The Equifax breach was caused by a vulnerability. The WannaCry virus exploited a vulnerability. The stories keep coming, yet hardly anyone talks about the obvious way to address the problem: start a vulnerability management program.
“Manage the vulnerabilities in my network? Sounds easy.” Well, not so much, but it is also not so difficult that you should avoid spending time and resources on it. This blog covers the planning and setup of a vulnerability management program.
What is Vulnerability Management?
Vulnerability Management is widely described as the practice of identifying, classifying, remediating and mitigating vulnerabilities. It is also described as the discovery, reporting, prioritization, and response to vulnerabilities in your network.
Vulnerability management is no longer optional for organizations; in fact, it is now required by multiple compliance, audit and risk management frameworks. The SANS Security Controls list continuous vulnerability assessment and remediation as number four in their most recent framework, stating that organizations need to “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers.”
You can’t stop what you can’t see. That’s why vulnerability management should be the foundation of your security program: you have to know what is on your network in order to monitor and protect it. A good vulnerability management program helps you proactively understand the risks to every asset in order to keep it safe.
Four Stages of Vulnerability Management
Build a list of every computing asset on your network and load it into a database that your vulnerability management solution can use. This list changes constantly, so it will need to be refreshed constantly. Make sure every asset is found, categorized and assessed.
This stage collects the current state of every asset on your network. Typically this is done with a vulnerability scanner, which produces a report of all known vulnerabilities on the assets in your network.
Depending on the size of your organization and the age of your assets, the list of known vulnerabilities can run to pages. In this step, the vulnerabilities are ranked from highest to lowest risk based on multiple factors. Your vulnerability management solution should prioritize them by their MITRE Common Vulnerabilities and Exposures (CVE) score and by the unique risk they pose to your organization.
The goal of discovering, reporting and prioritizing your vulnerabilities is to let your team focus its remediation effort on the largest risks in your network. Once you remediate or patch a vulnerability, conduct a penetration test to confirm that the patch is valid and the issue is actually gone before moving on to the next vulnerability.
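The four stages above, carried through on constructed data as an added example (this is not code from the original post or from any vendor's product): an asset inventory, a set of scanner findings, a prioritization pass that ranks each finding by its CVSS base score weighted by the asset's criticality, internet exposure and whether a public exploit is known (the weighting factors are assumptions chosen for illustration), and a verification pass that compares a rescan against the list of findings claimed as fixed. The CVE identifiers are placeholders, not real advisories, and the verification step uses a rescan comparison in place of the penetration test the text recommends.

```python
"""Added example: prioritization and remediation verification over
constructed scanner findings. Not the original post's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: float      # assumed scale: 1.0 = lab box, 3.0 = crown jewels
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float             # CVSS base score (0-10) as reported by the scanner
    exploit_known: bool     # scanner/feed reports a public exploit


# Stage 1: constructed asset inventory.
INVENTORY = {
    "web-01": Asset("web-01", 3.0, True),
    "db-01": Asset("db-01", 3.0, False),
    "lab-07": Asset("lab-07", 1.0, False),
}

# Stage 2: constructed scanner report. CVE ids are placeholders.
SCAN_1 = [
    Finding("web-01", "CVE-0000-0001", 9.8, True),
    Finding("db-01", "CVE-0000-0002", 9.8, False),
    Finding("lab-07", "CVE-0000-0003", 9.8, True),
    Finding("web-01", "CVE-0000-0004", 4.3, False),
    Finding("ghost-9", "CVE-0000-0005", 7.5, False),   # host missing from inventory
]

# Constructed rescan after patching: 0001 and 0002 are gone, 0003 is still there.
SCAN_2 = [
    Finding("lab-07", "CVE-0000-0003", 9.8, True),
    Finding("web-01", "CVE-0000-0004", 4.3, False),
    Finding("ghost-9", "CVE-0000-0005", 7.5, False),
]

# What the patching team reported as fixed.
CLAIMED_FIXED = [("web-01", "CVE-0000-0001"), ("lab-07", "CVE-0000-0003")]


def risk_score(finding, inventory):
    """CVSS weighted by organizational context (weights are assumptions)."""
    asset = inventory.get(finding.asset)
    if asset is None:
        # Unknown host: treat as high-value and exposed so it cannot be ignored.
        return finding.cvss * 3.0 * 1.5
    score = finding.cvss * asset.criticality
    if asset.internet_facing:
        score *= 1.5
    if finding.exploit_known:
        score *= 2.0
    return score


def prioritize(findings, inventory):
    """Stage 3: highest contextual risk first."""
    return sorted(findings, key=lambda f: risk_score(f, inventory), reverse=True)


def unknown_assets(findings, inventory):
    """Hosts the scanner saw that the inventory does not know about (stage 1 gap)."""
    return sorted({f.asset for f in findings if f.asset not in inventory})


def verify_remediation(before, after, claimed_fixed):
    """Stage 4 check: confirm claimed fixes against a rescan."""
    seen_before = {(f.asset, f.cve) for f in before}
    still_present = {(f.asset, f.cve) for f in after}
    return {
        "confirmed": [p for p in claimed_fixed if p in seen_before and p not in still_present],
        "remaining": [p for p in claimed_fixed if p in still_present],
        "never_seen": [p for p in claimed_fixed if p not in seen_before],
    }


if __name__ == "__main__":
    for f in prioritize(SCAN_1, INVENTORY):
        print(f"{risk_score(f, INVENTORY):6.2f}  {f.asset:8} {f.cve}  cvss={f.cvss}")
    print("not in inventory:", unknown_assets(SCAN_1, INVENTORY))
    print(verify_remediation(SCAN_1, SCAN_2, CLAIMED_FIXED))
```

Three findings share a CVSS of 9.8, yet the internet-facing web server with a known exploit lands at the top, the database in the middle and the lab box near the bottom; the scanner-only host "ghost-9" ranks second and also surfaces as an inventory gap. The verification pass then confirms one claimed fix and flags the other as still present, which is exactly the case that should block moving on to the next vulnerability.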
How can you benefit from a vulnerability management program?
There are thousands of known vulnerabilities in the wild, most of them with patches available. However, not all vulnerabilities are equal, which is why you need to manage them. Using a vulnerability management program you can:
- Intelligently Manage Vulnerabilities: Not all vulnerabilities carry the same risk. With a vulnerability management program, your organization can prioritize remediation more intelligently, apply security patches and allocate security resources more effectively.
- Meet regulatory requirements and avoid fines: Vulnerability management programs not only keep your organization compliant across industry regulations but also let you produce detailed reports that help avoid significant fines for non-compliance and demonstrate ongoing due diligence during an audit.
Who needs a vulnerability management program?
Anyone with assets connected to the internet needs a vulnerability management program. Many industries require one in order to comply with regulations. Attacks resulting in data loss are often the result of breaches that exploit known, unpatched vulnerabilities. If any asset on your network is not patched regularly, a vulnerability management program is for you.