A vulnerability is a flaw or weakness in a system that, if exploited, would allow a user to gain unauthorized access to conduct an attack. Vulnerability management is the process of identifying, prioritizing, remediating, and reporting on vulnerabilities to proactively reduce your cyber risk. Because new vulnerabilities are constantly being introduced, vulnerability management is not a one-time project but an ongoing lifecycle. As a result, you will never completely eliminate all vulnerabilities, but you can effectively prioritize which ones to remediate.
Your vulnerability management process should include these four key areas:
The first step to successful vulnerability management is discovering the vulnerabilities that exist within your systems. Because of the sheer volume of vulnerabilities in today’s environments, the most popular way this is done is through vulnerability scanning, which uses automated tools to detect and classify system weaknesses. Vulnerabilities are then mapped to asset inventories so that vulnerabilities can be effectively prioritized based on the assets they impact, and remediation teams can pinpoint the systems that need remediation.
For new environments currently being built, security is shifting left, meaning that security is incorporated into the development process earlier, or directionally left, in the development workflow. This is a departure from traditional development, in which security was often introduced only after an environment was built. This DevSecOps approach avoids bottlenecks at the final stage of deployment, which is essential to the Continuous Integration, Continuous Delivery (CI/CD) pipeline. Today’s vulnerability scanning tools are designed to integrate into the application development process and function in a cloud environment.
Additionally, scanning of open-source frameworks, libraries, and dependencies, should be an essential part of your discovery process. While using open-source code saves developers time and money by borrowing from the collective expertise of the community, this code is often more vulnerable than proprietary code. It is publicly available to hackers to search for unpatched zero-days and written by various developers that may not be applying rigorous security standards as you would in your own organization.
Once vulnerabilities are detected, the next step is to prioritize which ones are the most important to remediate. Modern vulnerability scanning tools will provide suggestions for prioritization based on the Common Vulnerability Scoring System (CVSS) rating of the vulnerability. A vulnerability’s CVSS score is the severity score assigned to it as part of its record in the Common Vulnerabilities and Exposures (CVE) database, a standardized database of known vulnerabilities. This score is calculated using the CVSS, which uses a base score to determine severity based solely on the properties of the vulnerability.
While this score can be augmented by temporal and environmental metrics, the CVSS base score alone is lacking in context and is therefore not the only factor to consider in prioritizing vulnerabilities. A risk-based approach to prioritization should be applied, which takes into account other factors such as the conditions needed for exploitation, as well the importance of the asset to business operations. That being said, high-scoring CVE vulnerabilities shouldn’t be ignored, and they need to be remediated to comply with regulatory requirements. For example, the Payment Card Industry Data Security Standard (PCI-DSS), which governs the storage of credit card information, requires that vulnerabilities above CVSS 4.0 in the cardholder data environment be addressed to maintain compliance.
Generally, however, you will want to take into account the vulnerability’s severity, as well as likelihood of exploitation, and the business impact of a successful exploit. Penetration testing can be conducted during this phase to confirm these factors in a real-world simulation.
Once you have prioritized which vulnerabilities pose a threat to your business, you want to take steps to remediate them. Remediation is taking action to eliminate the vulnerability, such as applying a patch, in the case of third-party software. Remediation is generally the preferred long-term course of action, but it is not always an option, which is where mitigation comes into play.
Mitigation is taking other efforts, such as changing configurations or applying compensating controls, that reduce the impact of a vulnerability, as opposed to completely removing it. Patching is not always an easy, seamless process. It can result in downtime to critical business functions, which may not be ideal, particularly during peak seasons, such as during the holidays for retailers. Similarly, a patch, or fix for propriety code, may not be readily available. In these situations, mitigation tactics may be used until remediation can be accomplished.
Remediation and mitigation will also only apply to the vulnerabilities that you’ve prioritized to be fixed. There may be low-severity vulnerabilities that won’t require a course of action, or you may find that a vulnerability is not applicable, as it is not being used in a live environment, or other settings have already rendered it obsolete.
Lastly, you want to make sure that your remediation efforts have worked by conducting a follow-up assessment after actions have been taken. You’ll never be able to completely eliminate all vulnerabilities from your environment, but you do want to have metrics in place for determining the success of your vulnerability management program. This may include keeping track of the percentage of your systems that have high-priority vulnerabilities, the mean time it takes you to remediate a vulnerability after discovery, and the number of false positives and negatives detected, as these will slow productivity if time is being invested in remediating non-issues. Reporting ensures that there is accountability in your vulnerability management program and progress is being made to reduce risk.
Are you interested in collaborating with other security professionals to improve your vulnerability management program? RH-ISAC members can join RH-ISAC’s vulnerability management working group to participate in vulnerability management discussions and exchange of best practices. Learn more about RH-ISAC membership.