Vulnerability management is a term that describes the various processes, tools and strategies of identifying, evaluating, treating and reporting on security vulnerabilities and misconfigurations within an organisation’s software and systems. In other words, it allows you to monitor your company’s digital environment to identify potential risks, for an up-to-the-minute picture of your current security status.
In broad terms, a vulnerability is a weakness—a flaw that can be exploited. In computer science, a security vulnerability is essentially the same thing. Security vulnerabilities are targeted by threat actors. These attackers attempt to find and exploit vulnerabilities to access restricted systems.
Identifying vulnerabilities throughout your systems, networks and applications requires specific tools. A vulnerability scanner is a program designed to move through your digital systems and discover any potential weaknesses, making vulnerability management possible.
Risk-based vulnerability management
An extension of vulnerability management, risk-based vulnerability management programmes are designed to address the weaknesses inherent in digital systems, including software, hardware and infrastructure. Risk-based vulnerability management uses machine learning to extend vulnerability management beyond traditional IT assets, incorporating cloud infrastructure, IoT devices, web apps and more. This gives businesses relevant insights across their entire attack surface.
Risk-based vulnerability management also allows for more accurate, risk-based prioritisation. Your company can focus first on identifying and repairing the weaknesses that are most likely to result in a breach, leaving less-critical vulnerabilities for later.
Vulnerability management vs. vulnerability assessment
Both vulnerability management and vulnerability assessment contribute to effectively addressing and resolving cybersecurity vulnerabilities. However, vulnerability management and vulnerability assessment are not synonymous terms.
A vulnerability assessment is only the first phase of vulnerability management. Most companies use scanning tools to look at devices on their network, collect the versions of the software installed on them, and compare those versions against known vulnerabilities announced by software vendors. Multiple scanning tools, with or without agents or credentials, are typically required to cover the range of software in use (applications, operating systems, cloud service providers etc.). Companies run scans at scheduled intervals, usually monthly or quarterly, and then use the resulting list, often emailed as a spreadsheet, to assign upgrade or patching tasks. If a zero-day vulnerability is announced, one which is actively being exploited and for which a patch may not yet be available, a company may launch an on-demand scan that can take days or weeks depending on the size and configuration of its infrastructure.
Vulnerability management, by contrast, is a lifecycle rather than a scheduled or ad hoc scan: an ongoing programme that moves from assessment into prioritisation and remediation. It uses multiple data sources to continually assess and reassess the current state of your software and services. By adding business, threat, exploitation and risk context to the software information generated by the assessment tools, a vulnerability management system can efficiently call attention to the vulnerabilities that must be addressed immediately and even suggest the best solution or mitigation. Constant assessment, evaluation, repair and reporting on vulnerabilities allows you to manage and address security vulnerabilities on a day-to-day basis. This means that weaknesses are discovered more quickly, the highest-impact issues are addressed first, and fewer vulnerabilities are overlooked.
Simply put, a vulnerability assessment gives you a snapshot of your IT software stance; vulnerability management offers constantly evolving, real-time intelligence, remediation guidance and reporting.
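The two phases described above, as an added example that is not part of the original article: `assess()` is the assessment snapshot (installed versions matched against vendor advisories), and `prioritise()` is the management step that layers exploitation and business context on top of it. The advisory IDs, scan rows, asset context and the risk-weighting formula are all constructed for illustration.

```python
"""Assessment vs. risk-based prioritisation of scan findings (constructed data)."""

# Constructed vendor advisories: placeholder IDs, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "product": "webframework", "fixed_in": "2.4.1", "cvss": 9.8, "exploited": True},
    {"id": "ADV-0002", "product": "webframework", "fixed_in": "2.3.0", "cvss": 7.5, "exploited": False},
    {"id": "ADV-0003", "product": "dbserver", "fixed_in": "14.2", "cvss": 6.5, "exploited": False},
    {"id": "ADV-0004", "product": "sshd", "fixed_in": "9.3", "cvss": 5.3, "exploited": False},
]

# Constructed scan output: the raw "spreadsheet" the assessment tools produce.
SCAN = [
    {"asset": "web-01", "product": "webframework", "version": "2.3.5"},
    {"asset": "web-02", "product": "webframework", "version": "2.4.1"},
    {"asset": "db-01", "product": "dbserver", "version": "14.1"},
    {"asset": "db-01", "product": "sshd", "version": "9.1"},
    {"asset": "jump-01", "product": "sshd", "version": "9.1"},
]

# Constructed business context: criticality 1 (low) to 3 (crown jewels) and exposure.
CONTEXT = {
    "web-01": {"criticality": 2, "internet_facing": True},
    "web-02": {"criticality": 2, "internet_facing": True},
    "db-01": {"criticality": 3, "internet_facing": False},
    "jump-01": {"criticality": 1, "internet_facing": True},
}

def parse_version(v):
    """Dotted numeric version -> tuple so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def assess(scan, advisories):
    """Assessment phase: flag every (asset, advisory) where the installed version predates the fix."""
    findings = []
    for item in scan:
        for adv in advisories:
            if adv["product"] == item["product"] and parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"asset": item["asset"], "id": adv["id"], "cvss": adv["cvss"], "exploited": adv["exploited"]})
    return findings

def risk_score(finding, context):
    """Illustrative weighting (assumed, not a standard): severity x criticality, boosted for exploitation and exposure."""
    ctx = context[finding["asset"]]
    score = finding["cvss"] * ctx["criticality"]
    if finding["exploited"]:
        score *= 2.0  # actively exploited: fix now, regardless of scheduled cycle
    if ctx["internet_facing"]:
        score *= 1.5  # reachable by anyone, so more likely to be hit first
    return score

def prioritise(findings, context):
    """Management phase: order the snapshot by contextual risk so the top item is worked first."""
    return sorted(findings, key=lambda f: risk_score(f, context), reverse=True)
```

Running `prioritise(assess(SCAN, ADVISORIES), CONTEXT)` puts the exploited, internet-facing finding on web-01 first even though the crown-jewel database host has more open findings; web-02, already at the fixed version, produces none.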