Modern enterprise networks are vast systems of remote and on-premises endpoints, locally installed software, cloud apps, and third-party services. Every one of these assets plays a vital role in business operations—and any of them could contain vulnerabilities that threat actors can use to sow chaos. Organizations rely on the vulnerability management process to head off these cyberthreats before they strike.
The vulnerability management process is a continuous process for discovering, prioritizing, and resolving security vulnerabilities across an organization’s IT infrastructure.
Security vulnerabilities defined
A security vulnerability is any weakness or flaw in the structure, function, or implementation of an IT asset or network that hackers or cybercriminals can exploit to cause harm. Coding errors—e.g., a bug in a web app that lets threat actors inject the system with malware—are a common type of vulnerability. Misconfigurations, like a cloud storage bucket that exposes sensitive data to the public internet, are also common.
A continuous vulnerability management process helps stop cyberattacks—and soften the blow of those that succeed—by finding and fixing flaws before threat actors can weaponize them. In short, it enables the security team to adopt a more proactive security posture, which is why vulnerability management is a key component of enterprise risk management strategies today.
The vulnerability management lifecycle
Corporate networks are not static. Every change—adopting a new app, updating an operating system—can introduce new vulnerabilities. Plus, hackers are always hunting for undiscovered flaws, and it only takes them about 12 days to start exploiting the ones they find.
To keep up with these adversaries and respond to cyberthreats in a timely manner, security teams address vulnerabilities in an ongoing process called the vulnerability management lifecycle. Each cycle leads directly into the next, and the intel collected in each cycle shapes how the next one plays out.
Typically, the vulnerability management lifecycle includes five stages, plus an occasional planning phase.
Planning and prework
Before the lifecycle officially starts, the organization establishes its overall strategy for addressing security weaknesses. This includes identifying responsible stakeholders, earmarking resources, setting goals, and defining key performance metrics.
Organizations go through this stage once before implementing a formal vulnerability management process. Then, the overall strategy is revisited periodically and updated as needed.
1. Asset discovery and vulnerability assessment
Every round of the vulnerability management lifecycle starts with updating the inventory of all the hardware, software, and other IT assets active on the company network. Security teams often use attack surface management platforms or other asset discovery tools to automate this process.
Next, the security team conducts vulnerability scans to identify vulnerabilities in these assets. The team may use a combination of vulnerability management tools and methods to assess all assets, including automated vulnerability scanners, penetration tests, and logs from internal security tools.
2. Vulnerability prioritization
The security team uses the results of vulnerability assessments to sort out false positives and prioritize discovered vulnerabilities by level of criticality. Prioritization enables security teams to focus on the biggest security risks first.
Resources like the Common Vulnerability Scoring System (CVSS), MITRE’s list of Common Vulnerabilities and Exposures (CVEs), and NIST’s National Vulnerability Database (NVD) can help security teams get a baseline understanding of how critical their vulnerabilities are.
Cybersecurity teams then combine this external threat intelligence with company-specific data to understand how known vulnerabilities affect their unique networks.
3. Vulnerability resolution
The security team works through the list of vulnerabilities, moving from most critical to least. Generally, they have three options for resolving these flaws:
Remediation: Fully addressing a vulnerability so it can no longer be exploited, such as by patching software vulnerabilities or fixing device misconfigurations.
Mitigation: Making a vulnerability more difficult to exploit and/or lessening the impact of exploitation without removing the vulnerability entirely. For example, putting a firewall around a vulnerable asset and training employees on social engineering attacks would be forms of mitigation.
Acceptance: If a vulnerability is unlikely to be exploited or wouldn’t cause much impact, the company may accept it.
4. Reassessment and monitoring
To confirm that mitigation and remediation efforts worked—and to ensure they don’t introduce any new problems—the security team reassesses the assets. The team also takes stock of the overall network and the general cyberthreat landscape, as changes in either one may require updates to security controls or criticality ratings.
5. Reporting and improvement
Vulnerability management platforms typically provide dashboards for reporting metrics like mean time to detect (MTTD), mean time to respond (MTTR), and vulnerability recurrences. The security team can use these metrics to report back to stakeholders and audit the vulnerability management program, looking for opportunities to improve performance over time.
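An added example (not the page's or any platform's code) of computing the reporting metrics named above from constructed tracker records. It assumes MTTD is measured from advisory publication to first detection, MTTR from detection to the rescan that confirmed the fix, and that a finding logged again for the same asset and CVE after being resolved counts as a recurrence; the records, asset names and CVE identifiers are placeholders.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed tracker records (sample data, not from a real environment). Dates are
# ISO strings; "resolved" is None while the finding is still open.
RECORDS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "severity": "critical",
     "published": "2024-03-01", "detected": "2024-03-03", "resolved": "2024-03-06"},
    {"asset": "web-01", "cve": "CVE-0000-0001", "severity": "critical",  # back after a rollback
     "published": "2024-03-01", "detected": "2024-03-21", "resolved": "2024-03-22"},
    {"asset": "db-01", "cve": "CVE-0000-0002", "severity": "high",
     "published": "2024-02-10", "detected": "2024-02-25", "resolved": "2024-03-30"},
    {"asset": "app-01", "cve": "CVE-0000-0003", "severity": "medium",
     "published": "2024-03-05", "detected": "2024-03-06", "resolved": None},
]

def _days(start: str, end: str) -> int:
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def mttd_days(records, severity=None) -> float:
    """Mean time to detect: advisory publication -> first scanner detection.
    Pass a severity band to restrict the calculation to that band."""
    deltas = [_days(r["published"], r["detected"])
              for r in records if severity in (None, r["severity"])]
    return round(float(mean(deltas)), 1) if deltas else 0.0

def mttr_days(records, severity=None) -> float:
    """Mean time to resolve: detection -> rescan confirming the fix.
    Open findings have no resolution date and are left out of the mean."""
    deltas = [_days(r["detected"], r["resolved"])
              for r in records if r["resolved"] and severity in (None, r["severity"])]
    return round(float(mean(deltas)), 1) if deltas else 0.0

def recurrences(records) -> dict:
    """(asset, cve) pairs logged more than once: a fix that did not stick."""
    counts = Counter((r["asset"], r["cve"]) for r in records)
    return {key: n for key, n in counts.items() if n > 1}

def report(records) -> dict:
    """Dashboard-style summary, overall and per severity band."""
    bands = sorted({r["severity"] for r in records})
    return {
        "overall": {"mttd": mttd_days(records), "mttr": mttr_days(records)},
        "by_severity": {b: {"mttd": mttd_days(records, b), "mttr": mttr_days(records, b)} for b in bands},
        "recurrences": recurrences(records),
    }
```

Call `report(RECORDS)` to get the summary; the medium band reports an MTTR of 0.0 because its only finding is still open, which is why open counts should be shown beside the means on a real dashboard.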
Best practices for an effective vulnerability management program
Security teams can better understand each vulnerability’s criticality by considering how a flaw relates to other vulnerabilities in the system. For example, a non-critical flaw in a non-critical asset may not seem important in isolation. If hackers can use that non-critical asset as a stepping stone to exploit a vulnerability in a more critical system, it may take on a higher priority.
Correlating vulnerabilities can also help find and fix underlying issues that may make the network more susceptible to cyberattacks. For example, if vulnerability assessments keep turning up outdated assets, it may be a sign the patch management process needs an overhaul.
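As an added illustration of the prioritization stage described earlier and of the stepping-stone reasoning just above (example code, not from the page or from any vendor's ranking engine), this Python script ranks constructed scan findings by CVSS base score, reported exploit availability, and the most critical asset reachable from the affected host. The asset inventory, reachability edges, weights and CVE identifiers are all assumed placeholders.

```python
from dataclasses import dataclass

# Constructed asset inventory (not a real network): business criticality 1-5 and the
# other assets each one can reach, e.g. via a trust relationship or network path.
ASSETS = {
    "web-01":   {"criticality": 2, "reaches": {"app-01"}},
    "app-01":   {"criticality": 4, "reaches": {"db-01"}},
    "db-01":    {"criticality": 5, "reaches": set()},
    "kiosk-07": {"criticality": 1, "reaches": set()},
}

@dataclass
class Finding:
    asset: str
    cve: str              # placeholder identifiers below, not real advisories
    cvss: float           # CVSS base score as published in an NVD-style feed (0-10)
    exploit_known: bool   # threat intel reports a weaponized public exploit
    false_positive: bool = False

def reachable_criticality(asset: str) -> int:
    """Highest criticality among the asset itself and everything reachable from it."""
    seen, stack, best = set(), [asset], 0
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        best = max(best, ASSETS[current]["criticality"])
        stack.extend(ASSETS[current]["reaches"])
    return best

def priority(f: Finding) -> float:
    """Blend the external severity rating with company-specific context."""
    score = f.cvss + (2.0 if f.exploit_known else 0.0)   # weaponized exploits jump the queue
    # Stepping-stone rule: scale by the most critical system the host can reach, so a
    # modest flaw on a low-value host that fronts the database still ranks high.
    return round(score * reachable_criticality(f.asset) / 5.0, 2)

def prioritize(findings: list) -> list:
    """Drop triaged false positives and rank the rest, most critical first."""
    ranked = [(f.asset, f.cve, priority(f)) for f in findings if not f.false_positive]
    return sorted(ranked, key=lambda row: row[2], reverse=True)

SAMPLE = [
    Finding("kiosk-07", "CVE-0000-0001", 9.8, True),
    Finding("web-01",   "CVE-0000-0002", 6.5, False),
    Finding("db-01",    "CVE-0000-0003", 7.5, False),
    Finding("app-01",   "CVE-0000-0004", 5.0, False, false_positive=True),
]
```

Running `prioritize(SAMPLE)` places the medium-severity web-01 flaw above the 9.8-scored kiosk finding because the kiosk reaches nothing of value while web-01 fronts the database.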
According to Gartner, one of the most common vulnerability management mistakes is when security teams send raw vulnerability scan results to asset owners. These reports can contain hundreds or thousands of vulnerabilities, making it hard for IT teams to determine the most effective remediation strategy.
Security teams can use the prioritization stage to not only rank vulnerabilities but also curate threat intelligence and other information into digestible reports. That way, other stakeholders in vulnerability management can help move the process along instead of getting bogged down in the details.
Strategically schedule scans
Some organizations use continuous scanning tools to flag vulnerabilities in real time. Those that don't must be intentional about when they schedule scans.
Vulnerability assessments can be time- and resource-intensive, so security teams may not want to scan every asset during every assessment. Generally, organizations group assets on their networks according to criticality level. More critical asset groups are scanned more often, typically weekly or monthly. Less critical assets may be scanned quarterly or less often.
Scans can also affect the performance of some assets, so the organization may schedule assessments for off-hours when the assets aren’t being used.
Automate wherever possible
Given the sheer number of assets in the average enterprise network, manual vulnerability management processes typically aren’t feasible. Instead, security teams often use vulnerability management systems to automate key workflows like asset discovery, vulnerability assessment, prioritization, and patch management.
Explore vulnerability management solutions
Even with the right security tools in place, it can be hard for security teams to keep up with all the potential threats and risks in their enterprise networks.
IBM X-Force® Red can help streamline the vulnerability management process. The X-Force® Red team offers comprehensive vulnerability management services, working with organizations to identify critical assets, discover high-risk vulnerabilities, fully remediate weaknesses, and apply effective countermeasures. X-Force Red’s patented, hacker-developed ranking engine automatically prioritizes vulnerabilities based on weaponized exploits and key risk factors. And concurrent remediation helps even small security teams fix the most critical vulnerabilities first, and fast. The result can help organizations minimize risk of compromise while saving time and resources.
IBM Security® QRadar® Suite can further support resource-strained security teams with a modernized threat detection and response solution. QRadar Suite integrates endpoint security, log management, SIEM and SOAR products within a common user interface, and embeds enterprise automation and AI to help security analysts increase productivity and work more effectively across technologies.