Companies need to do more than just scan for known problems and provide huge vulnerability reports to system and network administrators for remediation. According to Gartner, known vulnerabilities still comprise 99 percent of all known exploit traffic. Furthermore, malware, ransomware and exploit kits target vulnerabilities that are six months or older on average.

For many companies, vulnerability management amounts to a game of whack-a-mole. Vulnerability research, assessment and testing are conducted manually and with technological approaches that have not matured over the course of a decade. This inadequacy results in inefficient strategies and security assessments that lack the breadth of scope to reliably simulate what attackers are likely to do when targeting an organization. Even companies that have mature vulnerability assessment programs may struggle when it comes to analyzing the potential risk and impact and managing remediation.

The Scope of the Challenge

Unfortunately, companies face a variety of other challenges when pursuing vulnerability management, including decentralized or inexperienced resources supporting the process, lack of an accurate IT asset inventory, and failure to determine and document whether a fix was applied or an exception was granted.

Another challenge is that the scope of the problem typically exceeds the span of control for the information security team. For comprehensive vulnerability mitigation and ongoing maintenance to occur, security teams depend almost completely on the cooperation of other teams — such as server support, systems administration and network operations — to make the necessary remediation changes. These groups know that each change can be time-consuming and possibly require reboots or scheduled downtime. Consequently, they usually have different timelines and sets of priorities compared to the security team, which wants to address the identified vulnerabilities as quickly as possible.

Any change to your environment could introduce a new vulnerability, and new threats are constantly emerging. Network equipment, server and workstation operating systems, printers and software are all rife with vulnerabilities. So are mobile, virtual and cloud environments. With growing concerns about data breaches and regulatory compliance, the need for mature vulnerability management capabilities is obvious.

What Is Vulnerability Management?

Vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline to discover, prioritize and mitigate exposures. Effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets.

There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration standards based on industry-recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (CIS), the SANS Institute and product vendors themselves. Companies that implement these standards also demonstrate due diligence during audits and regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames.

When starting to build a vulnerability management program, companies should take the following steps:

  • Assess and document the current state of the environment to prioritize areas of improvement.
  • Maintain an accurate IT asset inventory.
  • Document the security infrastructure, as well as external access to systems and processes.
  • Establish a security configuration baseline or desired state for each component of the infrastructure based on industry-recognized standards and practices.
  • Conduct internal vulnerability scanning across the entire network at least biannually.
  • Conduct external network perimeter scanning at least quarterly.
  • Identify the patch and configuration issues responsible for the most numerous and serious vulnerabilities.
  • Create a vulnerability remediation plan of action.
  • Prioritize remediation actions based on potential business impacts and the probability that a vulnerability will be exploited.

Sensitive assets with critical vulnerabilities should be assigned the highest mitigation priority. This requires some risk quantification and analysis. Major network, server and database assets should be classified in terms of the applications they support. This way, vulnerabilities can be related to the business processes that are at risk. Key assets should also be rated in terms of availability, data sensitivity and integrity requirements. Companies that have performed a business impact analysis as a component of their continuity planning have a good starting point.

Remediating Vulnerabilities

Vulnerability management requires an automated or manual workflow. Assessment reports should be provided to IT asset administrators and then verified by an auditing and feedback process. Once corrective action is taken to remediate the vulnerability, the IT asset should be re-examined for compliance. The more automated the process, the more efficiently your company can correct known vulnerability exposures.

It is essential to recognize that resolving the vulnerability for good depends on the IT asset and its role. The following can be considered remediation measures:

  • Patching the vulnerability;
  • Disabling vulnerable functionality;
  • Uninstalling vulnerable components;
  • Changing the system configuration; and
  • Upgrading the platform or service.

Companies should document all decisions not to remediate to prevent them from multiplying and becoming unmanageable. Failure to address a vulnerability is a decision to accept the risk. This decision should never be made by the IT or information security team, but by the business owner of the vulnerable asset. Exceptions should still show up on the vulnerability assessment reports, and the use of exceptions should be logged and tracked.
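The prioritization described above (asset classification by availability, data sensitivity and integrity, weighed against severity and the probability of exploitation) and the exception handling in this section can be modelled in a few lines. The following is an added illustration, not code from the article or from any IBM product; the rating scale, weights, score formula and the six-month ageing boost are assumptions chosen for the example, and the asset, finding and exception records are constructed.

```python
from dataclasses import dataclass
from datetime import date
# Added example, not code from the article: ratings, weights and the score formula are
# illustrative assumptions, and every sample record below is constructed.

@dataclass
class Asset:
    name: str
    business_process: str       # process put at risk if this asset is compromised
    availability: int           # 1 (low) .. 3 (high) requirement
    data_sensitivity: int
    integrity: int
@dataclass
class Finding:
    asset: str
    vuln_id: str
    severity: float             # 0..10 scanner-style severity
    exploit_probability: float  # 0..1, e.g. public exploit or exploit-kit coverage
    first_seen: date
def priority_score(a: Asset, f: Finding, today: date) -> float:
    # Impact (criticality from the 0..1-normalized ratings, times severity) times
    # likelihood; findings open for more than six months get a 1.5x boost.
    criticality = (a.availability + a.data_sensitivity + a.integrity) / 9.0
    score = criticality * f.severity * f.exploit_probability
    return round(score * (1.5 if (today - f.first_seen).days > 180 else 1.0), 2)
def build_report(assets, findings, exceptions, today):
    # exceptions: {(asset, vuln_id): (business_owner, expiry_date)}. Accepted
    # exceptions stay on the report, labelled; expired or ownerless ones reopen.
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        owner, expires = exceptions.get((f.asset, f.vuln_id), (None, None))
        if owner and expires >= today:
            status = f"exception accepted by {owner} until {expires}"
        elif (f.asset, f.vuln_id) in exceptions:
            status = "exception invalid (expired or no business owner): remediate"
        else:
            status = "remediate"
        rows.append({"asset": a.name, "process": a.business_process, "vuln": f.vuln_id,
                     "score": priority_score(a, f, today), "status": status})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
def sample_report(today=date(2024, 3, 1)):
    assets = [Asset("db01", "card payments", 3, 3, 3), Asset("kiosk07", "lobby signage", 1, 1, 1)]
    findings = [Finding("db01", "VULN-A", 9.8, 0.9, date(2023, 6, 1)),   # old and likely exploited
                Finding("db01", "VULN-B", 5.0, 0.2, date(2024, 2, 20)),
                Finding("kiosk07", "VULN-A", 9.8, 0.9, date(2023, 6, 1))]
    exceptions = {("db01", "VULN-B"): ("payments product owner", date(2024, 6, 30)),
                  ("kiosk07", "VULN-A"): ("", date(2024, 6, 30))}  # no business owner: invalid
    return build_report(assets, findings, exceptions, today)
```

Running `sample_report()` ranks the old, exploitable finding on the payment database first, keeps the accepted exception visible with its owner and expiry, and reopens the exception that lacks a business owner.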

A Layered Approach

The need to find and fix vulnerabilities will persist for the foreseeable future. Companies should implement a vulnerability management program that begins with a security configuration baseline and references industry-recognized best practices. Strong leadership can promote top-to-bottom commitment to the process.

A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to securing any environment from threats. Vulnerability management must be a foundational element of every information security program.
