What is vulnerability management?

A security vulnerability is any flaw or weakness in the structure, functionality or implementation of a network or networked asset that hackers can exploit to launch cyberattacks, gain unauthorized access to systems or data or otherwise harm an organization.

Examples of common vulnerabilities include firewall misconfigurations that might allow certain types of malware to enter the network or unpatched bugs in an operating system’s remote desktop protocol that might allow hackers to take over a device.

Today’s enterprise networks are so distributed, and various new vulnerabilities are discovered daily, making effective manual or ad hoc vulnerability management nearly impossible. Cybersecurity teams typically rely on vulnerability management solutions to automate the process.

The Center for Internet Security (CIS) lists continuous vulnerability management as one of its Critical Security Controls to defend against the most common cyberattacks. Vulnerability management allows IT security teams to adopt a more proactive security posture by identifying and resolving vulnerabilities before they can be exploited.

Because new vulnerabilities can arise at any time, security teams approach vulnerability management as a continuous lifecycle rather than a discrete event. This lifecycle comprises five ongoing and overlapping workflows: Discovery, categorization and prioritization, resolution, reassessment and reporting.

The discovery workflow centers around vulnerability assessment, a process for checking all an organization’s IT assets for known and potential vulnerabilities. Typically security teams automate this process by using vulnerability scanner software. Some vulnerability scanners perform periodic, comprehensive network scans on a regular schedule, while others use agents installed on laptops, routers and other endpoints to collect data on each device. Security teams can also use episodic vulnerability assessments, such as penetration testing, to locate vulnerabilities that elude a scanner.

Once vulnerabilities are identified, they’re categorized by type (for example, device misconfigurations, encryption issues, sensitive data exposures) and prioritized by level of criticality. This process provides an estimation of each vulnerability’s severity, exploitability and the likelihood of an attack.

Vulnerability management solutions typically draw on threat intelligence sources such as the Common Vulnerability Scoring System (CVSS), an open cybersecurity industry standard, to score the criticality of known vulnerabilities on a scale of 0 to 10. Two other popular intelligence sources are MITRE’s list of Common Vulnerabilities and Exposures (CVEs) and NIST’s National Vulnerability Database (NVD).

Once vulnerabilities are prioritized, security teams can resolve them in one of three ways:

• Remediation: fully addressing a vulnerability so it can no longer be exploited, such as by installing a patch that fixes a software bug or retiring a vulnerable asset. Many vulnerability management platforms provide remediation tools such as patch management for automatic patch downloads and testing, and configuration management for addressing network and device misconfigurations from a centralized dashboard or portal.
• Mitigation: making a vulnerability more difficult to exploit and lessening the impact of exploitation without removing the vulnerability entirely. Leaving a vulnerable device online but segmenting it from the rest of the network is an example of mitigation. Mitigation is often performed when a patch or other means of remediation is not yet available. 
• Acceptance: choosing to leave a vulnerability unaddressed. Vulnerabilities with low criticality scores, which are unlikely to be exploited or unlikely to cause significant damage, are often accepted.

When vulnerabilities are resolved, security teams conduct a new vulnerability assessment to ensure that their mitigation or remediation efforts worked and did not introduce any new vulnerabilities.

Vulnerability management platforms typically provide dashboards for reporting on metrics like mean time to detect (MTTD) and mean time to respond (MTTR). Many solutions also maintain databases of identified vulnerabilities, which allow security teams to track the resolution of identified vulnerabilities and audit past vulnerability management efforts.

These reporting capabilities enable security teams to establish a baseline for ongoing vulnerability management activities and monitor program performance over time. Reports can also be used to share information between the security team and other IT teams who may be responsible for managing assets but not directly involved in the vulnerability management process.

Risk-based vulnerability management (RBVM) is a relatively new approach to vulnerability management. RVBM combines stakeholder-specific vulnerability data with artificial intelligence and machine learning capabilities to enhance vulnerability management in three important ways.

More context for more effective prioritization. Traditional vulnerability management solutions determine criticality by using industry-standard resources like the CVSS or the NIST NVD. These resources rely on generalities that can determine the average criticality of a vulnerability across all organizations. But they lack stakeholder-specific vulnerability data that can result in dangerous over- or under-prioritization of a vulnerability’s criticality to a specific company.

For example, because no security team has the time or resources to address every vulnerability in its network, many prioritize vulnerabilities with a “high” (7.0-8.9) or “critical” (9.0-10.0) CVSS score. However, if a “critical” vulnerability exists in an asset that doesn’t store or process any sensitive information, or offers no pathways to high-value segments of the network, remediation may not be worth it.

Vulnerabilities with low CVSS scores can be a bigger threat to some organizations than others. The Heartbleed bug, discovered in 2014, was rated as “medium” (5.0) on the CVSS scale. Even so, hackers used it to pull off large-scale attacks, such as stealing the data of 4.5 million patients from one of the largest US hospital chains.

RBVM supplements scoring with stakeholder-specific vulnerability data, the number and criticality of the asset that is affected, how the assets are connected to other assets, and the potential damage an exploit might cause as well as data on how cybercriminals interact with vulnerabilities in the real world. It uses machine learning to formulate risk scores that more accurately reflect each vulnerability’s risk to the organization specifically. This enables IT security teams to prioritize a smaller number of critical vulnerabilities without sacrificing network security.

Real-time discovery. In RBVM, vulnerability scans are often conducted in real-time rather than on a recurring schedule. Additionally, RBVM solutions can monitor a broader array of assets: Whereas traditional vulnerability scanners are usually limited to known assets directly connected to the network, RBVM tools can typically scan on-premises and remote mobile devices, cloud assets, third-party apps, and other resources.

Automated reassessment. In an RBVM process, reassessment can be automated by continuous vulnerability scanning. In traditional vulnerability management, reassessment may require an intentional network scan or penetration test.

Vulnerability management is closely related to attack surface management (ASM). ASM is the continuous discovery, analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors that make up an organization’s attack surface. The core difference between ASM and vulnerability management is one of scope. While both processes monitor and resolve vulnerabilities in an organization’s assets, ASM takes a more holistic approach to network security.

ASM solutions include asset discovery capabilities that identify and monitor all known, unknown, third-party, subsidiary, and malicious assets connected to the network. ASM also extends beyond IT assets to identify vulnerabilities in an organization’s physical and social engineering attack surfaces. It then analyzes these assets and vulnerabilities from a hackers perspective to understand how cybercriminals might use them to infiltrate the network.

With the rise of risk-based vulnerability management (RBVM), lines between vulnerability management and ASM have become increasingly blurred. Organizations often deploy ASM platforms as part of their RBVM solution, because ASM provides a more comprehensive view of the attack surface than vulnerability management alone.