, evidence including screenshot captures was gathered to illustrate the cases to the client and agency auditors.
Furthermore, a monthly vulnerability self-assessment process was developed and implemented. It included running automated scans, capturing results in native format, running Perl scripts to convert the results into manageable Excel spreadsheets, and developing Excel algorithms to filter large volumes of data into meaningful output that was then converted into reports for both technical and senior leadership teams to review. This was accompanied by a presentation to dissect the report findings and share the results in organizational terms that encompassed risk, cost, operational performance and compliance.
The actionable recommendations enabled the client to address the following critical areas:
- Non-Compliance: Vulnerability findings were identified where the network and application teams had failed to apply patches to hardware and software prior to release to production because of time and resource constraints, reflecting lapses in the configuration and change management process.
- Documentation: A large number of the findings identified were false positives that had not been spotted and captured in the documentation. In addition, certain failed patches to systems were not documented accurately to reflect the negative impact of the patch on application operability. Plan of Action and Milestones (POA&M) documentation was not updated on a regular basis and lacked version control. Standard Operating Procedures needed to be developed and/or updated.
- Interpretation: In the past, vulnerability findings were reported as the total number of findings, as raw data. The Excel spreadsheets were used to analyze and identify unique vulnerabilities across multiple systems and platforms, which helped reduce the number of findings as depicted previously. Once the large data set was mined, the security team collaborated with the network and application teams to fix the vulnerabilities in a managed and controlled manner across systems and applications, supported by documentation records for future audit purposes. At a later date, the process evolved into a structured database solution.
- Regular Monthly Scans: Previously, the network and application teams only became aware of findings when the agency auditors visited to conduct an audit. With the new monthly self-assessment process, all internal stakeholders were well informed and vulnerabilities were mitigated on a monthly basis, which helped reduce the number of findings in both the quarterly and yearly audits. The program office's risk rating improved within the federal agency.
- Communications and Security Awareness: Effective communications, supported by security awareness, helped lower the human barriers to acceptance of the new process. Security teams are usually considered exclusive to IT operations, and thus the bridge between security and IT operations and application developers is considered a "bridge too far". Security awareness training in the form of "brown-bag" lunches was implemented to share industry best practices related to secure coding, patch and configuration management, documentation and security assessments.
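The monthly roll-up described above (total versus unique findings, new versus repetitive against the prior month, documented false positives set aside), as an added example in Python rather than the Perl-and-Excel workflow the case study describes; it is not the agency's or Movel's code, and the scan rows, check ids, hosts and evidence reference are constructed.

```python
"""Monthly self-assessment roll-up (added example, constructed data):
collapse raw scan rows into unique vulnerabilities, split new vs repeat
against the prior month, and set aside documented false positives."""

# Constructed scan export: one row per (host, check). Hosts and check ids are made up.
CURRENT_SCAN = [
    {"host": "srv-01", "check": "C-1001", "title": "Outdated OpenSSL", "sev": "High"},
    {"host": "srv-02", "check": "C-1001", "title": "Outdated OpenSSL", "sev": "High"},
    {"host": "srv-03", "check": "C-1001", "title": "Outdated OpenSSL", "sev": "High"},
    {"host": "ws-0100", "check": "C-2002", "title": "Missing OS patch", "sev": "Medium"},
    {"host": "ws-0101", "check": "C-2002", "title": "Missing OS patch", "sev": "Medium"},
    {"host": "srv-01", "check": "C-3003", "title": "Weak TLS cipher", "sev": "Medium"},
    {"host": "app-01", "check": "C-4004", "title": "Debug banner", "sev": "Low"},
]
PRIOR_CHECKS = {"C-1001", "C-3003"}            # seen last month -> "repetitive"
FALSE_POSITIVES = {"C-4004": "evidence FP-0007 (screenshot on file)"}  # constructed


def roll_up(rows, prior_checks, false_positives):
    """Return (summary, detail): summary has the leadership numbers, detail
    maps each unique check id to its title, severity and affected hosts."""
    detail = {}
    fp_rows = 0
    for r in rows:
        if r["check"] in false_positives:
            fp_rows += 1                      # excluded, but counted for the audit trail
            continue
        d = detail.setdefault(r["check"], {"title": r["title"], "sev": r["sev"], "hosts": set()})
        d["hosts"].add(r["host"])
    summary = {
        "total_rows": len(rows),
        "false_positive_rows": fp_rows,
        "unique_vulns": len(detail),
        "new": sorted(c for c in detail if c not in prior_checks),
        "repeat": sorted(c for c in detail if c in prior_checks),
    }
    return summary, detail


def report_lines(summary, detail):
    """One line per unique vulnerability, new items first, as the technical team reviews it."""
    lines = [f"{summary['total_rows']} raw findings -> {summary['unique_vulns']} unique "
             f"({summary['false_positive_rows']} rows documented as false positives)"]
    for check in sorted(detail, key=lambda c: (c not in summary["new"], c)):
        d = detail[check]
        status = "NEW" if check in summary["new"] else "repeat"
        lines.append(f"{check} [{d['sev']}] {d['title']}: {len(d['hosts'])} host(s), {status}")
    return lines
```

The same structure carries over to a database-backed version: the (check, host) pairs become rows, and the prior month becomes a query instead of a set.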
Movel has broad expertise in cybersecurity, threat assessment and management, and is an expert in application development security. We were chosen for the domain and technical expertise and the cyber qualifications of our team.
The key to the successful implementation of this solution lay in developing a security vulnerability management strategy and effective communications with all technical and executive stakeholders. Thus, the internal security self-assessment process proved to be an organizational mission enabler.