Your Guide to Vulnerability Management

A guide in adopting a risk-based approach, and how to build a scalable, high-quality vulnerability management program (VMP) using comprehensive vulnerability intelligence that accounts for volatility and exploitability—by first focusing on issues that affect critical assets, rather than attempting to patch top-down.

What is vulnerability management?

Vulnerability management is the process of determining the level or risk each vulnerability poses, prioritizing them, and then remediating them based on asset-contextualized intelligence.

To do this, the vulnerability management process takes the vulnerability intelligence an organization uses and builds upon it, performing the following functions: 

  1. Identify deployed assets and then collect known vulnerabilities affecting them.
  2. Map those vulnerabilities to deployed assets used by the organization.
  3. Prioritize issues based on asset criticality, exploitability, severity, threat likelihood, and other factors.
  4. Remediate identified issues, or mitigate them via security controls or system hardening.

Understanding the vulnerability management lifecycle

A risk-based approach enables organizations to more accurately assess the level of risk a vulnerability poses. To accomplish this, the vulnerability management lifecycle involves the following stages:

  1. Reveal
  2. Prioritize
  3. Remediation
  4. Verify

Stage 1: Surface your assets and reveal the vulnerabilities affecting them

The first step of the vulnerability management lifecycle is revealing the vulnerabilities affecting your organization’s deployed assets. Assets can include servers, desktops, mobile devices, applications, and more. Identifying them leads into prioritization, which then enables your security teams to map vulnerabilities to any affected assets.

The purpose of this stage is to understand your attack surface, while also providing visibility into where your organization may be at-risk. Therefore, having comprehensive, detailed, and timely vulnerability intelligence is vital for this stage’s success. Public vulnerability intelligence sources like CVE and NVD fail to report over 99,500 vulnerabilities, meaning that if you’re relying on it, you are likely unaware of many unreported and highly exploitable issues affecting your assets.

Stage 2: Prioritizing vulnerabilities

Vulnerability prioritization takes place once organizations have identified at-risk assets and aggregated the known vulnerabilities affecting them. Then out of those vulnerabilities, based on their impact and likelihood of being exploited, organizations decide which of them they will focus their efforts to remediate.

To prioritize better, organizations should use asset risk scores to contextualize risk, rather than solely relying on CVSS. An asset risk score is a numerical value showing the overall importance of an asset based on use and type of data being stored. It considers the likelihood of that asset being compromised and its exposure to vulnerabilities.

Without doing this, security teams will likely experience the following problems:

1. Being overwhelmed by the amount of new vulnerabilities

Last year, over 28,400 vulnerabilities were newly disclosed and of those, 33% had CVSSv2 scores between 7.0 - 10.0. This means that over the course of the year, security teams would have had to triage thousands of vulnerabilities—which is simply too many to patch within a year.

Most vulnerability management frameworks dictate that organizations should address high-to-critical issues within 15 to 30 calendar days of initial detection. However, with limited resources, this is nearly impossible without using a risk-based approach.

Related Resource: Swisscom Frees Up Limited Resources with Better Data

2. Lacking visibility of exploitable vulnerabilities

Prioritization based solely on CVSS scores fails to account for exploitability. CVSSv2 and CVSSv3 do not factor exploitability in their scoring, meaning that highly rated issues are not guaranteed to be actively used by threat actors. Sometimes weaponized vulnerabilities have ‘moderate’ or even ‘low’ CVSSv2 scores. Therefore, tunneling only on high-to-critical issues will likely create a gap in visibility and your vulnerability management program will need to prepare for this.

Stage 3: Vulnerability remediation

During the vulnerability remediate stage, security teams patch, fix, or mitigate the vulnerabilities affecting the organization’s assets. Depending on the quality of your vulnerability intelligence feeds, remediation should be relatively straightforward. However, organizations have less time than ever to patch vulnerabilities in a timely fashion.

Poor data slows down remediation. A comprehensive source of vulnerability intelligence allows vulnerability managers to know which specific products and versions are vulnerable. Therefore, the only remaining task is keeping track of owners and getting feedback.

Find out about the vulnerabilities affecting you to act fast. This helps vulnerability management.

Detect and Remediate Vulnerabilities Faster with Flashpoint and Risk Based Security

This recording will showcase how Flashpoint will prioritize and automate the actions needed to remediate potential threats.

Stage 4: Verify (getting feedback)

Large organizations have thousands of employees and millions of endpoints, so it is often a challenge finding out who is responsible for a particular asset. In addition, security teams often patch vulnerabilities; not the vulnerability managers who prioritize them. This makes monitoring progress and getting feedback difficult.

However, Flashpoint’s VulnDB gives vulnerability managers the exact intelligence they need to start managing issues, rather than trying to research and track down owners.

Vulnerability management best practices

Organizations can implement a risk-based approach to vulnerability management by following these best practices:

  • Use comprehensive vulnerability intelligence. Most vulnerability management tools source their findings from CVE/NVD, which fails to report nearly one-third of all known vulnerabilities. In addition, the public source often omits vulnerability metadata such as exploitability and solution information. Using an independently researched vulnerability intelligence solution gives security teams all the details they need to research possible issues.
  • Create a Configuration Management Database (CMDB). A CMDB captures all the configuration items in your network—including hardware, software, personnel, and documentation. It can be extremely useful for listing and categorizing deployed assets, facilitates asset risk scoring, and provides long-term benefits if maintained.
  • Create a SBOM. Known as a Software Bill of Materials, a SBOM is technical documentation that lists the various components used in a specific piece of software. It often includes third-party libraries, Open Source Software, and commercial libraries. Having a SBOM is important because Log4Shell showed that vendors are sometimes unsure if their own products contain certain versions of third-party libraries. Track this kind of information internally. This helps you to act fast.
  • Assign asset risk scores. Asset risk scores are data-driven and communicate which assets, if compromised, pose the most risk. Assigning values to specific assets enables organizations to map vulnerabilities to them, and gives them a clear picture of which ones require immediate attention. This will help make prioritization workloads more manageable and save future resources.
  • Prioritize vulnerabilities not only on severity, but also on exploitability and threat likelihood. Organizations can reduce thousands of high-to-critical vulnerabilities down to a serviceable level by filtering them based on actionable, high-severity and threat likelihood.

    Actionable, high-severity sorts vulnerabilities into the following groups: remotely exploitable, known public exploit, and available solution. Remediating vulnerabilities that meet all three criteria first will best protect the organization as they progress through their workload, while maximizing resources.

    In addition, paying attention to deep and dark web (DDW) chatter and illicit communities can improve your prioritization process. Whenever threat actors are actively discussing a vulnerability such as Log4Shell, and how to exploit it, you need to be aware and address it.

Related resource: Log4j Chatter: What Threat Actors Are Sharing About the Log4Shell Vulnerability

  • Update your CMDB and SBOM. Whenever vulnerabilities are remediated, update your CMDB with new information regarding versions, location, and etc. Vice versa, update your SBOM whenever possible. It may be a time-consuming task, but consistently maintaining both your CMDB and SBOMs will be useful. The version of a product can dictate the remediation, and sometimes vendors fail to disclose, or aren’t aware that underpinned third party libraries are out-of-date or are affected by newly disclosed vulnerabilities. Ensuring that details are current will save time triaging and will make remediation easier. It also reduces the possibility of wasting resources reacting to false positives or emergency vulnerability assessment reports.

Vulnerability Management using Flashpoint

"VulnDB has solved many challenges. For me, our vulnerability intelligence and vulnerability management processes are taken care of. Now it's on to the next challenge."

Christophe Rome, Chief Security Officer at Lineas

Thousands of vulnerabilities are identified every year, and the exploitation of them has dramatically increased. Organizations have even less time than before to respond to critical issues. To better protect your network, enterprises need to proactively manage risk in a timely manner.

If you’re interested in learning more about vulnerability intelligence and vulnerability management processes, check out the following resources:

Get the latest news and insights delivered to your inbox.

Interested to see top news from Flashpoint hit your inbox directly? Subscribe to our newsletter to receive curated content on a regular basis.