Vulnerability Management Fundamentals: What You Need to Know

In part one of our five-part series on Vulnerability Management fundamentals, we explore the four stages of the Cyber Exposure lifecycle. 

Truth is ever to be found in simplicity, and not in the multiplicity and confusion of things.

—Sir Isaac Newton

At Tenable, we are pioneering the discipline of Cyber Exposure to help cybersecurity teams measure and manage their cyber risk. Cyber Exposure is essential for communicating cyber risks to business stakeholders and ensuring cybersecurity is factored into strategic business decisions as a key input variable. 

Core to enabling Cyber Exposure is a robust vulnerability management (VM) program. In fact, Cyber Exposure cannot be effective without the basics of VM already in place. In today’s overcrowded world of security threats, shiny new tools and expanding regulations, it is easy to lose sight of the fundamentals of security: reducing cyber risk by identifying and remediating vulnerabilities in your most important assets. VM is a process of identifying and classifying all assets across your attack surface, assessing those assets for security weaknesses, prioritizing security issues for mitigation and applying the appropriate remediation measures. 

In fact, a closer look at the Cyber Exposure lifecycle reveals just how important VM is to Cyber Exposure. VM helps organizations discover, assess, analyze and fix exposures across the attack surface. In this five-part blog series we’ll look at the individual steps of this lifecycle to show how VM fundamentals can help you reduce cyber risk. Let’s start with an overview. 

1. Discover - asset discovery and classification 

As the age-old security adage goes, “you can’t protect what you can’t see.” Maintaining a comprehensive and continuously updated asset inventory is a fundamental and critical component of VM. With today’s complex IT environments spanning on-premises and cloud infrastructure, mobile devices, ephemeral and transitory assets, web applications, IoT devices, etc., maintaining a comprehensive asset inventory is anything but simple. It starts with comprehensive asset discovery and classification based on business impact and risk. Keep in mind, your infrastructure is ever-changing. So asset discovery and classification needs to be done on an ongoing basis.

Learn more: Attend our upcoming webinar, “How to Master the Fundamentals of Vulnerability Management Part 1: Asset Discovery and Classification,” 2pm ET, July 31, 2019, for practical advice on this topic.

2. Assess - comprehensive and continuous vulnerability assessment 

Once you have a comprehensive asset inventory, it is time to assess vulnerabilities on the assets, so you get a clear picture of your attack surface and risk. It is important to balance depth, breadth and frequency of vulnerability assessment, because it will be challenging to achieve all three on a consistent basis. Deep assessment, involving credentialed scans and agents, provides rich vulnerability data, but can take a lot of time and consume resources on the assets. Broad and frequent assessment can be also be limited by business operations. As with other security activities, you have to balance security and business needs and leverage process changes as well as tools to achieve your assessment goals. 

3. Analyze - vulnerability analysis and prioritization 

At this stage you will run into the classic challenge of all vulnerability management and security programs: data overload. Vulnerability assessment is likely to show you more critical and high severity vulnerabilities than you can act upon in a reasonable time frame. So how do you prioritize vulnerabilities for remediation? By focusing on the vulnerabilities and assets most likely to be exploited. Note: this does not mean you should ignore the rest of the vulnerabilities and assets, rather, you should prioritize based on business impact and risk.

4. Fix - vulnerability remediation and validation

Remediation of vulnerabilities and verification of results is the final step in the VM lifecycle. A lot of data breaches are caused by well-known vulnerabilities left unpatched for a long time. But as with other steps, patching comes with its own challenges. Getting accurate information on which patches to apply to achieve the maximum risk reduction is difficult. As is identifying asset owners and nudging them to prioritize patching over other business activities. Patching is also time consuming and can result in downtime for some assets. You may have to leverage other security systems to protect assets while patching is in progress. Finally, you need to validate patching is successful and business risk has actually been reduced.

Remember, VM is an ongoing process. The vulnerability management lifecycle steps discussed in this blog must be continuously repeated for your Cyber Exposure practices to be effective. In subsequent blog posts, we will dig deeper into each step of VM lifecycle. Stay tuned.