4 Stages of Vulnerability Management: A Process for Risk Mitigation

Vulnerability management strategies and tools enable organizations to quickly evaluate and mitigate security vulnerabilities in their IT infrastructure. A vulnerability management process can vary between environments, but most should follow these four stages, typically performed by a combination of human and technological resources:

1. Identifying vulnerabilities
2. Evaluating vulnerabilities
3. Ereating vulnerabilities
4. Reporting vulnerabilities

In this article, you will learn:

• What is vulnerability management
• The importance of vulnerability management
• 4 stages of vulnerability management
• Building effective vulnerability management programs

What is vulnerability management?

Vulnerability management is a strategy that organizations can use to track, minimize, and eradicatevulnerabilities in their systems. This process involves identifying and classifying vulnerabilities, so that appropriate protections or remediations can be applied.

Often, vulnerability management processes employ the use of vulnerability scanners, vulnerability databases, manual or automated vulnerability testing, and other tools. This combination of tools and processes helps teams ensure that all threats are accounted for.

This includes:

• Vulnerabilities in code, such as SQL injection or cross site-scripting (XSS) opportunities
• Insufficient authentication and authorization mechanisms
• Insecure or misconfigured settings, such as weak access controls or passwords

Why do you need a vulnerability management process?

Vulnerabilities provide openings for attackers to enter your systems. Once inside, they can abuse resources, steal data, or deny access to services. If you do not identify and patch vulnerabilities, you are essentially leaving the doors and windows open for attackers to enter your network.

Vulnerability management programs provide structured guidelines to help you evaluate and secure your network. Rather than ignoring vulnerabilities or taking the risk of vulnerabilities being overlooked, this process can help you conduct a thorough search.

Vulnerability management strategies can help you ensure that vulnerabilities in your system have the shortest possible life span. It can also provide proof of your due diligence in case your network is compromised despite your efforts.

The 4 stages of vulnerability management

When creating a vulnerability management program, there are several stages you should account for. By building these stages into your management process, you help ensure that no vulnerabilities are overlooked. You also help ensure that discovered vulnerabilities are addressed appropriately.

1. Identify vulnerabilities

The first stage of the management process requires identifying which vulnerabilities might affect your systems. Once you know which vulnerabilities or vulnerability types you are looking for, you can begin identifying which ones exist.

This stage uses threat intelligence information and vulnerability databases to guide your search. It also often uses vulnerability scanners to identify affected components and create an inventory for use in patch management.

As part of this phase, you want to create a full map of your system that specifies where assets are, how those assets can potentially be accessed, and which systems are currently in place for protection. This map can then be used to guide the analysis of vulnerabilities and ease remediation.

2. Evaluating vulnerabilities

After you have identified all possible vulnerabilities in your system, you can begin evaluating the severity of the threats. This evaluation helps you prioritize your security efforts and can help reduce your risks more quickly.

If you start remediating the most severe vulnerabilities first, you can reduce the chance of an attack occurring while you’re securing the rest of your system. When evaluating vulnerabilities, there are several systems you can use to establish the risk of a vulnerability being exploited.

One system is the Common Vulnerability Scoring System (CVSS). This is a standardized system used by many vulnerability databases and researchers. CVSS evaluates the level of vulnerability according to inherent characteristics, temporal traits, and the specific effect of the vulnerability to your systems. The challenge with CVSS is that once a risk level is assigned, it is permanent, so it’s important to include other factors from threat intelligence and your own business risk information, in order to determine prioritization.

3. Remediating vulnerabilities

With a prioritized vulnerability management plan in place, you can begin your remediation efforts. During this phase, you may also want to increase monitoring or reduce access to areas identified as at-risk. This can help prevent successful exploitation of vulnerabilities until you can apply patches or permanently increase protections to those areas.

After vulnerabilities are addressed, make sure that you verify successful remediation. Penetration testing is useful for this, as it can help you gauge the effectiveness of your fix. It can also help you ensure that new vulnerabilities weren’t created during your remediation efforts.

4. Reporting vulnerabilities

Reporting vulnerabilities after remediation may seem unnecessary, but it can help you improve your security and responses in the future. Having a record of vulnerabilities and when those issues were fixed shows accountability for security and is required for many compliance standards. It can also be useful when investigating future events. For example, if you find evidence that an attack has been ongoing, you can look at your patch histories to narrow down possible routes and times of entry.

Additionally, reporting on your vulnerability management process creates a baseline for future efforts. This can help you improve the effectiveness of future efforts, and can help you avoid the inclusion of new vulnerabilities by reflecting the lessons you’ve learned.

How to build an effective vulnerability management program

Developing an effective vulnerability management program can take some time, and you are unlikely to get it exactly righton the first try. The following vulnerability management best practices can help you build a strong program from the start, and reduce the number of refinements you need to make.

Perform regular penetration testing

One of the best ways to ensure that new vulnerabilities aren’t being included in your system is to perform regular penetration tests. Provided you use up-to-date techniques and tools, these tests can also help you ensure that newly discovered vulnerabilities are identified and addressed quickly.

Penetration testing can also help security teams better understand how attackers operate, and provide an objective view of the strength of your protections. This provides security teams a realistic basis for dedicating resources, and can help them respond to attacks more effectively.

Account for all IT assets and components

During identification and testing, it is vital to account for all of your assets and components. If you don’t, you are likely to overlook vulnerabilities and beunable to fully secure your systems.

Ensuring that you have a complete inventory can help prevent surprises later on. It can also provide an opportunity to clean house. When creating your inventory, you are likely to discover legacy applications and data that are no longer necessary. Eliminating these outdated assets can help reduce your liability with minimal effort and possibly improve your system performance. However, this can be hard to achieve only by performing network scans, as assets such as laptops and mobile devices often reside off-network, especially with so many people now working remotely. Ensuring that you have the correct tools to locate and assess these assets is paramount to reducing vulnerability risk.

Maintain threat intelligence

Knowing which vulnerabilities exist, how they are being exploited, and the available remediation options is key. You can try to determine all of these aspects on your own. However, this method is highly inefficient and threats will likely be overlooked. A better route is to use the intelligence that already exists in security communities.

Threat intelligence feeds, forums, and databases can provide you with a wealth of information and best practices. These sources are especially helpful for providing specific expertise that may otherwise be lacking in small security teams.

Visualize data for education

It’s impossible to eliminate all vulnerabilities in your systems, but you can make efforts to minimize risks — for example, vulnerabilities introduced by users. You cannot simply eliminate user permissions, but you can educate users on identifying, reducing, and reporting risks.

One method of doing this is to create visualizations of your vulnerability data. This can help users understand where vulnerabilities come from and how these risks can be avoided. It can also help establish the importance of mitigating risks, and what is at stake if systems are breached.

Vulnerability management is not always quite as easy as scan, patch, and validate. Patching critical systems can affect system uptime, especially if a reboot is required. In addition to this, certain connected device types may only function with software running on out-of-date operating systems for which patches are no longer available. Secondary security measures will need to be in place to protect such systems from exploits if business impact or necessity preclude patches from being applied in a timely manner.

Using vulnerability management data with a next-generation SIEM

Vulnerability management log data has great value when combined with security and network logs and analyzed in a next generation SIEM, such as the Exabeam Security Management Platform:

• Critical assets which are vulnerable but currently unable to be patched can be added to a watch list, providing security operations teams with a clear view into any risky activities occurring on those systems.
• Data from vulnerability scans can be included in Exabeam Smart Timelines, providing security analysts with an automated end-to-end picture of events.
• Device information can be enriched with Exabeam’s threat intelligence data, enabling security operations teams to understand specific external threat indicators related to their environment.

The following Exabeam modules and functionality can be used to analyze and enrich data from vulnerability management tools:

• Advanced analytics — using behavioral analytics to identify anomalous behavior that might indicate an attack, and correlating with threat analytics data to identify the type and source of the attack
• Cloud connectors — can be used to easily collect data from a number of popular cloud-based vulnerability management solutions
• Smart forensic analysis — collecting all relevant information about a security incident, across multiple users, IP addresses, and IT systems, combining it with threat intelligence data, and laying it out on an incident timeline
• Incident response automation — gathering data from hundreds of tools, automatically identifying incidents, cross-referencing them with threat intelligence data, and even automatically orchestrating containment and mitigation steps
• Threat hunting — using threat intelligence data combined with free exploration of internal security data to identify new and unknown threats that might be affecting your organization

In addition to these tools, Exabeam also offers a Threat Intelligence Service, a cloud-based solution with proprietary threat intelligence technology. This system collects and analyzes threat indicators from multiple feeds.

The Threat Intelligence Service service is free for Exabeam customers as part of the Exabeam Security Management Platform, and can also integrate with TIP vendors for a broader source of indicators of compromise (IoCs).

Learn more about the Exabeam Security Management Platform.

Further reading

• Information Security: Goals, Types and Applications
• The 8 Elements of an Information Security Policy
• What is MITRE ATT&CK: An Explainer
• MITRE Publishes Domain Generation Algorithm T1483 in the ATT&CK Framework