Vulnerability management is a combination of processes and products aimed at maintaining an inventory of an organization’s digital infrastructure, probing it for vulnerabilities, and remediating the identified weaknesses. It is a cyclical practice and the antithesis of the well-known IT adage, “If it ain’t broke, don’t fix it.” That principle simply does not work in enterprise security these days. If digital assets are not monitored and fortified continuously, they turn into low-hanging fruit.
A scanner is not enough
Unlike a vulnerability scanner, a vulnerability management system has the main goal of hardening infrastructure security and providing emergency response to the most hazardous threats. Finding a loophole in a system is half the battle; it must also be fixed so that threat actors cannot use it as an entry point. The methods of vulnerability assessment and the prioritization of detected issues based on the customer’s infrastructure are just as important. Scanners do not do that.
Vulnerability management is, essentially, an add-on to the scanning process that evaluates, prioritizes, and remediates detected vulnerabilities. Customers’ needs are changing: whereas the key objective used to boil down to discovering a vulnerability, now it is more about the ways to address the problem.
As for the licensing models used by vulnerability management systems, they are typically based on the number of protected IP addresses. It does not matter where they are located or how many installations the customer requires. The cost of a vulnerability scanner, on the other hand, depends on the installation count and scanning parameters, such as the number of hosts.
In addition, there are different types of installations, with some vendors offering unlimited use of their systems. The price tag can also be influenced by the set of features, some of which are available as paid extras.
Criteria for choosing a vulnerability management system
The most important characteristics include the size of the organization, the number of its branches located in different time zones, as well as product localization, which is the ability to detect region-specific and industry-specific vulnerabilities.
An interesting factor relates to how well the company’s InfoSec and IT departments can negotiate the necessary features of the solution. InfoSec specialists usually prioritize vulnerability detection, while IT teams are mainly focused on patch deployment. Therefore, the overlap of these two areas will define the parameters of the system.
It is also worth looking at the completeness and frequency of updates as well as at the operating systems that the scanner supports. The ideal vulnerability management system should also fit the context of the industry the organization represents and the applications it is currently using.
At the stage of contract signing, the vendor may reassure the customer of its readiness to add new products and features down the road. Unfortunately, some providers do not always carry through with such commitments. Therefore, it is best to focus on the readily available functionality of the solution.
A useful feature of any vulnerability management system is the ability to enrich your own vulnerability database with information from third-party sources. It is also great if the solution can provide an example of an exploit that piggybacks on a specific vulnerability.
Most customers are faced with a classic dilemma: to use a free scanner or purchase a commercial solution from the get-go. Maintaining an up-to-date vulnerability database is a tedious and expensive process. Therefore, in the case of a free product, the development team may have to prioritize other areas of their activity in pursuit of alternative sources of income, which explains why these scanners have some limitations.
Tools under the vulnerability management umbrella
The set of solutions needed to organize the vulnerability management process within a company may include:
- Different instruments for gathering information about vulnerabilities, such as scanners, tools for processing data from third-party sources, and repositories of information independently obtained by InfoSec specialists.
- Vulnerability prioritization tools that apply CVSS scores and gauge the value of the asset potentially affected by the flaw.
- Tools for interaction with external databases.
- Systems that handle a vulnerability in the context of the organization, its infrastructure, and the global attack surface.
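The prioritization step in the list above, as an added example that is not part of the original article: it ranks constructed findings by combining the CVSS base score with the value of the affected asset and a boost when a public exploit is known. The asset values, weights, host names and vulnerability identifiers are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # identifier of the vulnerability signature (constructed)
    host: str
    cvss: float         # CVSS base score, 0.0 to 10.0
    exploit_known: bool  # a public exploit exists for this flaw


# Constructed asset inventory: host -> business criticality, 1 (low) to 5 (critical).
ASSET_VALUE = {
    "db-prod-01": 5,
    "web-prod-02": 4,
    "dev-ws-17": 1,
}


def priority_score(f: Finding, asset_value: dict = ASSET_VALUE) -> float:
    """Risk-weighted score: CVSS scaled by asset value, boosted if an exploit exists.

    Unknown hosts default to value 1 so an unmanaged asset is not silently dropped.
    Assumed weights: result ranges from 0.0 to 75.0 (10 * 5 * 1.5).
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.vuln_id}: {f.cvss}")
    value = asset_value.get(f.host, 1)
    boost = 1.5 if f.exploit_known else 1.0
    return round(f.cvss * value * boost, 1)


def prioritize(findings: list, asset_value: dict = ASSET_VALUE) -> list:
    """Return findings sorted from most to least urgent, ties broken by raw CVSS."""
    return sorted(findings,
                  key=lambda f: (priority_score(f, asset_value), f.cvss),
                  reverse=True)


# Constructed sample findings: the 9.8 flaw on a developer workstation ends up
# below a lower-CVSS but exploitable flaw on the production database.
SAMPLE = [
    Finding("VULN-0001", "dev-ws-17", 9.8, False),
    Finding("VULN-0002", "db-prod-01", 7.4, True),
    Finding("VULN-0003", "web-prod-02", 5.3, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):5.1f}  {f.vuln_id}  {f.host}")
```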
Asset management and automatic patches
The asset management process should have a maximum degree of automation, cover the entire infrastructure of the organization, and take place on a regular basis. It is impossible to prioritize vulnerabilities unless these conditions are met. Also, there is no way to control the IT infrastructure of an organization without knowing exactly what it consists of. Therefore, asset management is a hugely important part of vulnerability management.
The main prerequisite for automating the patch management process is to assign a specific identifier to each vulnerability signature and make sure that the next update addresses it. This is a complex workflow with many pitfalls. The consequences of skipping a single update can be disastrous, so patch deployment must be as well-orchestrated as possible.
It is also important to adjust automatic patches to a specific application area. For workstations, it is acceptable to restrict updates to the operating system and basic software such as browsers and office apps. In the case of servers, things are more complicated because there is a lot at stake, and a buggy update can affect the availability of business-critical IT resources.
When it comes to monitoring the enterprise infrastructure, most companies prefer scanning over installing agents on endpoints, as the agents themselves often become malware entry points. However, if a host cannot be reached in any other way, you must use data collection applications.
As previously mentioned, seamless interaction between InfoSec and IT departments makes a difference. The two teams must agree on policies that specify who is responsible for installing updates for certain resources and how often this will occur. Essentially, the vulnerability management process should come down to monitoring the compliance with such agreements and installing urgent patches.
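The compliance monitoring described above, as an added example that is not from the original article: it checks open findings against a constructed InfoSec/IT agreement that names the responsible team and the maximum patching time per resource class, with a shorter deadline when an exploit is known (the "urgent patches" case). The policy values, dates, hosts and identifiers are all assumptions.

```python
from datetime import date, timedelta

# Constructed agreement: resource class -> responsible team and days allowed to patch.
POLICY = {
    "workstation": {"owner": "IT-desktop", "normal": 30, "urgent": 7},
    "server":      {"owner": "IT-ops",     "normal": 14, "urgent": 3},
}

# Reporting date fixed here so the example is reproducible offline.
AS_OF = date(2024, 1, 20)


def deadline(finding: dict) -> date:
    """Date by which the agreement requires the finding to be patched."""
    rule = POLICY[finding["class"]]
    days = rule["urgent"] if finding["exploit_known"] else rule["normal"]
    return finding["detected"] + timedelta(days=days)


def compliance_report(findings: list, today: date = AS_OF) -> list:
    """One row per open finding: owner, due date and days overdue (0 if still on time)."""
    report = []
    for f in findings:
        if f.get("patched"):
            continue  # closed findings are outside the compliance check
        due = deadline(f)
        report.append({
            "vuln_id": f["vuln_id"],
            "host": f["host"],
            "owner": POLICY[f["class"]]["owner"],
            "due": due.isoformat(),
            "overdue_days": max(0, (today - due).days),
        })
    # Most overdue first, so the escalation list is the top of the report.
    return sorted(report, key=lambda r: r["overdue_days"], reverse=True)


# Constructed findings: an exploitable server flaw past its 3-day window,
# a workstation flaw still inside its 30-day window, and one already patched.
SAMPLE_FINDINGS = [
    {"vuln_id": "VULN-0002", "host": "db-prod-01", "class": "server",
     "detected": date(2024, 1, 10), "exploit_known": True, "patched": False},
    {"vuln_id": "VULN-0001", "host": "dev-ws-17", "class": "workstation",
     "detected": date(2024, 1, 10), "exploit_known": False, "patched": False},
    {"vuln_id": "VULN-0003", "host": "web-prod-02", "class": "server",
     "detected": date(2024, 1, 2), "exploit_known": False, "patched": True},
]

if __name__ == "__main__":
    for row in compliance_report(SAMPLE_FINDINGS):
        print(row)
```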
What does the future hold for vulnerability management systems?
At this point, there is a distinct trend toward increasing automation of asset monitoring and patch deployment. As enterprise infrastructures continue to migrate into the cloud, it is within the realms of possibility that the process of vulnerability scanning will be reduced to checking cloud security settings. Another evolutionary vector boils down to improving vulnerability assessment systems. Vulnerability prioritization tools will include more data, especially regarding the most “exploitable” vulnerabilities.
There is also a good chance that these systems will switch to an all-in-one logic in the next few years, where a single solution will provide a full spectrum of InfoSec management instruments. The emergence of an all-embracing platform that includes vulnerability management, asset management, and risk management capabilities along with other protection features is quite likely. Perhaps, there will be a one-stop vulnerability management console for all elements of digital infrastructure – from a server or printer to a container on a dedicated host.