Companies need to do more than scan for known problems and hand system and network administrators huge vulnerability reports for remediation. According to Gartner, known vulnerabilities still account for 99 percent of all known exploit traffic. Furthermore, malware, ransomware and exploit kits target vulnerabilities that are, on average, six months old or older, which means most successful exploitation hits flaws for which a fix has long been available.

For many companies, vulnerability management amounts to a game of whack-a-mole. Vulnerability research, assessment and testing are conducted manually and with technological approaches that have not matured over the course of a decade. This inadequacy results in inefficient strategies and security assessments that lack the breadth of scope to reliably simulate what attackers are likely to do when targeting an organization. Even companies that have mature vulnerability assessment programs may struggle when it comes to analyzing the potential risk and impact and managing remediation.

The Scope of the Challenge

Unfortunately, companies face a variety of other challenges when pursuing vulnerability management, including decentralized or inexperienced resources supporting the process, lack of an accurate IT asset inventory, and failure to determine and document whether a fix was applied or an exception was granted.

Another challenge is that the scope of the problem typically exceeds the span of control for the information security team. For comprehensive vulnerability mitigation and ongoing maintenance to occur, security teams depend almost completely on the cooperation of other teams — such as server support, systems administration and network operations — to make the necessary remediation changes. These groups know that each change can be time-consuming and possibly require reboots or scheduled downtime. Consequently, they usually have different timelines and sets of priorities compared to the security team, which wants to address the identified vulnerabilities as quickly as possible.

Any change to your environment could introduce a new vulnerability, and new threats are constantly emerging. Network equipment, server and workstation operating systems, printers and software are all rife with vulnerabilities. So are mobile, virtual and cloud environments. With growing concerns about data breaches and regulatory compliance, the need for mature vulnerability management capabilities is obvious.

What Is Vulnerability Management?

Vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline to discover, prioritize and mitigate exposures. Effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets.

There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration standards based on industry-recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (CIS), the SANS Institute and product vendors themselves. Companies that implement these standards also demonstrate due diligence during audits and regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames.

When starting to build a vulnerability management program, companies should take the following steps:

  • Assess and document the current state of the environment to prioritize areas of improvement.
  • Maintain an accurate IT asset inventory.
  • Document the security infrastructure, as well as external access to systems and processes.
  • Establish a security configuration baseline or desired state for each component of the infrastructure based on industry-recognized standards and practices.
  • Conduct internal vulnerability scanning across the entire network at least twice a year (note that PCI DSS requires quarterly internal and external scans of in-scope systems, and most mature programs scan far more frequently than any minimum).
  • Conduct external network perimeter scanning at least quarterly.
  • Identify the patch and configuration issues responsible for the most numerous and serious vulnerabilities.
  • Create a vulnerability remediation plan of action.
  • Prioritize remediation actions based on potential business impacts and the probability that a vulnerability will be exploited.

Sensitive assets with critical vulnerabilities should be assigned the highest mitigation priority. This requires some risk quantification and analysis. Major network, server and database assets should be classified in terms of the applications they support. This way, vulnerabilities can be related to the business processes that are at risk. Key assets should also be rated in terms of availability, data sensitivity and integrity requirements. Companies that have performed a business impact analysis as a component of their continuity planning have a good starting point.

Remediating Vulnerabilities

Vulnerability management requires a workflow, whether automated or manual. Assessment reports should be delivered to the administrators of the affected IT assets and then verified through an auditing and feedback process. Once corrective action has been taken, the IT asset should be rescanned to confirm that the exposure is actually gone, rather than closing the finding on the strength of a change ticket. The more automated the process, the more efficiently your company can correct known vulnerability exposures.

It is essential to recognize that the right fix depends on the IT asset and its role; patching is only one option. The following can all be considered remediation measures:

  • Patching the vulnerability;
  • Disabling vulnerable functionality;
  • Uninstalling vulnerable components;
  • Changing the system configuration; and
  • Upgrading the platform or service.

Companies should document every decision not to remediate, to prevent such decisions from multiplying and becoming unmanageable. Failure to address a vulnerability is a decision to accept the risk. That decision should never be made by the IT or information security team, but by the business owner of the vulnerable asset. Each exception should record who approved it and when it expires, so that a deferred fix is re-approved rather than quietly becoming permanent. Exceptions should continue to appear on the vulnerability assessment reports, and their use should be logged and tracked.
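
The prioritization rule from the program-building steps above (impact of the asset and the business processes it supports, combined with the probability of exploitation) and the exception handling described in this section are easier to reason about in code. The following Python is an added illustration, not code from the article or from any IBM product; the asset ratings, check identifiers, dates and the scoring weights are constructed assumptions, and a real program would take findings from its scanner and asset data from its inventory.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                   # business owner entitled to accept risk
    applications: tuple          # business processes the asset supports
    availability: int            # requirement ratings, 1 (low) .. 3 (high)
    sensitivity: int
    integrity: int

    @property
    def criticality(self) -> int:
        # the strictest of the three requirements rates the asset
        return max(self.availability, self.sensitivity, self.integrity)

@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str                # scanner check identifier (constructed)
    title: str
    cvss: float                  # CVSS base score, 0.0 .. 10.0
    exploited_in_wild: bool      # known exploitation raises likelihood

@dataclass(frozen=True)
class RiskAcceptance:
    asset: str
    check_id: str
    approved_by: str
    expires: date
    reason: str

def priority(finding: Finding, asset: Asset) -> float:
    """Hypothetical score: impact (asset criticality) times likelihood
    (CVSS, doubled when exploitation is known), scaled to 0..10."""
    multiplier = 2.0 if finding.exploited_in_wild else 1.0
    likelihood = min(1.0, finding.cvss / 10 * multiplier)
    impact = asset.criticality / 3
    return round(10 * impact * likelihood, 2)

def exception_status(finding, asset, acceptances, today):
    """'open' unless an unexpired acceptance signed by the asset's
    business owner exists; any other acceptance is reported as open."""
    for acc in acceptances:
        if (acc.asset, acc.check_id) != (finding.asset, finding.check_id):
            continue
        if acc.approved_by != asset.owner:
            return "open (acceptance not by business owner)"
        if acc.expires < today:
            return "open (acceptance expired)"
        return "accepted until %s by %s" % (acc.expires.isoformat(), acc.approved_by)
    return "open"

def build_report(findings, assets, acceptances, today):
    """Rows sorted by descending priority; accepted risks stay on the
    report so they remain visible and tracked instead of vanishing."""
    rows = []
    for f in findings:
        a = assets[f.asset]
        rows.append({"asset": a.name, "processes": ", ".join(a.applications),
                     "check": f.check_id, "title": f.title,
                     "priority": priority(f, a),
                     "status": exception_status(f, a, acceptances, today)})
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows

def verify_remediation(before, after):
    """Re-examination after corrective action: findings from the earlier
    scan that no longer appear in the rescan are confirmed closed."""
    still_open = {(f.asset, f.check_id) for f in after}
    return [f for f in before if (f.asset, f.check_id) not in still_open]

# Constructed sample data (hypothetical assets, checks and dates)
ASSETS = {
    "db-01": Asset("db-01", "finance-owner", ("payroll", "billing"), 3, 3, 3),
    "print-07": Asset("print-07", "facilities-owner", ("office printing",), 1, 1, 1),
    "web-02": Asset("web-02", "sales-owner", ("customer portal",), 2, 2, 1),
}
SCAN_1 = [
    Finding("db-01", "CHK-1001", "Unpatched database listener", 7.5, True),
    Finding("print-07", "CHK-2002", "Outdated printer firmware", 9.8, False),
    Finding("web-02", "CHK-3003", "Weak TLS configuration", 5.3, False),
    Finding("db-01", "CHK-4004", "Legacy management service enabled", 4.0, False),
]
SCAN_2 = SCAN_1[1:]               # rescan after the listener was patched
ACCEPTANCES = [
    RiskAcceptance("print-07", "CHK-2002", "facilities-owner", date(2024, 12, 31),
                   "isolated VLAN; replacement device ordered"),
    RiskAcceptance("db-01", "CHK-4004", "security-team", date(2025, 6, 30),
                   "low score"),   # invalid: not signed by the business owner
]
REPORT_DATE = date(2024, 6, 1)
LATER_DATE = date(2025, 1, 15)    # after the printer acceptance has expired

if __name__ == "__main__":
    for row in build_report(SCAN_1, ASSETS, ACCEPTANCES, REPORT_DATE):
        print("%5.2f  %-8s %-8s %-34s %s" % (row["priority"], row["asset"],
                                             row["check"], row["title"], row["status"]))
    closed = verify_remediation(SCAN_1, SCAN_2)
    print("confirmed closed on rescan:", [f.check_id for f in closed])
```

Two things the sample data is chosen to show: a CVSS 9.8 finding on an isolated printer ranks below a CVSS 4.0 finding on the payroll database once asset criticality and known exploitation are factored in, and an acceptance signed by the security team rather than the business owner does not remove the finding from the report. The expiry check keeps an old exception from outliving the conditions it was granted under.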

A Layered Approach

The need to find and fix vulnerabilities will persist for the foreseeable future. Companies should implement a vulnerability management program that begins with a security configuration baseline and references industry-recognized best practices. Strong leadership can promote top-to-bottom commitment to the process.

A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to secure any environment from threats. Vulnerability management must be a foundational element to every information security program.

