Companies need to do more than just scan for known problems and provide huge vulnerability reports to system and network administrators for remediation. According to Gartner, known vulnerabilities still comprise 99 percent of all known exploit traffic. Furthermore, malware, ransomware and exploit kits target vulnerabilities that are six months or older on average.

For many companies, vulnerability management amounts to a game of whack-a-mole. Vulnerability research, assessment and testing are conducted manually and with technological approaches that have not matured over the course of a decade. This inadequacy results in inefficient strategies and security assessments that lack the breadth of scope to reliably simulate what attackers are likely to do when targeting an organization. Even companies that have mature vulnerability assessment programs may struggle when it comes to analyzing the potential risk and impact and managing remediation.

The Scope of the Challenge

Unfortunately, companies face a variety of other challenges when pursuing vulnerability management, including decentralized or inexperienced resources supporting the process, lack of an accurate IT asset inventory, and failure to determine and document whether a fix was applied or an exception was granted.

Another challenge is that the scope of the problem typically exceeds the span of control for the information security team. For comprehensive vulnerability mitigation and ongoing maintenance to occur, security teams depend almost completely on the cooperation of other teams — such as server support, systems administration and network operations — to make the necessary remediation changes. These groups know that each change can be time-consuming and possibly require reboots or scheduled downtime. Consequently, they usually have different timelines and sets of priorities compared to the security team, which wants to address the identified vulnerabilities as quickly as possible.

Any change to your environment could introduce a new vulnerability, and new threats are constantly emerging. Network equipment, server and workstation operating systems, printers and software are all rife with vulnerabilities. So are mobile, virtual and cloud environments. With growing concerns about data breaches and regulatory compliance, the need for mature vulnerability management capabilities is obvious.

What Is Vulnerability Management?

Vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline to discover, prioritize and mitigate exposures. Effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets.

There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration standards based on industry-recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (CIS), the SANS Institute and product vendors themselves. Companies that implement these standards also demonstrate due diligence during audits and regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames.

When starting to build a vulnerability management program, companies should take the following steps:

  • Assess and document the current state of the environment to prioritize areas of improvement.
  • Maintain an accurate IT asset inventory.
  • Document the security infrastructure, as well as external access to systems and processes.
  • Establish a security configuration baseline or desired state for each component of the infrastructure based on industry-recognized standards and practices.
  • Conduct internal vulnerability scanning across the entire network at least biannually.
  • Conduct external network perimeter scanning at least quarterly.
  • Identify the patch and configuration issues responsible for the most numerous and serious vulnerabilities.
  • Create a vulnerability remediation plan of action.
  • Prioritize remediation actions based on potential business impacts and the probability that a vulnerability will be exploited.

Sensitive assets with critical vulnerabilities should be assigned the highest mitigation priority. This requires some risk quantification and analysis. Major network, server and database assets should be classified in terms of the applications they support. This way, vulnerabilities can be related to the business processes that are at risk. Key assets should also be rated in terms of availability, data sensitivity and integrity requirements. Companies that have performed a business impact analysis as a component of their continuity planning have a good starting point.

Remediating Vulnerabilities

Vulnerability management requires an automated or manual workflow. Assessment reports should be provided to IT asset administrators and then verified by an auditing and feedback process. Once corrective action is taken to remediate the vulnerability, the IT asset should be re-examined for compliance. The more automated the process, the more efficiently your company can correct known vulnerability exposures.

It is essential to recognize that resolving the vulnerability for good depends on the IT asset and its role. The following can be considered remediation measures:

  • Patching the vulnerability;
  • Disabling vulnerable functionality;
  • Uninstalling vulnerable components;
  • Changing the system configuration; and
  • Upgrading the platform or service.

Companies should document all decisions not to remediate to prevent them from multiplying and becoming unmanageable. Failure to address a vulnerability is a decision to accept the risk. This decision should never be made by the IT or information security team, but by the business owner of the vulnerable asset. Exceptions should appear on the vulnerability assessment reports, and their use should be logged and tracked.
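As an added illustration (not code from the original article) of the prioritization described under "Sensitive assets with critical vulnerabilities" and of the exception tracking above: a small Python scorer that ranks constructed scan findings by asset criticality (availability, data sensitivity, integrity) and exploit likelihood, and keeps documented risk acceptances, with their business owner, visible on the report. Asset names, vulnerability ids, ratings and the scoring weights are all constructed placeholders.

```python
# Added example: ranking findings by business impact and exploit likelihood.
# Constructed asset inventory: each asset rated 1-3 for availability, data
# sensitivity and integrity, and tagged with the business application it supports.
ASSETS = {
    "db-pay-01":  {"app": "payments",        "availability": 3, "sensitivity": 3, "integrity": 3},
    "web-mkt-02": {"app": "marketing-site",  "availability": 2, "sensitivity": 1, "integrity": 1},
    "print-07":   {"app": "office-printing", "availability": 1, "sensitivity": 1, "integrity": 1},
}

# Constructed scan findings; "VULN-x" ids are placeholders, not real CVE numbers.
FINDINGS = [
    {"asset": "db-pay-01",  "vuln": "VULN-A", "severity": 9.8, "exploit_known": True},
    {"asset": "web-mkt-02", "vuln": "VULN-B", "severity": 9.8, "exploit_known": True},
    {"asset": "print-07",   "vuln": "VULN-C", "severity": 7.5, "exploit_known": False},
    {"asset": "db-pay-01",  "vuln": "VULN-D", "severity": 5.3, "exploit_known": False},
]

# Documented risk acceptances: (asset, vuln) -> the business owner who accepted it.
# The security team records the exception; it does not grant it.
EXCEPTIONS = {("print-07", "VULN-C"): "facilities-owner"}


def asset_criticality(asset):
    """Highest of the three ratings drives impact (a 3 on any axis makes the asset critical)."""
    r = ASSETS[asset]
    return max(r["availability"], r["sensitivity"], r["integrity"])


def priority_score(finding):
    """Business impact (asset criticality) times likelihood (scanner severity, boosted
    when an exploit is known to exist). Weights are assumptions for the example."""
    likelihood = finding["severity"] / 10.0
    if finding["exploit_known"]:
        likelihood = min(1.0, likelihood * 1.5)
    return round(asset_criticality(finding["asset"]) * likelihood, 2)


def remediation_report(findings, exceptions):
    """Open findings first, highest score first; accepted-risk items stay on the report."""
    rows = []
    for f in findings:
        key = (f["asset"], f["vuln"])
        status = f"accepted-risk:{exceptions[key]}" if key in exceptions else "open"
        rows.append({**f, "app": ASSETS[f["asset"]]["app"],
                     "score": priority_score(f), "status": status})
    return sorted(rows, key=lambda r: (r["status"] != "open", -r["score"]))


if __name__ == "__main__":
    for row in remediation_report(FINDINGS, EXCEPTIONS):
        print(f'{row["score"]:>5} {row["status"]:<30} {row["asset"]:<11} {row["app"]:<16} {row["vuln"]}')
```

Note that the marketing server with the same scanner severity ranks below the payments database because its business impact is lower, while the printer's accepted risk remains on the report with the owner who accepted it.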

A Layered Approach

The need to find and fix vulnerabilities will persist for the foreseeable future. Companies should implement a vulnerability management program that begins with a security configuration baseline and references industry-recognized best practices. Strong leadership can promote top-to-bottom commitment to the process.

A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to securing any environment against threats. Vulnerability management must be a foundational element of every information security program.
