With the disclosure of vulnerabilities at a record high as of 2021, how can vulnerability management help you identify, analyze, and address vulnerabilities across all IT systems?
By Megan Rees. Updated Nov 24, 2022.
Vulnerability management is the process of identifying, classifying, prioritizing, and remediating vulnerabilities across your organization’s digital estate. The aim is to patch or fix those weaknesses before they can be exploited by bad actors in large-scale attacks, data breaches, and more.
But the problem is, vulnerabilities are everywhere. And new ones keep popping up just as quickly as we can patch existing ones.
So, vulnerabilities are impossible to avoid. But they aren’t impossible to manage.
Throughout this article, we’ll take a look at what vulnerability management is, why it’s important, and how the vulnerability management cycle works. We’ll also provide some recommendations on how you can best support your vulnerability management processes.
What Is Vulnerability Management?
Vulnerability management is a process that enables you to more quickly and effectively identify, prioritize, and address vulnerabilities to prevent them from being exploited by bad actors or threat groups.
The exploitation of known and undisclosed vulnerabilities continues to remain a common cause of security breaches and incidents globally. Vulnerability management enables you to continuously monitor your environment for potential risks and proactively patch high-risk vulnerabilities before they are exploited.
But this process isn’t just a one-off activity. Instead, it’s a continuous cycle that requires your security teams to not only address existing vulnerabilities, but also keep scanning for new ones. Hence, it’s referred to as “the vulnerability management lifecycle”.
Before we can take a deeper dive into what vulnerability management is, how the lifecycle works, and why it’s so important, we should first take a look at what a vulnerability is and how you classify them.
What Is A Vulnerability?
A vulnerability is a weakness or flaw in your security system that can be exploited by a bad actor to facilitate a breach. These can occur in any part of your digital estate at any time and can go weeks, months, or years without being discovered.
Vulnerabilities commonly manifest as technical bugs in pieces of software, but they also include weaknesses in operating systems, web servers, firewalls, and networks, and can be caused by hardware, processes, misconfigurations, and more.
Opportunistic threat actors often seek to leverage vulnerabilities to cause as much disruption as possible. For example, throughout 2020, as COVID-19 catalyzed the global adoption of remote working, threat actors most frequently targeted vulnerabilities that affected remote work, VPNs, and cloud-based technologies.
Software vulnerabilities are a common focus in vulnerability management, because they don’t just affect one organization in isolation. Rather, they impact every organization using an affected software or product.
When software vulnerabilities are discovered, they’re disclosed via the proper channels. Then, software vendors are responsible for sending out software updates and patching those products—with larger vendors such as Microsoft, Adobe, and Oracle grouping updates on “Patch Tuesday” to limit disruption for their customers.
But vulnerabilities aren’t always discovered and patched by these vendors before bad actors can exploit them. Just look at the Log4j vulnerability (known as Log4Shell), which enabled attackers to remotely load and execute code, giving them control of entire systems. Log4j affected millions of users worldwide, and its impact was entirely preventable had it been acted on sooner.
That is why investing in a powerful vulnerability management process is so important.
Defining And Ranking Software Vulnerabilities
Because most software vulnerabilities affect all organizations using a particular product or service rather than one organization in isolation, there must be a vulnerability naming standard for defining and communicating vulnerabilities across organizations.
The most widely accepted is NIST’s Security Content Automation Protocol (SCAP), a suite of specifications for classifying vulnerabilities and ensuring that those entered into its dictionary are identifiable by unique names.
The CVE (Common Vulnerabilities and Exposures) specification is a dictionary of publicly known software vulnerabilities and exposures, and includes each entry’s CVE ID, date, and description.
Once a vulnerability is registered as a CVE in MITRE’s CVE database, it’s assigned a score using the CVSS (Common Vulnerability Scoring System). This score ranges from 0.0 (low risk) to 10.0 (critical) and indicates the characteristics and severity of a given vulnerability, to help you prioritize remediation actions.
When so many security breaches and incidents are caused by vulnerabilities, then it’s tempting—and even logical—to ask: “Well, why can’t my organization patch all of our vulnerabilities to ensure there’s nothing for bad actors to exploit in the first place?”
It’s a great question. And in an ideal world, a great solution too. But the reality is that patching all of your vulnerabilities is an impossible task.
Firstly, there are many unknown vulnerabilities—and you can’t fix what you don’t know is broken. New vulnerabilities continuously keep popping up too, with 88% of CVEs being between 0–5 years old.
Secondly, some vulnerabilities might be known to vendors, but have no known fixes or mitigations to correct them. When a bad actor discovers one of these, they can leverage it to launch a zero-day attack, which takes advantage either of the fact that the vulnerability itself is unknown, or that there are no known mitigations or patches.
Thirdly, patching all known vulnerabilities would take a gigantic amount of time, energy, and resources. It would also be extremely costly and cause massive disruption to users, and some legacy systems might be incompatible with new updates. Additionally, not all vulnerabilities are a threat to your organization—so spending time patching the low-risk ones is likely a waste of resources.
So, when it comes to patching vulnerabilities and mitigating threats, the best way forward is to prioritize which vulnerabilities are most critical or most likely to be exploited, and therefore, need to be patched most urgently.
The vulnerability management process supports you in doing just that, providing a structured methodology that enables you to efficiently and effectively identify and prioritize vulnerabilities across your attack surface. The process ensures your teams are all aligned and can focus their time and effort on the most urgent and imminent threats.
It’s also worth mentioning that vulnerability management is necessary for compliance with many external regulations and standards, including PCI DSS, HIPAA, GDPR, and others.
The Vulnerability Management Lifecycle
As we’ve mentioned, vulnerability management isn’t just a one-and-done activity. Rather, it’s an ongoing process; a cycle that continuously identifies and analyzes new vulnerabilities as they arise.
New vulnerabilities might come in the form of previously unknown weaknesses within existing technologies, or they might be brought in via the introduction of a new piece of software or service. Regardless, regular vulnerability scanning and fast remediation are critical for organizations of all sizes and across industries.
We can break the vulnerability management lifecycle down into four stages: identification, evaluation, remediation, and reporting.
Let’s take a deeper dive into what’s involved at each stage of the cycle.
The first stage of the vulnerability management process is to identify and detect vulnerabilities that exist across your internal and external networks and systems.
But before you get started, you’ll need to define your assets. This means creating a comprehensive map of your entire estate and assigning a value to each asset based on its role within your organization. This helps guide your analysis and enables you to prioritize which vulnerabilities to fix later in the process.
You can then go about identifying vulnerabilities using various vulnerability scanners and endpoint agents—as well as cyber threat intelligence to enhance the data.
Vulnerability scanners are programs that scan your assets and detect new and existing vulnerabilities. They do this by scanning your systems, gathering detailed information on those systems, and then comparing that information with databases or lists of known vulnerabilities.
The Center for Internet Security recommends performing vulnerability scans at least once per week. And the output of these scans is usually a detailed report of detected vulnerabilities, which you can use to evaluate and prioritize vulnerabilities in the next stage of the process.
We should note that you’ll likely need to use different types of vulnerability scanners for different assets. For example, you might use a different scanner for running applications versus operating systems or infrastructure. We advise mapping this out when you’re defining your assets.
Once you have a detailed list of identified vulnerabilities across your systems, you then need to evaluate and classify them by severity. This enables you to prioritize which pose the greatest threat to your organization, and which to address most urgently during your remediation process.
Most vulnerability management platforms link identified vulnerabilities with standardized risk ratings—such as their Common Vulnerability Scoring System (CVSS) scores—to help you analyze risk. But while that data is invaluable, you should also strive to understand the risk in the context of your own business.
For example, you should enrich built-in risk scores with additional factors and contextual information such as cyber threat data, how easy a vulnerability is to exploit, whether exploit code has been publicly released, the business impact if the vulnerability were exploited, and more. Using the combination of this data, you can then prioritize which vulnerabilities to address first during remediation efforts and patch management processes.
It’s also important to note that vulnerability management platforms are known to produce false positives from time to time. That is why we advise performing vulnerability validation exercises—such as penetration testing—to help you separate the false positives from the true positives and focus your efforts.
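The two mechanical steps described in this section and in the identification stage above (a scanner comparing gathered version data against a list of known vulnerabilities, and then ranking the findings by business context rather than by CVSS alone) are shown together in this added example. It is not code from the article or from any vulnerability management product; the asset names, product names, vulnerability IDs (“VULN-000x” placeholders, not real CVEs), fixed-in versions, and the risk weights are all constructed for illustration.

```python
"""Added example: version matching against a known-vulnerability list, then
context-based prioritization. All data below is constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int        # 1 (lab box) .. 5 (revenue-critical); set when defining assets
    internet_facing: bool   # exposure, from the asset map
    software: dict          # product -> installed version, as gathered by the scanner


@dataclass
class Vuln:
    vuln_id: str            # placeholder identifier, not a real CVE
    product: str
    fixed_in: str           # first version that is no longer affected
    cvss: float             # vendor/NVD-style base score
    exploit_public: bool    # threat-intel enrichment: has exploit code been published?


def version_tuple(v):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def scan(assets, vulns):
    """The scanner's core step: flag every asset whose installed version of a
    product is older than the version in which the vulnerability was fixed."""
    findings = []
    for asset in assets:
        for vuln in vulns:
            installed = asset.software.get(vuln.product)
            if installed and version_tuple(installed) < version_tuple(vuln.fixed_in):
                findings.append((asset, vuln))
    return findings


def risk_score(asset, vuln):
    """Contextual score: CVSS scaled by asset value, exposure and exploit availability.
    The multipliers are illustrative weights, not a standard."""
    score = vuln.cvss
    score *= 1 + 0.25 * (asset.criticality - 1)   # 1.0x for criticality 1 .. 2.0x for 5
    if asset.internet_facing:
        score *= 1.5
    if vuln.exploit_public:
        score *= 2.0
    return round(score, 1)


def prioritize(assets, vulns):
    """Return (asset, vuln_id, contextual score) rows, most urgent first."""
    ranked = sorted(scan(assets, vulns), key=lambda f: risk_score(*f), reverse=True)
    return [(a.name, v.vuln_id, risk_score(a, v)) for a, v in ranked]


# Constructed inventory and vulnerability feed.
ASSETS = [
    Asset("web-edge-01", 5, True, {"exampleweb": "2.4.1", "examplelib": "1.2.0"}),
    Asset("hr-intranet", 4, False, {"examplelib": "1.2.0"}),
    Asset("dev-lab-07", 1, False, {"exampleweb": "2.4.1", "exampledb": "9.0"}),
]
VULNS = [
    Vuln("VULN-0001", "exampleweb", "2.4.3", 9.8, True),
    Vuln("VULN-0002", "examplelib", "1.2.5", 7.5, False),
    Vuln("VULN-0003", "exampledb", "9.2", 5.3, False),
]

if __name__ == "__main__":
    for name, vuln_id, score in prioritize(ASSETS, VULNS):
        print(f"{score:6.1f}  {name:12s} {vuln_id}")
```

Running it shows the effect the article is describing: the CVSS 7.5 library bug on the internet-facing, revenue-critical host ranks above the CVSS 9.8 bug on the lab machine, because exposure and asset value change the order that a plain CVSS sort would give.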
Once you’ve identified, prioritized, and validated your vulnerabilities, the next stage of the process is to address them.
When it comes to responding to vulnerabilities, you’ve got three options:
Remediation: Where a threat is identified and a fix is possible, you should fully patch or take action to correct the vulnerability so that it can’t be exploited.
Mitigation: Where a threat is identified but a full fix isn’t yet possible, you should take steps to reduce the likelihood of that vulnerability being exploited. This should be a temporary fix until full remediation is possible.
Acceptance: If a vulnerability is particularly low risk or would have a low impact on your business if it were exploited, it can be justified to accept that risk and take no further action.
When approaching the remediation of individual vulnerabilities, your vulnerability management platform will likely recommend the best course of action for you to take. However, we recommend that your security teams, system owners, and system administrators also work together to determine the right approach to take.
Once you’ve taken the appropriate remediation actions, it’s then a good idea to validate that those vulnerabilities have been successfully fixed—after all, you don’t want all that effort to have been for nothing. You can do this by running further vulnerability scans and penetration testing activities.
The final of the four stages is reporting. This is where you produce reports detailing the current state of vulnerabilities across all IT systems and the risks surrounding them, as well as the vulnerabilities that were identified during the vulnerability management process and the actions that were taken to remediate or mitigate them.
Most vulnerability management solutions will automate this for you, enabling you to export data from vulnerability scans and produce in-depth reports at the push of a button.
These reports are important for teams across many different levels of your organization. For your IT and security team, these reports help them evaluate and track your organization’s security posture over time, as well as identify vulnerability trends, better allocate resources, and improve future vulnerability management processes.
And for executives and C-suite level members, reports are crucial for communicating your organization’s vulnerability status and risk at a higher level, enabling them to make more strategic, context-based decisions.
Reporting is also important for ensuring accountability and proving adherence to compliance standards—it’s vital to have a record that shows that you’re actively taking steps to identify and remediate security vulnerabilities.
Here are our recommendations for how to best secure your organization against vulnerability exploitation.
Keep All Software Up To Date
Patches exist to fix critical vulnerabilities and security flaws within the software that you’re using.
Vendors tend to send these out regularly to help keep you safe against emerging threats and vulnerabilities. But if you aren’t installing them in a timely manner, you’re widening a potential threat actor’s window to strike your organization while the vulnerability still exists.
Regular patching is one of the most vital things you can do to tackle and prevent exploits. We recommend checking for new software updates on a regular basis, and ensuring that you’re always running the most up-to-date version of any given system or application.
Invest In A Vulnerability Management Solution
Vulnerability management solutions are designed to support you in implementing and running your vulnerability management program.
The most comprehensive vulnerability management solutions achieve this by leveraging automation to enable you to more efficiently and effectively identify vulnerabilities, evaluate the risk they pose, and respond to potential threats and breaches—all from one central dashboard.
But not every vulnerability management solution is built in the same way. In fact, some solutions might focus on running vulnerability assessments, while others might focus on vulnerability scanning. Some might also integrate other security solutions and tools into the product, such as patch management software, threat intelligence and detection, SIEM tools, and more.
We recommend vulnerability management solutions for organizations of all sizes. But which solution you invest in should depend on how greatly your organization will benefit from it, among other factors such as cost, resources, and more.
Educate Your Users
Your employees are your greatest strength. But it’s important to bear in mind that they can—albeit unintentionally—introduce threats into your environment by downloading malicious content, clicking on phishing scams, and more. In fact, 61% of CVEs are estimated to involve users clicking on links, downloading files, or sharing credentials.
Educating your users to be able to spot and prevent these threats and potential exploits when they face them is a crucial part of any IT security program. You can achieve this by implementing security awareness training (SAT) for all employees across all levels of your organization.
Security awareness training is designed to educate users on security best practices, as well as threats they might face and how to stop them. This usually includes both modular content and engaging simulations to enable users to not only learn about threats, but also practice what they’ve learned in a safe environment.
Megan is a writer, editor, and journalist and has been actively researching and writing about the tech industry for three years. Throughout that time, she has covered a wide range of IT and cybersecurity topics in depth—including cloud software, biometric technologies, identity and access management solutions, and threat intelligence—and conducted interviews with dozens of industry experts. An avid reader and lover of research, Megan has a master’s degree and First-Class Honours bachelor’s degree in English Literature from Swansea University.