What is the vulnerability management lifecycle?

Author: Matthew Kosinski, Staff Editor, IBM Think

The vulnerability management lifecycle is a continuous process for discovering, prioritizing and addressing vulnerabilities in a company’s IT assets.

Every month, the National Institute of Standards and Technology (NIST) adds over 2,000 new security vulnerabilities to the National Vulnerability Database. Security teams don’t need to track all of these vulnerabilities, but they do need a way to identify and resolve the ones that pose a potential threat to their systems. That’s what the vulnerability management lifecycle is for.

A typical round of the lifecycle has five stages:

  1. Asset inventory and vulnerability assessment.
  2. Vulnerability prioritization.
  3. Vulnerability resolution.
  4. Verification and monitoring.
  5. Reporting and improvement.

The vulnerability management lifecycle allows organizations to improve security posture by taking a more strategic approach to vulnerability management. Instead of reacting to new vulnerabilities as they appear, security teams actively hunt for flaws in their systems. Organizations can identify the most critical vulnerabilities and put protections in place before threat actors strike.

Why does the vulnerability management lifecycle matter?

A vulnerability is any security weakness in the structure, function or implementation of a network or asset that hackers can exploit to harm a company.

Vulnerabilities can arise from fundamental flaws in an asset’s construction. Such was the case with the infamous Log4j vulnerability, where coding errors in a popular Java library allowed hackers to remotely run malware on victims’ computers. Other vulnerabilities are caused by human error, like a misconfigured cloud storage bucket that exposes sensitive data to the public internet.

Every vulnerability is a risk for organizations. According to IBM’s X-Force Threat Intelligence Index, the exploitation of vulnerabilities in public-facing apps is one of the most common cyberattack vectors. 

Hackers have a growing stockpile of vulnerabilities at their disposal. In response, enterprises have made vulnerability management a key component of their cyber risk management strategies. The vulnerability management lifecycle offers a formal model for effective vulnerability management programs in an ever-changing cyberthreat landscape. By adopting the lifecycle, organizations can see some of the following benefits:

  • Proactive vulnerability discovery and resolution: Businesses often don’t know about their vulnerabilities until hackers have exploited them. The vulnerability management lifecycle is built around continuous monitoring so security teams can find vulnerabilities before adversaries do.

  • Strategic resource allocation: Tens of thousands of new vulnerabilities are discovered yearly, but only a few are relevant to an organization. The vulnerability management lifecycle helps enterprises pinpoint the most critical vulnerabilities in their networks and prioritize the biggest risks for remediation.

  • A more consistent vulnerability management process: The vulnerability management lifecycle gives security teams a repeatable process to follow, from vulnerability discovery to remediation and beyond. A more consistent process produces more consistent results, and it enables companies to automate key workflows like asset inventory, vulnerability assessment and patch management.

Stages of the vulnerability management lifecycle

New vulnerabilities can arise in a network at any time, so the vulnerability management lifecycle is a continuous loop rather than a series of distinct events. Each round of the lifecycle feeds directly into the next. A single round usually contains the following stages:

Stage 0: Planning and prework

Technically, planning and prework happen before the vulnerability management lifecycle, hence the “Stage 0” designation. During this stage, the organization irons out critical details of the vulnerability management process, including the following:

  • Which stakeholders will be involved, and the roles they will have

  • Resources—including people, tools, and funding—available for vulnerability management

  • General guidelines for prioritizing and responding to vulnerabilities

  • Metrics for measuring the program’s success

Organizations don’t go through this stage before every round of the lifecycle. Generally, a company conducts an extensive planning and prework phase before it launches a formal vulnerability management program. When a program is in place, stakeholders periodically revisit planning and prework to update their overall guidelines and strategies as needed.

Stage 1: Asset discovery and vulnerability assessment

The formal vulnerability management lifecycle begins with an asset inventory—a catalog of all the hardware and software on the organization’s network. The inventory includes officially sanctioned apps and endpoints and any shadow IT assets employees use without approval.

Because new assets are regularly added to company networks, the asset inventory is updated before every round of the lifecycle. Companies often use software tools like attack surface management platforms to automate their inventories.

After identifying assets, the security team assesses them for vulnerabilities. The team can use a combination of tools and methods, including automated vulnerability scanners, manual penetration testing and external threat intelligence from the cybersecurity community.

Assessing every asset during every round of the lifecycle would be onerous, so security teams usually work in batches. Each round of the lifecycle focuses on a specific group of assets, with more critical asset groups receiving scans more often. Some advanced vulnerability scanning tools continuously assess all network assets in real time, enabling the security team to take an even more dynamic approach to vulnerability discovery.

Stage 2: Vulnerability prioritization

The security team prioritizes the vulnerabilities they found in the assessment stage. Prioritization ensures that the team addresses the most critical vulnerabilities first. This stage also helps the team avoid pouring time and resources into low-risk vulnerabilities. 

To prioritize vulnerabilities, the team considers these criteria:

  • Criticality ratings from external threat intelligence: This can include MITRE’s list of Common Vulnerabilities and Exposures (CVE) or the Common Vulnerability Scoring System (CVSS).

  • Asset criticality: A noncritical vulnerability in a critical asset often receives higher priority than a critical vulnerability in a less important asset. 

  • Potential impact: The security team weighs what might happen if hackers exploited a particular vulnerability, including the effects on business operations, financial losses and any possibility of legal action.

  • Likelihood of exploitation: The security team pays more attention to vulnerabilities with known exploits that hackers actively use in the wild.

  • False positives: The security team ensures that vulnerabilities actually exist before dedicating any resources to them.
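
The criteria above can be combined into a repeatable ranking. The following is an added example, not code from the article or from IBM; the asset names, the placeholder CVE ids and the multiplicative weighting are constructed assumptions, and the score is only a way of making the criteria comparable, not a published standard.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str                 # constructed placeholder ids, not real CVEs
    cvss: float              # CVSS base score from external intel (0.0-10.0)
    asset_criticality: int   # 1 (low) .. 4 (critical), set by asset owners
    exploited_in_wild: bool  # a known exploit is actively used
    confirmed: bool          # verified by the team, not a scanner false positive

# Constructed sample findings from one assessment round
FINDINGS = [
    Finding("hr-db-01",    "CVE-0000-0001", 9.8, 4, False, True),
    Finding("kiosk-07",    "CVE-0000-0002", 9.8, 1, False, True),
    Finding("web-edge-02", "CVE-0000-0003", 7.5, 4, True,  True),
    Finding("web-edge-02", "CVE-0000-0004", 7.2, 4, False, False),
]

def risk_score(f: Finding) -> float:
    """Blend the prioritization criteria into one number.
    The weighting here is an assumption for illustration only."""
    if not f.confirmed:
        return 0.0                      # unverified: spend no resources yet
    score = f.cvss * f.asset_criticality
    if f.exploited_in_wild:
        score *= 1.5                    # likelihood of exploitation
    return round(score, 1)

def prioritize(findings):
    """Confirmed findings, highest risk first."""
    return sorted((f for f in findings if f.confirmed),
                  key=risk_score, reverse=True)

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.asset:12} {f.cve}")
```

Note how the same 9.8 CVSS score lands at the top for the critical database and near the bottom for the kiosk, and how a mid-severity flaw with a known exploit outranks both.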

Stage 3: Vulnerability resolution

The security team works through the list of prioritized vulnerabilities, from most critical to least critical. Organizations have three options to address vulnerabilities:

  1. Remediation: Fully addressing a vulnerability so it can no longer be exploited, such as by patching an operating system bug, fixing a misconfiguration or removing a vulnerable asset from the network. Remediation isn’t always feasible. For some vulnerabilities, complete fixes aren’t available at the time of discovery (e.g., zero-day vulnerabilities). For other vulnerabilities, remediation would be too resource-intensive.

  2. Mitigation: Making a vulnerability more difficult to exploit or lessening the impact of exploitation without removing the vulnerability entirely. For example, adding stricter authentication and authorization measures to a web application would make it harder for hackers to hijack accounts. Crafting incident response plans for identified vulnerabilities can soften the blow of cyberattacks. Security teams usually choose to mitigate when remediation is impossible or prohibitively expensive. 

  3. Acceptance: Some vulnerabilities are so low-impact or unlikely to be exploited that fixing them wouldn’t be cost-effective. In these cases, the organization can choose to accept the vulnerability.

Stage 4: Verification and monitoring

To verify that mitigation and remediation efforts worked as intended, the security team rescans and retests the assets they just worked on. These audits have two primary purposes: to determine whether the security team successfully addressed all known vulnerabilities, and to ensure that mitigation and remediation didn’t introduce any new problems.

As part of this reassessment stage, the security team also monitors the network more broadly. The team looks for any new vulnerabilities since the last scan, old mitigations that have grown obsolete, or other changes that may require action. All of these findings help inform the next round of the lifecycle.
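
The two audit questions (did the fixes take, and did anything new appear?) come down to comparing the pre- and post-resolution scans. The following is an added example, not code from the article or from IBM; the scan contents and placeholder CVE ids are constructed, and findings are assumed to be keyed by (asset, vulnerability id).

```python
# Scan results keyed by (asset, vulnerability id); ids are constructed placeholders.
BEFORE = {                      # scan taken before this round's resolution work
    ("web-edge-02", "CVE-0000-0003"),
    ("hr-db-01",    "CVE-0000-0001"),
    ("kiosk-07",    "CVE-0000-0002"),
    ("kiosk-07",    "CVE-0000-0005"),
}
AFTER = {                       # rescan after patching and mitigation
    ("hr-db-01",    "CVE-0000-0001"),   # patch did not take
    ("kiosk-07",    "CVE-0000-0002"),   # accepted risk, left in place
    ("web-edge-02", "CVE-0000-0009"),   # not present before
}
# Findings the team chose to remediate or mitigate this round;
# accepted findings are simply not planned and are expected to persist.
PLANNED = {("web-edge-02", "CVE-0000-0003"), ("hr-db-01", "CVE-0000-0001")}

def verify_round(before, after, planned):
    """Compare pre- and post-resolution scans for one batch of assets."""
    closed = planned - after                 # fix verified by the rescan
    still_open = planned & after             # fix failed or incomplete
    introduced = after - before              # new problems since the last scan
    # Gone without any action: investigate (asset offline? scanner blind spot?)
    vanished = (before - after) - planned
    return {
        "closed": closed,
        "still_open": still_open,
        "introduced": introduced,
        "vanished": vanished,
        "passed": not still_open and not introduced,
    }

if __name__ == "__main__":
    for name, value in verify_round(BEFORE, AFTER, PLANNED).items():
        print(name, sorted(value) if isinstance(value, set) else value)
```

A finding that silently disappears is treated as a question, not a success: a host that was down during the rescan looks identical to one that was fixed.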

Stage 5: Reporting and improvement

The security team documents activity from the most recent round of the lifecycle, including vulnerabilities found, resolution steps taken and outcomes. These reports are shared with relevant stakeholders, including executives, asset owners, compliance departments and others. 

The security team also reflects on how the most recent round of the lifecycle went. The team may look at key metrics like mean time to detect (MTTD), mean time to respond (MTTR), total number of critical vulnerabilities and vulnerability recurrence rates. By tracking these metrics over time, the security team can establish a baseline for the vulnerability management program’s performance and identify opportunities to improve the program. Lessons learned from one round of the lifecycle can make the next round more effective.
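
The metrics named above can be computed from the records kept across rounds. The following is an added example, not code from the article or from IBM; the history and placeholder CVE ids are constructed, and "introduced" is assumed to mean the date the flaw became present on the asset (vendor disclosure or asset deployment), which is the reference point this example uses for MTTD.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Record:
    asset: str
    cve: str                   # constructed placeholder ids
    introduced: date           # when the flaw became present (assumption: disclosure or deploy)
    detected: date             # when the team's assessment found it
    resolved: Optional[date]   # None while still open

# Constructed history spanning two rounds of the lifecycle
RECORDS = [
    Record("hr-db-01",    "CVE-0000-0001", date(2024, 1, 1), date(2024, 1, 4),  date(2024, 1, 10)),
    Record("web-edge-02", "CVE-0000-0003", date(2024, 1, 1), date(2024, 1, 5),  date(2024, 1, 6)),
    Record("kiosk-07",    "CVE-0000-0002", date(2024, 1, 2), date(2024, 1, 12), None),
    # same flaw on the same asset, found again after it was closed: a recurrence
    Record("web-edge-02", "CVE-0000-0003", date(2024, 2, 1), date(2024, 2, 2),  date(2024, 2, 4)),
]

def _mean(values):
    return round(sum(values) / len(values), 1) if values else 0.0

def mttd_days(records):
    """Mean time to detect: introduced -> detected, over all findings."""
    return _mean([(r.detected - r.introduced).days for r in records])

def mttr_days(records):
    """Mean time to respond: detected -> resolved, over closed findings only."""
    return _mean([(r.resolved - r.detected).days for r in records if r.resolved])

def recurrence_rate(records):
    """Share of (asset, cve) pairs that reappeared after being resolved."""
    last_resolved, recurred = {}, set()
    for r in sorted(records, key=lambda r: r.detected):
        key = (r.asset, r.cve)
        prior = last_resolved.get(key)          # None if never seen or still open
        if prior is not None and r.detected > prior:
            recurred.add(key)
        last_resolved[key] = r.resolved
    return round(len(recurred) / len({(r.asset, r.cve) for r in records}), 2)

def open_count(records):
    """Findings carried into the next round."""
    return sum(1 for r in records if r.resolved is None)
```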
