1 Identification
The first stage in your vulnerability management program will be to identify all of the vulnerabilities that exist across your IT ecosystems. In order to achieve this you will need to define your IT assets and find the right vulnerability scanners for each asset.
The scanner you use to identify vulnerabilities in your network will not be the same one you use for your applications. When it comes to application security, you will need multiple AST (application security testing) tools to detect vulnerabilities in both your proprietary code and the open source libraries it depends on.
This is an essential part of vulnerability management and one that is becoming increasingly challenging as organizations’ IT ecosystems become more expansive, complex, and interconnected.
According to the Center for Internet Security, organizations should perform automated vulnerability scans at least once a week. More frequent scanning will give you greater clarity on the progress of your remediation and help you identify new risks based on updated vulnerability information.
2 Evaluation
After you’ve identified the vulnerabilities that exist across your systems, the next step is to evaluate the risks they pose and determine how to manage them. While it’s important to understand the risk ratings that your vulnerability management solution provides, such as Common Vulnerability Scoring System (CVSS) scores, you will also want to understand other real-world risk factors.
Some additional factors to consider include:
- How easily could someone exploit this vulnerability, and is there published exploit code available?
- Does the vulnerability directly impact the security of our product?
- What would the business impact be if this vulnerability were exploited?
- Do we have any existing security protocols that would reduce the likelihood/consequence of these vulnerabilities being exploited?
It’s also important to know whether any identified vulnerabilities are false positives. With tools and techniques that enable vulnerability validation, such as penetration testing, you can identify false positives and focus on the vulnerabilities that pose the biggest risk to your organization.
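The factors listed above can be turned into a repeatable prioritization step. The following is an added example, not code from the original article: it takes constructed scan findings (placeholder identifiers, not real CVEs), drops those that validation marked as false positives, and ranks the rest by a risk-based score that starts from CVSS and adjusts for the four factors. The weights are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str                     # placeholder ids, not real CVE numbers
    cvss: float                  # scanner-supplied CVSS base score
    exploit_public: bool         # published exploit code is available
    product_facing: bool         # directly affects the security of our product
    business_impact: int         # 1 (low) .. 3 (high) if exploited
    compensating_controls: int   # existing controls reducing likelihood/impact
    validated: bool = True       # False once validation marks it a false positive

def priority_score(f: Finding) -> float:
    """Risk-based score: CVSS adjusted by the real-world factors (assumed weights)."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5                         # easy to exploit: weight up
    if f.product_facing:
        score += 2.0                         # product security at stake
    score *= f.business_impact / 2           # low halves, high multiplies by 1.5
    score *= 0.8 ** f.compensating_controls  # each control cuts 20%
    return round(score, 2)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Drop false positives, then order remaining findings by priority score."""
    live = [f for f in findings if f.validated]
    return sorted(live, key=priority_score, reverse=True)

# Constructed sample findings for the example.
FINDINGS = [
    Finding("db-01", "CVE-PLACEHOLDER-1", 9.8, False, False, 1, 2),
    Finding("web-01", "CVE-PLACEHOLDER-2", 7.4, True, True, 3, 0),
    Finding("web-02", "CVE-PLACEHOLDER-3", 5.3, True, False, 2, 1, validated=False),
    Finding("api-01", "CVE-PLACEHOLDER-4", 6.1, False, True, 2, 0),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{priority_score(f):6.2f}  {f.asset:8}  {f.cve}")
```

Note that the high-CVSS database finding ranks last once its low business impact and two compensating controls are taken into account, while the internet-facing finding with public exploit code ranks first.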
3 Remediation
After you’ve identified and evaluated vulnerabilities, the next step is to determine how to prioritize and address them.
Your vulnerability management solution will likely recommend which remediation technique you should use for each vulnerability. It’s best that your security team, system owners, and system administrators weigh in to determine the right strategy.
There are three general routes you can take:
- Remediation: Completely preventing exploitation by patching, correcting, or replacing code that contains a vulnerability.
- Mitigation: Reducing the probability or impact of a vulnerability. This is usually a temporary solution that organizations use until they can remediate the vulnerability.
- No action: Acknowledging and accepting the vulnerability. Organizations typically only do this when the cost of remediating the vulnerability is much higher than the consequences of it being exploited.
After you’ve finished the remediation process, you can check to see that the vulnerability was completely resolved by performing another scan.
4 Reporting
By making vulnerability assessments a routine practice, you’ll gain greater insight into the efficacy, speed, and cost of your vulnerability management program.
Most vulnerability management systems let you export the data from your various vulnerability scanners, so your security team can more easily understand the security posture of each asset and track it over time to identify trends such as increased vulnerability detection or decreased remediation velocity.
Consistent reporting will help your security team to comply with your organization’s risk management KPIs as well as regulatory requirements.