September 6, 2023 By Matt Kosinski 4 min read

Modern enterprise networks are vast systems of remote and on-premises endpoints, locally installed software, cloud apps, and third-party services. Every one of these assets plays a vital role in business operations—and any of them could contain vulnerabilities that threat actors can use to sow chaos. Organizations rely on the vulnerability management process to head off these cyberthreats before they strike.

The vulnerability management process is a continuous process for discovering, prioritizing, and resolving security vulnerabilities across an organization’s IT infrastructure.

Security vulnerabilities defined

A security vulnerability is any weakness or flaw in the structure, function, or implementation of an IT asset or network that hackers or cybercriminals can exploit to cause harm. Coding errors—e.g., a bug in a web app that lets threat actors inject malware into the system—are a common type of vulnerability. Misconfigurations, like a cloud storage bucket that exposes sensitive data to the public internet, are also common.

According to the IBM X-Force Threat Intelligence Index, the exploitation of vulnerabilities like these is the second most common cyberattack vector (method of infiltrating the target system or network).

A continuous vulnerability management process helps stop cyberattacks—and soften the blow of those that succeed—by finding and fixing flaws before threat actors can weaponize them. In short, it enables the security team to adopt a more proactive security posture, which is why vulnerability management is a key component of enterprise risk management strategies today.

The vulnerability management lifecycle  

Corporate networks are not static. Every change—adopting a new app, updating an operating system—can introduce new vulnerabilities. Plus, hackers are always hunting for undiscovered flaws, and it only takes them about 12 days to start exploiting the ones they find.

To keep up with these adversaries and respond to cyber threats in a timely manner, security teams address vulnerabilities in an ongoing process called the vulnerability management lifecycle. Each cycle leads directly into the next, and the intel collected in each cycle shapes how the next one plays out.

Typically the vulnerability management lifecycle includes five stages, plus an occasional planning phase.

Planning and prework  

Before the lifecycle officially starts, the organization establishes its overall strategy for addressing security weaknesses. This includes identifying responsible stakeholders, earmarking resources, setting goals, and defining key performance metrics.

Organizations go through this stage once before implementing a formal vulnerability management process. Then, the overall strategy is revisited periodically and updated as needed.

1. Asset discovery and vulnerability assessment

Every round of the vulnerability management lifecycle starts with updating the inventory of all the hardware, software, and other IT assets active on the company network. Security teams often use attack surface management platforms or other asset discovery tools to automate this process.   

Next, the security team conducts vulnerability scans to identify vulnerabilities in these assets. The team may use a combination of vulnerability management tools and methods to assess all assets, including automated vulnerability scanners, penetration tests, and logs from internal security tools.

2. Vulnerability prioritization

The security team uses the results of vulnerability assessments to sort out false positives and prioritize discovered vulnerabilities by level of criticality. Prioritization enables security teams to focus on the biggest security risks first.

Resources like the Common Vulnerability Scoring System (CVSS), MITRE’s list of Common Vulnerabilities and Exposures (CVEs), and NIST’s National Vulnerability Database (NVD) can help security teams get a baseline understanding of how critical their vulnerabilities are.

Cybersecurity teams then combine this external threat intelligence with company-specific data to understand how known vulnerabilities affect their unique networks.
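As an added example (not code from the article), here is one way to express the prioritization step in Python: the CVSS base score supplies the external baseline, while asset criticality, internet exposure, and exploit intelligence supply the company-specific context. The weighting scheme, the sample findings, and the placeholder vulnerability ids are constructed assumptions, not a standard.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    vuln_id: str                  # placeholder ids below, not real CVE numbers
    cvss_base: float              # external baseline from NVD/CVSS, 0.0 to 10.0
    asset_criticality: int        # company-specific: 1 (low) to 5 (crown jewel)
    internet_exposed: bool        # company-specific: reachable from the internet?
    exploit_known: bool           # threat intel: exploitation observed in the wild?
    false_positive: bool = False  # analyst verdict after reviewing the scan result

def priority_score(f: Finding) -> float:
    """Weight the CVSS baseline by asset criticality, then add exposure context.
    The weight runs from 0.7 (criticality 1) to 1.1 (criticality 5); this is an
    illustrative scoring scheme assumed for the example, not a standard."""
    weight = (6 + f.asset_criticality) / 10
    score = f.cvss_base * weight
    if f.internet_exposed:
        score += 1.5
    if f.exploit_known:
        score += 2.0
    return round(score, 1)

def prioritize(findings):
    """Drop analyst-confirmed false positives and sort the rest, most urgent first."""
    scored = [(f, priority_score(f)) for f in findings if not f.false_positive]
    return sorted(scored, key=lambda fs: fs[1], reverse=True)

# Constructed sample scan results. Note that the same CVSS 9.8 on a low-value
# printer ends up below a CVSS 7.0 flaw on the crown-jewel database.
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-0001", 9.8, 5, True, True),
    Finding("printer-07", "VULN-0002", 9.8, 1, False, False),
    Finding("db-02", "VULN-0003", 7.0, 5, False, True),
    Finding("hr-app", "VULN-0004", 7.5, 3, True, False, false_positive=True),
    Finding("kiosk-03", "VULN-0005", 5.0, 2, True, False),
]

if __name__ == "__main__":
    for f, s in prioritize(SAMPLE_FINDINGS):
        print(f"{s:5.1f}  {f.asset:12} {f.vuln_id}")
```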

3. Vulnerability resolution

The security team works through the list of vulnerabilities, moving from most critical to least. Generally, they have three options for resolving these flaws:

  • Remediation: Fully addressing a vulnerability so it can no longer be exploited, such as by patching software vulnerabilities or fixing device misconfigurations.
  • Mitigation: Making a vulnerability more difficult to exploit and/or lessening the impact of exploitation without removing the vulnerability entirely. For example, putting a firewall around a vulnerable asset and training employees on social engineering attacks would be forms of mitigation.
  • Acceptance: If a vulnerability is unlikely to be exploited or wouldn’t cause much impact, the company may accept it.

4. Reassessment and monitoring

To confirm that mitigation and remediation efforts worked—and to ensure they don’t introduce any new problems—the security team reassesses the assets. The team also takes stock of the overall network and the general cyberthreat landscape, as changes in either one may require updates to security controls or criticality ratings.

5. Reporting and improvement

Vulnerability management platforms typically provide dashboards for reporting metrics like mean time to detect (MTTD), mean time to respond (MTTR), and vulnerability recurrences. The security team can use these metrics to report back to stakeholders and audit the vulnerability management program, looking for opportunities to improve performance over time.
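As an added example (not from the article or any vendor's platform), the three metrics named above can be computed from a finding history in Python. The record format and the sample records are constructed assumptions; here "published" is when the vulnerability became public, "detected" when a scan found it, and "resolved" when reassessment confirmed the fix.

```python
from datetime import datetime
from statistics import mean

# Constructed sample finding history (ISO dates). The second web-01 record is
# the same vulnerability reappearing after the first fix, i.e. a recurrence.
RECORDS = [
    {"asset": "web-01", "vuln": "VULN-A", "published": "2023-06-01", "detected": "2023-06-03", "resolved": "2023-06-10"},
    {"asset": "web-01", "vuln": "VULN-A", "published": "2023-06-01", "detected": "2023-07-01", "resolved": "2023-07-03"},
    {"asset": "db-02",  "vuln": "VULN-B", "published": "2023-05-20", "detected": "2023-06-04", "resolved": None},
    {"asset": "hr-app", "vuln": "VULN-C", "published": "2023-06-02", "detected": "2023-06-06", "resolved": "2023-06-20"},
]

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")

def mttd_days(records):
    """Mean time to detect: days from public disclosure to our own detection."""
    return mean((_d(r["detected"]) - _d(r["published"])).days for r in records)

def mttr_days(records):
    """Mean time to respond: days from detection to confirmed resolution (closed findings only)."""
    closed = [r for r in records if r["resolved"]]
    return mean((_d(r["resolved"]) - _d(r["detected"])).days for r in closed)

def open_count(records):
    """Backlog: findings with no confirmed resolution yet."""
    return sum(1 for r in records if not r["resolved"])

def recurrences(records):
    """Count (asset, vuln) pairs detected again after a previous resolution."""
    history = {}
    for r in sorted(records, key=lambda r: r["detected"]):
        history.setdefault((r["asset"], r["vuln"]), []).append(r)
    count = 0
    for hist in history.values():
        for prev, cur in zip(hist, hist[1:]):
            if prev["resolved"] and _d(cur["detected"]) > _d(prev["resolved"]):
                count += 1
    return count

if __name__ == "__main__":
    print(f"MTTD {mttd_days(RECORDS):.1f} days, MTTR {mttr_days(RECORDS):.1f} days, "
          f"open {open_count(RECORDS)}, recurrences {recurrences(RECORDS)}")
```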


Best practices for an effective vulnerability management program  

Correlate vulnerabilities

Security teams can better understand each vulnerability’s criticality by considering how a flaw relates to other vulnerabilities in the system. For example, a non-critical flaw in a non-critical asset may not seem important in isolation. If hackers can use that non-critical asset as a stepping stone to exploit a vulnerability in a more critical system, it may take on a higher priority. 

Correlating vulnerabilities can also help find and fix underlying issues that may make the network more susceptible to cyberattacks. For example, if vulnerability assessments keep turning up outdated assets, it may be a sign the patch management process needs an overhaul. 
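The stepping-stone case above, as an added example that is not part of the article: a breadth-first search over a (constructed) network reachability map raises the priority of a finding on a non-critical asset whenever that asset can reach a critical one. The asset names, reachability map, and escalation ladder are assumptions for illustration.

```python
from collections import deque

# Constructed sample reachability map: asset -> assets it can open connections to.
REACHABLE = {
    "printer-07": ["fileshare-01"],
    "fileshare-01": ["db-02"],
    "kiosk-03": ["guest-wifi-gw"],
    "guest-wifi-gw": [],
    "db-02": [],
}
CRITICAL_ASSETS = {"db-02"}
# Priority each finding received in isolation during the prioritization stage.
ISOLATED_PRIORITY = {"printer-07": "low", "kiosk-03": "low", "db-02": "critical"}
ESCALATE = {"low": "medium", "medium": "high", "high": "critical", "critical": "critical"}

def reaches_critical(asset, graph, critical):
    """Breadth-first search: is any critical asset reachable from `asset`?"""
    seen, queue = {asset}, deque([asset])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt in critical:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def correlate(priorities, graph, critical):
    """Raise the priority of findings on non-critical assets that are stepping
    stones toward a critical one; everything else keeps its isolated rating."""
    return {
        asset: ESCALATE[prio]
        if asset not in critical and reaches_critical(asset, graph, critical)
        else prio
        for asset, prio in priorities.items()
    }

if __name__ == "__main__":
    for asset, prio in correlate(ISOLATED_PRIORITY, REACHABLE, CRITICAL_ASSETS).items():
        print(f"{asset:12} {ISOLATED_PRIORITY[asset]:8} -> {prio}")
```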

Curate information

According to Gartner, one of the most common vulnerability management mistakes is when security teams send raw vulnerability scan results to asset owners. These reports can contain hundreds or thousands of vulnerabilities, making it hard for IT teams to determine the most effective remediation strategy.   

Security teams can use the prioritization stage to not only rank vulnerabilities but also curate threat intelligence and other information into digestible reports. That way, other stakeholders in vulnerability management can help move the process along instead of getting bogged down in the details.

Strategically schedule scans

Some organizations use continuous scanning tools to flag vulnerabilities in real time. Those that don’t need to be intentional about scheduling scans.  

Vulnerability assessments can be time- and resource-intensive, so security teams may not want to scan every asset during every assessment. Generally, organizations group assets on their networks according to criticality level. More critical asset groups are scanned more often, typically weekly or monthly. Less critical assets may be scanned quarterly or less.  

Scans can also affect the performance of some assets, so the organization may schedule assessments for off-hours when the assets aren’t being used.

Automate wherever possible

Given the sheer number of assets in the average enterprise network, manual vulnerability management processes typically aren’t feasible. Instead, security teams often use vulnerability management systems to automate key workflows like asset discovery, vulnerability assessment, prioritization, and patch management.

Explore vulnerability management solutions

Even with the right security tools in place, it can be hard for security teams to keep up with all the potential threats and risks in their enterprise networks.

