5 Stages of Vulnerability Management Program Best Practices


Vulnerability management is a foundational cornerstone for reducing your organization’s cyber risk, but what are vulnerabilities, and why is it important to build a strong vulnerability management program? The National Institute of Standards and Technology (NIST) defines a vulnerability as a “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” With hundreds of thousands of vulnerabilities already discovered, it is increasingly important to get vulnerability management right and to keep the program evolving with the times.

5-Phase Approach to Vulnerability Management

If you search the internet for the phrase “vulnerability management,” you will notice that there are many different approaches to this topic. A good way to consolidate the various methods is a 5-phase approach:

  1. Asset Discovery
  2. Asset Prioritization and Assessment
  3. Reporting
  4. Remediation/Mitigation
  5. Verification

Asset Discovery

Asset discovery is the first step in building a vulnerability management policy. Many frameworks, such as NIST’s Cybersecurity Framework and the CIS Critical Controls, advise that asset discovery begin with a comprehensive authenticated and unauthenticated network scan of every asset on the organization’s network, hardware and software alike. The scan gives your organization a baseline for identifying vulnerabilities and weakly configured software or hardware, and it lets the organization build a documented inventory. This phase of the vulnerability management process is the most important one, because you can’t protect what you don’t know about.

Asset Prioritization and Assessment

Prioritizing each asset and grouping assets by impact severity is the next step in vulnerability management. Most modern vulnerability scanning tools map findings to multiple regulatory rules as well as to the Common Vulnerability Scoring System (CVSS). A CVSS score is a severity score assigned to a vulnerability based on its properties. Relying solely on CVSS scores to prioritize assets is not recommended, however, because the scores are static: they do not account for new publications about the vulnerability or for how much time has passed since it was first published.

Just like the asset discovery phase, asset prioritization also has several frameworks and guides that can help an organization. The CISA Stakeholder-Specific Vulnerability Categorization (SSVC) Guide is, “a customized decision tree model that assists in prioritizing vulnerability response for the United States government . . . The goal of SSVC is to assist in prioritizing the remediation of vulnerability based on the impact exploitation would have to the organization.” While specific to United States government (USG), state, local, tribal, and territorial (SLTT) governments, and critical infrastructure (CI) entities, several of the factors SSVC explores are relevant outside of that scope:

  1. (State of) Exploitation: This seeks to examine if the vulnerability is currently being exploited in the wild, and if there are publicly available Proof of Concept (PoC) examples.
  2. Technical Impact: Similar to the base score of the CVSS, this is the severity score. This score is based on whether the vulnerability discloses authenticated or unauthenticated control of the component.
  3. Automatable: This categorization is evaluated based on how easy it is for an attacker to cause exploitation events, particularly if the exploitation is wormable.
  4. Mission Prevalence: Impact on business essential functions.
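The static-score problem noted above and the four SSVC factors just listed can be combined into a small prioritization routine. The Python below is an added illustration written for this article; it is not code from the article's author or from CISA's SSVC tooling. The outcome labels follow SSVC's Track/Attend/Act naming, but the rules that map the factors to them, the exploitation weights and the age bonus are simplified assumptions chosen to show the shape of the logic, and the sample findings use constructed placeholder CVE ids.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical finding record: the four categorical fields mirror the SSVC
# factors named in the article; the rest is what a scanner export carries.
@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_base: float          # static CVSS base score from the scanner
    published: date           # date the vulnerability was first published
    exploitation: str         # "none" | "poc" | "active"
    technical_impact: str     # "partial" | "total"
    automatable: bool         # can exploitation be scripted / is it wormable?
    mission_prevalence: str   # "minimal" | "support" | "essential"

# Assumed weights: the static base score is scaled by the exploitation state,
# and a small bonus accrues the longer the issue stays unpatched.
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 1.2, "active": 1.5}
MAX_AGE_BONUS = 1.0  # reached after two years in the wild

def adjusted_score(f: Finding, today: date) -> float:
    """CVSS base score adjusted for exploitation state and age, capped at 10."""
    age_years = (today - f.published).days / 365
    age_bonus = min(age_years, 2.0) * (MAX_AGE_BONUS / 2.0)
    return round(min(10.0, f.cvss_base * EXPLOIT_WEIGHT[f.exploitation] + age_bonus), 1)

def decide(f: Finding) -> str:
    """Simplified SSVC-style decision tree (assumed rules, not CISA's tree)."""
    if f.exploitation == "active" and (
        f.mission_prevalence == "essential" or f.technical_impact == "total"
    ):
        return "Act"      # actively exploited where it hurts most
    if f.automatable and f.technical_impact == "total" and f.mission_prevalence == "essential":
        return "Act"      # wormable total compromise of an essential function
    if f.exploitation in ("poc", "active") or f.cvss_base >= 9.0:
        return "Attend"   # public PoC, or critical by base score alone
    if f.automatable and f.mission_prevalence != "minimal":
        return "Attend"
    return "Track"

DECISION_RANK = {"Act": 0, "Attend": 1, "Track": 2}

def prioritize(findings, today: date):
    """Return (decision, adjusted score, CVE id) tuples, most urgent first."""
    rows = [(decide(f), adjusted_score(f, today), f.cve) for f in findings]
    return sorted(rows, key=lambda r: (DECISION_RANK[r[0]], -r[1]))

# Constructed sample findings with placeholder ids (not real CVEs).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, date(2024, 5, 20), "active", "total", True, "essential"),
    Finding("CVE-0000-0002", 7.5, date(2022, 1, 15), "none", "partial", False, "support"),
    Finding("CVE-0000-0003", 5.3, date(2024, 3, 1), "poc", "partial", True, "minimal"),
    Finding("CVE-0000-0004", 9.1, date(2023, 11, 1), "none", "total", False, "support"),
]

if __name__ == "__main__":
    for decision, score, cve in prioritize(SAMPLE, TODAY):
        print(f"{decision:6} {score:4} {cve}")
```

Note how the two-year-old finding with a 7.5 base score ends up with a higher adjusted score (8.5) than the finding that has a public proof of concept (6.5), yet still ranks below it: the decision tree decides the class, and the adjusted score only orders findings within a class. That separation is the point of pairing an SSVC-style decision with a score that is not frozen at publication time.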

Asset prioritization shows how much organizations need to make vulnerability management a continuous process rather than a one-off exercise. The same idea is expressed in CIS Control 7, which one expert paraphrased as, “if a vulnerability is patched, it cannot be exploited.”

Reporting

The reporting phase is important because the level of detail reported determines how concrete the security plan for known vulnerabilities can be. You will never eliminate every vulnerability, but a strong security plan gives you metrics that you can review to determine whether progress is being made in reducing risk.

Remediation/Mitigation

Remediation follows prioritization: once you know which vulnerabilities pose the greatest threat to your organization, you act to remove them. This is generally done by applying a patch. While patching is the preferred long-term course of action, it is not always an easy process; it can require downtime for critical components, which is where mitigation comes into play.

Mitigation reduces the impact of the vulnerability without fully eliminating it. It is typically achieved by changing configuration options or disabling the vulnerable component, and it is used when a patch is not yet available or cannot yet be applied. Mitigation is classified as a compensating control.

Verification

The final phase of the vulnerability management process is to verify that the work of the previous phases was carried out correctly. Once a baseline is established through the earlier phases, organizations can look to automation to reduce costs and improve efficiency. Automation can run verification scans after remediation, process regular audits, confirm that patches were applied successfully, and confirm that threats have been mitigated or eliminated.
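The verification scan described here, and the reporting metrics mentioned in the Reporting phase, can both be produced by comparing a baseline scan export against a rescan. The following Python is an added example written for this article, not code from the article's author or any scanner vendor. It assumes the scanner exports a CSV with `host`, `cve` and `severity` columns (an assumption; real exports vary) and that the remediation tracker can supply the (host, CVE) pairs whose tickets were closed as fixed. The scan data and ticket list are constructed, with placeholder CVE ids.

```python
import csv
import io

# Constructed scanner exports (host,cve,severity), not real scan output;
# the CVE ids are placeholders.
BASELINE_CSV = """host,cve,severity
web-01,CVE-0000-0001,critical
web-01,CVE-0000-0002,high
db-01,CVE-0000-0003,medium
app-02,CVE-0000-0002,high
"""

RESCAN_CSV = """host,cve,severity
web-01,CVE-0000-0002,high
db-01,CVE-0000-0004,high
app-02,CVE-0000-0002,high
"""

# (host, cve) pairs that remediation tickets claim were fixed (constructed).
CLAIMED_FIXED = {("web-01", "CVE-0000-0001"), ("app-02", "CVE-0000-0002")}

def load_findings(csv_text: str) -> dict:
    """Map (host, cve) -> severity from a scanner CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["host"], row["cve"]): row["severity"] for row in reader}

def _count_by_severity(findings: dict) -> dict:
    """Count findings per severity label, sorted for stable reporting."""
    counts = {}
    for sev in findings.values():
        counts[sev] = counts.get(sev, 0) + 1
    return dict(sorted(counts.items()))

def verify(baseline_csv: str, rescan_csv: str, claimed_fixed: set) -> dict:
    """Compare a baseline scan against a rescan and report remediation status."""
    before = load_findings(baseline_csv)
    after = load_findings(rescan_csv)
    before_keys, after_keys = set(before), set(after)
    remediated = before_keys - after_keys      # gone from the rescan
    still_open = before_keys & after_keys      # present in both scans
    new = after_keys - before_keys             # appeared since the baseline
    # Tickets closed as fixed while the scanner still sees the issue: this is
    # the failure mode the verification phase exists to catch.
    failed = claimed_fixed & after_keys
    return {
        "remediated": sorted(remediated),
        "still_open": sorted(still_open),
        "new": sorted(new),
        "failed_remediation": sorted(failed),
        # Reporting metric: share of baseline findings no longer present.
        "remediation_rate": len(remediated) / len(before_keys) if before_keys else 1.0,
        # Open findings by severity, for the trend report.
        "open_by_severity": _count_by_severity(after),
    }

if __name__ == "__main__":
    report = verify(BASELINE_CSV, RESCAN_CSV, CLAIMED_FIXED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the rescan shows one ticket closed as fixed on `app-02` while the finding is still present, which is exactly the discrepancy an automated verification run should raise rather than let the closed ticket stand. The `new` bucket matters too: a rescan that only checks the old findings would miss issues introduced since the baseline, so the comparison is run in both directions.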

Vulnerability management is often seen as an insurmountable mountain. With a systematic approach and the right tools, however, every organization can achieve the best security possible.
