Vulnerability assessment and management is one of the essential functions of any enterprise security program. It is so critical that it can make or break the security of an organization. Before we explore the nuances of what constitutes an effective vulnerability management program, it is important to understand what we mean by vulnerability management.

The term vulnerability management itself represents a misguided vision of how vulnerabilities are handled in a security program. A vulnerability is nothing but a weakness on a system that can be exploited by malicious outsiders. These vulnerabilities need to be remediated, not simply managed. Plugging them would eradicate 90 percent of your security concerns. So then what is the problem?

Too Many Assets, Too Little Time

If you are remotely interested in enterprise security, you already know the problem: There are millions of assets to assess, report on and remediate. The process is time consuming, repetitive and uncertain to actually solve any problems. You might believe it is working until a breach rocks your boat.

Can we remediate all these vulnerabilities? Not just yet — you would never be able to get to all of them in time. This is when most people start managing vulnerabilities. Manage which assets need to be scanned first, determine if the discovered vulnerabilities are accurate, create reports, determine which ones need to be remediated first and continue the process. The problem with this is that it’s easy to lose sight of the end goal: security.

Risk and Vulnerability Management

If we step back, we’ll see that we are really trying to minimize the risk factor by eliminating vulnerabilities that could lead to potential exploits. But the mere existence of a vulnerability doesn’t constitute risk. Risk is the combination of a vulnerability, access to that vulnerability, the ability to exploit it and, most importantly, something of value that could be extracted.

Unfortunately, many vulnerability management efforts tend to revolve around scanning and patching, while risk assessment and management is ignored. Risk management puts the vulnerability in context within the IT environment and helps security professionals understand if a particular risk is really something they should prioritize over other issues. Often it can be mitigated through other means, such as updating relevant firewall rules, changing application configuration or patching network layer to block a vulnerability for a large set of assets.

It’s safe to say that risk management is a common need among enterprise security programs. To implement an effective risk management approach, IT teams must first have:

  • An accurate and efficient vulnerability assessment tool;
  • An understanding of which assets and information are most important to the organization;
  • Knowledge of the network topology for visibility into how an attack would spread;
  • Current asset information;
  • Visibility into suspect behavior and activities;
  • Updates on the latest vulnerability disclosures;
  • Understanding of key stakeholders, such security officers, vulnerability engineers, asset owners and IT engineers;
  • Buy-in and participation from executives; and
  • Communication, communication and communication!

What Does It Take?

This is not an exhaustive list, but it should show you that it takes more than a scanning engine and a patch management solution to run an effective security program. You can’t buy it in a box: It takes tools, people, processes, expertise and investment to have a meaningful solution. It takes a program with active participation from people across security and IT operations. It also takes visibility and an understanding of known vulnerabilities in context with your environment.

More from Risk Management

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort.Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker is cracking…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.Understanding Attack Surface ManagementHere are some key…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor for…

Container Drift: Where Age isn’t Just a Number

Container orchestration frameworks like Kubernetes have brought about untold technological advances over the past decade. However, they have also enabled new attack vectors for bad actors to leverage. Before safely deploying an application, you must answer the following questions: How long should a container live? Does the container need to write any files during runtime? Determining the container’s lifetime and the context in which it runs is critical, especially when hosting an internet-facing service. What is Container Drift? When deploying…