Four key pillars of a successful vulnerability management system

By

A vulnerability management system bolsters an enterprise’s cybersecurity efforts by continuously identifying and evaluating vulnerabilities in its information ecosystem. By seeking out and flagging these vulnerabilities, the enterprise can then take action to fix the gaps in its defenses and accurately report on its cybersecurity posture with confidence.

Note how I called it the ‘information ecosystem’ and not network, infrastructure, or some other techy term. The cybersecurity landscape has evolved dramatically over the years, creating a diverse and complex environment for security teams to worry about. The cloud explosion, mobile technology, and IoT devices are just a few of the factors that have played a role in this ongoing and, some might say, accelerating evolution.

This information ecosystem, or whatever you’d like to call it, has tremendous value to the enterprise, and carries with it equal risk. Let’s explore the four key pillars that constitute a vulnerability management system and how they work.

Aren’t vulnerability management and vulnerability assessment the same?

These two terms, while related, aren’t the same thing. Vulnerability management takes place continuously, actively scanning the enterprise’s endpoints, network, cloud assets, and more for possible vulnerabilities, which it then evaluates and flags for action.

A vulnerability assessment, on the other hand, is a one-time activity to evaluate vulnerabilities. A vulnerability assessment is part of the overall vulnerability management process, which primarily consists of four steps:

  1. Identifying and monitoring
  2. Evaluating
  3. Fixing
  4. Reporting

Identifying and monitoring vulnerabilities

Vulnerability management starts with identifying existing vulnerabilities, typically using a vulnerability scanner that assesses information assets (again, avoiding a term like ‘endpoint’) and, based on its configuration, identifying if a vulnerability exists.

Configuration is vital here. Proper tuning limits the number of ‘false positives’ you’ll receive, which in turn reduces the amount of time your security team takes on vulnerabilities that don’t necessarily exist. Proper configuration also ensures the stability of your business systems; after all, you wouldn’t want to run a resource-intensive scan in the middle of your working day, would you?

Periodic, ongoing scans allow you to monitor your ecosystem for any new vulnerabilities as they arise, which they inevitably will.

Evaluating vulnerabilities

Just like in your daily job, not everything can be #1 on the priority list. Vulnerability management systems assign scores using an established methodology, such as the public Common Vulnerability Scoring System (CVSS) framework, to help you determine which vulnerabilities are the most important to address.

By using an agreed-upon framework like CVSS, your organization can prioritize and respond properly to the vulnerabilities it detects. Similar to other standardized measures, it’s important to note that you shouldn’t solely depend on these assessments. Instead of seeing them as a ‘vulnerability panacea,’ you should view them as the foundation upon which to build your remediation and mitigation strategy.

Fixing vulnerabilities

Taking action on vulnerabilities can be seen similarly to battlefield triage, where resources are allocated depending on the severity of the situation. Responding to vulnerabilities falls into three categories: remediation, mitigation, and acceptance.

Vulnerability remediation

The most severe, top priority vulnerabilities are fully remediated, either through applying available updated patches, performing a set of actions to fix the issue, or removing the offending system or application entirely from the environment. Remediation often takes the most time and effort, but is also the most effective response to a vulnerability.

Vulnerability mitigation

Vulnerability mitigation is used for lower-impact concerns or when a proper remediation isn’t available. Mitigation lessens the impact if the vulnerability is exploited or makes it less likely that something bad will happen.

Vulnerability acceptance

Some vulnerabilities carry a low risk to the enterprise, or the cost of remediation or mitigation is more than the damage that might be caused by that vulnerability being exploited. In this case, the enterprise may choose to accept the risk without taking any action, focusing instead on higher priorities based on the results of its evaluation phase.

Reporting vulnerabilities

Nearly every enterprise is subject to certain regulatory requirements. These vary in scope depending on the industry in question. Financial services and health organizations have well-defined and fairly extensive regulations to follow. These regulations include provisions for data security and privacy, both of which tie in closely with the work performed by your vulnerability management system.

Reporting on vulnerabilities in your ecosystem and the steps taken to correct them are central to your regulatory compliance efforts. Vulnerability management systems give you the capability to produce reports and visualizations to meet your regulatory requirements and make your ongoing vulnerability management efforts more effective.

Vulnerability management software

JupiterOne integrates with some of the most popular vulnerability management software on the market, pulling in vulnerability findings from these sources, correlating them with relevant cyber assets, and providing a centralized view of your environment. With this additional context at your disposal, you can more easily follow the four vulnerability management steps, quickly spotting vulnerabilities, assessing their impact, taking the appropriate steps to address them, and reporting on your results.

Learn more about JupiterOne’s vulnerability management capabilities and integrations and, when you’re ready, request a demo to see it in action.

New call-to-action
Corey Tomlinson
Corey Tomlinson

Corey is a Senior Product Marketing Manager at JupiterOne. Since 2005, he's combined his interest and experience in technology, including working on the insider threat and digital forensics frontlines, with an array of storytelling and content creation skills.

Keep Reading

JupiterOne and AWS together help customers strengthen security posture
November 30, 2022
Blog
JupiterOne and AWS together help customers strengthen security posture

To help organizations of all sizes secure their cloud assets, JupiterOne announced a number of key initiatives with AWS this week at re:Invent.

How to visualize your data by use case with JupiterOne
November 23, 2022
Blog
How to visualize your data by use case with JupiterOne

The new Properties Panel and Managed Dashboards in the JupiterOne platform empower you to prioritize speed, efficiency, and organization!

Security will give up on users as a line of defense in 2023
November 23, 2022
Blog
Security will give up on users as a line of defense in 2023

In a recent debate on cybersecurity predictions for 2023, panelists disagreed on plenty. But they agreed: in 2023, security will give up on users as a line of defense

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.