November 1, 2016 By Vinaykumar Sukumar 2 min read

Vulnerability assessment and management is one of the essential functions of any enterprise security program. It is so critical that it can make or break the security of an organization. Before we explore the nuances of what constitutes an effective vulnerability management program, it is important to understand what we mean by vulnerability management.

The term vulnerability management itself represents a misguided vision of how vulnerabilities are handled in a security program. A vulnerability is nothing but a weakness on a system that can be exploited by malicious outsiders. These vulnerabilities need to be remediated, not simply managed. Plugging them would eradicate 90 percent of your security concerns. So then what is the problem?

Too Many Assets, Too Little Time

If you are remotely interested in enterprise security, you already know the problem: There are millions of assets to assess, report on and remediate. The process is time consuming, repetitive and uncertain to actually solve any problems. You might believe it is working until a breach rocks your boat.

Can we remediate all these vulnerabilities? Not just yet — you would never be able to get to all of them in time. This is when most people start managing vulnerabilities. Manage which assets need to be scanned first, determine if the discovered vulnerabilities are accurate, create reports, determine which ones need to be remediated first and continue the process. The problem with this is that it’s easy to lose sight of the end goal: security.

Risk and Vulnerability Management

If we step back, we’ll see that we are really trying to minimize the risk factor by eliminating vulnerabilities that could lead to potential exploits. But the mere existence of a vulnerability doesn’t constitute risk. Risk is the combination of a vulnerability, access to that vulnerability, the ability to exploit it and, most importantly, something of value that could be extracted.

Unfortunately, many vulnerability management efforts tend to revolve around scanning and patching, while risk assessment and management is ignored. Risk management puts the vulnerability in context within the IT environment and helps security professionals understand if a particular risk is really something they should prioritize over other issues. Often it can be mitigated through other means, such as updating relevant firewall rules, changing application configuration or patching network layer to block a vulnerability for a large set of assets.

It’s safe to say that risk management is a common need among enterprise security programs. To implement an effective risk management approach, IT teams must first have:

  • An accurate and efficient vulnerability assessment tool;
  • An understanding of which assets and information are most important to the organization;
  • Knowledge of the network topology for visibility into how an attack would spread;
  • Current asset information;
  • Visibility into suspect behavior and activities;
  • Updates on the latest vulnerability disclosures;
  • Understanding of key stakeholders, such security officers, vulnerability engineers, asset owners and IT engineers;
  • Buy-in and participation from executives; and
  • Communication, communication and communication!

What Does It Take?

This is not an exhaustive list, but it should show you that it takes more than a scanning engine and a patch management solution to run an effective security program. You can’t buy it in a box: It takes tools, people, processes, expertise and investment to have a meaningful solution. It takes a program with active participation from people across security and IT operations. It also takes visibility and an understanding of known vulnerabilities in context with your environment.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today