How to Adapt Vulnerability Management Service Level Agreements (SLAs) to Team Maturity
In working with customers across different enterprises and experiencing it myself, the challenges in managing vulnerabilities effectively are felt. Drawing from the insights of customers and my experiences, I’ve learned much about using Service Level Agreements (SLAs) in the vulnerability remediation process.
I’ve consistently observed that setting and tracking SLAs can be challenging. Many teams need help to use them effectively, especially under tight deadlines. To assist with alleviating some of these SLA challenges, I offer a few recommendations and reflections that dig into how to get started with SLAs for vulnerability remediation and their implications for security teams aiming to implement vulnerability management processes in their organization successfully.
I also offer an example of how advanced organizations use SLAs effectively so you can consider leveraging and implementing that process in your organization.
One of the (Many) Challenges with SLAs in Vulnerability Management
In a recent discussion with a director-level colleague in an enterprise organization, we chatted about his difficulties in managing SLAs for over 500 different products within their organization. He faced a real challenge in balancing fixing vulnerabilities efficiently while accommodating varying vulnerability severity levels and workloads across different teams.
The director said, “I have teams with 50 critical vulnerabilities and others with zero.” He wanted to create a vulnerability remediation policy to help guide all those teams. The first challenge he faced was picking an approach. Should they “fix all critical vulnerabilities within 30 days” and leave some teams without vulnerabilities to fix (in their ticketing system)? Should they “fix all critical + high vulnerabilities within 30 days” and then overwhelm other teams with critical and high vulnerabilities?
This scenario got me thinking: there may be more effective solutions than the traditional approach of creating a blanket statement to address all critical vulnerabilities. When taken, the traditional route can lead to teams with zero critical vulnerabilities having no action to take while simultaneously overwhelming teams with multiple critical vulnerabilities.
As an agile company, my colleague wanted to fix vulnerabilities in every sprint. To accomplish this, he had to explore alternative approaches to vulnerability remediation SLAs that would adapt to the maturity level of each team, which led to our discussion. Before we continue, let’s look at the background of vulnerability management SLAs.
What are Vulnerability Management Service Level Agreements (SLAs)?
Vulnerability Management SLAs are formal agreements that define the expected timeframes and standards for addressing and resolving software vulnerabilities within an organization’s IT infrastructure. These SLAs are typically set between the IT or cybersecurity department and the broader organization or sometimes with third-party service providers.
The “Beauty” of SLAs
The beauty of SLAs lies in their ability to provide a unified metric for measuring performance across different teams, irrespective of the varying standards to which each team is accountable.
Let’s imagine a scenario where Team 1 has an SLA of 6 days to address critical vulnerabilities while Team 2 has a more lenient SLA of 14 days for similar tasks. SLAs abstract these differences, allowing for a straightforward measure of adherence, and measuring SLA adherence becomes a simple yet powerful tool for assessing whether an organization is functioning as intended.
In this scenario, if both teams are meeting their respective SLAs, regardless of the different time frames, it indicates a well-functioning system tailored to each team’s unique capabilities and workloads. This approach avoids the pitfalls of a one-size-fits-all metric, offering a nuanced view of performance that respects the diversity of roles and challenges within the organization.
Why Are SLAs Important in Vulnerability Management Processes?
When implemented correctly, SLAs are a formidable tool. They provide clear insights into the health of an organization’s prioritization frameworks and remediation processes.
Other SLA benefits include:
- Standardization of Processes: SLAs provide a standardized approach to handling vulnerabilities. This standardization ensures consistency in the quality and effectiveness of remediation efforts across the organization.
- Improved Security Response Time: SLAs establish clear timelines for addressing vulnerabilities, ensuring prompt action. This swift response is crucial in mitigating risks associated with vulnerabilities, reducing the window of opportunity for attackers to exploit them.
- Enhanced Risk Management: By prioritizing vulnerabilities based on severity and potential impact, SLAs help organizations focus their resources on the most critical issues. This approach leads to a more effective management of risks.
- Increased Accountability: SLAs define specific responsibilities for different teams or individuals involved in the vulnerability management process. This clarity in roles and expectations improves accountability, leading to more efficient and effective remediation efforts.
- Better Resource Allocation: SLAs help organizations plan and allocate the necessary resources more effectively by outlining the expected timeframes and processes for vulnerability remediation. These resources can include staffing, tools, and budgets dedicated to cybersecurity efforts.
- Compliance Assurance: Many industries have regulatory requirements related to vulnerability management processes. SLAs help ensure that vulnerability management practices comply with these regulations, reducing the risk of legal or regulatory penalties.
- Performance Measurement and Improvement: SLAs enable organizations to track and measure the performance of their vulnerability management processes. Organizations can use this data to identify areas for improvement, driving continuous enhancements in security practices.
- Enhanced Communication and Collaboration: The clear guidelines provided by SLAs can improve communication and collaboration from the board to individual remediators.
- Proactive Security Posture: SLAs encourage a proactive approach to security that addresses vulnerabilities systematically before exploitation rather than reacting to security incidents after they occur
Adapting SLAs to Team Maturity: Vulnerability Management Maturity Roadmap
We must look to different spaces for inspiration to maintain progress as an industry. The earlier discussion with my director-level colleague and his agile enterprise inspired me to tap into agile principles.
As builders of products, we emphasize adaptability and continuous improvement. Those same principles must be applied when creating SLAs for vulnerability remediation to ensure organizational efficiency and adaptability.
Incorporating and considering vulnerability management maturity involves tailoring SLAs to meet each team’s needs and capabilities and dynamically prioritizing vulnerabilities based on severity, team capacity, and product criticality. It means thinking bigger than having just one blanket policy that applies to every team. How? You create an adaptable system that meets teams where they are and then shows progress per team while maintaining a single standard.
Let’s talk through what this means.
The roadmap below provides an example of leveraging this more adaptable and effective approach. Consider SLA adherence as a spectrum, not a single ‘yes’ or ‘no’ answer.
For this example, let’s create a simple maturity scale representing all our steps to achieve the business outcome.
1. Define the Business Outcome
In this scenario, a business outcome could be a patch timeline from the date of discovery, such as a system including:
- Emergency vulnerabilities are fixed within 48 hours
- All critical vulnerabilities are fixed within 30 days, regardless of every other attribute.
- All high vulnerabilities are fixed within 90 days
So, how do we set up our system to support this outcome?
2. Prioritize the Outcomes
Let’s look at the options above and determine a priority for each outcome. Is fixing emergency vulnerabilities within 48 hours the most important? Or perhaps your normal critical vulnerabilities patch cycle is the most important? Write the outcomes on paper and number them in order of priority. You now have your levels of maturity for this SLA rollout.
3. Document Maturity Levels
The next step is to document your maturity levels. You want every team to tackle getting these under control in that order. We’ll choose an order for this example.
4. Develop Detailed SLAs
For this step, I added more precision to the example SLAs to show you what a more realistic and advanced set of SLAs might look like, prioritized.
Realistic SLAs might include:
- All emergency vulnerabilities are fixed within 48 hours (with a clear definition of emergency vulnerability)
- All critical severity vulnerabilities, remotely exploitable, being used actively in malware, and on a public-facing asset patched within 7 days
- All high-severity vulnerabilities remotely exploitable being used actively in malware on a public-facing asset patched within 14 days
- All critical severity vulnerabilities (in general) fixed within 30 days
- All high severity vulnerabilities (in general) fixed within 90 days
5. Visualize the SLA Maturity Roadmap
Here’s a visualization of what that might look like for sharing with a team. Alternatively, you could create a matrix.
A graphic like this allows teams to assess themselves against their maturity while providing an avenue for you to communicate the end state expected by the business and the path to get there.
Important Reminder: Every team can be at a different level of maturity.
You are not dictating the same starting point for everyone. Instead, you give high-level guidance on the destination and a vehicle to track progress. Attempting to do too much too soon can cause stalls in your SLA rollouts. To prevent this, you must clear the path to success using adaptive SLAs that meet teams where they are.
6. Focus on Realistic Improvement Goals
A vulnerability management SLA Maturity Roadmap emphasizes setting realistic and incremental improvement goals based on the current maturity level of each team, allowing flexibility in their workflows and strategies. This customization leads to a more effective and less overwhelming process, encouraging gradual improvement in vulnerability management.
3 Tips to Getting Started with Vulnerability Management SLAs
1. Threat Modeling
Threat Modeling involves identifying scenarios most likely to lead to breaches and the types of vulnerabilities associated with them. It’s not just about critical severity vulnerabilities but understanding the broader context.
By identifying scenarios most likely to result in breaches, enterprises can align their security efforts with real-world threats rather than theoretical vulnerabilities. This practical approach ensures resources are allocated where they’re most needed.
Focusing beyond just critical severity vulnerabilities allows teams to appreciate the full spectrum of risks, including those that might not seem immediately severe but could have significant implications in specific contexts.
By prioritizing vulnerabilities based on likely threats, enterprises can use their resources more efficiently, focusing on vulnerabilities that pose a genuine risk to their operations.
2. Focus SLAs on Worst-Case Scenarios
Focus SLAs on systems whose breach would have severe consequences, creating targeted SLAs for these specific scenarios. By targeting systems where breaches would have severe consequences, you can ensure that your organization’s most critical assets are protected, reducing the potential for significant damage.
Preparing for worst-case scenarios equips enterprises to handle severe breaches more effectively, minimizing potential fallout. This approach allows for more strategic risk management, aligning vulnerability remediation efforts with the areas of highest business impact.
3. Start Simple
Begin with achievable goals, gradually building up to more comprehensive SLAs. This stepwise approach ensures gradual progress and avoids overwhelming the system.
Starting with achievable goals makes the implementation of SLAs more practical and less daunting. This approach builds momentum as teams can quickly see the results of their efforts.
A step-by-step approach allows teams to develop the necessary skills and processes incrementally. This gradual progression is essential for ensuring long-term success and avoiding the pitfalls of trying to do too much too soon.
Here’s an example:
- Focus on being great at 1 SLA instead of rolling every SLA out simultaneously.
- Use an SLA roadmap like we showed above, and then get every team up to level 1.
- Once you’ve accomplished the first two bullets, ratchet up the expectations.
An approach like this highlights progress and keeps you moving in a specific direction while measuring progress. By avoiding a comprehensive SLA rollout all at once, enterprises can ensure their teams stay calm and don’t feel overwhelmed. This careful pacing ensures that the quality of vulnerability management doesn’t suffer due to an excessive initial burden.
Ensuring Vulnerability Management SLAs Remain Effective Over Time
Regular review and feedback mechanisms ensure that SLAs remain effective and relevant over time. Additionally, leveraging technology solutions that provide customized support for different team requirements can enhance the process.
By shifting from a standardized model to a more adaptable framework, organizations can ensure a more balanced workload distribution, improve efficiency, and enhance the overall effectiveness of their VM processes.
Automation As a Resource Key to SLA Management
High-performing organizations utilize technology to manage SLAs automatically, freeing resources to focus on core tasks. This technological integration is critical for tracking and achieving SLA compliance across various business units.
A Case Study: Transforming Vulnerability Management Processes with SLAs
In a real-world example, one of our customers struggled with vulnerability management. They started by conducting a risk mapping exercise to develop a framework for realistic and achievable SLAs. They listed out all the things that would need to be true to keep them up at night:
- What type of vulnerability would require you to call the CISO? How about the CEO?
- What causes THAT vulnerability?
Once answered, the customer created more mappings of vulnerability attributes to different levels of business risk. At that point, they could map SLAs to the level of business risk. Mapping SLAs to the level of business risk made it easy to communicate and get business stakeholders aligned. They were then able to ensure appropriate resourcing based on the level of risk.
Next came the hard part of tracking everything in one place and measuring those adaptable SLAs correctly per team; at this point, our organization, Nucleus Security, was engaged.
Their business taking on this adaptive approach to vulnerability remediation SLAs aligned with the business’s risk appetite led to a significant reduction in vulnerabilities posing the highest risk within a short period of time, showcasing the transformative power of well-structured SLAs in the enterprise.
Here’s a Quick Recap to Take Back to Your Team
- Implementing SLAs in a phased manner prevents overload and fosters a culture of continuous improvement. An easy way to phase out SLAs is to create an SLA maturity roadmap and publish it internally for teams to see
- Tailor SLAs to your teams’ specific context, considering their maturity levels and the types of vulnerabilities they handle. A one-size-fits-all approach is less effective.
- By focusing on threat modeling, teams can get complete alignment across the entire company and effectively prioritize efforts where they matter most, enhancing overall security posture.
- Leveraging technology for SLA management ensures accuracy and efficiency, allowing teams to concentrate on strategic tasks.
- Effective SLAs align various stakeholders, promoting a unified approach to cybersecurity and enhancing communication across different levels of the organization.
Getting vulnerability management SLAs right is HARD.
I rarely see an organization with Service Level Agreements that are realistic and well-implemented. Either they are incredibly aggressive, and remediation teams can’t keep up, or they ineffectively communicate the why behind them.
The power of well-implemented and well-written SLAs is monumental and worth the struggle of crafting them in the first place. Imagine if you had a single metric that not only aligns your entire business but also serves as a measure of the health and efficiency of your operations. That single metric would be tailored to meet your organization’s unique needs and would be something you could confidently present to your board of directors. That is an SLA’s essence when utilized to its full potential.
Hopefully, the insights I shared underscore the importance of a strategic, contextual, and automation-driven approach to SLAs in vulnerability management. By adopting these practices, enterprises can transform their vulnerability management processes, aligning them more closely with their business objectives and risk appetites without making engineers hate security.