The Ultimate Manual to the Vulnerability Management Process

Cybersecurity is one of the most important aspects of running a business in the 21st century. In today’s digital world, businesses are increasingly reliant on technology, which makes them more vulnerable to cyberattacks.

A cyberattack can have serious consequences for a business, including financial loss, reputational damage, and even legal liability.

That’s why it’s so important for businesses to have a vulnerability management process in place.

What Is Vulnerability Management Anyway?

Vulnerability management is the process of identifying, classifying, remediating, and mitigating vulnerabilities. It is a continuous process that should be incorporated into an organization’s overall security program.

The goal of vulnerability management is to reduce an organization’s exposure to known vulnerabilities such as those that exist in software, hardware, and firmware.

This is accomplished by identifying vulnerabilities, assessing their risk, and taking steps to mitigate or remediate them. Vulnerability management is a critical component of cybersecurity and helps organizations protect themselves from cyberattacks.

Why Is Vulnerability Management Important?

There are many reasons why vulnerability management is so important. Here are just a few:

  • It helps businesses stay compliant with industry regulations.
  • It protects businesses from financial loss in the event of a cyberattack.
  • It protects businesses from reputational damage in the event of a cyberattack.
  • It helps businesses avoid legal liability in the event of a data breach.
  • It helps businesses protect their critical infrastructure from cyberattacks.

Additionally, vulnerability management is important because it helps businesses identify and fix vulnerabilities before they can be exploited by cybercriminals, such as in the event of a zero-day exploit.

How the Vulnerability Management Process Works

The vulnerability management process is broken up into four main phases:

Phase 1: Identifying Vulnerabilities

In every business, there are four main types of vulnerabilities:

  • Operational: Vulnerabilities that exist due to the way an organization operates. Examples include outdated software, weak passwords, and unpatched systems.
  • Physical: Vulnerabilities that exist due to the physical security of an organization’s premises. Examples include unlocked doors and windows, poor lighting, and a lack of security cameras.
  • Technological: Vulnerabilities that exist due to the way an organization uses technology. Examples include unencrypted data, the use of default passwords, and poor access control measures.
  • Human: Vulnerabilities that exist due to the behavior of an organization’s employees. Examples include phishing scams, social engineering, and insider threats.

In order to identify vulnerabilities, businesses need to conduct vulnerability assessments. A vulnerability assessment is a process that helps businesses identify, classify, and prioritize vulnerabilities.

There are many different types of vulnerability assessments, but they all have the same goal: to help businesses improve their cybersecurity posture.

A few common types of vulnerability assessments include:

  • Network scans: A network scan is a process that uses automated tools to identify vulnerabilities in a network.
  • Web application scans: A web application scan is a process that uses automated tools to identify vulnerabilities in web applications.
  • Penetration tests: A penetration test (or “pentest”) is a simulated cyberattack that is conducted by ethical hackers. The goal of a pentest is to identify vulnerabilities that could be exploited by cybercriminals.
  • Social engineering: Social engineering is a process that uses human interaction to obtain information or access to systems. It is often used by cybercriminals to gain access to sensitive data or systems.

These all have different purposes and are used at different stages of the vulnerability management process.

Phase 2: Evaluating Vulnerabilities

Once vulnerabilities have been identified, they need to be assessed for risk. This is done by determining the likelihood of a vulnerability being exploited and the potential impact of exploitation.

There are a few ways that businesses can evaluate risks:

CVSS

Common Vulnerability Scoring System (CVSS) logo

The Common Vulnerability Scoring System (CVSS) is a framework that is used to score and rank the severity of vulnerabilities.

It consists of three metric groups: base, temporal, and environmental.

Each metric group has a different weight, and the final score is calculated by taking the weighted average of the scores from each metric group.

CVSS is a widely used framework, and it is often used by businesses to prioritize vulnerabilities when allocating resources.

NIST

National Institute of Standards and Technology (NIST) home page

The National Institute of Standards and Technology (NIST) is a government agency that provides guidance on cybersecurity best practices.

Its Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) is a widely used tool for assessing and managing cybersecurity risks.

The Framework consists of five core functions: identify, protect, detect, respond, and recover.

Each function has a set of associated activities that businesses can use to improve their cybersecurity posture.

Third-Party Risk Management

Third-party risk management (TPRM) is the process of assessing and managing the risks posed by third-party vendors.

When businesses outsource work to third-party vendors, they need to make sure that those vendors have adequate security measures in place.

TPRM involves conducting due diligence on potential vendors, setting expectations for security requirements, and monitoring the security of vendors on an ongoing basis.

Once risks have been evaluated, businesses need to decide how to respond to them. This is done by creating a risk treatment plan, which is a document that outlines the steps that a business will take to mitigate or accept the risks that have been identified.

The steps that a business takes will vary depending on the risks that have been identified, but some common risk treatment options include:

Qualys

Qualys home page

Qualys is a vulnerability management platform that includes a risk scoring engine. A risk scoring engine is a tool that uses CVSS to score and rank vulnerabilities.

Qualys includes a feature that allows businesses to create custom risk scores based on their own unique needs and priorities.

The Qualys Risk Scoring Engine uses a number of factors to score vulnerabilities, including the CVSS conducting patch management.

The engine produces a risk score that is used to prioritize vulnerabilities.

Qualys also offers a number of other features, including asset management and compliance reporting.

Nessus

Nessus home page

Nessus is a commercial vulnerability scanner that can be used to identify vulnerabilities in systems and networks.

It includes a risk scoring engine that uses the CVSS to score and rank vulnerabilities.

Nessus also includes a feature that allows businesses to create custom risk scores based on their own unique needs and priorities.

In addition to vulnerability scanning, Nessus can also be used for compliance checking and asset management.

Phase 3: Treating Vulnerabilities

After vulnerabilities have been identified and scored, businesses need to decide how to treat them.

This is done by creating a risk treatment plan, which is a document that outlines the steps that a business will take to mitigate or accept the risks that have been identified.

The steps that a business takes will vary depending on the risks that have been identified, but some common risk treatment options include:

  • Conducting patch management
  • Implementing security controls
  • Restricting access to systems and data
  • Training employees on cybersecurity best practices

Once a risk treatment plan has been created, businesses need to implement the steps that have been outlined.

This typically involves allocating resources, such as budget and staff, to carry out the necessary tasks.

Once the risk treatment plan has been implemented, businesses need to monitor their progress and make adjustments as needed.

This may involve re-assessing vulnerabilities regularly or modifying security controls if they are not effective.

Phase 4: Reporting

After vulnerabilities have been treated, businesses need to report on their progress.

This is typically done by creating a vulnerability management report, which is a document that outlines the steps that were taken to mitigate or accept the risks that were identified.

The report should include information on the vulnerabilities that were found, the steps that were taken to treat them, and the results of those steps.

It should also include information on any changes that were made to the risk treatment plan and how those changes affected the overall security of the organization.

The report should be shared with all stakeholders, such as senior management, IT staff, and employees.

Example 1: Ecommerce Business

An ecommerce business has decided to implement a vulnerability management program because it wants to improve its cybersecurity posture.

This includes conducting regular vulnerability scans, patching vulnerabilities in a timely manner, and creating a risk treatment plan.

The ecommerce business has decided to use Qualys for its vulnerability management needs.

Why?

Qualys offers a number of features that are beneficial for an ecommerce business, including asset management and compliance reporting.

It also has a robust risk scoring engine that can be used to prioritize vulnerabilities.

The first step the ecommerce company would take is to conduct a vulnerability scan of its systems and networks.

This would allow it to identify any vulnerabilities that exist.

Once the vulnerabilities have been identified, they would be scored using the CVSS.

The next step would be to create a risk treatment plan, which would outline the steps that need to be taken to mitigate or accept the risks that have been identified.

Finally, the ecommerce company would need to implement the risk treatment plan and monitor its progress.

Example 2: Zoom

Historically, Zoom has fallen victim to several cybersecurity attacks including a data breach and the exposure of user data, as well as infamous Zoombombings.

There were even a few zero-day exploits found in the wild.

In order to combat these threats, Zoom decided to implement a vulnerability management program.

This included conducting regular vulnerability scans, patching vulnerabilities in a timely manner, and creating a risk treatment plan.

The first step Zoom took was to conduct a vulnerability scan of its systems and networks.

Once the vulnerabilities were identified, they were scored using the CVSS.

The next step was to create a risk treatment plan, which outlined the steps that needed to be taken to mitigate or accept the risks that had been identified.

Finally, Zoom implemented the risk treatment plan and monitored its progress.

By implementing a vulnerability management program, Zoom has been able to improve its cybersecurity posture and protect its users from potential attacks.

How to Get Started With Vulnerability Management Programs

If you want to get started with a vulnerability management program for your organization, here are the steps you should take:

Step 1: Build Out Your Team

The first thing you need to do when building a vulnerability management program is to lay the groundwork.

And that starts with building out your team.

Your team should be composed of individuals with different backgrounds and expertise, including but not limited to:

  • A senior executive who will sponsor the program
  • An information security professional who will lead the program
  • IT staff who will be responsible for conducting scans and patching vulnerabilities
  • Employees who will be responsible for ensuring that all systems and networks are compliant

Each organization will be different, but these are a few of the roles that should be included on your team.

Step 2: Get the Right Tools

If you want your vulnerability management program to be successful, you need to have the right tools in place.

Vulnerability-finding tools can locate the vulnerabilities and track and assess them. Your organization might already have some of these tools in place, but you might need to invest in new ones as well.

Vulnerability management tools will help your organization keep track of its digital assets and infrastructure, as well as the potential risks to these assets.

After conducting a risk assessment, your organization can deploy the vulnerability management solution to help identify and prioritize the vulnerabilities that pose the greatest risk.

The solution then creates a remediation workflow, which is shared with IT and DevOps, to address these vulnerabilities. In this way, the solution helps to keep the organization’s digital assets and infrastructure safe and secure.

Some factors you should consider when choosing a tool include:

  • The size of your organization
  • The type of industry you’re in
  • Your budget
  • The features you need

Once you’ve considered all of these factors, you should be able to narrow down your options and choose the best tool for your organization.

Step 3: Compare the Threat With Your Overall Environment

When cross-referencing your threat landscape with your organization’s overall environment, you will be able to identify which systems and assets are most critical to your business.

You should also take into account the type of data that is stored on these systems, as well as the sensitivity of this data.

After you have a good understanding of your organization’s critical systems and assets, you can start to prioritize the vulnerabilities that pose the greatest risk to these systems.

While the standard toolsets for vulnerability management are a great starting point, they leave much to be desired in terms of comprehensive security. CVE lists, CPE information, and CWE enumerations are all essential data sources, but they only offer a limited view of the true security landscape.

To get a complete picture, you need a program that incorporates real-world data from a variety of sources. This data includes everything from historical vulnerabilities to current attack vectors.

By cross-referencing this information, you can get a clear understanding of the threats you face and the best way to protect your systems. With this knowledge in hand, you can make informed decisions about where to allocate your resources and how to best defend your network.

Step 4: Understand Your Organization’s Assets and Risk Aversion

To properly understand and manage vulnerabilities, you need to have a clear understanding of your organization’s assets.

You should also know how risk-averse your organization is. This will help you determine the acceptable level of risk for your organization and the best way to mitigate these risks.

There are a few different factors that can influence your risk tolerance, including the industry you work in and the specific guidelines of your company. It’s helpful to look for sources within your company that can provide guidance on how to assess risk and what the acceptable levels of risk are for different aspects of the business.

For each specific vulnerability, you need to weigh the costs and benefits of remediation. In some cases, it may be more cost-effective to wait and see if the problem resolves itself. In other cases, it may be worth it to take immediate action to mitigate the risk.

The key is to understand your own risk tolerance and use that knowledge to make informed decisions.

Step 5: Prioritize Your Vulnerabilities

Security teams have a lot of data to sift through these days and so the platform you choose is critical in this step. They need to know not just what’s happening on their network, but also what’s happening in the world at large in order to properly assess risk.

That’s why it’s so important to choose a platform that offers real-world vulnerability intelligence. Data science can help you make sense of all the data, and automated risk analysis can help you prioritize which risks are most important.

Customized risk metrics can help you track progress over time, and even risk-based SLAs can help you hold your service providers accountable. The best platforms will offer all of these features and more, giving you the insights you need to make informed decisions about your security posture.

When it comes time to prioritize your vulnerabilities, there are a few different factors you need to take into account. The first is the severity of the vulnerability. This can be determined by looking at the CVSS score or by using your own organization’s scoring system.

You also need to take into account the number of systems that are affected by the vulnerability. If a large percentage of your systems are affected, then it’s likely that you’ll need to take action sooner rather than later.

Finally, you need to consider the likelihood that the vulnerability will be exploited. This can be difficult to assess, but there are a few different resources you can use to get an idea of what the likelihood is. The NIST Vulnerability Database is one such resource.

Once you’ve taken all of these factors into account, you can prioritize your vulnerabilities and start working on remediation.

Step 6: Remediation and Reporting

The final step in the vulnerability management process is to remediate the vulnerabilities you’ve identified. This can be done in a number of different ways, depending on the severity of the vulnerability and the resources you have available.

For example, if a vulnerability is rated as high severity, you may need to take immediate action to patch the affected systems. In other cases, you may be able to mitigate the risk by implementing security controls or workarounds.

Once you’ve remediated a vulnerability, it’s important to track your progress and report on the results. This helps you measure your success and identify any areas where you need to improve.

The best way to do this is to choose a platform that offers reporting and analytics features. This way, you can see which vulnerabilities have been remediated, which are still open, and what the trends are over time.

You can also use this data to create reports for your executive team or board of directors. These reports can help them understand the state of your security posture and make informed decisions about your security budget.

By following these steps, you can create a comprehensive vulnerability management program that will help you keep your systems secure and your business safe.

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
CIO of GitLab

Incredible companies use Nira