1. Vulnerability Management Overview
What is vulnerability management?
Vulnerability management is an ongoing program of technologies and tools to identify cyber risks across your organization, align them with your operational goals and objectives and then prioritize to remediate vulnerabilities in a timely manner to secure your network and keep your operations safe.
Vulnerability management consists of the people, policies and processes that work together toward common goals to ensure your attack surface and cyber risk are as small as possible.
Fixing vulnerabilities across your entire attack surface is a daunting task. The reality is, the volume of assets in most organizations, coupled with more than a growing list of hundreds of potential attack vectors, makes it challenging for security teams to patch and remediate them all.
It’s even more challenging because most organizations don’t have the right tools to gain insight into all of the assets across the organization — from traditional IT, to cloud, to mobile, to containers or serverless, to web applications and operational technology (OT) assets.
Add that to the reality of the real world problem that many assets have multiple vulnerabilities and other security issues and before you know it, your security team is buried under a mountain of vulnerabilities.
The more vulnerabilities that exist and the more disparate remediation functions are, the more likely it is that attackers can exploit your attack surface.
That’s where vulnerability management comes in.
What does vulnerability management entail?
There are five core steps for effective vulnerability management. These steps align with your cybersecurity lifecycle.
Step 1: Discover
Identify and map all of your assets across all of your computing environments.
Step 2: Assess
Understand exposure of all of your assets including vulnerabilities, misconfigurations and other security health indicators.
Step 3: Prioritize
Understand your exposures with context so you can prioritize remediation based on asset criticality, vulnerability severity and threat context.
Step 4: Remediate
Prioritize which exposures to address first and then use the appropriate remediation process.
Step 5: Measure
Measure and then benchmark your exposure so your teams can make better business and technology-related decisions.
What's the difference between vulnerability management and vulnerability assessment?
Vulnerability management and vulnerability assessment are different, but complementary practices.
Vulnerability management helps you identify all of the assets and vulnerabilities across your attack surface. It also helps you plan how you will mitigate issues, prioritize and remediate weaknesses and improve your overall security posture.
Vulnerability assessment, on the other hand, is a one-time project conducted on a regular basis to identify all of your assets and vulnerabilities.
Generally, vulnerability assessment, which is not the same as a vulnerability scan, has a specified beginning and end date. It’s a snapshot of your attack surface at a specific point in time.
Vulnerability assessment is part of your overall vulnerability management program, which helps you continuously identify and address your cyber risks.
How is vulnerability management different from risk-based vulnerability management?
Traditional vulnerability management practices, also called legacy vulnerability management, give you a theoretical view of vulnerabilities and risks, uncovering threats a vulnerability could introduce into your environment, but without indication of which threats pose real risk.
Without clear insight into actual risks, your security team can get bogged down trying to remediate vulnerabilities that may not pose actual risk and can miss finding and remediating critical vulnerabilities more likely to impact your organization.
Adding a risk-based approach to your vulnerability management practices can help you better understand risks — with threat context — so you have insight into the potential business impact of weaknesses across your attack surface.