Vulnerability Risk Management: What Does this Mean for MSPs and IT Service Providers?

If you’re looking to improve your vulnerability risk management strategy as an MSP or an IT service provider, you’re in the right place. Let’s look at the lifecycle for an effective vulnerability management process, and how patch management can help you go the extra mile.

 

Your Options when you Uncover a Vulnerability

 

The risks of a connected and dynamic IT environment change all the time, and are growing in number and sophistication. As the IT pro – it’s your job to understand the risk of the environment that you’re managing, and then decide what the best course of action might be. The truth is, you can’t solve it all. When you consider a risk, you have three main options which we will discuss through this article.

 

  • Accept the risk
  • Implement compensating controls
  • Patch the vulnerability

 

Accepting the Risk

 

In some cases, if there is no fix available, you might decide that you want to accept a certain amount of risk for your business. Think about it this way. If a client asks you, “How can I eliminate the risk of my users accidently clicking on an email link and launching a phishing scam?” One answer is – take away your user’s access to email! No more emails, no more phishing! Of course, that might have a 100% success rate – but it also will cause your business to grind to a halt. You accept a certain amount of risk that phishing scams may slip through the cracks, while implementing anti-malware detection, phishing education for your staff, and much more.

 

There is really no such thing as zero risk. It’s therefore important to acknowledge the amount of risk that is outside of your control and you’re willing to take on. This could be something like out of date certificates on a third-party website that you need to use, or services with old passwords and no easy way to update an administrator to reset or change them. At all stages, ask yourself “What is the worst-case scenario here, and am I okay with opening the business up to this level of risk?”

 

Compensating Controls

 

In some cases, for example with zero day exploits or attacks – there might not be an easy fix available, but the risk is just too great to leave as an accepted level of risk. In this case, if there is a true technical limitation, it may make sense to look for a separate solution. This might be a temporary fix until a patch becomes available, or it could be more long-term if the vulnerability can’t be fixed traditionally due to your own business requirements, such as if you have legacy software and protocols that are yet to be torn down or replaced. An Intrusion Prevention System (IPS) is a good example of a compensating control that might be used. Further actions to compensate could be taking the impacted part of the system offline, or using some kind of segmentation to isolate the vulnerability, or alternatively to ring-fence your sensitive or critical data.

 

Compensating controls are often used when compliance mandates cannot be kept to by the traditional methods available, for example if they don’t have the technology to encrypt all of their data.

 

Patch Management

 

In the best-case scenario, and in the majority of cases, you will be able to implement a normal patch management process on finding a vulnerability. When your RMM allows you to automate patch management, you can create the right process for each of your customers, choosing when and how to schedule and implement critical updates, security updates, definition updates, rollups and more. A sophisticated system will offer the ability to add extra functions, like shut down or restart after patches have been deployed. At Atera, you can add custom scripts directly from the Shared Script Library, augmenting and customizing your patch management process in exactly the way you choose.

 

You should also be able to exclude specific patches where you have compensating controls or accepted risk protocols in place with your customer. At the same time, regular maintenance work such as setting system restore points, deleting temporary files, defragment and running Check Disks can also be automated – creating a more secure environment in which your clients or internal IT can work.

 

What is a Smart Process for Vulnerability Management?

 

Let’s go through the vulnerability management lifecycle as seen below, and think about each stage. The more monitoring for full visibility you can achieve, and the more that you can handle via automation, the less risky your environments, and the more you free up resources to do higher-value tasks.

 

Discover: Here you can use network scanning, your existing logs and even manual or automated penetration testing to see what weak spots there are across your client or internal networks.

 

Prioritize: Which anomalies are ‘false positives’ or don’t equate to risk in your environments, and which need your immediate attention?

 

Assess: Is there a patch available for this vulnerability? If not, think about your options above – can you deploy a compensating control, or does this constitute an acceptable level of risk?

 

Mitigate: Here is where patch management comes into its own. Patches are usually offered by the software or hardware vendors. Schedule patching so that it doesn’t impact user activity.

 

Verify: Use your continuous scanning to ensure that the vulnerability has been patched and can no longer be exploited on your networks. Remember, different OS or servers and systems may need their own approaches.

 

Report: Keep a log of everything that you’ve done, which will be helpful for compliance, quarterly business reviews, and your own internal governance.

 

Vulnerability Risk Management Made Simple

 

With an automated process for patch management, the work needed to manage risk in your client or corporate IT environment is greatly reduced. Allow regular scanning and patching to happen in the background, narrowing down your security focus to only the few items that need manual assessment.

 

Want to learn more about our Patch Search and Deploy report that you can use to show your MSP value? Check it out here.