This blog was written by a third party author.
What is vulnerability management?
Every year, thousands of new vulnerabilities are discovered, requiring organizations to patch operating systems (OS) and applications and reconfigure security settings throughout the entirety of their network environment. To proactively address vulnerabilities before they are utilized for a cyberattack, organizations serious about the security of their environment perform vulnerability management to provide the highest levels of security posture possible.
Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems (OS), enterprise applications (whether in the cloud or on-premises), browsers, and end-user applications. An ongoing process, vulnerability management seeks to continually identify vulnerabilities that can be remediated through patching and configuration of security settings.
Addressing threats with vulnerability management
Bad actors look to take advantage of discovered vulnerabilities in an attempt to infect a workstation or server. Managing threats is a reactive process where the threat must be actively present. Whereas vulnerability management is proactive, seeking to close the security gaps that exist before they are taken advantage of.
More than just patching vulnerabilities
It’s important to note that formal vulnerability management doesn’t simply involve the act of patching and reconfiguring insecure settings. Vulnerability management is a disciplined practice that requires an organizational mindset within IT that new vulnerabilities are found daily requiring the need for continual discovery and remediation.
What is considered a vulnerability?
Any means by which an external threat actor can gain unauthorized access or privileged control to an application, service, endpoint, or server is considered a vulnerability. Tangible examples include communication ports open to the internet, insecure configurations of either software or OSs, methods by which to gain privileged access through approved interaction with a given application or OS, and a susceptibility to allow malware to infect a system.
How are vulnerabilities defined?
While security vendors can choose to build their own vulnerability definitions, vulnerability management is commonly seen as being an open, standards-based effort using the security content automation protocol (SCAP) standard developed by the National Institute of Standards and Technology (NIST). At a high level, SCAP can be broken down into a few components:
- Common vulnerabilities and exposures (CVE) – Each CVE defines a specific vulnerability by which an attack may occur.
- Common configuration enumeration (CCE) – A CCE is a list of system security configuration issues that can be used to develop configuration guidance.
- Common platform enumeration (CPE) – CPEs are standardized methods of describing and identifying classes of applications, operating systems, and devices within your environment. CPEs are used to describe what a CVE or CCE applies to.
- Common vulnerability scoring system (CVSS) – This scoring system works to assign severity scores to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. Scores range from 0 to 10, with 10 being the most severe.
Many public sources of vulnerability definitions exist, such as the National Vulnerability Database (NVD) or Microsoft’s security updates and are freely available. Additionally, several vendors offer access to private vulnerability databases via paid subscription.
Security configuration baselines are also used to establish how OSs and applications should be configured for the most security. The Center for Internet Security provides the broadest range of updated configuration baselines against which to assess and remediate configuration-based vulnerabilities.
The vulnerability management process
Every new vulnerability introduces risk to the organization. So, a defined process is often used to provide organizations with a way to identify and address vulnerabilities quickly and continually. At a high level, 6 processes make up vulnerability management—each with their own subprocesses and tasks.
- Discover: You can’t secure what you’re unaware of. The first process involves taking an inventory of all assets across the environment, identifying details including operating system, services, applications, and configurations to identify vulnerabilities. This usually includes both a network scan and an authenticated agent-based system scan. Discovery should be performed regularly on an automated schedule.
- Prioritize: Second, discovered assets need to be categorized into groups and assigned a risk-based prioritization based on criticality to the organization.
- Assess: Third is establishing a risk baseline for your point of reference as vulnerabilities are remediated and risk is eliminated. Assessments provide an ongoing baseline over time.
- Remediate: Fourth, based on risk prioritization, vulnerabilities should be fixed (whether via patching or reconfiguration). Controls should be in place so that that remediation is completed successfully and progress can be documented.
- Verify: Fifth, validation of remediation is accomplished through additional scans and/or IT reporting.
- Report: Finally, IT, executives, and the C-suite all have need to understand the current state of risk around vulnerabilities. IT needs tactical reporting on vulnerabilities identified and remediated (by comparing the most recent scan with the previous one), executives need a summary of the current state of vulnerability (think red/yellow/green type reporting), and the C-suite needs something high-level like simple risk scores across parts of the business.
Strong vulnerability management programs see each process (and any sub-processes) as a continual lifecycle designed to help improve security and reduce organizational risk found in the network environment. Strong programs see this as being a daily process rather than quarterly or annually.
Vulnerability management solutions
Many commercial solutions exist to simplify and automate the process of vulnerability management. Some focus solely on vulnerability assessment, some perform vulnerability scanning only, while still others look to provide comprehensive coverage of the entire vulnerability management process.
Additionally, many security solutions go beyond just offering vulnerability management, adding value by integrating other security functionality that, in total, helps to protect the environment better, including:
- Asset discovery
- Data classification
- Intrusion detection
- Privilege access management
- Threat detection and response
- SIEM and log data correlation
- Compliance auditing and reporting