What is Vulnerability Management?
A beginner's guide to Vulnerability Management
Vulnerability management is the process of discovering, prioritizing, remediating, and continuously measuring and reporting security vulnerabilities in software and systems. This process is essential for organizations to understand and address vulnerabilities and so minimize their attack surface.
A reliable vulnerability management solution will regularly scan for new vulnerabilities in order to limit the risk of cybersecurity breaches. Without regular scanning, security gaps may remain exploitable for long periods, and attackers can capitalize on this to target organizations.
What is the need for Vulnerability Management?
Complete vulnerability management gives security teams the insight they need to understand weaknesses in corporate applications and networks. It allows security teams to properly manage and patch vulnerabilities that pose risks to those applications and networks, thus protecting the organization from threat actors and the possibility of a breach.
What is Vulnerability Management vs. Vulnerability Assessment?
A Vulnerability Assessment is a part of a complete Vulnerability Management system. Organizations will likely run multiple Vulnerability Assessments to get a systematic overview of the vulnerabilities in their applications and network. This assessment identifies and prioritizes vulnerabilities to inform their action plan.
What is a Vulnerability Management Framework?
The process can be broken down into the following steps:
- Assessment and identification
- Prioritization
- Remediation
- Continuous measurement
Assessment and identification: This initial step scans for and identifies vulnerabilities in an environment. Systems that are scanned can include employee laptops and desktops, servers and databases, firewalls, and network infrastructure. The application types in which security vulnerabilities are identified include:
- Thick client or desktop applications
- Thin client or web-based applications
- Cloud-based applications (for example, AWS)
Prioritization: After vulnerabilities are identified, they need to be prioritized so they are dealt with in the appropriate order according to the organization's vulnerability management plan. Vulnerability management tools provide risk scores for vulnerabilities; Common Vulnerability Scoring System (CVSS) scoring is a common one. These scores help prioritize vulnerabilities by severity so companies know which to address first.
Remediation: After a vulnerability has been identified and prioritized, organizations must determine how (or even whether) they will address it.
The first and best option is applying security patches so the vulnerability can't be exploited.
At times, patches are not yet available. Patching is not always possible on older systems outside the vendor support window, and sometimes patching cannot be done right away because the company must wait for the proper change window. When these situations arise, mitigation using compensating controls is a common way to address vulnerabilities. Micro-segmentation is a common risk mitigation technique for reducing the attack surface while the organization finds time to patch.
At times, an organization may decide to accept the vulnerability without patching or taking mitigation steps. When a vulnerability is considered very low risk, it may simply be acknowledged, since addressing it would be more trouble than it is worth.
Continuous measurement: Ongoing analysis and measurement of a vulnerability management program is essential for understanding the progression of metrics like time to discovery and time to remediation. With an understanding of these metrics, teams can strive for continuous improvement. Additionally, reporting these metrics can assist with compliance initiatives that include vulnerability management.
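As an added example that is not part of the original guide, the steps above carried through in Python on constructed scan results: CVSS severity bands drive prioritization, each finding gets a patch, mitigate or accept decision, and a time-to-remediate metric is computed for continuous measurement. The risk formula (CVSS multiplied by an assumed 1 to 3 asset-criticality scale), the asset names and the vulnerability identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Finding:
    asset: str
    vuln_id: str             # constructed placeholder identifiers, not real CVEs
    cvss: float              # CVSS v3 base score, 0.0 to 10.0
    asset_criticality: int   # assumed business-impact scale: 1 (low) .. 3 (high)
    patch_available: bool
    discovered: date
    remediated: Optional[date] = None

def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"

def decide_action(f: Finding) -> str:
    """Patch when possible, mitigate when a patch is unavailable, accept only very low risk."""
    if cvss_severity(f.cvss) in ("None", "Low"):
        return "accept"
    return "patch" if f.patch_available else "mitigate"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Rank by assumed risk = CVSS x asset criticality; raw CVSS breaks ties."""
    return sorted(findings, key=lambda f: (f.cvss * f.asset_criticality, f.cvss), reverse=True)

def triage(findings: List[Finding]) -> List[tuple]:
    """Return (asset, severity, action) in the order the team should work them."""
    return [(f.asset, cvss_severity(f.cvss), decide_action(f)) for f in prioritize(findings)]

def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Average days from discovery to remediation over closed findings (None if none closed)."""
    days = [(f.remediated - f.discovered).days for f in findings if f.remediated]
    return sum(days) / len(days) if days else None

# Constructed sample scan results for a small environment.
SAMPLE = [
    Finding("web-01", "VULN-0001", 9.8, 3, True, date(2024, 3, 1), date(2024, 3, 4)),
    Finding("legacy-db", "VULN-0002", 8.1, 3, False, date(2024, 3, 1)),
    Finding("laptop-17", "VULN-0003", 7.5, 1, True, date(2024, 3, 2), date(2024, 3, 12)),
    Finding("intranet-app", "VULN-0004", 6.8, 3, True, date(2024, 3, 3)),
    Finding("printer-02", "VULN-0005", 2.6, 1, True, date(2024, 3, 2)),
]
```

Note that the Medium finding on the high-criticality intranet-app outranks the High finding on a low-criticality laptop, which is the effect of weighting by business risk rather than by CVSS alone.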
What are the features of a good vulnerability management system?
Here are a handful of high-level capabilities that good systems will provide:
- IT asset and application discovery and inventory
- Real-time monitoring and vulnerability scanning of every asset; understanding of business risk of each asset
- Recommended security actions based on vulnerability assessment and business risk
- Prescriptive fixes to address