Whether you’re a security analyst or a member of the vulnerability management team, you probably already know the drill. You’re sitting at your workstation, monitoring your company’s systems. Suddenly, your Twitter notifications or threat intelligence alerts explode with notice of another vulnerability. Immediately after the first announcement, industry reports start coming out about malicious actors exploiting the vulnerability in the wild.
The complex, interconnected nature of your company’s IT environment makes patching everything even more difficult. The vulnerability could be embedded in third-party software or unmanaged devices like an employee-owned laptop. Both the vulnerability management and security teams are now rushing around, spending time trying to fix everything and close any holes.
Understanding the vulnerability management lifecycle and how to put effective practices in place can help you maintain a cyber resilient security program more efficiently.
What is a vulnerability in cybersecurity?
In cybersecurity, a vulnerability is any flaw or weakness that malicious actors can potentially exploit during an attack. While most vulnerabilities are unintentional, they can often increase the likelihood that an attacker will successfully gain unauthorized access to systems, networks, and data.
Vulnerabilities can include weaknesses in:
- System security procedures
- Internal controls
- Software, firmware, and operating systems
How to Assess Vulnerabilities
Ideally, organizations would be able to install every security patch for every new vulnerability. In reality, they just can’t. For example, in 2021, security researchers reported 21,957 new common vulnerabilities and exposures (CVEs). No organization can keep pace with that. Unfortunately, malicious actors often can.
To manage vulnerabilities, you need to understand how attackers can use them and the likelihood that attackers can use them against you.
While the vulnerability is the weakness, the threat is the attack or exploit that can use the vulnerability.
An example of a vulnerability would be storing credentials in plaintext so that anyone with access to read the file can see them. The threat is the malicious actor’s ability to use these credentials to gain unauthorized access to sensitive information.
When assessing the risk a vulnerability poses to your organization, you need to know the potential impact exploitation would have on your organization.
Some questions to ask are:
- How important to my business are the assets with this vulnerability?
- How easily can attackers get to this asset from the internet?
- Do I have controls that make it more difficult for attackers to exploit this vulnerability?
What is Vulnerability Management?
Vulnerability management is the process of identifying and prioritizing vulnerabilities so that you can mitigate risk through remediation. Typically, organizations use vulnerability scanners to detect weaknesses in software, systems, networks, and devices, then apply the security patches.
Most tools can only tell you if a vulnerability exists, providing little visibility into associated threats or your organization’s potential risk. This means that robust vulnerability management requires security experts who can detect risks to work closely with IT specialists focused on applying updates.
Understanding the Vulnerability Management Lifecycle
To protect your systems and ensure cyber resilience, you need effective processes to prevent attacks, minimize attack damage, and quickly detect and respond to incidents. The steps in the vulnerability management lifecycle enable you to create a feedback loop for collaborating across the IT and security teams.
Asset discovery starts with scanning your systems and networks for all physical, virtual, software, hardware, and digital assets. Digital transformation makes asset discovery more challenging because you need to be continuously monitoring for new assets, like virtual machines or containers.
Every asset has value, but not all assets are equally valuable. Once you identify everything, you need to categorize them based on business impact, value, and risk.
For example, a corporate website and a customer-facing application might be categorized differently. If the company website suffers an outage, your business impact might be a few hours where people can’t read blogs. If your customer-facing application suffers an outage, you can lose revenue.
Define Critical Assets
Critical assets are the ones that impact your business the most. These are the assets that:
- Generate revenue
- Contain sensitive information, including sensitive customer information and intellectual property
- Fall under regulatory compliance requirements, like privacy laws
A successful attack against these assets can lead to:
- Lost revenue
- Business disruption
- Customer churn
Assign Owners To Critical Assets
Having people responsible for managing critical assets ensures accountability and governance. When you assign owners, you should make sure to:
- Have both technical and business level owners
- Define responsibilities for each party
- Establish procedures for assigning ownership to new assets
- Ensure everyone understands their responsibilities
- Document responsibilities, processes, and procedures
Often, critical assets are fundamental to ensuring compliance with regulations and industry standards. Assigning and documenting responsibilities enables you to meet these requirements.
Vulnerability identification is a continuous process, especially as CVE disclosures continue to increase.
You can identify vulnerabilities in a few ways:
- Penetration testing
- Red teaming
- Automated assessments, like vulnerability scanners
Continuous penetration testing is cost-prohibitive, and many organizations don’t have large enough security teams to engage in red teaming. Most companies rely on automated vulnerability scans for real-time detection and identification.
Assess and Prioritize Vulnerabilities
The vulnerability management lifecycle is getting more complicated in the assessment and prioritization stage. When you’re assessing impact, you need to consider the following:
- Severity: The Common Vulnerability Scoring System (CVSS) ratings of none, low, medium, high, and critical
- Commonality: The number of assets that contain the vulnerability
- Exploitability: The distance between the asset containing the vulnerability, the public internet, and critical assets
- Risk: The business impact of the asset containing the vulnerability and mitigating controls
For a lot of teams, assessing the vulnerability is a manual process. Your vulnerability scanner can tell you what assets contain the vulnerability and the CVSS score. However, you still need to look at your asset inventory to determine how many assets the vulnerability impacts.
From there, you need to look at the impacted assets and their connections. For example, an impacted low-risk database directly connected to the public internet may also connect to a critical asset. Since an attacker can use the low-risk database to gain access to the critical asset, the database’s vulnerability is now a higher risk to your organization.
Finally, you need to know if you have risk mitigation controls. For example, you might have ten devices containing a high severity CVE. If you mitigated risk by placing them on a separate network, then the risk is lower.
Once you asses the vulnerabilities, you can start prioritizing your next steps by starting with the ones that have the most impact to your organization.
Treat or Remediate Vulnerabilities
After establishing an order of importance, you can take action. You may choose any of the following:
- Accept: The impact and risk are low, and the cost to take action is too high
- Mitigate: The impact and risk concern you, but you can put additional controls in place that address the vulnerability’s potential impact
- Remediate: Planning, testing, and deploying a patch to fix the weakness
This is another case of “in an ideal world.” Ideally, you would remediate the vulnerability as soon as the vendor releases the update. Unfortunately, in the real world, you might need to make sure that the update doesn’t require system downtime or have an unintended impact.
In response, you may decide to start by isolating the impacted asset or limiting its access to the internet. This reduces risk while you test the impact that the patch may have.
Vulnerability management is a fundamental requirement across all compliance mandates. To avoid fines, You need to document your treatment and update the security baselines in your configuration management database.
Define, Review, and Report Metrics
You need to know your vulnerability management program’s effectiveness. Creating a feedback loop across all departments, including senior leadership, is fundamental to the vulnerability management lifecycle.
Compliance mandates often establish timelines for mitigating and remediating vulnerabilities. As part of their responsibilities, senior leadership needs to know that you’re complying with internal policies and external requirements.
Your metrics should include:
- Number of assets managed
- Number of assets scanned per month
- Frequency of scans
- Time spent scanning assets per month
- Percentage of scanned assets containing vulnerabilities
- Percentage of vulnerabilities fixed within 30, 60, and 90 days
Key Caliber: Building Vulnerability Management Around Business Impact
The vulnerability management lifecycle is more than just scanning and patching. Complex environments containing connected assets make assessing and prioritizing more challenging. Similarly, many companies still use manual processes for identifying and assessing critical assets
Key Caliber’s business impact metrics enable you to create a closed feedback loop across the entire vulnerability management lifecycle. Our analytics correlate data about your environment, like usage and IAM, with publicly available data breach information for data-driven critical asset identification. With our cyber resilience mapping, you have at-a-glance visibility into connected assets and distance from the internet.
With our prioritization capabilities, you can spend less time trying to assess impact so you can focus on treating and remediating vulnerabilities.
To see how Key Caliber can help you, schedule a demo today!