Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. Implemented alongside other security tactics, it is vital for organizations to prioritize possible threats and minimize their attack surface.
Vulnerability management software can help automate this process. Such tools use a vulnerability scanner and sometimes endpoint agents to inventory a variety of systems on a network and find vulnerabilities on them. Once vulnerabilities are identified, the risk they pose needs to be evaluated in different contexts so decisions can be made about how best to treat them. For example, vulnerability validation can be an effective way to contextualize the real severity of a vulnerability.
The vulnerability management process can be broken down into the following four steps:
1) Identifying Vulnerabilities
2) Evaluating Vulnerabilities
3) Treating Vulnerabilities
4) Reporting Vulnerabilities
Step 1: Identifying Vulnerabilities
At the heart of a typical vulnerability management solution is a vulnerability scanner. The scan consists of four stages:
1) Scan network-accessible systems by pinging them or sending them TCP/UDP packets.
2) Identify open ports and services running on scanned systems.
3) If possible, remotely log in to systems to gather detailed system information.
4) Correlate system information with known vulnerabilities.
Vulnerability scanners are able to identify a variety of systems running on a network, such as laptops and desktops, virtual and physical servers, databases, firewalls, switches, printers, etc. Identified systems are probed for different attributes: operating system, open ports, installed software, user accounts, file system structure, system configurations, and more. This information is then used to associate known vulnerabilities to scanned systems. In order to perform this association, vulnerability scanners will use a vulnerability database that contains a list of publicly known vulnerabilities.
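The fourth scan stage, correlating gathered system attributes with a vulnerability database, is shown below as an added example; it is not code from the article or from any scanner product. The inventory is expressed as CPE 2.3 strings (the identifier format the article's SCAP section describes), the vulnerability database, the host names and the `CVE-0000-...` identifiers are all constructed placeholders, and the affected-version ranges are assumed to be half-open (introduced inclusive, fixed exclusive).

```python
"""Correlating inventoried software with a known-vulnerability database.

Added example (not the article's or any vendor's code). The inventory, the
vulnerability database and the CVE identifiers below are constructed sample
data, not real advisories.
"""
import re

# Constructed vulnerability database: each entry names the affected product
# (as a CPE 2.3 vendor/product pair) and the affected version range
# [introduced, fixed). The "CVE-0000-..." identifiers are placeholders.
VULN_DB = [
    {"id": "CVE-0000-0001", "vendor": "exampleco", "product": "webserver",
     "introduced": "2.4.0", "fixed": "2.4.50", "cvss": 9.8},
    {"id": "CVE-0000-0002", "vendor": "exampleco", "product": "webserver",
     "introduced": "2.0.0", "fixed": "2.4.41", "cvss": 5.3},
    {"id": "CVE-0000-0003", "vendor": "exampleco", "product": "sshd",
     "introduced": "7.0", "fixed": "8.5", "cvss": 7.0},
]

# Constructed inventory as a scanner or endpoint agent might report it:
# one CPE 2.3 string per installed software item.
INVENTORY = {
    "web01": ["cpe:2.3:a:exampleco:webserver:2.4.49:*:*:*:*:*:*:*",
              "cpe:2.3:a:exampleco:sshd:8.6:*:*:*:*:*:*:*"],
    "web02": ["cpe:2.3:a:exampleco:webserver:2.4.51:*:*:*:*:*:*:*"],
    "jump01": ["cpe:2.3:a:exampleco:sshd:7.9:*:*:*:*:*:*:*"],
}


def parse_cpe(cpe):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[3], parts[4], parts[5]


def version_key(version):
    """Turn '2.4.49' into a comparable tuple (2, 4, 49); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed (numeric dotted versions only)."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def correlate(inventory, vuln_db):
    """Map each host to the vulnerability entries that match its installed software."""
    findings = {}
    for host, cpes in inventory.items():
        for cpe in cpes:
            vendor, product, version = parse_cpe(cpe)
            for vuln in vuln_db:
                if (vuln["vendor"], vuln["product"]) != (vendor, product):
                    continue
                if affected(version, vuln["introduced"], vuln["fixed"]):
                    findings.setdefault(host, []).append(
                        {"cve": vuln["id"], "cpe": cpe, "cvss": vuln["cvss"]})
    return findings


if __name__ == "__main__":
    for host, items in sorted(correlate(INVENTORY, VULN_DB).items()):
        for f in sorted(items, key=lambda f: -f["cvss"]):
            print(f"{host}: {f['cve']} (CVSS {f['cvss']}) via {f['cpe']}")
```

With this data only `web01` (webserver 2.4.49) and `jump01` (sshd 7.9) fall inside an affected range; `web02` is already past the fixed version. Real correlation is harder than this: vendors backport fixes without changing the version string (so a package at "2.4.49-3" may already be patched), version schemes are not always numeric, and the scanner must know which versions are actually installed rather than merely present on disk. Those are the main sources of the false positives discussed under Step 2.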
Properly configuring vulnerability scans is an essential component of a vulnerability management solution. Vulnerability scanners can sometimes disrupt the networks and systems that they scan. If available network bandwidth becomes very limited during an organization’s peak hours, then vulnerability scans should be scheduled to run during off hours.
If some systems on a network become unstable or behave erratically when scanned, they might need to be excluded from vulnerability scans, or the scans may need to be fine-tuned to be less disruptive. Adaptive scanning is a new approach to further automating and streamlining vulnerability scans based on changes in a network. For example, when a new system connects to a network for the first time, a vulnerability scanner will scan just that system as soon as possible instead of waiting for a weekly or monthly scan to start scanning that entire network.
Vulnerability scanners aren’t the only way to gather system vulnerability data anymore, though. Endpoint agents allow vulnerability management solutions to continuously gather vulnerability data from systems without performing network scans. This helps organizations maintain up-to-date system vulnerability data whether an employee’s laptop is connected to the organization’s network or, for example, to a home network. Regardless of how a vulnerability management solution gathers this data, it can be used to create reports, metrics, and dashboards for a variety of audiences.
Step 2: Evaluating Vulnerabilities
After vulnerabilities are identified, they need to be evaluated so the risks posed by them are dealt with appropriately and in accordance with an organization’s risk management strategy. Vulnerability management solutions will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling organizations which vulnerabilities they should focus on first, but the true risk posed by any given vulnerability depends on some other factors beyond these out-of-the-box risk ratings and scores.
Here are some examples of additional factors to consider when evaluating vulnerabilities:
– Is this vulnerability a true or false positive?
– Could someone directly exploit this vulnerability from the Internet?
– How difficult is it to exploit this vulnerability?
– Is there known, published exploit code for this vulnerability?
– What would be the impact to the business if this vulnerability were exploited?
– Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
– How old is the vulnerability/how long has it been on the network?
Like any security tool, vulnerability scanners aren’t perfect. Their vulnerability detection false-positive rates, while low, are still greater than zero. Performing vulnerability validation with penetration testing tools and techniques helps weed out false positives so organizations can focus their attention on dealing with real vulnerabilities. The results of vulnerability validation exercises or full-blown penetration tests can often be an eye-opening experience for organizations that thought they were secure enough or that a vulnerability wasn’t that risky.
Step 3: Treating Vulnerabilities
Once a vulnerability has been validated and deemed a risk, the next step is prioritizing how to treat that vulnerability together with the business or network stakeholders who own the affected systems. There are different ways to treat vulnerabilities, including:
– Remediation: Fully fixing or patching a vulnerability so it can’t be exploited. This is the ideal treatment option that organizations strive for.
– Mitigation: Lessening the likelihood and/or impact of a vulnerability being exploited. This is sometimes necessary when a proper fix or patch isn’t yet available for an identified vulnerability. This option should ideally be used to buy time for an organization to eventually remediate a vulnerability.
– Acceptance: Taking no action to fix or otherwise lessen the likelihood/impact of a vulnerability being exploited. This is typically justified when a vulnerability is deemed a low risk, and the cost of fixing the vulnerability is substantially greater than the cost incurred by an organization if the vulnerability were to be exploited.
Vulnerability management solutions provide recommended remediation techniques for vulnerabilities. Occasionally a remediation recommendation isn’t the optimal way to remediate a vulnerability; in those cases, the right remediation approach needs to be determined by an organization’s security team, system owners, and system administrators. Remediation can be as simple as applying a readily available software patch or as complex as replacing a fleet of physical servers across an organization’s network.
When remediation activities are completed, it’s best to run another vulnerability scan to confirm that the vulnerability has been fully resolved.
However, not all vulnerabilities need to be fixed. For example, if an organization’s vulnerability scanner has identified vulnerabilities in Adobe Flash Player on their computers, but they completely disabled Adobe Flash Player from being used in web browsers and other client applications, then those vulnerabilities could be considered sufficiently mitigated by a compensating control.
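The evaluation factors listed under Step 2 and the three treatment options under Step 3, including the disabled-plugin case just described, can be tied together in a small risk-based prioritization routine. The following is an added example, not code from the article or any vendor product: the weights are a constructed heuristic chosen to illustrate how exposure, exploit availability, business impact, compensating controls and age shift a finding's priority away from its out-of-the-box CVSS score, and the host names and `CVE-0000-...` identifiers are invented.

```python
"""Contextual risk scoring and treatment selection for scanner findings.

Added example, not code from the article or any vendor product. The
weights below are a constructed heuristic chosen to illustrate the factors
the article lists (exposure, exploit availability, business impact,
compensating controls, age); a real program would calibrate its own.
Host names and CVE placeholders are invented.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str
    cvss_base: float            # out-of-the-box score from the scanner, 0.0-10.0
    validated: bool             # confirmed real by vulnerability validation (not a false positive)
    internet_exposed: bool      # directly reachable from the Internet
    exploit_public: bool        # known, published exploit code exists
    business_impact: str        # system owner's view: "low", "medium" or "high"
    compensating_control: bool  # another control already reduces likelihood (e.g. component disabled)
    age_days: int               # how long it has been on the network


IMPACT_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}


def contextual_score(f):
    """Combine likelihood factors with impact into a 0-10 contextual risk score."""
    if not f.validated:
        return 0.0                      # a false positive carries no risk
    likelihood = 0.3                    # baseline: vulnerable and reachable internally
    if f.internet_exposed:
        likelihood += 0.3
    if f.exploit_public:
        likelihood += 0.3
    if f.age_days > 30:
        likelihood += 0.1               # long-lived exposure widens the window
    if f.compensating_control:
        likelihood *= 0.25              # control in place; residual likelihood only
    impact = (f.cvss_base / 10.0) * IMPACT_WEIGHT[f.business_impact]
    return round(10.0 * min(likelihood, 1.0) * min(impact, 1.0), 1)


def treatment(f):
    """Pick one of the article's treatment options from the contextual score."""
    if not f.validated:
        return "close: false positive"
    score = contextual_score(f)
    if f.compensating_control and score < 4.0:
        return "mitigate: compensating control in place, track until remediated"
    if score >= 7.0:
        return "remediate: patch or fix now"
    if score >= 4.0:
        return "remediate: schedule in the next maintenance window"
    return "accept: low risk, record decision and owner"


def prioritize(findings):
    """Work queue ordered from highest to lowest contextual risk."""
    return sorted(((contextual_score(f), f, treatment(f)) for f in findings),
                  key=lambda t: -t[0])


# Constructed sample findings (host, cve, cvss, validated, exposed, exploit,
# business impact, compensating control, age in days).
SAMPLE = [
    Finding("web01", "CVE-0000-0001", 9.8, True, True, True, "high", False, 3),
    Finding("desk07", "CVE-0000-0002", 8.8, True, False, True, "medium", True, 120),  # plugin disabled
    Finding("app02", "CVE-0000-0003", 7.4, True, False, True, "medium", False, 60),
    Finding("int05", "CVE-0000-0004", 5.3, True, False, False, "low", False, 10),
    Finding("web02", "CVE-0000-0005", 9.1, False, True, True, "high", False, 1),      # validated: false positive
]

if __name__ == "__main__":
    for score, f, action in prioritize(SAMPLE):
        print(f"{score:4.1f}  {f.host:7} {f.cve}  -> {action}")
```

Two things the output makes visible: the `desk07` finding keeps its 8.8 base score but drops to the bottom of the remediation queue because the vulnerable component is disabled, which is exactly the compensating-control reasoning in the Flash example, and the `web02` finding with the highest exposure is closed outright because validation showed it to be a false positive. Whatever weights an organization settles on, the decision for every accepted or mitigated finding should be recorded with an owner so it is revisited when the context (a new exploit, a control being removed) changes.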
Step 4: Reporting Vulnerabilities
Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their vulnerability management program over time. Vulnerability management solutions typically have different options for exporting and visualizing vulnerability scan data with a variety of customizable reports and dashboards. Not only does this help IT teams easily understand which remediation techniques will help them fix the most vulnerabilities with the least amount of effort, or help security teams monitor vulnerability trends over time in different parts of their network, but it also helps support organizations’ compliance and regulatory requirements.
Staying Ahead of Attackers through Vulnerability Management
Threats and attackers are constantly changing, just as organizations are constantly adding new mobile devices, cloud services, networks, and applications to their environments. With every change comes the risk that a new hole has been opened in your network, allowing attackers to slip in and walk out with your crown jewels.
Every time you get a new affiliate partner, employee, client or customer, you open up your organization to new opportunities, but you’re also exposing it to new threats. Protecting your organization from these threats requires a vulnerability management solution that can keep up with and adapt to all of these changes. Without that, attackers will always be one step ahead.
How are vulnerabilities defined?
While security vendors can choose to build their own vulnerability definitions, vulnerability management is commonly seen as an open, standards-based effort using the Security Content Automation Protocol (SCAP) standard developed by the National Institute of Standards and Technology (NIST). At a high level, SCAP can be broken down into a few components:
– Common Vulnerabilities and Exposures (CVE) – Each CVE entry identifies a specific, publicly known vulnerability through which an attack may occur.
– Common Configuration Enumeration (CCE) – CCE is a list of system security configuration issues that can be used to develop configuration guidance.
– Common Platform Enumeration (CPE) – CPEs are standardized methods of describing and identifying classes of applications, operating systems, and devices within your environment. CPEs are used to describe what a CVE or CCE applies to.
– Common Vulnerability Scoring System (CVSS) – This scoring system assigns severity scores to each defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. Scores range from 0 to 10, with 10 being the most severe.