Vulnerability management, a subdomain of IT risk management, is the continuous discovery, prioritization and resolution of security vulnerabilities in an organization’s IT infrastructure and software.
A security vulnerability is any flaw or weakness in the structure, functionality or implementation of a network or networked asset that hackers can exploit to launch cyberattacks, gain unauthorized access to systems or data or otherwise harm an organization.
Examples of common vulnerabilities include firewall misconfigurations that might allow certain types of malware to enter the network or unpatched bugs in an operating system’s remote desktop protocol that might allow hackers to take over a device.
Today’s enterprise networks are so distributed, and various new vulnerabilities are discovered daily, making effective manual or ad hoc vulnerability management nearly impossible. Cybersecurity teams typically rely on vulnerability management solutions to automate the process.
The Center for Internet Security (CIS) lists continuous vulnerability management as one of its Critical Security Controls (link resides outside ibm.com) to defend against the most common cyberattacks. Vulnerability management allows IT security teams to adopt a more proactive security posture by identifying and resolving vulnerabilities before they can be exploited.
Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.
Register for the Cost of a Data Breach report
Because new vulnerabilities can arise at any time, security teams approach vulnerability management as a continuous lifecycle rather than a discrete event. This lifecycle comprises five ongoing and overlapping workflows: Discovery, categorization and prioritization, resolution, reassessment and reporting.
1. Discovery
The discovery workflow centers around vulnerability assessment, a process for checking all an organization’s IT assets for known and potential vulnerabilities. Typically security teams automate this process by using vulnerability scanner software. Some vulnerability scanners perform periodic, comprehensive network scans on a regular schedule, while others use agents installed on laptops, routers and other endpoints to collect data on each device. Security teams can also use episodic vulnerability assessments, such as penetration testing, to locate vulnerabilities that elude a scanner.
2. Categorization and Prioritization
Once vulnerabilities are identified, they’re categorized by type (for example, device misconfigurations, encryption issues, sensitive data exposures) and prioritized by level of criticality. This process provides an estimation of each vulnerability’s severity, exploitability and the likelihood of an attack.
Vulnerability management solutions typically draw on threat intelligence sources such as the Common Vulnerability Scoring System (CVSS), an open cybersecurity industry standard, to score the criticality of known vulnerabilities on a scale of 0 to 10. Two other popular intelligence sources are MITRE’s list of Common Vulnerabilities and Exposures (CVEs) and NIST’s National Vulnerability Database (NVD).
3. Resolution
Once vulnerabilities are prioritized, security teams can resolve them in one of three ways:
- Remediation—fully addressing a vulnerability so it can no longer be exploited, such as by installing a patch that fixes a software bug or retiring a vulnerable asset. Many vulnerability management platforms provide remediation tools such as patch management for automatic patch downloads and testing, and configuration management for addressing network and device misconfigurations from a centralized dashboard or portal.
- Mitigation—making a vulnerability more difficult to exploit and lessening the impact of exploitation without removing the vulnerability entirely. Leaving a vulnerable device online but segmenting it from the rest of the network is an example of mitigation. Mitigation is often performed when a patch or other means of remediation is not yet available.
- Acceptance—choosing to leave a vulnerability unaddressed. Vulnerabilities with low criticality scores, which are unlikely to be exploited or unlikely to cause significant damage, are often accepted.
4. Reassessment
When vulnerabilities are resolved, security teams conduct a new vulnerability assessment to ensure that their mitigation or remediation efforts worked and did not introduce any new vulnerabilities.
5. Reporting
Vulnerability management platforms typically provide dashboards for reporting on metrics like mean time to detect (MTTD) and mean time to respond (MTTR). Many solutions also maintain databases of identified vulnerabilities, which allow security teams to track the resolution of identified vulnerabilities and audit past vulnerability management efforts.
These reporting capabilities enable security teams to establish a baseline for ongoing vulnerability management activities and monitor program performance over time. Reports can also be used to share information between the security team and other IT teams who may be responsible for managing assets but not directly involved in the vulnerability management process.
Risk-based vulnerability management (RBVM) is a relatively new approach to vulnerability management. RVBM combines stakeholder-specific vulnerability data with artificial intelligence and machine learning capabilities to enhance vulnerability management in three important ways.
More context for more effective prioritization. Traditional vulnerability management solutions determine criticality by using industry-standard resources like the CVSS or the NIST NVD. These resources rely on generalities that can determine the average criticality of a vulnerability across all organizations. But they lack stakeholder-specific vulnerability data that can result in dangerous over- or under-prioritization of a vulnerability’s criticality to a specific company.
For example, because no security team has the time or resources to address every vulnerability in its network, many prioritize vulnerabilities with a “high” (7.0-8.9) or “critical” (9.0-10.0) CVSS score. However, if a “critical” vulnerability exists in an asset that doesn’t store or process any sensitive information, or offers no pathways to high-value segments of the network, remediation may not be worth it.
Vulnerabilities with low CVSS scores can be a bigger threat to some organizations than others. The Heartbleed bug, discovered in 2014, was rated as “medium” (5.0) on the CVSS scale (link resides outside ibm.com). Even so, hackers used it to pull off large-scale attacks, such as stealing the data of 4.5 million patients (link resides outside ibm.com) from one of the largest US hospital chains.
RBVM supplements scoring with stakeholder-specific vulnerability data—the number and criticality of the asset that is affected, how the assets are connected to other assets, and the potential damage an exploit might cause—as well as data on how cybercriminals interact with vulnerabilities in the real world. It uses machine learning to formulate risk scores that more accurately reflect each vulnerability’s risk to the organization specifically. This enables IT security teams to prioritize a smaller number of critical vulnerabilities without sacrificing network security.
Real-time discovery. In RBVM, vulnerability scans are often conducted in real-time rather than on a recurring schedule. Additionally, RBVM solutions can monitor a broader array of assets: Whereas traditional vulnerability scanners are usually limited to known assets directly connected to the network, RBVM tools can typically scan on-premises and remote mobile devices, cloud assets, third-party apps, and other resources.
Automated reassessment. In an RBVM process, reassessment can be automated by continuous vulnerability scanning. In traditional vulnerability management, reassessment may require an intentional network scan or penetration test.
Vulnerability management is closely related to attack surface management (ASM). ASM is the continuous discovery, analysis, remediation, and monitoring of the vulnerabilities and potential attack vectors that make up an organization’s attack surface. The core difference between ASM and vulnerability management is one of scope. While both processes monitor and resolve vulnerabilities in an organization’s assets, ASM takes a more holistic approach to network security.
ASM solutions include asset discovery capabilities that identify and monitor all known, unknown, third-party, subsidiary, and malicious assets connected to the network. ASM also extends beyond IT assets to identify vulnerabilities in an organization’s physical and social engineering attack surfaces. It then analyzes these assets and vulnerabilities from a hackers perspective to understand how cybercriminals might use them to infiltrate the network.
With the rise of risk-based vulnerability management (RBVM), lines between vulnerability management and ASM have become increasingly blurred. Organizations often deploy ASM platforms as part of their RBVM solution, because ASM provides a more comprehensive view of the attack surface than vulnerability management alone.
Adopt a vulnerability management program that identifies, prioritizes and manages the remediation of flaws that might expose your most-critical assets.
Manage IT risk, establish governance structures and increase cybersecurity maturity with an integrated governance, risk and compliance approach.
Simplify and optimize your application management and technology operations with generative AI-driven insights.
Attack surface management helps organizations discover, prioritize and remediate vulnerabilities to cyberattack.
DevSecOps automatically bakes in security at every phase of the software development lifecycle.
Data security practices and technologies protect digital information from unauthorized access, corruption or theft.