Pick your security battles

Computerworld - Lloyd Hession has a simple philosophy for dealing with vulnerabilities on his company's network: Know which ones have to be fixed right away and which can be safely put off for later.

The sheer number of vulnerabilities that can exist on a network make it impossible to address all of them at the same time without serious disruption, says Hession, chief information security officer at Radianz, a New York-based provider of network connectivity services to financial firms.

So the key is to have a formal vulnerability management process to identify problems, categorize them by severity and prioritize responses, he explains.

"It's all about arriving at some sort of a risk determination and figuring how seriously you need to address it," he says. "The days of people running out and patching everything are over."

Hession isn't alone. Finding out what to protect on the network and how much protection is needed is suddenly becoming a lot more important to companies than it was even two years ago, says Scott Crawford, an analyst at Enterprise Management Associates in Boulder, Colo.

The never-ending barrage of software vulnerability announcements and the constant, sometimes competing, need to fix them is pushing companies to look for more efficient ways to deal with the problem, he says.

Instead of rushing to apply costly fixes to every flaw that's announced, the goal is to take a more selective approach by prioritizing threats, adds Crawford.

"Vulnerability management tools are going to be in great demand where exposure to external risk is high," Crawford says. That's because the tools are designed to impose order on a process that has, in the past, simply been urgently reactive.

Image Credit: William Rieser

Vulnerability and asset classification, as well as risk metrics, are needed to help companies prioritize responses to the threats.

Mitigation and blocking measures may be needed to deal with some threats for which software updates or other fixes may not be immediately available. And monitoring and measurement processes are crucial to ensure that fixes and changes that have been made remain in place.

Detection and Remediation

A good management process helps companies identify and remediate the network vulnerabilities that really matter, says Derek Milroy, a security architect at Career Education Corp. (CEC), a $1.73 billion company in Hoffman Estates, Ill., that runs postsecondary education programs.