CISA’s Eric Goldstein on a Practical Transformation for Vulnerability Management

Author: Jennifer Walker

Created: Thursday, November 10, 2022 - 18:53

Categories: Cybersecurity, Security Preparedness

WaterISAC is honored to have Eric Goldstein kick off Day 3 of H2OSecCon next week.

Regardless of organizational size, vulnerabilities are everywhere and vulnerability management isn’t easy. The fewer resources an organization has, the more challenging it is to address the continuous cycle of vulnerabilities that plague our networks. Nonetheless, vulnerability management can’t be ignored. Vulnerability management involves the need to identify and remediate cybersecurity gaps before the bad guys exploit them – an absolute necessity for every organization.

Vulnerability management is part of the core of every cybersecurity program, which is why it’s included in every cybersecurity framework and guidance, including WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. It’s also why CISA maintains the Known Exploited Vulnerabilities Catalog and continues to provide guidance to help every organization manage risk more effectively. Today, Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, outlined three critical steps and highlighted tools to help organizations of all sizes advance the vulnerability management ecosystem, including:

  • Introducing greater automation into vulnerability management, including by expanding use of the Common Security Advisory Framework (CSAF)
  • Making it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of Vulnerability Exploitability eXchange (VEX)
  • Helping organizations more effectively prioritize vulnerability management resources through use of Stakeholder Specific Vulnerability Categorization (SSVC), including prioritizing vulnerabilities on CISA’s Known Exploited Vulnerabilities (KEV) catalog

Specifically, utilities of all sizes are encouraged to review CISA’s customized SSVC decision tree guide to help prioritize known vulnerabilities based on an assessment of five decision points, which are (1) exploitation status, (2) technical impact, (3) automatability, (4) mission prevalence, and (5) public well-being impact. The prioritization (based on reasonable assumptions for each decision point) will result in a vulnerability being categorized more appropriately for each environment and help organizations better prioritize which vulnerabilities are more critical to address. A description of each decision and value can be found on CISA’s new SSVC webpage. Access CISA for more.
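As an added illustration of the KEV-based prioritization mentioned in the third bullet above (this code is not from WaterISAC or CISA), the sketch below joins scanner findings against a KEV-format JSON document and puts KEV-listed findings first. The `cveID` and `dueDate` field names follow CISA's KEV JSON feed; the sample entries, placeholder CVE IDs, asset names, and the `load_kev` and `prioritize` functions are constructed for this example.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON feed's layout (placeholder CVE IDs, not real entries).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2022-10-01", "dueDate": "2022-10-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2022-11-01", "dueDate": "2022-11-22"},
]})

# Constructed scanner findings: (asset, CVE ID, CVSS base score).
FINDINGS = [
    ("hmi-01", "CVE-0000-0003", 9.8),
    ("vpn-gw", "CVE-0000-0002", 7.5),
    ("historian", "CVE-0000-0001", 6.5),
    ("hmi-01", "not-a-cve", 5.0),
]

def load_kev(raw):
    """Map CVE ID -> KEV due date, skipping entries that lack either field."""
    kev = {}
    for entry in json.loads(raw).get("vulnerabilities", []):
        cve, due = entry.get("cveID"), entry.get("dueDate")
        if cve and due:
            kev[cve.upper()] = date.fromisoformat(due)
    return kev

def prioritize(findings, kev, today):
    """Order findings: KEV-listed first (earliest due date first), then the rest by CVSS."""
    rows = []
    for asset, cve, cvss in findings:
        due = kev.get(cve.upper())
        rows.append({
            "asset": asset, "cve": cve, "cvss": cvss, "due": due,
            "in_kev": due is not None,
            "overdue": due is not None and due < today,
        })
    # Known exploitation outranks a higher CVSS score on an unlisted CVE.
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return rows

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_SAMPLE), date(2022, 11, 10)):
        print(r["asset"], r["cve"], r["cvss"], "KEV" if r["in_kev"] else "-", r["overdue"])
```

The ordering here uses only KEV membership and due date; the remaining SSVC decision points would be assessed per environment as the guide describes.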
