With new vulnerabilities being discovered every day and an observed trend showing a steady increase in the total number of reported vulnerabilities year over year, it has become increasingly important for organizations to manage vulnerabilities in their environments responsibly. In 2019, NIST published over 17,000 vulnerabilities in the National Vulnerability Database. Thus, vulnerability management is an important step in maintaining a strong cybersecurity posture, allowing proactive organizations to mitigate any potential attack vectors before they have a chance to be exploited. Compounding the obvious problems associated with the sheer volume of vulnerabilities is the well-documented workforce shortage, estimated by the ISC2 Cyber Security Workforce Study to be 4 million train workers. As a solution to this challenge, security vendors tout machine learning and artificial intelligence tech to help teams take a risk-based approach to vulnerability management. While these improved tools certainly help, they are far from the magical black-box panacea described in vendor marketing material. To truly improve cybersecurity performance around vulnerability management, organizations must ensure elements such as maintaining continuous visibility of the relevant digital ecosystem, keeping up to date with newly reported vulnerabilities, tracking of identified vulnerabilities, having a remediation process to mitigate identified vulnerabilities, and having an automated and continuous audit process in place to measure progress over time.
According to the SolarWinds MSP, there are six steps to the Vulnerability Management Life Cycle: Discover, Prioritize Assets, Assess, Report, Remediate, and Verify. To satisfy the first four steps of the lifecycle, businesses must establish visibility over the organization’s digital environment, as that is what allows them to understand where the greatest risk lies within an organization. To accomplish this, many automated tools can be used to scan organizational systems for known vulnerabilities. Establishing a tracking procedure around the results of these periodic scans allows for the prioritization of critical or high-risk vulnerabilities. Being able to determine where the high-risk vulnerabilities lie in an organization allows for a more competent and cost-efficient vulnerability management program, greatly increasing the security of organizational systems and software.
Once visibility has been established, vulnerability management becomes a question of remediation and verification. How these last two steps are accomplished will depend largely on the nature of the vulnerabilities in question, the determined business risk associated with the exploitation of that vulnerability, and the amount of resources allocated to fix the vulnerability. Some vulnerabilities may only require a patch from the manufacturer of the vulnerable software, while other times the vulnerability may be so severe that the only remediation is to retire the system from use. Once a vulnerability has been remediated, there should also be a procedure in place to verify that the remediation was deployed successfully and that the affected systems are no longer vulnerable.
Maintaining a robust cybersecurity program is essential in today’s digital environment with businesses increasingly coming under assault by cybercriminals. One part of employing an effective cybersecurity program is to have a competent vulnerability management process in place, which deploys the correct tools and best practices of the industry to ensure that critical organizational systems and data are protected from discovered vulnerabilities.