Digital Defense Incorporated released a white paper on their vulnerability management maturity model, which they dub VM3, back in 2015. The white paper is pretty robust, detailing vulnerability management steps as a discipline and then diving into maturity levels and what they mean. However, I’m focusing on the maturity levels rather than their whole breakdown, which is a good write-up on its own.
There are six levels in the model, starting with Level 0. They also define a level not on the scale entitled “Vulnerable To A Breach”, which I find to be more than a little incorrect. I do get what they were trying to convey: Level 0 is entitled “Importance Acknowledged”, and it entails exactly what you would think from the name. The graphic is mostly trying to show that prior to acknowledging the importance of vulnerability management as a whole, the risk involved is considerable and unknown. By taking that first step, an organization can begin the process of vulnerability and risk management, but they are certainly still vulnerable to a breach. A poor choice of wording, I think, especially considering that one of the purposes of these models is for security professionals to use them to explain a way ahead to their leadership, and it gives the wrong impression.
Level 1 is entitled “Primitive Operations”, and it is at this stage that the organization adds in scanning on an ad-hoc basis. The key detail from this level is that the organization is unable to meet compliance objectives. Without the processes in place to prioritize findings and integrate remediation or mitigation, the program is weak.
When an organization is in Level 2, “Purpose Driven Compliance”, we begin to see the automation of tasks like scanning and even scheduled assessments. Other aspects like trending and the beginnings of remediation prioritization are also found here, but that prioritization is immature and shows how at this point the security team is not integrated with other groups within their organization. An important point is that at this level the organization is able to use these fledgling processes to actually achieve compliance.
Priority begins to play a larger role in Level 3, “Proactive Execution.” This level sees the scanning become more advanced and more frequent, and the remediation more integrated with the organization’s business practices. The white paper makes a point that at this level we are still not talking about executive-level buy-in, and having that buy-in is extremely important for the future growth of the program.
At Level 4, “Committed Lifecycle Management”, we see it come together. The executives are on board, remediation efforts are fully integrated and operate on a timeline, and prioritization is a fundamental part of the program. This is also where we begin to see automation playing a role, with automated scans and automated patching.
The last level, Level 5, is entitled “Automated Security Ecosystem”. The idea of this level is taking Level 4, which is a fairly complete system, and adding further automation to make it as seamless as possible. Multiple scans are done from variable vantage points in order to gather the maximum possible system information, and that data is incorporated into the system for analysis.
So there are a few problems with this one. I already spoke about the pre-Level 0 issue, which is just a disagreement on wording. Another problem I have is that credentialed scanning doesn’t show up until Level 3, but in Level 2 the assumption is that compliance has been achieved. I don’t see how any organization can realistically be compliant with whatever compliance standard they are responsible for without implementing at least some of the technical measures talked about in Level 3. This lack of technical maturity at the stage when you should be achieving compliance really hurts the model, in my opinion. Aside from those minor issues, the model really seems to capture the evolution of a program.
Next week, I’ll compare these three models against each other. I’ve signed up to give a talk on this at NovaHackers next month, so there it is. It will be my first talk with the group; although I’ve been on the list for a while, they have meetings on Mondays and I’ve had classes on Mondays since forever. I decided to only look at three models, because beyond that they start to get very obscure, and there is so much repetition that I don’t think I need to go over any more.