The best time to initiate a comprehensive program for dealing with security vulnerabilities in your organization was yesterday. Systems are more complex than ever, threats are more prevalent, attacks are more sophisticated, and the sheer number of system vulnerabilities is exceeding the remediation capabilities of many organizations.

As we consider how to develop a vulnerability management program, it’s helpful to define vulnerabilities. Security vulnerabilities are flaws in an organization’s systems that expose its assets and environment and that attackers can exploit to perform unauthorized and potentially harmful actions.

A good vulnerability management program aims to reduce the chances of this occurring through a three-step process:

  1. Identify vulnerabilities in your systems.
  2. Prioritize vulnerabilities according to their risk level.
  3. Remediate vulnerabilities with a fast and manageable approach.

These steps can make a profound difference in efficiency, compliance and the protection of your organization’s infrastructure. Let’s explore each step in greater detail.

Identify Security Vulnerabilities Based on Risk

The first step in a management program, identifying vulnerabilities, requires a scan of your systems, applications, networks and devices. Scanning can help uncover security vulnerabilities that stem from various sources, from third-party components to recently changed infrastructure. The good news is that this process is sure to detect security vulnerabilities. The bad news is that you may discover millions. One investment firm uncovered more than 6 million vulnerabilities after just one scan, according to IBM X-Force Red.

It’s no surprise that organizations sometimes lack the resources to scan a system, analyze the results and respond effectively. By the time the security team wades through the data, it may be outdated, and given that business continuity generally takes precedence over identifying and fixing security vulnerabilities, patches may not be implemented, which could leave the business exposed.

False positives also create dead ends that force teams to spend time pursuing vulnerabilities that don’t actually pose a risk. According to the Ponemon Institute and Exabeam, security teams waste an average of 25 percent of their time trying to track down false positives. This is where a multi-stage vulnerability management program and automation can play a major role, cutting down on false positives and allowing remediators to focus on only the vulnerabilities that pose the highest risk of a compromise.

Prioritize the Most Critical Vulnerabilities

Most scanners report their findings by Common Vulnerabilities and Exposures (CVE) identifier. CVE provides a standardized name for cataloging and managing publicly known security vulnerabilities. The Common Vulnerability Scoring System (CVSS), an open industry standard, is used to rate the severity of those vulnerabilities. CVSS produces a numerical base score from 0.0 to 10.0 (with 10.0 being the most severe) from metrics such as the attack vector, attack complexity, privileges required, user interaction and the impact on confidentiality, integrity and availability.

You may be tempted to rely only on the CVSS score to rank and prioritize vulnerabilities, but the base score most scanners report doesn’t account for which exposed assets matter most to your business or whether the vulnerability is being weaponized by attackers. In other words, CVSS treats all assets equally, even though compromising some of them would do far more damage to your business than others, and it says nothing about whether a working exploit exists and is in active use. Without considering those two additional factors, asset value and weaponization, you might prioritize patching vulnerabilities that are unlikely to be exploited while leaving unpatched others that expose far more sensitive assets. Your job is to rate each asset by its business value and the risk it carries.

According to Gartner, “A vulnerability is only as bad as the threat exploiting it and the impact on the organization.” If an attacker exploits just one vulnerability that has public exploit information associated with it, the damage could be significant. Fortunately, the percentage of vulnerabilities that are weaponized is typically low. By correlating and prioritizing weaponized vulnerabilities that could result in the greatest damage, your remediation program should become more manageable and effective.

Follow a Manageable Remediation Process

After prioritizing based on weaponization and asset value, you can address security vulnerabilities in manageable workloads and remediate the most critical ones first. It’s also crucial to eliminate false positives so you can focus on remediating only true vulnerabilities. Each vulnerability on the priority list should include a title, ranking, category, associated threat, proposed solution and remediation schedule. With that in hand, you should be able to remediate the most critical vulnerabilities in a manageable, consistent and efficient manner.
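The prioritization logic described in the previous section and the remediation list described here fit together in one short program. The following is an added example, not code from the original article or from IBM: it takes scanner findings, drops the ones triage marked as false positives, weights each finding's CVSS score by asset value, exposure and weaponization, and emits the ranked list with the fields the article calls for (title, ranking, category, associated threat, proposed solution, remediation schedule). The asset inventory, finding IDs (placeholders standing in for CVE IDs), weaponized set, multipliers and due-date tiers are all constructed assumptions for this example; a real program would feed them from your CMDB, your scanner export and a threat-intelligence feed such as CISA's Known Exploited Vulnerabilities catalog.

```python
"""Risk-based remediation list (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset inventory (stand-in for a CMDB export).
# criticality: business value, 1 (low) to 5 (crown jewel).
ASSETS = {
    "web-01":   {"criticality": 5, "internet_facing": True},
    "db-01":    {"criticality": 5, "internet_facing": False},
    "build-07": {"criticality": 3, "internet_facing": False},
    "kiosk-12": {"criticality": 1, "internet_facing": False},
}

# Constructed set of findings known to be weaponized (public exploit code or
# observed in-the-wild exploitation); populate from threat intelligence in practice.
WEAPONIZED = {"FINDING-1", "FINDING-3"}

# Remediation schedule: (tier name, minimum priority score, days allowed to fix).
# Thresholds are assumptions for this example, not a standard.
TIERS = [("Critical", 15.0, 7), ("High", 8.0, 30), ("Medium", 3.0, 90), ("Low", 0.0, 180)]


@dataclass
class Finding:
    id: str            # placeholder; a real scanner would give a CVE ID
    title: str
    category: str
    asset: str
    cvss: float        # CVSS base score as reported by the scanner
    solution: str
    confirmed: bool    # outcome of triage; False marks a false positive


def priority_score(f: Finding) -> float:
    """CVSS severity weighted by asset value, exposure and weaponization.

    The multipliers (1.5x for internet-facing, 2x for weaponized) are
    assumptions chosen for illustration; tune them to your own risk appetite.
    """
    asset = ASSETS[f.asset]
    score = f.cvss * (asset["criticality"] / 5)
    if asset["internet_facing"]:
        score *= 1.5
    if f.id in WEAPONIZED:
        score *= 2.0
    return round(score, 2)


def tier_for(score: float):
    """Return (tier name, days to fix) for a priority score."""
    for name, threshold, days in TIERS:
        if score >= threshold:
            return name, days
    return TIERS[-1][0], TIERS[-1][2]


def build_remediation_list(findings, today: date):
    """Drop false positives, rank what remains, and attach the fields the
    article asks for: title, ranking, category, threat, solution, schedule."""
    confirmed = [f for f in findings if f.confirmed]
    ranked = sorted(confirmed, key=priority_score, reverse=True)
    plan = []
    for rank, f in enumerate(ranked, start=1):
        score = priority_score(f)
        tier, days = tier_for(score)
        plan.append({
            "rank": rank, "id": f.id, "title": f.title, "category": f.category,
            "asset": f.asset, "cvss": f.cvss, "priority_score": score, "tier": tier,
            "threat": "public exploit / exploited in the wild" if f.id in WEAPONIZED else "no known exploit",
            "solution": f.solution,
            "due": (today + timedelta(days=days)).isoformat(),
        })
    return plan


# Constructed scan output for the example.
SAMPLE_FINDINGS = [
    Finding("FINDING-1", "RCE in web framework", "Remote code execution", "web-01", 9.8, "Upgrade framework", True),
    Finding("FINDING-2", "Auth bypass in DB admin UI", "Authentication", "db-01", 9.8, "Apply vendor patch", True),
    Finding("FINDING-3", "RCE in kiosk firmware", "Remote code execution", "kiosk-12", 10.0, "Flash updated firmware", True),
    Finding("FINDING-4", "Outdated TLS library", "Cryptography", "build-07", 7.5, "Update package", True),
    Finding("FINDING-5", "Verbose error pages", "Information disclosure", "web-01", 5.3, "Disable debug mode", True),
    Finding("FINDING-6", "SQL injection (scanner heuristic)", "Injection", "db-01", 9.1, "Parameterize queries", False),
]
EXAMPLE_DATE = date(2023, 1, 1)


def example_plan():
    return build_remediation_list(SAMPLE_FINDINGS, EXAMPLE_DATE)


if __name__ == "__main__":
    for row in example_plan():
        print(f'{row["rank"]:>2}. {row["id"]} {row["tier"]:<8} score={row["priority_score"]:<6} '
              f'cvss={row["cvss"]:<4} {row["asset"]:<9} due {row["due"]}  {row["title"]}')
```

Running it shows the point of the previous section: the CVSS 10.0 finding on the low-value kiosk lands at the bottom of the list, while the weaponized 9.8 on the internet-facing web server is the only item in the seven-day tier, and the unconfirmed SQL injection never reaches the remediators at all.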

Vulnerability Management Is an Ongoing Process

Given that many organizations potentially have millions of vulnerabilities — many of which could expose highly sensitive assets — the immediate need for efficient identification, prioritization and remediation is obvious. But vulnerability management must be a continual process, not a one-off. To that end, creating a regular schedule for assessing vulnerabilities based on risk to the business is key to developing an effective and efficient vulnerability management program.
