How to Build a Vulnerability Management Program
A vulnerability management program systematically identifies, evaluates, prioritizes, and mitigates vulnerabilities that can pose a risk to an enterprise’s infrastructure and applications. A modern vulnerability management program combines automation, threat intelligence, and data science to predict which vulnerabilities represent the greatest risk to a specific environment.
Why is a vulnerability management program critical?
The number of vulnerabilities observed in devices, networks and applications has grown dramatically in recent years. A glance at the National Vulnerability Database reveals that the number of Common Vulnerabilities and Exposures (CVEs) has tripled since 2016.
Also on the rise: Highly sophisticated efforts to exploit those vulnerabilities. According to the Identity Theft Resource Center (ITRC), the number of recorded data breaches jumped 17% from 2018 to 2019. In just the first two months of 2020, 1.66 billion records were exposed in 11,476 breaches.
Yet most companies are still not adequately prepared. In 2019, PwC found that “less than half of companies globally are sufficiently prepared for a cybersecurity attack.” Cybercriminals are becoming more advanced and organizations are struggling to ensure their team’s cybersecurity skill sets, tools and processes can address these threats.
All this comes at a real cost to businesses. By 2021, Cybersecurity Ventures predicts damages caused by cybercrime will cost the world $6 trillion annually (up from $3 trillion in 2015)—costs that, in a time of historic economic disruption, businesses can scarcely afford.
As vulnerabilities and diversified attacks continue to grow, you need a vulnerability management program to properly protect your infrastructure, applications, and data.
Can a traditional vulnerability management program keep up?
Many enterprises still rely on the habit of patching anything above a certain threshold, such as Common Vulnerability Scoring System (CVSS) scores of seven or above. Some continue to use huge spreadsheets of vulnerabilities that they then sort based on intuition, the public profile of a vulnerability, or the number of assets affected. For the most part, this basic approach to a vulnerability management program worked—that is, until attackers grew more sophisticated and infrastructures grew more intricate, sensitive, and expansive.
The problem for today’s organizations is that these traditional vulnerability management program models force them to try to prioritize vulns without the context necessary to accurately assess the risk a vulnerability poses to their specific organization. For example, a vulnerability might be making the headlines and cause anxiety among stakeholders and executives. Many vulnerabilities have been patched under these conditions. But in many cases, the vulnerability may not be one that is actively exploited within your industry; in other words, it poses a relatively low risk to your infrastructure. Having this context would help you determine what vulnerabilities are worth fixing—and then defend to others your decision to deprioritize remediation for headline-grabbing vulnerabilities.
Now consider that only 2%-5% of an organization’s vulnerabilities are likely to be exploited. Traditional ways of managing vulnerabilities aren’t likely to be much help in pinpointing those most likely to be weaponized. Vulnerability scanners and CVSS scores offer IT and Security teams little insight into the specific risk that each vulnerability poses to an organization.
This leaves Security teams attempting to coax IT and DevOps into remediating a high volume of vulnerabilities that ultimately might not lower risk and waste precious cycles that could be dedicated to more strategic and meaningful initiatives. The friction between Security and IT teams is something organizations with traditional vulnerability management programs know all too well.
Traditional vs. risk-based vulnerability management programs
A more modern alternative to traditional methods is risk-based vulnerability management, which combines data science, real-time vulnerability intelligence, and automation to produce a prioritized, efficient approach that isolates and explains the risks that actually pose a real threat to an organization. Companies looking to save time, create more efficient remediation workflows, and lower their risk profile have been turning to risk-based vulnerability management.
According to leading analysts, the future of vulnerability management programs is risk-based. In recent months, as vulnerabilities and threats continue to increase and evolve, Gartner has recognized the necessity for vulnerability prioritization based on risk. “Gartner has called out the critical need to assess assets for configuration issues and vulnerabilities, and to be able to prioritize what you do with that assessment, based on the risk to your organization.” [Gartner, Inc.: Market Guide for Vulnerability Assessment, Craig Lawson, Mitchell Schneider, Prateek Bhajanka, Dale Gardner, Nov. 20, 2019.]
And at the end of last year, Forrester also observed that risk-based prioritization will define future modern vulnerability management programs.
What are the steps to building a vulnerability management program?
Organizations looking to establish or strengthen their vulnerability management programs should begin by following these six key steps.
- Assemble your team. Start laying the groundwork for your program by identifying all the key players needed. Organizations often have a Security director or manager tasked with handling vulnerability management and at least one analyst who identifies, tracks, and assesses vulnerabilities across your environment. Your remediation team, in charge of fixing the vulnerabilities, may span multiple departments such as IT, DevOps, and AppSec.
- Acquire the right tools. Common vulnerability-finding tools used by Security teams unearth vulnerabilities within the environment. Once these vulns are located, a configuration management database provides detailed information about all the hardware and software assets in an organization. A vulnerability management solution makes sense of and sorts this acquired data, which identifies the top vulnerabilities that pose the greatest risk to the organization. These are then fed into a remediation workflow (typically using a ticketing system) which is shared with IT and DevOps.
- Cross-reference the threat landscape with your environment. Take your understanding of your assets and known vulnerabilities within your organization and cross-reference them with your threat intelligence. This will help you determine the impact of a potential exploit—another key factor in determining risk. Tools such as CVE lists, CPE (common platform enumeration) and CWE (common weakness enumeration) information offer a start, but to cross-reference effectively, you need broad, real-world data that only a modern vulnerability management program will incorporate.
- Know your assets, applications, and risk tolerance. Understanding your current assets and your organization’s acceptable level of risk is critical for effective prioritization. To develop a detailed asset inventory, look to automated tools to help with this discovery task, which will scan your organization to identify assets like servers, workstations, virtual machines, storage arrays, and network devices. Your risk tolerance might be informed by your industry or specific company guidelines. Look for sources within your company to point you to risk assessment guidelines involving other aspects of the business. For specific vulnerabilities, it’s critical to understand how much risk you can accept and the trade-offs that come with either remediating now or waiting.
- Measure, evaluate and prioritize your vulnerabilities. This is the stage at which your choice of vulnerability management platform becomes critical. When considering the right platform for your organization, look for one that integrates real-world vulnerability intelligence, data science, automated risk analysis, customized risk metrics, and even risk-based SLAs. The best modern platforms combine all this into a metric—or score—that is simple, understandable, and repeatable.
- Communicate, remediate, and report. Your vulnerability management solution should help—not hinder—your internal communication between key teams. It should also support your ability to remediate quickly and efficiently while keeping everyone up to speed, and make reporting on your progress simple and intuitive. Make sure you look for a platform offering integration with popular ticketing systems and the ability to develop metrics and custom dashboards so key stakeholders have a constant, easy-to-understand window into your company’s risk management progress. Most organizations employ a mix of three common remediation tactics: automated patches, patch management tools, and manual updates.
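As an added illustration (not the page's own code or any vendor's scoring model), the following Python script compares the "CVSS of seven or above" rule from the steps above with a risk-based ranking that folds in exploit intelligence and asset context. The sample findings, the placeholder CVE-style identifiers, and the weights in risk_score are all constructed assumptions for this example.

```python
"""Risk-based prioritization versus a CVSS-threshold rule (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                   # placeholder identifier, constructed for this example
    cvss: float                # CVSS base score (0-10) reported by the scanner
    exploited_in_wild: bool    # threat intelligence: exploitation observed
    exploit_available: bool    # threat intelligence: public exploit exists
    asset_criticality: int     # 1 (low) .. 5 (crown jewel), from the CMDB
    internet_facing: bool      # exposure, from the asset inventory


# Constructed sample findings; the identifiers are placeholders, not real advisories.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", 9.8, False, False, 1, False),  # headline vuln, isolated host
    Finding("CVE-PLACEHOLDER-2", 6.5, True, True, 5, True),     # exploited in the wild, crown jewel
    Finding("CVE-PLACEHOLDER-3", 7.5, False, True, 3, True),    # exploit public, exposed server
    Finding("CVE-PLACEHOLDER-4", 5.0, False, False, 2, False),  # low severity, internal only
]


def cvss_threshold(findings, threshold=7.0):
    """Traditional rule: remediate everything at or above the CVSS threshold."""
    return [f.cve for f in findings if f.cvss >= threshold]


def risk_score(f):
    """Illustrative risk score with assumed weights (not a published model).

    Likelihood is driven by threat intelligence, impact by asset context;
    CVSS still contributes, but no longer dominates the decision.
    """
    likelihood = 0.2                      # baseline: no exploit known
    if f.exploit_available:
        likelihood += 0.3
    if f.exploited_in_wild:
        likelihood += 0.5
    exposure = 1.0 if f.internet_facing else 0.5
    impact = (f.asset_criticality / 5) * (f.cvss / 10)
    return round(100 * likelihood * exposure * impact, 1)


def risk_based(findings, risk_tolerance=20.0):
    """Risk-based view: rank by score and keep those above the org's tolerance."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, risk_score(f)) for f in ranked if risk_score(f) >= risk_tolerance]
```

With these inputs the threshold rule queues the 9.8 on an isolated host and skips the 6.5 that is actively exploited on a crown-jewel asset, while the risk-based ranking puts that 6.5 first.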
Learn how to implement a modern, risk-based vulnerability management program
The need for a business to establish a modern vulnerability management program is clear. Leaning on traditional methods of vulnerability management leaves remediation teams chasing down vulnerabilities that may not reduce their overall risk and creates inefficiencies within workflows. Modern vulnerability management programs allow organizations to take a proactive, data-driven stance against threats and streamline internal operations to save time and money, reduce wasted effort, improve collaboration across teams, and make a meaningful impact on their risk profiles.
For an in-depth look at how to implement a risk-based vulnerability management program, download How to Implement Risk-Based Vulnerability Management Now: A Practical Guide. Filled with practical tips and best practices, this eBook details the importance of a modern vulnerability management program amid today’s evolving threat landscape and walks through in detail the six key steps to establishing a risk-based vulnerability management program outlined above.
Download the eBook today, and start future-proofing your business.