The best time to initiate a comprehensive program for dealing with security vulnerabilities in your organization was yesterday. Systems are more complex than ever, threats are more prevalent, attacks are more sophisticated, and the sheer number of system vulnerabilities is exceeding the remediation capabilities of many organizations.

As we consider how to develop a vulnerability management program, it’s helpful to define vulnerabilities. Security vulnerabilities are flaws exposing an organization’s assets and environment that can be exploited by attackers to perform unauthorized and potentially harmful actions.

A good vulnerability management program aims to reduce the chances of this occurring through a three-step process:

  1. Identify vulnerabilities in your systems.
  2. Prioritize vulnerabilities according to their risk level.
  3. Remediate vulnerabilities with a fast and manageable approach.

These steps can make a profound difference in efficiency, compliance and the protection of your organization’s infrastructure. Let’s explore each step in greater detail.

Identify Security Vulnerabilities Based on Risk

The first step in a management program, identifying vulnerabilities, requires a scan of your systems, applications, networks and devices. Scanning can help uncover security vulnerabilities that stem from various sources, from third-party vendors to overhauled infrastructure. The good news is that this process is sure to detect security vulnerabilities. The bad news is that you may discover millions. One investment firm uncovered more than 6 million vulnerabilities after just one scan, according to IBM X-Force Red.

It’s no surprise that organizations sometimes lack the resources to scan a system, analyze the results and respond effectively. By the time the security team wades through the data, it may be outdated, and given that business continuity generally takes precedence over identifying and fixing security vulnerabilities, patches may not be implemented, which could leave the business exposed.

False positives also create dead ends that force teams to spend time pursuing vulnerabilities that don’t actually pose a risk. According to the Ponemon Institute and Exabeam, security teams waste an average of 25 percent of their time trying to track down false positives. This is where a multi-stage vulnerability management program and automation can play a major role, cutting down on false positives and allowing remediators to focus on only the vulnerabilities that pose the highest risk of a compromise.

Prioritize the Most Critical Vulnerabilities

Most scans produce results that are referred to by their Common Vulnerabilities and Exposures (CVE) designation. This system provides a standardized name for cataloging and managing publicly known security vulnerabilities. The Common Vulnerability Scoring System (CVSS), a worldwide standard, is used to rate the severity of CVEs. The CVSS generates a numerical criticality score from 1 to 10 (with 10 being the most critical) based on factors such as the type of attack, level of access required and overall complexity.

You may be tempted to rely only on the CVSS to rank and prioritize vulnerabilities, but the scoring system doesn’t account for which exposed assets matter most to your business or whether the vulnerabilities exposing them are being weaponized by attackers. In other words, the CVSS treats all assets equally, even though compromising some of them would create far more impact to your business, and even though the vulnerabilities exposing them may be actively exploited by attackers. Without considering those two additional factors – asset value and weaponization – you might prioritize patching vulnerabilities that aren’t likely to be exploited and leave others that could expose even more sensitive assets if left unpatched. Your job is to identify each asset in terms of its risk and critical value.

According to Gartner, “A vulnerability is only as bad as the threat exploiting it and the impact on the organization.” If an attacker exploits just one vulnerability that has public exploit information associated with it, the damage could be significant. Fortunately, the percentage of vulnerabilities that are weaponized is typically low. By correlating and prioritizing weaponized vulnerabilities that could result in the greatest damage, your remediation program should become more manageable and effective.

Follow a Manageable Remediation Process

After prioritizing based on weaponization and asset value, you can address security vulnerabilities in manageable workloads and remediate the most critical ones first. It’s also crucial to eliminate false positives so you can focus on remediating only true vulnerabilities. Each vulnerability on the priority list should include a title, ranking, category, associated threat, proposed solution and remediation schedule. With that in hand, you should be able to remediate the most critical vulnerabilities in a manageable, consistent and efficient manner.
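As an added example (not code from the article or from IBM), the following Python ranks a set of constructed scan findings first by CVSS alone and then by the two extra factors described above, asset value and weaponization, drops validated false positives, and emits a priority-list record carrying the fields named in this section. The weighting, SLA windows, CVE ids and asset names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Finding:
    cve: str             # scanner's CVE designation (placeholder ids below, not real advisories)
    title: str
    category: str
    cvss: float          # CVSS base score as reported by the scanner
    asset: str
    asset_value: int     # business criticality of the exposed asset, 1 (low) to 5 (crown jewel)
    weaponized: bool     # public exploit available / exploitation observed in the wild
    false_positive: bool = False  # set by the validation stage

# Assumed weighting: a weaponized finding counts double, so an exploited medium on a
# critical asset outranks an unexploited critical on a throwaway test box.
WEAPONIZED_MULTIPLIER = 2.0

# Constructed sample scan output.
FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", "Kernel privilege escalation", "OS", 9.8, "dev-test-vm", 1, False),
    Finding("CVE-0000-0002", "Auth bypass in DB admin console", "App", 6.5, "customer-db", 5, True),
    Finding("CVE-0000-0003", "Deserialization RCE", "App", 8.1, "payroll-app", 4, False),
    Finding("CVE-0000-0004", "Outdated TLS library", "Library", 9.1, "build-server", 3, True, True),
]

def risk_score(f: Finding) -> float:
    """CVSS weighted by asset value, doubled when the vulnerability is weaponized."""
    score = f.cvss * f.asset_value
    return score * WEAPONIZED_MULTIPLIER if f.weaponized else score

def remediation_window(score: float) -> str:
    """Assumed SLA buckets keyed to the risk score (not from the article)."""
    if score >= 60:
        return "7 days"
    if score >= 30:
        return "30 days"
    return "90 days"

def cvss_only_order(findings: List[Finding]) -> List[str]:
    """What a CVSS-only ranking would produce: false positives and test boxes float to the top."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def prioritize(findings: List[Finding]) -> List[Dict]:
    """Drop validated false positives, rank by risk score, and build the priority-list records."""
    live = sorted((f for f in findings if not f.false_positive), key=risk_score, reverse=True)
    return [{"rank": i, "title": f.title, "cve": f.cve, "category": f.category, "asset": f.asset,
             "threat": "public exploit" if f.weaponized else "no known exploit",
             "risk_score": risk_score(f), "solution": "apply vendor patch",
             "schedule": remediation_window(risk_score(f))}
            for i, f in enumerate(live, start=1)]
```

Compare `cvss_only_order(FINDINGS)` with `[r["cve"] for r in prioritize(FINDINGS)]` to see the exploited auth bypass on the customer database move from last place to first while the false-positive finding disappears entirely.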

Vulnerability Management Is an Ongoing Process

Given that many organizations potentially have millions of vulnerabilities — many of which could expose highly sensitive assets — the immediate need for efficient identification, prioritization and remediation is obvious. But vulnerability management must be a continual process, not a one-off. To that end, creating a regular schedule for assessing vulnerabilities based on risk to the business is key to developing an effective and efficient vulnerability management program.
