Vulnerability management is the process of identifying, assessing, and treating cyber vulnerabilities across systems and software used in an organisation. It is an ongoing, cyclical process to manage the vulnerabilities and report on the status. Vulnerability management is an important part of an organisation’s security program and is integral to reducing the attack surface.
The technology estate is never static: systems and networks change continually, and cyber-attacks are becoming more damaging and technically sophisticated. Vulnerability management is therefore a continuous process of monitoring and treating vulnerabilities.
While vulnerability, threat and risk all denote a security concern, they differ in meaning and in how each is treated.
A vulnerability as defined in ISO 27002 is a weakness in an asset or a group of assets that can be exploited by threats.
A threat is something that can exploit the vulnerability in a system or software.
A risk is potential damage that can be caused when a threat exploits a vulnerability.
Vulnerability management is an ongoing process. The process can use different terminologies in different organisations or contexts, but the process remains more or less similar in all cases.
The vulnerability management process requires a precursor as defined by Gartner’s Vulnerability Management Guidance Framework. It outlines 5 steps before vulnerability management begins.
After this groundwork, you can begin the vulnerability management process.
The vulnerability management process can be broken down into 4 major steps.
This step is usually carried out using a Vulnerability Scanner, even though other methods are available, too. A vulnerability scanner is a tool that searches for known vulnerabilities in the IT infrastructure and reports them. It will perform the following tasks:
If you are not using a vulnerability scanner, you can use other vulnerability management solutions that continuously gather data from systems without running scans. Either way, the end result should be the same: the method must be able to identify vulnerabilities.
Vulnerabilities need to be evaluated to ascertain their severity and also so that the vulnerability management process is aligned with risk management. Vulnerability management solutions evaluate vulnerabilities by assigning risk ratings and scores. A popular scoring system is the Common Vulnerability Scoring System (CVSS). Read more about how CVSS works in What is the Common Vulnerability Scoring System?
These scores help you prioritise vulnerabilities. Along with the CVSS scores, you should also consider the below factors to get a complete view of the risks associated with a vulnerability.
No vulnerability scanner or other vulnerability management tool is perfect; a reported finding may be a false positive. All reported vulnerabilities therefore need to be validated.
Penetration testing is a comprehensive method of validating vulnerabilities. There are other validation methods, too. Validation methods are important because they can also uncover vulnerabilities that you didn’t know existed in your system or didn’t know were severe enough to treat. Read more on how pen testing is relevant to cybersecurity and GRC in Cybersecurity, GRC, and the Role of Penetration Testing.
A vulnerability once validated as a risk needs vulnerability treatment. Below are the options for vulnerability treatment.
Vulnerability management solutions also recommend treatment options. However, the option provided might not always be the most optimal solution. So, any option must be evaluated by security experts, system owners, and system administrators.
When vulnerability fixes are implemented, it is recommended that you run the vulnerability scans again to confirm that the vulnerability has been resolved.
Vulnerability management solutions come with different options for customising reports and a dashboard view to see how the vulnerability management program is performing. These reports help the security teams make decisions about the security controls and other techniques to be used to deal with each vulnerability.
Since vulnerability management is a regular and continuous process, it helps to have updated reports generated regularly so that vulnerabilities can be monitored.
Since vulnerability management is a cyclical process, the information in the reports is used to remediate the outstanding vulnerabilities, after which the cycle repeats, starting again from identifying vulnerabilities.
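The four steps above (identify, evaluate, validate and treat, report) are easiest to see end to end on concrete data. The following is an added example, not the page's or 6clicks' code: it takes constructed scanner findings, combines the CVSS base score with asset criticality, exposure and exploit availability to prioritise them, drops findings that manual validation classified as false positives, compares a rescan against the previous scan to confirm remediation, and summarises the result for a report. The hosts, the asset register, the CVE identifiers of the form CVE-0000-000N, the CVSS values and the weighting in `priority_score` are all constructed placeholders, not real data or a standard formula.

```python
"""Vulnerability management cycle over constructed scanner output.

Added example, not the page's code. CVE ids of the form CVE-0000-000N,
hosts, CVSS values, asset register and weighting are constructed placeholders.
"""
from typing import Dict, Iterable, List, Set, Tuple

Finding = Dict[str, object]
Key = Tuple[str, str]  # (host, cve) identifies one vulnerability instance

# --- Step 1: identify. Constructed findings, as a scanner might export them. ---
SCAN_BEFORE: List[Finding] = [
    {"host": "web-01",   "cve": "CVE-0000-0001", "cvss": 9.8, "title": "remote code execution (constructed)"},
    {"host": "web-01",   "cve": "CVE-0000-0002", "cvss": 5.3, "title": "information disclosure (constructed)"},
    {"host": "hr-db-01", "cve": "CVE-0000-0003", "cvss": 7.5, "title": "authentication bypass (constructed)"},
    {"host": "lab-01",   "cve": "CVE-0000-0001", "cvss": 9.8, "title": "remote code execution (constructed)"},
]

# Constructed asset register: business criticality 1 (low) .. 5 (high) and exposure.
ASSETS: Dict[str, Dict[str, object]] = {
    "web-01":   {"criticality": 4, "internet_facing": True},
    "hr-db-01": {"criticality": 5, "internet_facing": False},
    "lab-01":   {"criticality": 1, "internet_facing": False},
}

# Constructed threat context: CVEs with a publicly known exploit (not part of the CVSS base score).
KNOWN_EXPLOITED: Set[str] = {"CVE-0000-0001"}


def key(finding: Finding) -> Key:
    return (str(finding["host"]), str(finding["cve"]))


# --- Step 2: evaluate. CVSS base score adjusted by asset and threat context. ---
def priority_score(finding: Finding, assets=ASSETS, exploited=KNOWN_EXPLOITED) -> float:
    """Constructed weighting: scale CVSS by criticality, then add exploit and exposure bonuses.

    Unknown hosts default to criticality 3 and not internet-facing. Result is capped at 10.
    """
    asset = assets.get(str(finding["host"]), {"criticality": 3, "internet_facing": False})
    score = float(finding["cvss"]) * (0.5 + 0.5 * int(asset["criticality"]) / 5)
    if finding["cve"] in exploited:
        score += 1.5
    if asset["internet_facing"]:
        score += 1.0
    return round(min(score, 10.0), 1)


def prioritise(findings: Iterable[Finding], assets=ASSETS, exploited=KNOWN_EXPLOITED) -> List[Tuple[Key, float]]:
    """Return (host, cve) pairs ordered from highest to lowest priority."""
    scored = [(key(f), priority_score(f, assets, exploited)) for f in findings]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# --- Step 3: validate and treat. ---
def treatment_queue(findings: Iterable[Finding], false_positives: Set[Key]) -> List[Tuple[Key, float]]:
    """Drop findings that a manual check classified as false positives; keep priority order."""
    return [(k, s) for k, s in prioritise(findings) if k not in false_positives]


def verify_remediation(before: Iterable[Finding], after: Iterable[Finding]) -> Dict[str, Set[Key]]:
    """Compare the rescan with the previous scan: what was resolved, what stayed open, what is new."""
    b, a = {key(f) for f in before}, {key(f) for f in after}
    return {"resolved": b - a, "open": b & a, "new": a - b}


# --- Step 4: report. ---
def report(before: Iterable[Finding], after: Iterable[Finding], false_positives: Set[Key]) -> Dict[str, object]:
    """Summary a dashboard or periodic report would carry for this cycle."""
    before, after = list(before), list(after)
    diff = verify_remediation(before, after)
    queue = treatment_queue(after, false_positives)
    return {
        "resolved": len(diff["resolved"]),
        "open": len(diff["open"]),
        "new": len(diff["new"]),
        "top_priority": queue[0] if queue else None,
        "queue_length": len(queue),
    }


# Constructed rescan after patching CVE-0000-0001: one new finding appeared in the meantime.
SCAN_AFTER: List[Finding] = [
    {"host": "web-01",   "cve": "CVE-0000-0002", "cvss": 5.3, "title": "information disclosure (constructed)"},
    {"host": "hr-db-01", "cve": "CVE-0000-0003", "cvss": 7.5, "title": "authentication bypass (constructed)"},
    {"host": "web-01",   "cve": "CVE-0000-0004", "cvss": 4.3, "title": "outdated library (constructed)"},
]
# Constructed outcome of manual validation: the disclosure finding on web-01 was a false positive.
FALSE_POSITIVES: Set[Key] = {("web-01", "CVE-0000-0002")}

if __name__ == "__main__":
    for k, s in prioritise(SCAN_BEFORE):
        print(f"{s:>5}  {k[0]:<9} {k[1]}")
    print(report(SCAN_BEFORE, SCAN_AFTER, FALSE_POSITIVES))
```

The point the ranking makes is the one the page makes in prose: the same CVSS 9.8 finding scores 10.0 on the internet-facing web server and only 7.4 on the low-criticality lab host, below the 7.5 authentication bypass on the HR database, so CVSS alone would have ordered the queue differently. The rescan comparison is how the "run the scans again" step is turned into evidence: a finding counts as resolved only when it is absent from the follow-up scan, and anything that appears for the first time enters the next cycle.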
At the core of vulnerability management is managing the exposure of your data and assets to known vulnerabilities. However, when you choose a vulnerability management solution, you should also consider the below factors.
Many vulnerability management solutions provide endpoint agents to continuously gather vulnerability data. These agent-based solutions can sometimes be quite bulky, impacting the performance of the endpoint. Choose a lightweight solution that will not impact the performance.
Vulnerability management solutions need to be fast. If they take too long to scan the networks and collect vulnerability data, chances are the data is already outdated by the time the tool reports it. This is a common problem with network-based vulnerability management solutions.
Vulnerabilities in the system should be visible as soon as they are found. A vulnerability management solution with a real-time dashboard lets you see vulnerabilities in time, so that the assessment and treatment steps can be triggered promptly.
There are a lot of organisational changes due to the demand for adding more systems and applications, rising adoption of cloud, hybrid work culture, etc. At the same time, the threat landscape is evolving, and the number of cyber attacks is increasing.
All these changes call for a strong vulnerability management process. Changes such as onboarding a new partner, hiring, or adopting a cloud service are inevitable in a growing organisation, but each of them also grows your attack surface. Protecting your organisation from the resulting threats is critical, and vulnerability management is an important part of this exercise. Read more in the blog Integrating Vulnerability Management into your ISMS.
To know more about how the 6clicks platform helps with vulnerability management and supports integration with vulnerability scanning platforms, get in touch with our team to take a free tour of the platform.