Vulnerability management (VM) is a proactive process that involves identifying, evaluating, categorizing, prioritizing, remediating, and reporting on vulnerabilities that can take place in an organization’s hardware or software infrastructure, as well as its internal or third-party applications or operating systems.
This can be done using a combination of tools, processes, and strategies, and often requires efforts from multiple teams. Parts of the process can be automated, but with the sheer number of exploitable vulnerabilities being uncovered daily, there is always a need for manual intervention to help analyze and prioritize. Vulnerability management always has been and continues to be a critical part of any cybersecurity program.
Vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST). All vulnerability and analysis information that they find is National Vulnerability Database (NVD).
A few components make up their vulnerability guidance:
Common Vulnerabilities and Exposures (CVE)
Each CVE defines a specific vulnerability by which an attack may occur.
Common Configuration Enumeration (CCE)
A CCE is a list of system security configuration issues that can be used to develop configuration guidance.
Common Platform Enumeration (CPE)
CPEs are standardized methods of describing and identifying classes of applications, operating systems, and devices within your environment. CPEs are used to describe what a CVE or CCE applies to.
Common Vulnerability Scoring System (CVSS)
This scoring system works to assign severity scores to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. CVSS scores range from 0 to 10, with 10 being the most severe.
As the attack surface expands and cyber breaches continue to become more frequent and impactful, the total number of overall vulnerabilities has followed suit. The United States’ National Vulnerability Database (NVD) reveals a steady year-over increase in common vulnerabilities and exposures (CVEs) since a considerable uptick occurred in 2017.
That spike—which took place just five years ago—arguably sparked the start of a rapid evolution in the cyber threat landscape that has yet to slow down. In fact, the number of CVEs in the first half of 2022 (12,440) alone nearly equated to the total published for all of 2017 (14,714).
Keeping up with the volume of patches is the biggest challenge throughout vulnerability management. Too many alerts leave teams spread thin, most (77%) organizations indicate not having enough resources to keep up with the volume of patches.
If the sheer quantity isn’t enough to make the case for new-and-improved processes, the severity of the threats and exposures should. The number of critical vulnerabilities—those with a CVSS score between 9.0-10.0—increased 49% in 1H 2022 compared to 1H 2021.
Yet, rather than continue to fuel the fire that’s burning out the cybersecurity community, teams most focus their efforts on the activities that will drive the most value according to overall business impact.
Despite allocating more money and manpower towards vulnerability management processes, 60% of IT security professionals admit their organization suffered a data breach because an available patch was not applied. So, although organizations are investing in preventing, detecting, and remediating vulnerabilities, the adversary is taking advantage of a clear gap between the efforts and effectiveness of today’s vulnerability management programs.
“Year over year, more time is spent on prevention, detection and remediation of vulnerabilities with no improvements in reducing the risk of an attack.”
—Ponemon Institute
The first step in any cybersecurity initiative is preparation—and is especially crucial to developing a vulnerability management framework. Fortunately, there are many guides and resources that have laid the foundation for those just starting out on their journey with threat and vulnerability management.
The CRR Supplemental Resource Guide for Vulnerability Management breaks down planning for vulnerability management into the following steps:
Once the pre-work is complete, the vulnerability management lifecycle begins. While there are many activities associated with each phase, Gartner® outlines five stages for effective VM:
Assess your attack surface
Prioritize efforts according to risk
Act to remediate or accept risk
Reassess to validate efforts
Improve overall security hygiene
Phase I: Assess
The first step in reducing an attack surface is assessing its current state. Although capturing a holistic inventory of all access points is essential to close the pathways to any organization, most tools are limited in terms of their compatibility with hybrid environments. Additionally, both unknown and rogue assets introduce additional layers of complexity.
Beyond lack of visibility, many obstacles during the discovery phase stem from manual processes and conflicting data sources. While environments can drastically change within seconds, teams still spend an average of over 130 hours per week on monitoring systems for threats and vulnerabilities alone.
The success of VM programs depend on the asset intelligence that it’s built on. As a result, having a dedicated tool to automatically pull and centralize data from existing systems can significantly improve the VM process without requiring additional manpower. This is a key tactic for modern environments, as many organizations still rely on spreadsheets to piece together the puzzle.
Phase II: Prioritize
The maturity of an organization’s vulnerability program depends on its ability to prioritize vulnerabilities that pose the most immediate risk. Yet, most organizations still rely on CVSS scoring as a sole metric for vulnerability prioritization. Therefore, it’s no surprise that the inability to understand asset exploitability, exposure, and impact on critical systems in their environment is still one of the biggest challenges for incident responders.
Instead of throwing more money at asset intelligence or vulnerability scanning tools, organizations should prioritize aggregating and correlating the insights they already must go beyond the surface of any single score or individual data source.
Some factors to consider when prioritizing vulnerabilities include:
Phase III: Act
No organization will ever have the luxury of being completely free of all threats and exposures. Instead, regardless of how limited resources may be, teams that focus their efforts according to impact will be most successful.
Say, for example, a vulnerability scan on one network reveals 100s of devices contain a vulnerability with a CVSS score above 9.0. Dozens of patches are available, but there aren’t enough resources to patch all associated vulnerabilities. While most programs would default to the highest CVSS score, mature programs know to assess this situation using a multidimensional risk lens.
The more context an organization has when developing a course of action, the more efficient it becomes in reducing the attack surface.
Phase IV: Reassess
While validation is an essential follow-up for all remediation efforts, it’s even more important as VM programs evolve and leverage technology. During this stage, organizations have really leaned on automation to scale by expediting and verifying patch application, as well as to further justify the reason for leaving noncritical vulnerabilities unpatched.
Phase V: Improve
Teams may find it difficult to report on VM success—especially when the conversation internally has yet to shift away from measuring performance on the number of critical threats. To be fair, communicating risk to stakeholders without a cybersecurity background has never been a small feat.
However, with contextual insights and consolidated reports, today’s security leaders are getting creative in the way they justify and track investments over time. A more centralized approach also enables teams to better understand which tools and systems aren’t working, as well as additional areas that could benefit from automation.
There are many different approaches to addressing the vulnerability management problem. While different solutions play their own role in the VM lifecycle, many organizations will use a combination of them as part of a wider vulnerability assessment program. For example, some are primarily focused on vulnerability identification, while others may proactively report and manage the risks.
Depending on maturity level, organizations may use a combination of the following tools for threat and vulnerability management:
This is the traditional, core approach to vulnerability management for most organizations. The technology has been around for a long time and is mature in the market, with well-established players. The technology approach to vulnerability scanning is generally either agent-based or network-based. Agent-based scanning is likely to provide better depth, but network-based can uncover unknown assets.
Vulnerability assessment providers will cover common platforms and devices, including mobile, cloud, and often OT/IoT support. They may also offer capabilities around vulnerability prioritization and automated remediation.
Example Vulnerability Scanners: Tenable, Rapid7, Qualys
As the name implies, EDR vendors have historically focused on virtual and physical machines. With the industry’s shift to Extended Detection & Response (XDR), additional cloud and network telemetry is now moving into scope.
EDR technology has always played a role in the vulnerability remediation process, as a compensating control to protect insecure endpoints. More and more EDR solutions are now more actively involved in vulnerability management, leveraging their deployed agents to identify and manage vulnerabilities across the endpoint estate, often in conjunction with an existing vulnerability scanner.
Example EDR providers: SentinelOne, CrowdStrike, VMWare Carbon Black
Risk-based vulnerability management, or vulnerability prioritization technology (VPT) has developed over the past few years to build on top of existing scanning technology and leverage other intelligence and context to improve the overall vulnerability management process. Solutions here typically use threat and exploitability intelligence, combined with attack path analysis to consolidate vulnerability information, and present a prioritized dashboard for the security team.
Example VPT Solutions: Kenna Security (Cisco), RiskSense (Ivanti)
Patch management is not a core function, but rather the critical component of the remediation phase. Therefore, a close partnership between the IT and security teams is required to patch the most high-risk vulnerabilities in a timely fashion.
High-performing organizations integrate patch management into their vulnerability management program, as well as managing patching exceptions and virtual patching as part of the process.
Example Patch Management Tools: Microsoft, BigFix (HCL),
Cloud security posture management (CSPM) is more commonly associated with cloud and container configuration issues, but it can also play an important part in the vulnerability management process.
Research from IBM has shown a sixfold increase in cloud vulnerabilities over the past 6 years, by aligning cloud security with vulnerability management, security teams can ensure that they are focused on this significant attack vector. The major cloud providers have also introduced specific vulnerability scanning capabilities for their own cloud environments which provide value.
Example CSPM platforms: Wiz, Amazon Inspector, Azure Security Center
The cybersecurity ratings industry is primarily focused on helping security teams to manage third-party and supply chain risk. As such, they build a cyber risk profile based on publicly available information and external scanning of the environment. This information will also include data on an organization’s vulnerability and patch management posture which is valuable as part of a wider vulnerability management program.
Cyber ratings tools often provide important insights into attack surface and exposure analysis, as well as trends in attacker behavior.
Example cybersecurity ratings providers: BitSight, Security Scorecard and Black Kite
According to Gartner, IT Service Management (ITSM) platforms provide ‘workflow management and related insights that enable organizations to design, automate, manage and deliver integrated IT services and digital experiences.’[1]
ITSM tools are an integral part of the vulnerability and patch management process as organizations will typically use them to align workload between security and IT teams for prioritizing vulnerability and patching.
Companies will often integrate the vulnerability and patch management tooling with the ITSM to automate the creation and assignment of patch rollout. It is also the home for standard change management processes, including what testing needs to take place prior to patching, and triggering rescanning to ensure the problem has been fixed.
Example ITSM tools: ServiceNow, Atlassian (Jira), BMC
[1] Gartner: Magic Quadrant for IT Service Management Platforms, October 2022
Understanding your asset landscape and criticality are key elements to a successful vulnerability management program. Historically, prioritization has focused more on the severity and exploitability of an exploit, what CAASM tools are able to provide is much greater context on the impacted assets.
By factoring in the ‘criticality’ of the asset–what business services it supports, what sensitive datasets it has access to, etc. –security teams can build a context-driven vulnerability prioritization process that truly reflects business risk.
Example CAASM providers: Noetic Cyber, Axonius and JupiterOne
Explore more use cases for CAASM in our exclusive eBook by Brad Laporte, advisor and former Gartner analyst.
Security teams with a more mature vulnerability management program are beginning to look at it as part of a wider continuous threat exposure management (CTEM) initiative, which requires a refined approach to managing the attack surface in a constantly changing digital world.
A modern approach considers vulnerability prioritization and remediation, mitigating controls, and detection and response capabilities as part of a wider initiative. In a recent report, Gartner states that ‘the objective of CTEM is to get a consistent, actionable security posture remediation and improvement plan that business executives can understand, and architecture teams can act upon.’
As security leaders think about how best to reduce their attack surface and improve their vulnerability management process, they need to work on how to gain the asset visibility and context that will allow them to effectively scope, discover and prioritize their CTEM program.
Gartner subscribers can access the full report and its recommendations here.