
Vulnerability Management: Five Steps to Cybersecurity Success

Take charge of your cybersecurity program foundation with these five steps: discover, assess, prioritize, remediate and measure all assets across your computing environments.


Effective risk-based vulnerability management requires a strong process mapped directly to these five Cyber Exposure phases:

1. Discover

The first step in your vulnerability management program is to inventory all hardware and software assets across your entire attack surface. This can be difficult because you likely have diverse asset types such as traditional IT, transitory, mobile, dynamic and operational technology, which often require different discovery technologies. To discover these diverse assets, you may be using disparate technologies from multiple vendors, which increases your acquisition and management costs. Using a variety of disjointed discovery products also results in asset inventory silos, making it difficult—if not impossible—to map diverse assets to your business services.

Understand your complete attack surface.

The foundation of your vulnerability program includes taking a complete inventory of every hardware and software asset across all of your computing environments, including IT, mobile, cloud and operational technology. You must identify all of the assets in your attack surface before you can adequately protect it.


Know which assets support specific business systems.

Group assets by business system to identify critical assets and inform vulnerability assessment and remediation. You can also group assets by type, geography and other user-defined criteria.

Streamline IT asset management processes.

Integration between Tenable platforms and your IT Configuration Management Database (CMDB) provides you with an enterprise-class system of record for your assets. The Tenable platform improves CMDB data integrity by adding assets identified during the Discover phase that may have been previously unrecorded in the CMDB. Asset attributes in the CMDB, such as asset owner, administrator, location and SLA, inform the downstream vulnerability management phases. Rich CMDB data facilitates IT service management processes, including asset management and change management.

"[We have] live discovery of every Netskope asset, providing dynamic and holistic visibility across the modern attack surface (cloud, data center, IoT, etc.). This includes automating asset discovery, particularly assets in their cloud infrastructure, including containers." (Netskope, case study)

2. Assess

Assessing assets for vulnerabilities and misconfigurations across your complete attack surface is challenging due to diverse asset types. Your asset mix likely includes traditional IT, transitory, mobile, dynamic and operational technology assets. These diverse asset types require different assessment technologies, but they all must be supported in a single vulnerability management platform that delivers a unified view of exposures.

Understand cyber exposures across your attack surface.

Identify vulnerabilities, misconfigurations and other weaknesses in traditional IT, transitory, mobile, dynamic and operational technology assets.

Audit patching and configuration changes.

Ensure that you remediate vulnerabilities and misconfigurations as expected.

Inform incident management.

Automatically send vulnerability and misconfiguration information to your security information and event management (SIEM) to enrich event data, help prioritize events for investigation and inform responses.

"Tenable.io provides us with a unified view of the state of all of our assets. We use it to run compliance scans in addition to system and network vulnerability scans across all our assets every night." (Francis Pereira, Head of Infrastructure, CleverTap, video case study)

3. Prioritize

Understand vulnerabilities in the context of business risk and use that data to prioritize your team's efforts. With a risk-based approach to vulnerability management, your security team can focus on the vulnerabilities and assets that matter most, so you can address your organization's true business risk instead of wasting valuable time on vulnerabilities that attackers are unlikely to exploit. By understanding the full context of each vulnerability, including the criticality of affected assets and an assessment of current and likely future attacker activity, you can take decisive action to reduce the greatest amount of business risk with the least amount of effort.

Identify vulnerabilities requiring immediate attention.

Prioritize vulnerabilities based on a combination of threat intelligence, exploit availability, vulnerability metadata and asset criticality.
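The ranking described above, as an added example that is not Tenable's code or scoring model: a small Python routine that folds vulnerability metadata (CVSS), exploit availability, a threat-intelligence flag and CMDB asset criticality into one score, then hands IT operations only the top of the list with the rationale documented. The weights, hostnames and vulnerability ids are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str               # constructed identifier, not a real CVE
    cvss: float                # vulnerability metadata: base severity 0.0-10.0
    exploit_available: bool    # public exploit code exists
    actively_exploited: bool   # threat intelligence: seen used in the wild
    asset_criticality: int     # 1 (lab box) .. 5 (mission critical), from the CMDB

def risk_score(f: Finding) -> float:
    """Fold the four inputs into one 0-100 ranking value.

    Weights are illustrative assumptions: severity sets the base, exploit
    availability and active exploitation raise it, and asset criticality
    scales it so the same bug ranks higher on a production database than
    on a disposable dev VM.
    """
    threat = 1.0
    if f.exploit_available:
        threat += 0.5
    if f.actively_exploited:
        threat += 1.0
    raw = f.cvss * threat * f.asset_criticality   # maximum 10 * 2.5 * 5 = 125
    return round(raw * 100 / 125, 1)

def prioritize(findings, capacity):
    """Rank all findings and return only the top `capacity` for IT operations,
    each with the rationale the page asks you to document alongside it."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    handoff = []
    for f in ranked[:capacity]:
        why = []
        if f.actively_exploited:
            why.append("actively exploited in the wild")
        elif f.exploit_available:
            why.append("public exploit available")
        why.append(f"CVSS {f.cvss}")
        why.append(f"asset criticality {f.asset_criticality}/5")
        handoff.append((f.asset, f.vuln_id, risk_score(f), "; ".join(why)))
    return handoff

# Constructed sample findings (hostnames and vuln_ids are made up)
SAMPLE = [
    Finding("db-prod-01", "VULN-A", 9.8, True, True, 5),
    Finding("web-prod-02", "VULN-B", 7.5, True, False, 4),
    Finding("dev-vm-17", "VULN-A", 9.8, True, True, 1),
    Finding("hr-laptop-33", "VULN-C", 5.3, False, False, 2),
    Finding("ot-plc-04", "VULN-D", 6.5, False, False, 5),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, capacity=3):
        print(row)
```

Note that the same critical bug on the dev VM ranks below a medium-severity finding on the PLC: asset criticality, not CVSS alone, decides where the team's time goes.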

Provide comprehensive vulnerability information to IT Operations for remediation.

Focus remediation resources on vulnerabilities with the highest potential to adversely impact your organization. Document what the vulnerability is, why it is a top priority and how it can be remediated.

Inform incident management.

Automatically send vulnerability and misconfiguration information to your SIEM to enrich event data, help prioritize events for investigation and inform responses.

"We can't dump that list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us. If I give them a list of a couple of hundred? [...] They'll engage." (Dan Bowden, CISO, Sentara Healthcare, video case study)

4. Remediate

Remediating high-priority vulnerabilities, misconfigurations and other weaknesses often requires more than simply installing patches. Patching and other remediation activities require a handoff to IT operations staff, along with clear expectations and instructions. There are some instances when patch application isn't feasible. For example: a patch is not available; applying a patch may do more harm than good; or there are concerns about the system's sensitivity. In these instances, your security team should consider applying compensating controls as an alternative. By taking a risk-based approach that prioritizes vulnerabilities and assets, you can reduce the time and effort needed to secure your attack surface.

Reduced attack surface.

Successful remediation of vulnerabilities, misconfigurations and other weaknesses greatly reduces the probability a business-impacting cyber event may occur.

Improved operational efficiency.

Focus remediation resources on vulnerabilities with the greatest potential impact on your organization. Document the vulnerability, why it is a top priority and how it can be remediated.

Increased confidence.

A closed-loop vulnerability management process ensures you accomplish remediation as expected. Remediation scans validate whether your vulnerability remediation actions on targets were successful. If a remediation scan cannot identify a vulnerability on previously identified targets, the system changes the status of those vulnerability instances to "mitigate."
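The closed loop described above, together with the time-to-remediate metric from the Measure step, as an added Python example that is not Tenable's implementation: a remediation scan's results are reconciled against the tracked vulnerability instances, instances that are no longer detected flip to "mitigated", instances that reappear are reopened, and instances on assets the rescan never reached are deliberately left alone, since "not scanned" is not "fixed". Hostnames, vulnerability ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

Key = Tuple[str, str]   # (asset, vuln_id)

@dataclass
class Instance:
    asset: str
    vuln_id: str
    first_seen: datetime
    status: str = "open"                      # "open" or "mitigated"
    mitigated_at: Optional[datetime] = None

def reconcile(tracked: List[Instance], detected: Set[Key],
              assessed_assets: Set[str], scan_time: datetime) -> List[Instance]:
    """Close the loop after a remediation scan.

    detected: (asset, vuln_id) pairs the rescan found.
    assessed_assets: assets the rescan actually reached. An instance on an
    asset that was offline or out of scope is left untouched: "not seen"
    only means "mitigated" when the scanner really looked.
    """
    for inst in tracked:
        if inst.asset not in assessed_assets:
            continue
        if (inst.asset, inst.vuln_id) in detected:
            if inst.status == "mitigated":        # regression: reopen it
                inst.status, inst.mitigated_at = "open", None
                inst.first_seen = scan_time
        elif inst.status == "open":               # not re-detected: fixed
            inst.status, inst.mitigated_at = "mitigated", scan_time
    known = {(i.asset, i.vuln_id) for i in tracked}
    for asset, vuln_id in sorted(detected - known):   # newly introduced
        tracked.append(Instance(asset, vuln_id, scan_time))
    return tracked

def mean_time_to_remediate_days(tracked: List[Instance]) -> Optional[float]:
    """Measure phase: average open-to-mitigated interval, in days."""
    spans = [(i.mitigated_at - i.first_seen).total_seconds() / 86400
             for i in tracked if i.status == "mitigated"]
    return round(sum(spans) / len(spans), 1) if spans else None

def demo() -> List[Instance]:
    # Constructed baseline and rescan data; hostnames and ids are made up.
    t0 = datetime(2024, 1, 1)
    tracked = [Instance("web-01", "VULN-A", t0), Instance("web-01", "VULN-B", t0),
               Instance("db-01", "VULN-A", datetime(2024, 1, 3)),
               Instance("hr-02", "VULN-C", t0)]
    rescan = {("web-01", "VULN-B"), ("db-01", "VULN-D")}   # hr-02 was offline
    return reconcile(tracked, rescan, {"web-01", "db-01"}, datetime(2024, 1, 11))
```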

"By putting in the right tools, IT security is now able to get ahead and patch and remediate and resolve security issues before they are discovered by the bad guys." (Mike Koss, Head of IT Security & Risk, N Brown Group, video)

5. Measure

Calculate, communicate and compare key metrics to understand your security program's effectiveness. Track your Cyber Exposure Score (CES), time to assess, and time to remediate and compare those metrics internally and against industry peers. Then communicate those results with your team and key stakeholders to build confidence in your program's success.

Automatically calculate your cyber exposure.

Advanced analysis and risk-based exposure scoring weigh asset value and criticality, vulnerabilities and their context.

Communicate status to stakeholders.

Visualizations of your entire attack surface allow anyone—from analyst to executive—to quickly understand and communicate your organization’s Cyber Exposure.

Benchmark your performance.

Ensure complete and timely data.

Increase confidence in your risk-based reporting by monitoring the integrity of your risk-based vulnerability management program with metrics, such as scan frequency, scan depth, time to assess new vulnerabilities and time to remediate.

Compare your effectiveness internally.

Measure the effectiveness of your risk-based vulnerability management program to enable a clear dialogue between technical and business leaders to focus on areas for improvement and investment.

"Metrics are an important part of information security, and being able to speak the language of executives and to be able to present information in the appropriate fashion. Tenable does a really nice job of helping me do that." (Matthew S, American Eagle Outfitters, video case study)
