Vulnerability management allows you to identify, prioritize, and respond to software issues and misconfigurations that could be exploited by attackers, lead to inadvertent release of sensitive data, or disrupt business operations.
The modern cyber ecosystem is anything but static; it’s a constantly
shifting, evolving entity that continually expands to encompass new
technologies, systems, and individuals. Unfortunately, this makes
security a daunting task.
New digital vulnerabilities are being discovered on a nearly daily basis, accounting for thousands of new threat vectors every year that may be exploited—causing significant problems for organizations across essentially every industry. And according to Ponemon Institute, the global average cost of a data breach in the United States is $8.64 million. As such, responding to attacks only after they occur is simply not an effective defense.
In addition, systems and services are growing more complex and more
integral to modern society. Mistakes will happen as users configure, maintain,
and add more tech and devices to the environment. Each mistake is an
opportunity for a problem.
Vulnerability management offers a solution.
Vulnerability management is a term that describes the various processes, tools, and strategies of identifying, evaluating, treating, and reporting on security vulnerabilities and misconfigurations within an organization's software and systems. In other words, it allows you to monitor your company’s digital environment to identify potential risks, for an up-to-the-minute picture of your current security status.
In broad terms, a vulnerability is a weakness—a flaw that can be exploited. In computer science, a security vulnerability is essentially the same thing. Security vulnerabilities are targeted by threat actors. These attackers attempt to find and exploit vulnerabilities to access restricted systems.
Identifying vulnerabilities throughout your systems, networks, and application requires specific tools. A vulnerability scanner is a program that is designed to move through your digital systems and discover any potential weaknesses, making vulnerability management possible.
Risk-based vulnerability management
An extension of vulnerability management, risk-based vulnerability management programs are designed to address the weaknesses inherent in digital systems, including software, hardware, and infrastructure. Risk-based vulnerability management uses machine learning to extend vulnerability management beyond traditional IT assets, incorporating cloud infrastructure, IoT devices, web apps, and more. This allows businesses access to relevant insights across their entire attack surface.
Risk-based vulnerability management also allows for more accurate, risk-based prioritization. Your company can focus first on identifying and repairing the weaknesses that are most likely to result in a breach, leaving less-critical vulnerabilities for later.
Vulnerability management vs. vulnerability assessment
Both vulnerability management and vulnerability assessment contribute to effectively addressing and resolving cybersecurity vulnerabilities. However, vulnerability management and vulnerability assessment are not synonymous terms.
A vulnerability assessment is only the first phase of vulnerability management. Most companies use scanning tools to look at devices on their network and collect information about the version of software that is installed and compare it to known vulnerabilities announced by software vendors. Multiple scanning tools, with or without agents or credentials, are typically required to cover the range of software in use (applications, operating systems, cloud service providers, etc.). Companies run scans at scheduled intervals -- usually monthly or quarterly -- and then use the list, often emailed as a spreadsheet, to assign upgrade or patching tasks. If a zero-day vulnerability is announced, one which is actively being exploited and for which a patch may not yet be available, a company may launch an on-demand scan that can take days or weeks depending on the size and configuration of their infrastructure.
Conversely, vulnerability management is a lifecycle, not just a scheduled or ad hoc scan. Instead, it is an ongoing program that moves from assessment into prioritization and remediation. It uses multiple data sources to continually assess and reassess the current state of your software and services. By adding business, threat, exploitation, and risk context to the software information generated by the assessment tools, a vulnerability management system can efficiently call attention to the vulnerabilities that must be addressed immediately and even suggest the best solution or mitigation. Constant assessment, evaluation, repair, and reporting on vulnerabilities allows you to manage and address security vulnerabilities on a day-to-day basis. This means that weaknesses can be discovered more quickly, the highest impact issues can be addressed first, and fewer vulnerabilities get overlooked.
Simply put, a vulnerability assessment gives you a snapshot of your IT software stance; vulnerability management offers constantly evolving, real-time intelligence, remediation guidance, and reporting.
As more and more information is created and contained within digital systems, and organizations continue to increase the employment of mobile technologies and IoT devices, new security vulnerabilities are emerging. Here, we take a look at some of the most relevant statistics related to vulnerability management:
The five vendors with the most documented security vulnerabilities in 2020 are Microsoft, Google, Oracle, Apple, and IBM. (Stack Watch)
There certainly isn’t any shortage of vulnerabilities for threat actors to target. And, given the damage that may result from a data breach—not only in terms of financial loss, but also in regard to operational disruptions, damage to customer trust and brand reputation, and even potential legal ramifications—finding and fixing vulnerabilities is absolutely vital.
An effective vulnerability management system provides an important additional layer of protection, giving you the power to manage and correct IT security flaws on an ongoing basis.
No discussion of vulnerability management would be complete without addressing exploits—what they are, and how to prepare for them.
An exploit is a malicious software (malware) program. It consists of a specialized code that takes advantage of known vulnerabilities within a system. Threat actors initially use exploits to access networks and related systems remotely. They can then steal or alter data, give themselves system privileges, lock out authorized users, move deeper into the network, and open the door for other malware or attack techniques.
One important factor to consider is that exploits are software programs that are designed to target and take advantage of known vulnerabilities, or, in the case of a zero-day, a vulnerability that may not be known and therefore won’t have been patched. By implementing vulnerability management within your organization, you can address and repair the same vulnerabilities targeted by exploits.
In addition to ongoing vulnerability management, you can also prepare your organization in the following ways:
For more insight into protecting your vital IT ecosystem, check out Implementing Agile Security Response: The Essential Checklist.
As vendors and developers release software solutions, they do not always have the time to identify and address all possible vulnerabilities before the product is pushed to market. As such, flaws and bugs may go undiscovered for some time.
As vendors, security agencies, testers, and traditional users discover new vulnerabilities, the vulnerabilities are usually reported and disclosed through the proper channels. The vendors are then responsible for patching their exposed products. Depending on the severity or criticality of the vulnerability, vendors will move more or less quickly to release a patch. Large vendors typically aggregate and test patches into a “Patch Tuesday” release, so that their customers can have fewer disruptions and less work in implementing the fix.
Although vendors will likely employ their own testers and even third-party penetration testing agencies to identify vulnerabilities, many flaws do go unnoticed until they are stumbled upon by users or identified by hackers. With this in mind, ongoing vulnerability management becomes even more essential.
Vulnerability management is a cyclical process; it follows a set number of stages and then repeats. This cycle includes six steps:
The longer a vulnerability remains undetected, the more likely it is to result in a security breach. Perform weekly external and internal network scans to identify existing and new vulnerabilities. This process includes scanning network-accessible systems, identifying open ports and services on those systems, gathering system information, and comparing system information with known vulnerabilities.
Once you know what is in use, you can assign each asset a value based on its usage or role in your business. Is it an application or web server used to support your best customers or mission-critical employees, or just a printer? Is it an executive laptop or a customer help desk terminal? By adding this context to your list of systems, you know how important a vulnerability is to fix.
Assessment is where you scan to understand the state of the applications and systems in your environment.
As your scans uncover vulnerabilities, you will need to prioritize them based on their potential risk to your business, workforce, and customers. Vulnerability management platforms typically provide different built-in metrics for assessing and ranking vulnerabilities. That said, you will also need to enrich the process with business, threat, and risk context that may come from internal or external sources. The goal is to identify the most relevant-to-you, high-impact, high-likelihood vulnerabilities. With the explosion of software, services, and devices in your business, you may never be able to patch all of your vulnerabilities. Identifying the most important and likely targets of an attack provides a practical way to manage this reality.
With vulnerabilities identified, prioritized, and catalogued, the obvious next step is to remediate and/or mitigate them. It is worth noting that often those within a company who are responsible for understanding the risk associated with vulnerabilities are not often the same individuals with the authority to implement solutions. With this in mind, your organization should work towards achieving a common language, decision criteria, and process between security operations, IT operations, and system administration teams.
The final, often-overlooked step in this process is to verify that
the vulnerability has been resolved. Follow up the aforementioned steps
with another scan to ensure that your top-priority risks have been
effectively resolved or mitigated. This final step permits the incident
to be closed out in the tracking system and facilitates key performance metrics such as mean time to remediate (MTTR) or number of open critical vulnerabilities.
Report on status
Especially when there is a newsworthy event like a major software flaw or exploited zero-day vulnerability, managers, executives, and even the board may be asking about how well you have assessed and addressed the vulnerabilities in your estate. Reports on trends in vulnerabilities, risk, and vulnerability management performance also help justify staffing or tooling. Top vulnerability-management platforms include options for automatically generating visual reports and interactive dashboards to support different users, stakeholders, and lenses.
The six stages outlined above demonstrate a structured, sequential approach to vulnerability management. The right structure is likewise vital as you set up your vulnerability management process. These are the steps you’ll want to consider:
Obviously, the primary goal of any vulnerability management solution
should be to identify and remediate or mitigate vulnerabilities within
your system, and to do so before those vulnerabilities can be exploited.
However, you should also identify any secondary objectives your
organization may have in relation to the vulnerability management
Secondary objectives allow you to improve the overall effectiveness of vulnerability management, and how your organization is implementing the resultant data. These secondary objectives may include increasing the regularity of vulnerability scanning, or speeding up the resolution time in addressing identified vulnerabilities.
For your vulnerability management solution to be effective, you’ll need all of your stakeholders committed to its success, and their roles and responsibilities in the process clearly defined. Although different organizational structures and capabilities may demand a different separation of responsibilities, most businesses may benefit from assigning individuals to the roles of monitors, resolvers, and authorizers.
Ongoing vulnerability-management processes allow your business a clearer, more up-to-date view of your overall security status. As an added bonus, the continuous nature of these processes will help you develop an accurate assessment of what aspects of your vulnerability-management approach are working, and which need adjustment.
Remember: Although the basics steps of vulnerability management are relatively consistent, subtle variations in approach may be appropriate between organizations. Don’t be afraid to make changes to your processes to facilitate improved accuracy, clarity, and remediation.
In order to create an effective, ongoing vulnerability-management process, top solutions should include the following:
This includes network scanning and firewall logging, as well as penetration testing and automated tools. In fact, there are many different sources of scan data, so don’t feel as though you need to limit your options to a single company or tool.
This involves analyzing the results of your scans to identify vulnerabilities as well as possible evidence of past or occurring breaches.
This incorporates an assessment of the vulnerabilities themselves to determine how they may be used by threat actors and what risk they entail.
This may incorporate risk-based vulnerability management to determine which bugs are highest risk, and thus should be placed at a higher priority for remediation or mitigation.
This involves patching identified vulnerabilities, effectively eliminating them as potential threat vectors.
This involves assessing the effectiveness of the vulnerability-management solution, and making changes to the process where necessary.
Identify, prioritize, and respond to threats faster.