What is vulnerability management?

If top notch cybersecurity is the goal, vulnerability management can help a company get there. 

Don’t believe us? Then take the word of the US Cybersecurity & Infrastructure Security Agency (CISA): 

It is reasonable to say that vulnerability management is central to cyber resilience.

Here’s everything you need to understand about vulnerability management including how it works and key best practices.

What are vulnerabilities?

At their essence, vulnerabilities are weaknesses in an organization’s data, assets, or resources. Many areas of an organization can contain vulnerabilities, and the sheer volume can complicate discovery and remediation. In most cases it’s not possible for an organization to address every vulnerability - the trick is to find and deal with those that are exploitable by a bad actor, because they carry the highest risk of causing maximum damage.

How are vulnerabilities categorized?

To help sift through the vulnerability noise, the Common Vulnerability Scoring System (CVSS) offers an open rating standard that can be used to level-set the threat risk. A CVSS score ranges from 0 to 10. The National Vulnerability Database (NVD) provides another threat reality check and works alongside CVSS to help teams decipher the potential for exploitable vulnerabilities. The NVD also provides a useful reference tool - a library of common vulnerabilities and exposures (CVEs) - that organizations can consult.

All that said, we can’t stress enough that not every vulnerability is exploitable, and we’re seeing lots of evidence of vulnerability “inflation” that can truly muddy the waters for everyone. The Exploit Prediction Scoring System (EPSS) is a newer (and potentially more clear-headed) resource for organizations struggling to make sense of the threat landscape.
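To make the CVSS-versus-EPSS point concrete, here is an added example (not ProjectDiscovery’s code) that ranks a small backlog by exploitation likelihood rather than by CVSS base score alone. Every finding, score and CVE-EXAMPLE-* identifier is a constructed placeholder, and the EPSS threshold and queue names are assumptions of this example, not a published standard.

```python
"""Rank findings by likelihood of exploitation rather than by CVSS alone.

Added example, not ProjectDiscovery's code. All findings, scores and the
CVE-EXAMPLE-* identifiers are constructed placeholders; the EPSS threshold
and the queue names are assumptions of this example, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder id, not a real CVE
    asset: str          # hostname from an (assumed) asset inventory
    cvss: float         # CVSS base score, 0.0 to 10.0
    epss: float         # EPSS: probability of exploitation in the next 30 days, 0.0 to 1.0
    internet_facing: bool


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority(f: Finding, epss_threshold: float = 0.1) -> str:
    """Assign a work queue from severity, exploit likelihood and exposure.

    The rule is an assumption of this example: an EPSS score at or above the
    threshold marks the bug as likely to be exploited, and that signal
    outranks CVSS severity, which only describes worst-case impact.
    """
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"EPSS probability out of range: {f.epss}")
    sev = cvss_severity(f.cvss)
    likely_exploited = f.epss >= epss_threshold
    if likely_exploited and (f.internet_facing or sev in ("High", "Critical")):
        return "remediate-now"
    if likely_exploited or sev == "Critical":
        return "remediate-next"
    if sev in ("High", "Medium"):
        return "scheduled"
    return "accept-or-monitor"


def triage(findings: list[Finding]) -> list[Finding]:
    """Order the backlog: highest EPSS first, then CVSS, then exposure."""
    return sorted(findings, key=lambda f: (-f.epss, -f.cvss, not f.internet_facing))


def rank_by_cvss_only(findings: list[Finding]) -> list[Finding]:
    """The naive ordering, kept for contrast with triage()."""
    return sorted(findings, key=lambda f: -f.cvss)


# Constructed sample backlog: one "Critical" bug nobody exploits, one "Medium"
# bug on an exposed host with a high exploitation probability.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "web-01", cvss=9.8, epss=0.02, internet_facing=True),
    Finding("CVE-EXAMPLE-0002", "db-01", cvss=7.5, epss=0.85, internet_facing=False),
    Finding("CVE-EXAMPLE-0003", "web-02", cvss=5.3, epss=0.40, internet_facing=True),
    Finding("CVE-EXAMPLE-0004", "bastion", cvss=3.1, epss=0.001, internet_facing=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f.cve:18} {f.asset:8} CVSS={f.cvss:<4} EPSS={f.epss:<5} -> {priority(f)}")
```

Run as a script, the 9.8 finding that a CVSS-only sort puts first drops to third place because nothing suggests it is being exploited, while the 5.3 on an internet-facing host lands in the remediate-now queue. The thresholds are the part a team should tune to its own risk appetite.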

What is vulnerability management?

Today’s organizations have a laundry list of security best practices to follow, of which vulnerability management is just one in a series of steps. With so many potential “weaknesses” floating around, vulnerability management is a continuous and codified effort to dispassionately assess the threats and risks and create a systematic response for discovery and remediation. Vulnerability management is a close cousin to attack surface management, but its focus is more sharply on the “soft spots” rather than on an organization’s network as a whole. A vulnerability assessment happens as part of vulnerability management, but the terms aren’t interchangeable: vulnerability management is an ongoing process, while a vulnerability assessment is meant to be a one-time effort.

Why does vulnerability management matter now?

Cybersecurity attacks have dramatically increased in number, scope and damage level, and that doesn’t look likely to change for the foreseeable future. Organizations have never had more to lose - including sales, reputation, investors and even potential employees - so adopting a detailed vulnerability management plan makes sense. It’s impossible to prevent all cyberattacks; instead, as CISA has suggested, organizations need to build the vulnerability management processes that will allow for better resilience.

How to get started with vulnerability management

Like any cross-functional effort, a vulnerability management program is going to require a good bit of groundwork ahead of time to make sure it’s targeting the right areas. Market research firm Gartner offers a Vulnerability Management Guidance Framework that includes some critical homework teams need to do before they consider anything else.

Gartner suggests teams ask the following questions, with security professionals taking the lead:

  • How broad should the vulnerability management effort be?

  • Which roles are required to participate? What should their areas of ownership be?

  • Which vulnerability management solutions are available? How would they fit in the tech stack?

  • What should our vulnerability management policies be? What should our service level agreements and objectives entail?

  • As we categorize our assets, can we surface all necessary context?

What are the key steps in vulnerability management?

Experts suggest organizations tackle a vulnerability management strategy by dividing it into five parts: define the scope, emphasize what matters most, roll out, track the performance and improve as necessary.

  1. Define the scope: Thanks to work done beforehand, teams should have a good idea of the challenges and the landscape, and can focus on a detailed strategy that will lead to a plan of attack.

  2. Understand what matters most: Organizational change is always hard, so make it easier by ensuring the plan is focused on vulnerabilities that are the most threatening. Mapping a vulnerability management plan to a team’s priorities is going to make it easier to sell, implement, and evolve over time. It’s also important to make sure the right roles and responsibilities are included in this effort because confusion over responsibilities can make it harder to achieve success, particularly during an emergency.

  3. Implement: Roll out the plan (with training available as needed), and follow the steps including vulnerability assessments, discovery, cataloging, exposure management and root cause analysis. As vulnerabilities are found choose to remediate, mitigate or live with them, decisions that can be made based on organizational priorities.

  4. Take the temperature: After a trial run it’s essential to evaluate the entire process clearly. Retrospectives with key players, backed by all available data points, will help identify potential changes or weaknesses. Double check that the vulnerability management process didn’t accidentally introduce additional weak spots.

  5. Go for 2.0: Tweak the vulnerability management process as needed and then try again.

How risk and speed play a role in vulnerability management

Although the broad brush strokes of vulnerability management will likely be similar in most organizations, there are two areas where it is important to fully understand the corporate appetites, priorities and potential legal restrictions: risk and speed. 

Every business has a unique comfort level with risk, and that has to be baked into a vulnerability management effort right from the beginning. What might be reckless in one entity is business as usual in another, so take the time to thoroughly understand all the risk-related factors. Regulated industries will likely have a far lower tolerance for risk - so when in doubt, consult with legal, compliance and audit experts. Also, even non-regulated businesses may be under intense performance pressure due to contracts with SLOs, so, again, it is key to keep these sometimes hidden priorities in mind.

The other potential wrinkle with a vulnerability management program is around speed. We believe the most important metric is the time from vulnerability disclosure to detection, but how fast is fast enough? The perception of speed is going to vary from organization to organization, but it’s a key issue to raise, discuss, and continue to revisit in order to ensure the vulnerability management plan is the most effective it can be.
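The speed question becomes answerable once the metric is actually computed. Below is an added example (not ProjectDiscovery’s code) that measures days from public disclosure to first detection for each finding and checks it against a per-severity SLO. The timeline rows, dates, CVE-EXAMPLE-* ids and the SLO_DAYS thresholds are all constructed; a real program would take disclosure dates from its vulnerability feed and detection dates from its scanner. Findings that are still undetected keep accruing time, and a detection dated before disclosure counts as zero so it cannot distort the median.

```python
"""Measure disclosure-to-detection time and check it against a per-severity SLO.

Added example, not ProjectDiscovery's code. The timeline rows, dates,
CVE-EXAMPLE-* ids and the SLO_DAYS thresholds are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Timeline:
    cve: str                  # placeholder id, not a real CVE
    severity: str             # CVSS qualitative band
    disclosed: date           # public disclosure date
    detected: Optional[date]  # first date our scanning flagged it; None if still undetected


# Assumed SLO (not a standard): maximum days allowed from disclosure to first detection.
SLO_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90}


def days_to_detect(t: Timeline, today: date) -> int:
    """Days from disclosure to detection; an undetected bug is still on the clock.

    A detection dated before disclosure (e.g. found internally first) counts
    as zero rather than a negative number, so it cannot skew the median.
    """
    end = t.detected if t.detected is not None else today
    return max(0, (end - t.disclosed).days)


def slo_report(timeline: list[Timeline], today: date) -> dict:
    """Summarise the metric: median days, SLO breaches, still-open items."""
    durations = [days_to_detect(t, today) for t in timeline]
    breaches = [t.cve for t, d in zip(timeline, durations) if d > SLO_DAYS[t.severity]]
    still_open = [t.cve for t in timeline if t.detected is None]
    return {
        "median_days": median(durations) if durations else 0,
        "breaches": breaches,
        "open": still_open,
    }


# Constructed sample timeline, evaluated as of AS_OF.
SAMPLE_TIMELINE = [
    Timeline("CVE-EXAMPLE-0001", "Critical", date(2024, 3, 1), date(2024, 3, 2)),
    Timeline("CVE-EXAMPLE-0002", "High", date(2024, 3, 5), date(2024, 3, 20)),
    Timeline("CVE-EXAMPLE-0003", "Medium", date(2024, 2, 10), None),           # still undetected
    Timeline("CVE-EXAMPLE-0004", "Low", date(2024, 1, 15), date(2024, 2, 1)),
    Timeline("CVE-EXAMPLE-0005", "High", date(2024, 3, 10), date(2024, 3, 8)),  # found before disclosure
]
AS_OF = date(2024, 3, 25)

if __name__ == "__main__":
    report = slo_report(SAMPLE_TIMELINE, AS_OF)
    print(f"median days to detect: {report['median_days']}")
    print(f"SLO breaches: {report['breaches']}")
    print(f"still undetected: {report['open']}")
```

On the sample data the median is 15 days, two findings breach their SLO, and one of them is the still-undetected Medium, which is the case a report that only counts closed items would hide. Whether 2, 7 or 30 days is “fast enough” is exactly the per-organization conversation the text describes; the thresholds are the input to that discussion, not its conclusion.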

How to choose a vulnerability management tool

The right vulnerability management tools can automate discovery and remediation and make it easier for key players to stay on top of the many moving parts. Start with open source - avoid vendor lock-in and take advantage of security hive-mind contributions from community members. Opt for “set and forget” automation that also offers attack surface management capabilities. Choose a tool that lets teams act like hackers, because that’s the best way to see what the hackers are seeing. Don’t forget about real-time reporting: audits are going to happen no matter what, so a tool that tracks data is particularly valuable. And finally, don’t forget that integration will save time, money, energy and probably team sanity.

Ready to get started?

ProjectDiscovery Cloud Platform

Use automation, integration, and continuous scanning to help defend the modern tech stack.

Free trial

Join our Community

Our diverse community spans members from full-time bug bounty hunters to Fortune 500 security engineers.
