A vulnerability management system bolsters an enterprise’s cybersecurity efforts by continuously identifying and evaluating vulnerabilities in its information ecosystem. By seeking out and flagging these vulnerabilities, the enterprise can then take action to fix the gaps in its defenses and accurately report on its cybersecurity posture with confidence.
Note how I called it the ‘information ecosystem’ and not network, infrastructure, or some other techy term. The cybersecurity landscape has evolved dramatically over the years, creating a diverse and complex environment for security teams to worry about. The cloud explosion, mobile technology, and IoT devices are just a few of the factors that have played a role in this ongoing and, some might say, accelerating evolution.
This information ecosystem, or whatever you’d like to call it, has tremendous value to the enterprise, and carries with it equal risk. Let’s explore the four key pillars that constitute a vulnerability management system and how they work.
Aren’t vulnerability management and vulnerability assessment the same?
These two terms, while related, aren’t the same thing. Vulnerability management takes place continuously, actively scanning the enterprise’s endpoints, network, cloud assets, and more for possible vulnerabilities, which it then evaluates and flags for action.
A vulnerability assessment, on the other hand, is a one-time activity to evaluate vulnerabilities. A vulnerability assessment is part of the overall vulnerability management process, which primarily consists of four steps:
- Identifying and monitoring
- Evaluating
- Taking action
- Reporting
Identifying and monitoring vulnerabilities
Vulnerability management starts with identifying existing vulnerabilities, typically using a vulnerability scanner that assesses information assets (again, avoiding a term like ‘endpoint’) and, based on its configuration, determines whether a vulnerability exists.
Configuration is vital here. Proper tuning limits the number of ‘false positives’ you’ll receive, which in turn reduces the amount of time your security team spends on vulnerabilities that don’t actually exist. Proper configuration also protects the stability of your business systems; after all, you wouldn’t want to run a resource-intensive scan in the middle of your working day, would you?
Periodic, ongoing scans allow you to monitor your ecosystem for any new vulnerabilities as they arise, which they inevitably will.
Just like in your daily job, not everything can be #1 on the priority list. Vulnerability management systems assign scores using an established methodology, such as the public Common Vulnerability Scoring System (CVSS) framework, to help you determine which vulnerabilities are the most important to address.
By using an agreed-upon framework like CVSS, your organization can prioritize and respond properly to the vulnerabilities it detects. As with other standardized measures, you shouldn’t depend on these scores alone. Instead of seeing them as a ‘vulnerability panacea,’ view them as the foundation upon which to build your remediation and mitigation strategy.
Taking action on vulnerabilities can be seen similarly to battlefield triage, where resources are allocated depending on the severity of the situation. Responding to vulnerabilities falls into three categories: remediation, mitigation, and acceptance.
The most severe, top-priority vulnerabilities are fully remediated, either by applying available patches, performing a set of actions to fix the issue, or removing the offending system or application from the environment entirely. Remediation often takes the most time and effort, but it is also the most effective response to a vulnerability.
Vulnerability mitigation is used for lower-impact concerns or when a proper remediation isn’t available. Mitigation lessens the impact if the vulnerability is exploited or makes it less likely that something bad will happen.
Some vulnerabilities carry a low risk to the enterprise, or the cost of remediation or mitigation is more than the damage that might be caused by that vulnerability being exploited. In this case, the enterprise may choose to accept the risk without taking any action, focusing instead on higher priorities based on the results of its evaluation phase.
Nearly every enterprise is subject to certain regulatory requirements. These vary in scope depending on the industry in question. Financial services and health organizations have well-defined and fairly extensive regulations to follow. These regulations include provisions for data security and privacy, both of which tie in closely with the work performed by your vulnerability management system.
Reporting on the vulnerabilities in your ecosystem and the steps taken to correct them is central to your regulatory compliance efforts. Vulnerability management systems give you the capability to produce reports and visualizations that meet your regulatory requirements and make your ongoing vulnerability management efforts more effective.
Vulnerability management software
JupiterOne integrates with some of the most popular vulnerability management software on the market, pulling in vulnerability findings from these sources, correlating them with relevant cyber assets, and providing a centralized view of your environment. With this additional context at your disposal, you can more easily follow the four vulnerability management steps, quickly spotting vulnerabilities, assessing their impact, taking the appropriate steps to address them, and reporting on your results.