November 1, 2016 By Vinaykumar Sukumar 2 min read

Vulnerability assessment and management is one of the essential functions of any enterprise security program. It is so critical that it can make or break the security of an organization. Before we explore the nuances of what constitutes an effective vulnerability management program, it is important to understand what we mean by vulnerability management.

The term vulnerability management itself represents a misguided vision of how vulnerabilities are handled in a security program. A vulnerability is nothing but a weakness on a system that can be exploited by malicious outsiders. These vulnerabilities need to be remediated, not simply managed. Plugging them would eradicate 90 percent of your security concerns. So then what is the problem?

Too Many Assets, Too Little Time

If you are remotely interested in enterprise security, you already know the problem: There are millions of assets to assess, report on and remediate. The process is time consuming, repetitive and uncertain to actually solve any problems. You might believe it is working until a breach rocks your boat.

Can we remediate all these vulnerabilities? Not just yet — you would never be able to get to all of them in time. This is when most people start managing vulnerabilities. Manage which assets need to be scanned first, determine if the discovered vulnerabilities are accurate, create reports, determine which ones need to be remediated first and continue the process. The problem with this is that it’s easy to lose sight of the end goal: security.

Risk and Vulnerability Management

If we step back, we’ll see that we are really trying to minimize the risk factor by eliminating vulnerabilities that could lead to potential exploits. But the mere existence of a vulnerability doesn’t constitute risk. Risk is the combination of a vulnerability, access to that vulnerability, the ability to exploit it and, most importantly, something of value that could be extracted.

Unfortunately, many vulnerability management efforts tend to revolve around scanning and patching, while risk assessment and management is ignored. Risk management puts the vulnerability in context within the IT environment and helps security professionals understand if a particular risk is really something they should prioritize over other issues. Often it can be mitigated through other means, such as updating relevant firewall rules, changing application configuration or patching network layer to block a vulnerability for a large set of assets.

It’s safe to say that risk management is a common need among enterprise security programs. To implement an effective risk management approach, IT teams must first have:

  • An accurate and efficient vulnerability assessment tool;
  • An understanding of which assets and information are most important to the organization;
  • Knowledge of the network topology for visibility into how an attack would spread;
  • Current asset information;
  • Visibility into suspect behavior and activities;
  • Updates on the latest vulnerability disclosures;
  • Understanding of key stakeholders, such security officers, vulnerability engineers, asset owners and IT engineers;
  • Buy-in and participation from executives; and
  • Communication, communication and communication!

What Does It Take?

This is not an exhaustive list, but it should show you that it takes more than a scanning engine and a patch management solution to run an effective security program. You can’t buy it in a box: It takes tools, people, processes, expertise and investment to have a meaningful solution. It takes a program with active participation from people across security and IT operations. It also takes visibility and an understanding of known vulnerabilities in context with your environment.

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today