What is vulnerability management?
Learn how vulnerability management solutions help security teams proactively discover, prioritize and resolve security vulnerabilities in IT assets.

Vulnerability management, a subdomain of IT risk management, is the continuous discovery, prioritization, and resolution of security vulnerabilities in an organization’s IT infrastructure and software.

A security vulnerability is any flaw or weakness in the structure, functionality, or implementation of a network or networked asset that an attacker can exploit to launch cyberattacks, gain unauthorized access to systems or data, or otherwise harm an organization. Common examples include a firewall misconfiguration that exposes an internal service to the internet, or an unpatched bug in an operating system’s remote desktop service that lets an attacker take over the device.

Because today’s enterprise networks are so distributed, and so many new vulnerabilities are discovered every day, effective manual or ad hoc vulnerability management is all but impossible. Cybersecurity teams typically rely on vulnerability management solutions to automate the process.

The Center for Internet Security (CIS) lists continuous vulnerability management as one of its Critical Security Controls (Control 7 in CIS Controls v8) for defending against the most common cyberattacks. Vulnerability management allows IT security teams to adopt a more proactive security posture by identifying and resolving vulnerabilities before they can be exploited.

The vulnerability management process

Because new vulnerabilities can arise at any time, security teams approach vulnerability management as a continuous lifecycle rather than a discrete event. This lifecycle comprises five ongoing and overlapping workflows: Discovery, categorization and prioritization, resolution, reassessment, and reporting.

1. Discovery

The discovery workflow centers around vulnerability assessment, a process for checking all of an organization’s IT assets for known and potential vulnerabilities. Security teams typically automate this process with vulnerability scanner software. Some scanners perform periodic, comprehensive network scans on a regular schedule, while others use agents installed on laptops, servers, and other endpoints to report on each device. Credentialed (authenticated) scans, whether agent-based or run with an account on the target, see installed package versions and configuration that an unauthenticated network scan cannot, so they find more and produce fewer false positives. Because scanners only match known vulnerability signatures, security teams also use episodic assessments, such as penetration testing, to locate flaws that elude a scanner, including logic and authorization bugs in custom applications.

2. Categorization and Prioritization

Once vulnerabilities have been identified, they’re categorized by type (e.g., device misconfigurations, encryption issues, sensitive data exposures) and prioritized by level of criticality, which is an estimation of each vulnerability’s severity, exploitability, and likelihood of leading to an attack.

To determine criticality, vulnerability management solutions typically draw on standard reference sources: MITRE’s Common Vulnerabilities and Exposures (CVE) list, which assigns each publicly known vulnerability a unique identifier; NIST’s National Vulnerability Database (NVD), which enriches CVE entries with affected-product data and severity scores; and the Common Vulnerability Scoring System (CVSS), an open industry standard maintained by FIRST that scores the severity of a vulnerability on a scale of 0 to 10. Note that a CVSS base score describes the intrinsic characteristics of the flaw (attack vector, complexity, privileges required, impact on confidentiality, integrity and availability), not how likely it is to be exploited; exploitation-likelihood data comes from sources such as CISA’s Known Exploited Vulnerabilities (KEV) catalog and FIRST’s Exploit Prediction Scoring System (EPSS).

3. Resolution

Once vulnerabilities have been prioritized, security teams can resolve them in one of three ways:

  • Remediation—fully addressing a vulnerability so it can no longer be exploited, such as by installing a patch that fixes a software bug or retiring a vulnerable asset. Many vulnerability management platforms provide remediation tools such as patch management, for automatic patch downloads and testing, and configuration management, for addressing network and device misconfigurations from a centralized dashboard or portal.
  • Mitigation—making a vulnerability more difficult to exploit, or lessening the impact of exploitation, without removing the vulnerability entirely. Leaving a vulnerable device online but segmenting it from the rest of the network, disabling the affected feature, or blocking the exploit path at a firewall or intrusion prevention system are examples of mitigation. Mitigation is often performed when a patch or other means of remediation is not yet available or cannot be applied immediately, and it should be tracked as a temporary measure rather than a closure.
  • Acceptance—choosing to leave a vulnerability unaddressed. Vulnerabilities with low criticality scores, which are unlikely to be exploited or unlikely to cause significant damage, are often accepted. An accepted vulnerability should still be recorded with a named risk owner, the rationale, and a review date, so that the decision is revisited if the asset’s exposure or the threat landscape changes.

4. Reassessment

When vulnerabilities are resolved, security teams typically conduct a new vulnerability assessment to confirm that their mitigation or remediation efforts worked and did not introduce new vulnerabilities. The rescan should use the same scope, scan configuration, and credentials as the original, so that a finding that disappears reflects a real fix rather than an asset that was offline or not covered by the follow-up scan.

5. Reporting

Vulnerability management platforms typically provide dashboards for reporting on metrics such as mean time to detect (MTTD), mean time to remediate (MTTR), the age of open findings, and compliance with remediation service-level agreements (SLAs) per severity level. Many solutions also maintain databases of identified vulnerabilities, which allow security teams to track the resolution of each finding across successive scans and audit past vulnerability management efforts.

These reporting capabilities enable security teams to establish a baseline for ongoing vulnerability management activities and monitor program performance over time. Reports can also be used to share information between the security team and other IT teams who may be responsible for managing assets but not directly involved in the vulnerability management process. 
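As an added illustration of the reassessment and reporting workflows above (example code written for this article, not IBM's or any product's), the following Python script keeps a small tracking database of findings keyed by asset and vulnerability ID, reconciles each new scan against it, and produces the per-severity SLA and mean-time-to-remediate figures a dashboard would show. The scan runs, dates, SLA targets and placeholder vulnerability IDs are all constructed. It handles two edge cases a rescan must get right: a finding is only closed if its asset was actually covered by the rescan, and a finding that reappears after being closed is reported as a regression rather than a new issue.

```python
"""Reassessment and reporting against a vulnerability tracking database.
Added example for this article (not IBM's code or any product's data model);
scan results, dates, SLA targets and vulnerability IDs are all constructed."""
from datetime import date

# Assumed remediation SLA in days per CVSS severity band (a policy choice).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Qualitative CVSS v3.x rating for a base score."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def update_tracker(tracker, scan_findings, scanned_assets, scan_date):
    """Reconcile one scan run with the tracker, a dict keyed by (asset, vuln_id).
    Returns the keys that were new, persisting, resolved or regressed. A finding
    is closed only if its asset was actually covered by this scan; an asset that
    was offline or out of scope proves nothing about it."""
    summary = {"new": [], "persisting": [], "resolved": [], "regressed": []}
    seen = set()
    for f in scan_findings:
        key = (f["asset"], f["vuln_id"])
        seen.add(key)
        rec = tracker.get(key)
        if rec is None:
            tracker[key] = {"cvss": f["cvss"], "first_seen": scan_date, "resolved_on": None}
            summary["new"].append(key)
        elif rec["resolved_on"] is not None:
            # Closed earlier but back again (e.g. host rebuilt from an old image);
            # first_seen is kept so the SLA clock runs from original discovery.
            rec["resolved_on"] = None
            summary["regressed"].append(key)
        else:
            summary["persisting"].append(key)
    for key, rec in tracker.items():
        if key not in seen and rec["resolved_on"] is None and key[0] in scanned_assets:
            rec["resolved_on"] = scan_date
            summary["resolved"].append(key)
    return {k: sorted(v) for k, v in summary.items()}


def sla_report(tracker, today):
    """Per severity band: open/overdue/resolved counts and mean time to remediate."""
    report = {}
    for rec in tracker.values():
        band = severity(rec["cvss"])
        entry = report.setdefault(band, {"open": 0, "overdue": 0, "resolved": 0, "_ttr": []})
        if rec["resolved_on"] is None:
            entry["open"] += 1
            if (today - rec["first_seen"]).days > SLA_DAYS[band]:
                entry["overdue"] += 1
        else:
            entry["resolved"] += 1
            entry["_ttr"].append((rec["resolved_on"] - rec["first_seen"]).days)
    for entry in report.values():
        ttr = entry.pop("_ttr")
        entry["mttr_days"] = round(sum(ttr) / len(ttr), 1) if ttr else None
    return report


# Constructed scan runs: (scan date, assets actually scanned, findings). EXAMPLE-n are placeholder IDs.
SCANS = [
    (date(2024, 3, 1), {"web-01", "db-01", "app-02"}, [
        {"asset": "web-01", "vuln_id": "EXAMPLE-1", "cvss": 9.8},
        {"asset": "web-01", "vuln_id": "EXAMPLE-2", "cvss": 5.3},
        {"asset": "db-01", "vuln_id": "EXAMPLE-3", "cvss": 7.5},
        {"asset": "app-02", "vuln_id": "EXAMPLE-4", "cvss": 8.8},
    ]),
    # app-02 was offline for this run, so EXAMPLE-4 must not be closed.
    (date(2024, 3, 20), {"web-01", "db-01"}, [
        {"asset": "web-01", "vuln_id": "EXAMPLE-2", "cvss": 5.3},
        {"asset": "web-01", "vuln_id": "EXAMPLE-5", "cvss": 6.1},  # introduced by the fix
    ]),
    # EXAMPLE-1 is back on web-01: a regression, not a new finding.
    (date(2024, 4, 5), {"web-01", "db-01", "app-02"}, [
        {"asset": "web-01", "vuln_id": "EXAMPLE-1", "cvss": 9.8},
        {"asset": "web-01", "vuln_id": "EXAMPLE-2", "cvss": 5.3},
        {"asset": "app-02", "vuln_id": "EXAMPLE-4", "cvss": 8.8},
    ]),
]


def run_demo(today=date(2024, 4, 10)):
    """Replay the constructed scans; returns (per-scan summaries, SLA report)."""
    tracker = {}
    summaries = [update_tracker(tracker, findings, assets, when)
                 for when, assets, findings in SCANS]
    return summaries, sla_report(tracker, today)


if __name__ == "__main__":
    print(run_demo())
```

Running the script replays the three scans: the second run closes EXAMPLE-1 and EXAMPLE-3 but leaves EXAMPLE-4 open because app-02 was not scanned, and the third run flags EXAMPLE-1 as regressed. The report then shows the critical regression and the unscanned high finding as overdue against their SLAs, with the mean time to remediate computed only from findings that were genuinely closed.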

What is risk-based vulnerability management? 

Risk-based vulnerability management (RBVM) is a relatively new approach to vulnerability management. RBVM combines stakeholder-specific vulnerability data with artificial intelligence and machine learning capabilities to enhance vulnerability management in three important ways.

More context for more effective prioritization. As noted above, traditional vulnerability management solutions determine criticality using industry-standard resources such as the CVSS base scores published in the NIST NVD. A base score describes the severity of a vulnerability in the abstract, the same for every organization; CVSS does define environmental metrics for adjusting a score to a particular deployment, but public databases publish only base scores, and few programs fill the environmental metrics in. Without stakeholder-specific data about where a vulnerability sits and what it exposes, a program can dangerously over- or under-prioritize a vulnerability relative to its real criticality for a specific company.

For example, because no security team has the time or resources to address every vulnerability in its network, many prioritize vulnerabilities with a “high” (7.0-8.9) or “critical” (9.0-10.0) CVSS score. But if a “critical” vulnerability exists in an asset that stores or processes no sensitive information and offers no pathway to high-value segments of the network, remediating it first may be a misallocation of the security team’s valuable time. On the other hand, vulnerabilities with low CVSS scores may be more of a threat to some organizations than others. The Heartbleed bug (CVE-2014-0160), discovered in 2014, was rated “medium” (5.0) on the CVSS v2 scale, yet attackers used it to pull off large-scale attacks, such as stealing the data of 4.5 million patients from one of the largest U.S. hospital chains.

RBVM supplements scoring with stakeholder-specific vulnerability data—the number and criticality of the assets affected, how those assets are connected to other assets, whether they are reachable from the internet, and the potential damage an exploit might cause—as well as data on how attackers interact with vulnerabilities in the real world, such as whether exploitation has actually been observed. It uses this data, often with machine learning, to formulate risk scores that more accurately reflect each vulnerability’s risk to the organization specifically. This enables IT security teams to prioritize a smaller number of genuinely critical vulnerabilities without sacrificing network security.

Real-time discovery. In RBVM, vulnerability scans are often conducted in real-time rather than on a recurring schedule. Additionally, RBVM solutions can monitor a broader array of assets: Whereas traditional vulnerability scanners are usually limited to known assets directly connected to the network, RBVM tools can typically scan on-premises and remote mobile devices, cloud assets, third-party apps, and other resources.

Automated reassessment. In an RBVM process, reassessment may be automatically carried out by continuous vulnerability scanning. In traditional vulnerability management, reassessment may require an intentional network scan or penetration test. 
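To make the prioritization discussion concrete, here is an added example (written for this article; it is not IBM's code, and the weights are illustrative assumptions rather than any vendor's algorithm) that re-ranks a constructed set of scanner findings. It compares the CVSS-only ordering described under Categorization and Prioritization with a risk-based ordering that folds in asset exposure, data sensitivity, network reachability, and exploitation data of the kind RBVM uses. The asset inventory, the exploit-probability values, and every identifier other than CVE-2014-0160 are constructed; the Heartbleed-style finding, a CVSS v2 “medium”, ends up above a “critical” finding on an isolated test host.

```python
"""Risk-based re-ranking of vulnerability scanner findings.
Added example for this article: not IBM's code, and the weights are illustrative
assumptions rather than any vendor's algorithm. Assets and findings are constructed;
IDs other than CVE-2014-0160 (Heartbleed) are placeholders, not real CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool          # reachable from untrusted networks
    handles_sensitive_data: bool   # stores or processes regulated or secret data
    reaches_high_value: bool       # has a network path into crown-jewel segments


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str                     # Asset.name
    cvss_base: float               # CVSS base score, 0.0 to 10.0
    known_exploited: bool          # exploitation seen in the wild (e.g. listed in CISA KEV)
    exploit_probability: float     # 0.0 to 1.0 likelihood estimate (e.g. an EPSS score)


# Assumed weights; tune to your environment.
EXPOSURE_INTERNET = 1.0
EXPOSURE_INTERNAL = 0.4
IMPACT_SENSITIVE_DATA = 0.5
IMPACT_HIGH_VALUE_PATH = 0.5
LIKELIHOOD_FLOOR = 0.3   # nobody exploiting it yet does not make the risk zero


def cvss_band(score: float) -> str:
    """Qualitative CVSS v3.x rating for a base score."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def risk_score(finding: Finding, asset: Asset) -> float:
    """risk = cvss_base * impact * exposure * likelihood (a relative score, not a CVSS value).
    impact grows with data sensitivity and reach into high-value segments, exposure
    shrinks for hosts not reachable from the internet, and likelihood is 1.0 for
    known-exploited bugs, otherwise interpolated from exploit_probability above a floor."""
    impact = 1.0
    if asset.handles_sensitive_data:
        impact += IMPACT_SENSITIVE_DATA
    if asset.reaches_high_value:
        impact += IMPACT_HIGH_VALUE_PATH
    exposure = EXPOSURE_INTERNET if asset.internet_facing else EXPOSURE_INTERNAL
    if finding.known_exploited:
        likelihood = 1.0
    else:
        likelihood = LIKELIHOOD_FLOOR + (1.0 - LIKELIHOOD_FLOOR) * finding.exploit_probability
    return round(finding.cvss_base * impact * exposure * likelihood, 2)


def rank_by_cvss(findings):
    """Traditional ordering: CVSS base score only, highest first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def rank_by_risk(findings, assets):
    """Risk-based ordering: (vuln_id, asset, risk) triples, highest risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(f.vuln_id, f.asset, risk_score(f, by_name[f.asset])) for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed inventory and scan findings.
ASSETS = [
    Asset("patient-portal", internet_facing=True, handles_sensitive_data=True, reaches_high_value=True),
    Asset("vpn-gateway", internet_facing=True, handles_sensitive_data=False, reaches_high_value=True),
    Asset("hr-database", internet_facing=False, handles_sensitive_data=True, reaches_high_value=False),
    Asset("lab-testbox", internet_facing=False, handles_sensitive_data=False, reaches_high_value=False),
]
FINDINGS = [
    # The article's Heartbleed case: CVSS v2 "medium", but exploited in the wild on a sensitive edge asset.
    Finding("CVE-2014-0160", "patient-portal", 5.0, known_exploited=True, exploit_probability=0.95),
    Finding("EXAMPLE-A", "lab-testbox", 9.8, known_exploited=False, exploit_probability=0.02),
    Finding("EXAMPLE-B", "hr-database", 8.1, known_exploited=False, exploit_probability=0.10),
    Finding("EXAMPLE-C", "vpn-gateway", 9.8, known_exploited=True, exploit_probability=0.97),
]

if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    for vuln_id, asset, risk in rank_by_risk(FINDINGS, ASSETS):
        print(f"{risk:6.2f}  {vuln_id:14} {asset}")
```

With CVSS alone, the two 9.8 findings lead and Heartbleed comes last. The risk-based ordering puts the exploited critical on the internet-facing VPN gateway first, Heartbleed on the patient portal second, and the 9.8 on the isolated lab host last, because nothing about that host's exposure, data, or reachability makes it worth the first patch window. The multiplicative form is deliberate: a zero-exposure or zero-impact asset drives the score down regardless of severity, which is the behaviour a fixed CVSS threshold cannot express.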

Vulnerability management and attack surface management

Vulnerability management is closely related to attack surface management (ASM). ASM is the continuous discovery, analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors that make up an organization’s attack surface. The core difference between ASM and vulnerability management is one of scope. While both processes monitor and resolve vulnerabilities in an organization’s assets, ASM takes a more holistic approach to network security. 

ASM solutions include asset discovery capabilities that identify and monitor all known, unknown, third-party, subsidiary, and malicious or rogue assets connected to the network (from forgotten cloud instances to look-alike domains set up to impersonate the organization). ASM also extends beyond IT assets to identify vulnerabilities in an organization’s physical and social engineering attack surfaces. It then analyzes these assets and vulnerabilities from an attacker’s perspective, to understand how cybercriminals might use them to infiltrate the network.

With the rise of risk-based vulnerability management (RBVM), lines between vulnerability management and ASM have become increasingly blurred. Organizations often deploy ASM platforms as part of their RBVM solution, because ASM provides a more comprehensive view of the attack surface than vulnerability management alone.
