A guide to vulnerability management in 2022

Enterprise Security Magazine | Wednesday, January 18, 2023

A more granular risk management approach requires the consideration of interconnected systems and components.

FREMONT, CA: Managing vulnerabilities in today's threat landscape is a cyclical process. In the complex interplay between people and technology, new vulnerabilities constantly emerge from a dynamic and expanding attack surface. Vulnerability management is more than just finding vulnerabilities, fixing them, and calling it done.

Vulnerabilities are flaws in computer systems that malicious actors can exploit to compromise the system. It is crucial to emphasize that vulnerabilities aren't caused only by weak software or hardware design or implementation; they can also arise from the way a system is operated or managed.

6 steps in the vulnerability management cycle

Discover: First, assets must be discovered and inventoried before vulnerability scanning can begin. It is important to conduct comprehensive discovery to avoid situations in which systems or apps carry vulnerabilities that aren't being tracked properly because the asset itself is unknown.

A network scanner, a cloud management console, and a dedicated asset discovery platform are useful tools for tracking all IT assets. Because the vulnerability lifecycle is iterative, an inventory can be refined and updated once it has been established.

Prioritize Assets: The importance of each asset varies from business to business, so systems should be grouped according to their priority. A high-priority asset is one that is vital to the operation of the business, that cannot tolerate faults, or that stores sensitive information.

Because vulnerability management programs are often constrained by a lack of resources, it is prudent to concentrate on hunting down vulnerabilities in high-priority assets. Organizations face a significantly higher risk of compromise when high-impact systems are neglected and left vulnerable. Lower-priority assets take a back seat in vulnerability assessments, but they should not be ignored.

Assess: Traditional vulnerability scans are performed during the assessment stage, ideally with a high level of automation. The goal should be both breadth and depth. Breadth comes from deploying dedicated tools that scan web applications, cloud infrastructure, and every other asset in your inventory for vulnerabilities, misconfigurations, and similar weaknesses. Penetration testing adds depth, as expert security testers probe for vulnerabilities that scans do not easily detect.

Once vulnerabilities have been enumerated, it is essential to combine the list with your prioritized assets. This contextual information includes an assessment of each vulnerability's risk level and of the affected asset's exposure level. These details lay the foundation for accurate and meaningful reporting on vulnerabilities and their remediation priorities.

Report: Documented findings, compiled from the data collected during the previous steps, should be presented to stakeholders. It is important to tailor reports to different audiences based on their technical needs. Communication of high-level trends to executives and other technology decision-makers needs to be concise. To facilitate smooth remediation efforts, security teams need reports that are clear and detailed, ideally with suggested fixes included.

Remediate: The remediation phase includes all actions taken to fix vulnerabilities, such as applying security patches, upgrading hardware, and changing configurations. When direct remediation is not possible, the best course of action is to mitigate the risk of exploitation until a fix becomes practical, for example by isolating a vulnerable system from the rest of the network. Remediation priority depends on the severity of a vulnerability and the criticality of the underlying system.

Verify: The verification phase completes the vulnerability management lifecycle by checking whether mitigation or removal attempts have been successful. Because organizations need to scan and assess their IT environments for vulnerabilities regularly, the verification phase can overlap with the discovery and assessment phases of the next cycle. To verify the success of remediation actions, follow-up audits involving separate re-scans or penetration tests can be conducted.
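The prioritization described under Assess and Remediate, and the comparison done in the Verify step, can be expressed in a few lines. The following is an added example, not code from the article: asset criticality and exposure scales, the risk formula, and all inventory and finding data are constructed assumptions, and the vulnerability identifiers are placeholders.

```python
# Added example (not from the article). Combines a prioritized asset inventory
# with scan findings to build a remediation queue, then verifies a re-scan.
# All assets, scores and finding identifiers below are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # assumed scale: 1 (low) .. 3 (vital or holds sensitive data)
    exposure: int     # assumed scale: 1 (internal only) .. 3 (internet-facing)

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # placeholder identifiers, not real CVE numbers
    severity: float   # CVSS-style base score, 0.0 .. 10.0

# Constructed inventory from the Prioritize Assets step.
ASSETS = {
    "erp-db":     Asset("erp-db", criticality=3, exposure=1),
    "web-portal": Asset("web-portal", criticality=3, exposure=3),
    "dev-wiki":   Asset("dev-wiki", criticality=1, exposure=2),
}

UNTRACKED_RISK = 10.0 * 3 * 3 + 1  # above any score an inventoried asset can reach

def risk_score(finding, assets):
    """Vulnerability severity weighted by the asset's criticality and exposure.
    A finding on an asset missing from the inventory is the untracked-asset gap
    the Discover step warns about, so it is ranked first rather than dropped."""
    asset = assets.get(finding.asset)
    if asset is None:
        return UNTRACKED_RISK
    return finding.severity * asset.criticality * asset.exposure

def remediation_queue(findings, assets):
    """Findings ordered by contextual risk, highest first (Report/Remediate)."""
    return sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)

def verify(before, after):
    """Verify step: (findings still open after remediation, findings new in re-scan)."""
    key = lambda f: (f.asset, f.vuln_id)
    before_keys = {key(f) for f in before}
    after_keys = {key(f) for f in after}
    return sorted(before_keys & after_keys), sorted(after_keys - before_keys)

if __name__ == "__main__":
    scan = [Finding("web-portal", "VULN-SAMPLE-1", 9.8),
            Finding("erp-db", "VULN-SAMPLE-2", 7.5),
            Finding("dev-wiki", "VULN-SAMPLE-3", 9.8),
            Finding("unknown-host", "VULN-SAMPLE-4", 5.0)]
    for f in remediation_queue(scan, ASSETS):
        print(f"{risk_score(f, ASSETS):6.1f}  {f.asset:<13} {f.vuln_id}")
```

Note that the critical-severity finding on the low-priority wiki ranks below the medium-severity one on the internal ERP database, which is exactly the contextual ordering the article calls for.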
