Cybersecurity practitioners receive an overwhelming amount of alerts every day, but how can they know which issues to address first? As the attack surface rapidly expands, vulnerability management offers a strategic approach to manage exposure and remediate on time.
What is vulnerability management?
Vulnerability management is the continuous process of identifying, prioritizing, reporting on, and remediating security vulnerabilities in operating systems, browsers, enterprise applications, and end-user applications.
Robust vulnerability management tools detect vulnerabilities across an organization’s network and third-party ecosystem, and support different processes to patch or remediate them. These are based on four pillars:
- Reporting and prioritization
- Response and remediation
What is a vulnerability?
The International Organization for Standardization (ISO 27002) provides the following definition of a vulnerability:
A vulnerability is a weakness of an asset or group of assets that can be exploited by one or more threats.
A vulnerability is a flaw in a system that can affect the integrity, availability, and confidentiality of data, as well as compromise business continuity as attackers may exploit it to get unauthorized access to a network.
Common types of vulnerabilities include system misconfigurations, insider threats, outdated software, hardware, or firmware, and weak authorization credentials.
The sheer volume of vulnerabilities that are reported every week challenges security teams to remediate them in a timely way. To that end, successful vulnerability management programs leverage advanced prioritization techniques and automated workflows to streamline remediation efforts.
These can take hours, weeks, or even months, depending on how fast vulnerabilities can be exploited and their severity. In the case of zero day vulnerabilities, since no patch yet exists and they can be used to carry out cyberattacks or spread malware, a patch needs to be deployed as soon as it becomes available. Other less critical vulnerabilities may offer longer timeframes for remediation.
How are vulnerabilities categorized?
The Common Vulnerability Scoring System (CVSS) is an industry standard used to assess the criticality of software vulnerabilities, with a base score ranging from 0.0 to 10.0. In addition, the National Vulnerability Database (NVD) provides qualitative severity ratings for base score ranges, as they are defined in the CVSS v3.0 specification:
|CVSS Base Score||Severity Rating|
These frameworks allow security teams to prioritize vulnerabilities based on risk considering factors such as the severity of the vulnerability, exploitation activity, business criticality, and exposure of the affected system.
What does a vulnerability management process look like?
First comes assessing the resources, processes, and tools in place to identify gaps and decide a course of action. Which assets will be monitored for vulnerabilities, and which are the most critical? Who will manage the process, and what tools will they need?
To help answer these questions, Gartner’s Vulnerability Management Guidance Framework lays out five “pre-work” steps aimed at solving the people, process, and technology components:
- Determine Scope of the Program
- Define Roles and Responsibilities
- Select Vulnerability Assessment tools
- Create and Refine Policy and SLAs
- Identify Asset Context Sources
The Vulnerability Management Cycle
Once the pre-work is completed, there are five main stages to a vulnerability management cycle:
Step 1: Assess
In this stage, security analysts need to create (and maintain) an asset directory and narrow down the ones that are to be assessed for vulnerabilities. This means taking inventory of the organization’s assets, including software, hardware, operating systems, and services, as well as their current versions and applied patches.
Once a team gathers that data, it typically establishes a baseline of known or identified vulnerabilities to serve as a reference when detecting new vulnerabilities. Next comes assessing each asset for vulnerabilities and generating a report to determine which ones are at risk or will need patching or further investigation and remediation.
Step 2: Prioritize
The pre-work stage classifies an organization’s assets based on their criticality, risk level, and importance to business operations. Then, it’s time to assign values to every group class to determine which assets should undergo a vulnerability assessment first; core business software and hardware should be the priority.
With a prioritized list of assets, teams can gauge the threat exposure of each asset to add context to their reports. To accomplish these tasks, they can leverage endpoint security and threat intelligence tools.
Step 3: Act
There are three possible outcomes after gathering prioritization data:
- Accepting the risk of the vulnerable asset to the network. This can be the case for non-critical assets or systems, where the threat of exposure is very low.
- Mitigating the vulnerability or developing a strategy to reduce its potential impact, in order to make it more difficult for an attacker to exploit it. While the vulnerability won’t be eliminated, the measures in place can keep the network safe.
- Remediating the vulnerability by installing a patch to prevent the affected asset from becoming an entry point. This is typically the case for high risk vulnerabilities, zero days, or those that affect a critical system or asset.
Step 4: Reassess
After assessing, prioritizing, and assigning action items to vulnerabilities, it’s time to reassess the approach. This means verifying that each vulnerability remediation activity has been appropriately conducted through an auditing process, including scans and cross-examinations.
The reassessment stage is important because it sheds light on the success of the course of action, and detects potentially new issues around the same assets that might readjust priorities. It also provides important reporting metrics to communicate the value of these efforts.
Step 5: Improve
Like most cybersecurity workflows, the vulnerability management lifecycle involves continuously evaluating the strategy to verify that the measures in place have successfully reduced or eliminated the prioritized risks. This ongoing process can be supported with periodic scans and assessments to ensure that vulnerability management policies are effective.
High-performing vulnerability management programs seek consistent improvement and actively work to detect and eliminate underlying security issues. A good practice is to revisit the pre-work phase and its preliminary questions. By regularly examining the entire workflow, you can detect areas for improvement and proactively defend your organization.
Why vulnerability management must continuously evolve
The five step vulnerability management cycle is an ongoing and continuous effort to manage exposure that goes beyond running scans, installing patches, or performing one-time vulnerability assessments. While these practices are all crucial to vulnerability management, they are only a fraction of the program.
A vulnerability assessment is the evaluation of a host or network to provide visibility into its current state. Patch management consists of distributing firmware, driver, operating system (OS), and application updates to endpoints. By combining these tactics, vulnerability management provides continuous, real-time intelligence, reporting, and remediation guidance.
How can your organization benefit from a vulnerability management program?
As long as there are assets connected to the internet and digital supply chains keep expanding, every organization needs a vulnerability management program. Many industries and regulations require one in order to conduct business and instill trust.
There are thousands of known vulnerabilities in the wild, and many others are yet to be discovered and exploited. A vulnerability management program is the only way to detect and timely remediate vulnerabilities without draining your resources. Not all vulnerabilities carry the same risks, and not all vulnerabilities should be managed in the same way.
In addition to addressing specific flaws, vulnerability management also provides insight into areas that need to be improved in your organization’s security posture and facilitates compliance with regulatory requirements.
What to look for in a vulnerability management tool
To truly understand the risks that a threat actor might exploit, organizations need a vulnerability management approach that sees their expanding network the way attackers do – automatically and continuously. Vulnerabilities won’t cease to exist, but timeliness and performance are critical to being prepared for the next one.
BitSight allows organizations to gain the full view of their attack surface and control vulnerability exposure with External Attack Surface Management (EASM) capabilities, including Vulnerability Detection and Attack Surface Analytics. It also facilitates vulnerability management best practices such as ongoing asset discovery, and provides insights into patching rates.
BitSight Attack Surface Analytics continuously probes the network – ports, endpoints, databases, applications, cloud instances, even shadow IT and remote offices – without the need for costly point solutions. When a vulnerability is discovered, BitSight will alert security teams in near-real time and allow them to drill down into the root causes of vulnerabilities, so they can take control of risk exposure without succumbing to tool sprawl.
With this outside-in view of the network, teams can identify hidden risks and the systems or data that may be compromised if an attacker exploits that threat. Findings are displayed on a centralized dashboard, including the location of individual digital assets broken down by cloud provider, geography, and business unit – and the cyber risk associated with each asset.
Analysts and leaders can also visualize areas of critical or excessive risk – such as a vulnerability in a web application firewall that guards sensitive data stored in the cloud – and prioritize them for remediation.
The vulnerability threat also affects an organization’s third-party ecosystem, especially during majority security events where vendor risk can inadvertently expose the network through supply chain attacks. BitSight for Third-Party Risk Management allows security teams to respond to major security events and zero day vulnerabilities impacting their vendors, at scale and with confidence, by detecting and mitigating vulnerabilities across the vendor ecosystem with Vulnerability Detection and Vulnerability Response capabilities.
Learn more about BitSight’s data driven insights that can increase visibility into your attack surface and the risks from cyber vulnerabilities.