Rethinking Vulnerability Management: The attacker’s perspective

November 26, 2013  |  Sandy Hawke

Here's a really basic question... Why do we do vulnerability management? If your child asked you that question, how would you answer? It’s pretty simple really. We need to find and fix vulnerabilities because that’s what attackers exploit.

You would then likely explain to your child that vulnerabilities are weaknesses, and weaknesses can be exploited by bad people who want to do you harm. And unfortunately there are quite a few vulnerabilities, and finding all of them, and trying to figure out if, how, and when you can patch them has to be managed as a process.

But somewhere along the way, a checklist mindset aka “The Management Process” took over and our original purpose has gotten lost in the chaos. One way to overcome that chaos lies in prioritizing our remediation efforts. And the key to prioritization is to view vulnerabilities in the context of real-time and actual threats facing your environment.

How do you do that? Start with looking at your network the way an attacker would.

This is a significant paradigm shift for most of us. It’s far more natural to look at vulnerabilities in the way we value our assets, according to business priority. But a better way is to view vulnerabilities in the context they find themselves in your network. Think of them the way an attacker would. Which ones are most likely to be exposed? Which ones would offer an attacker a foothold into your organization? And keep in mind… Not every vulnerability can be fixed; some systems may require very specific versions of software; some vulnerabilities do not have patches available and the only solution is to upgrade to a newer version of the software.

That said, more important than removing all vulnerabilities, is to understand what vulnerabilities commonly exist on your network, and prioritize investigation on hosts known to be more vulnerable-over-time.

Let’s take a step back and talk basics.


For a vulnerability to be exploited, it must be exposed to a threat. An unexploited vulnerability poses little to no risk to an organization. For example, you could have a high-impact vulnerability present on a server but if that server is not connected to the rest of the network, there’s little to no risk. However, a medium-impact vulnerability on an Internet-facing machine would pose significant risk to your organization.

So the trick becomes viewing vulnerabilities in the context of real, actual threats present in your network, so that you can prioritize remediation efforts.

And thankfully, AlienVault USM makes that possible.

This is a screenshot of one of our alarms, generated by our event correlation or SIEM capability. Because AlienVault USM combines vulnerability management with asset inventory, host-based IDS, network IDS, netflow analysis, file integrity monitoring, and SIEM event correlation, all of the rich information captured by these capabilities is viewable in a single screen.

As soon as an alarm is triggered, you can immediately identify known malicious IPs interacting with a vulnerable host, along with all events involving that host, details on the vulnerabilities discovered, notes on who owns the system as well as all the software installed on it.

There are a number of other challenges with vulnerability management - reducing false positives, avoiding network downtime, etc. To learn more about the challenges with vulnerability management and how to overcome them, check out Threat Intelligence: The Key to a Complete Vulnerability Management Strategy In the meantime, stay focused on the essentials...

Share this with others

Get price Free trial