What is
Vulnerability Management?

A vulnerability is defined as any means by which an attacker can access sensitive information or infect a workload. Complete vulnerability management offers security teams the needed insights to understand any weaknesses in corporate applications, and network. It allows security teams to properly manage and patch vulnerabilities that pose risks to the applications and network, thus protecting organizations from threat actors and the possibility of a breach.

A vulnerability assessment is a part of a complete vulnerability management system. Organizations will likely run multiple vulnerability assessments to get a systematic overview of the vulnerabilities in their applications and network. This assessment identifies and prioritizes vulnerabilities to inform their action plan.

Vulnerability management requires a structured approach in order to discover and remediate all vulnerabilities. Even one undiscovered vulnerability could be exploited by attackers to infect a workstation or capture sensitive information. A rigid process repeated continually ensures that attack surfaces are reduced before they are taken advantage of.

The process can be broken down into the following steps:

1. Assessment and identification
2. Prioritization
3. Remediation
4. Measure

Following are application types in which to identify security vulnerabilities:

1. Thick client or desktop application
2. Thin client or web-based applications
3. Cloud-based applications (AWS)
4. Microservices

This initial part is to scan for and identify vulnerabilities in an environment. Systems that would be scanned can include employee laptops and desktops, servers and databases, firewalls, and network infrastructure.

After vulnerabilities are identified, they need to be prioritized so they are dealt with in the appropriate order according to organizational vulnerability management plans. Vulnerability management technology offers risk scores for vulnerabilities - Common Vulnerability Scoring System (CVSS) scoring is a common one. These scores help prioritize vulnerabilities by severity so companies know which vulnerabilities to address first.

After a vulnerability has been identified and prioritized, organizations must determine how (even if) they will address the vulnerability. The first and best option is applying security patches so a vulnerability can’t be exploited.

At times, patches are not yet available. Sometimes patching is not always possible on older systems outside the vendor support window. Or at times, patching cannot be done right away, and the company must wait for the proper change window. When these situations arise, mitigation using compensating controls is a common way to address vulnerabilities. Micro-segmentation is a common risk mitigation technique to reduce attack surfaces while organizations find time to patch. Isolating the vulnerable workloads from the rest of the network prevents attackers from moving laterally until patches are applied.

At times, an organization may decide to accept the vulnerability without patching or taking mitigation steps. When vulnerabilities are considered very low risk, merely acknowledging they may happen since they are more trouble than they are worth addressing.

Ongoing analysis and measurement of a vulnerability management program is essential in understanding the progression of metrics like time to discover/identification and time to remediation. With an understanding of these metrics, teams can strive for continuous improvement. Additionally, the reporting of these metrics can assist with compliance initiatives that include vulnerability management.

These metrics are also crucial to reporting. Measurements should be taken to executives to report on the effectiveness of vulnerability management or when seeking additional budget to identify and remediate vulnerabilities.

Here are a handful of high-level capabilities that good systems will provide:

• IT asset and application discovery and inventory
• Real-time monitoring and vulnerability scanning of every asset; understanding of business risk of each asset
• Recommended security actions based on vulnerability assessment and business risk
• Prescriptive fixes to address

Read our vulnerability maps solution brief to further understand how to deploy compensating controls in the face of software vulnerabilities, and how you can improve vulnerability management in your organization.