Modern organizations operate in a world where technology creates both opportunities and risks. The opportunities are created by digitization, automation, and hyper-connectivity, while many of the risks stem from vulnerabilities in software and in hardware devices like endpoints.
Vulnerabilities are weaknesses that increase the risk of cyberattacks and data breaches. To minimize these challenges, organizations need to proactively and continually identify, analyze, and remediate the vulnerabilities in their IT ecosystem. Here’s where vulnerability management (VM) comes in.
According to the International Organization for Standardization (ISO), a vulnerability is a “weakness or exposure that allows a security impact or consequence”. Threat actors can exploit these weaknesses to compromise enterprise assets, exfiltrate sensitive data, install malware on company devices, disrupt operations, and generally damage an organization and its stakeholders.
Unfortunately, hundreds of thousands of vulnerabilities already exist in enterprise assets. Per one vulnerability trends report, over 20,000 new vulnerabilities were reported in 2021 alone – an all-time high. To make matters worse, threat actors are exploiting these vulnerabilities faster. Case in point: 24% more vulnerabilities were exploited in 2021 compared to 2020. Robust VM processes, controls, and tools are crucial to prevent threat actors from exploiting these vulnerabilities and damaging business assets, data, and customers.
Security researchers and companies regularly publish updated information about the global vulnerability landscape. One of the most reliable sources of this information is the Common Vulnerability Scoring System (CVSS) that’s maintained by the non-profit Forum of Incident Response and Security Teams (FIRST).
A CVSS score, which can range from 0 to 10, provides a quantitative measure of a vulnerability’s severity and risk. This numeric score can then be translated into a qualitative rating of the vulnerability, such as low, medium, high, or critical, which in turn informs enterprise vulnerability remediation efforts. For example, a vulnerability with a CVSS score of 0.1-3.9 would be rated low, while a vulnerability with a score of 7.0-8.9 would be rated high.
The National Institute of Standards and Technology (NIST) maintains a National Vulnerability Database (NVD) that provides CVSS scores for almost all known vulnerabilities. The NVD is fully synchronized with the Common Vulnerabilities and Exposures (CVE) list of publicly disclosed vulnerabilities maintained by MITRE. A CVE ID is the unique identifier for each vulnerability in the NVD.
In 2022, the NVD received over 22,000 CVEs. By November, the total number of CVE vulnerabilities in the NVD had crossed 200,000. These numbers show that security weaknesses and blind spots are a growing problem for organizations. Fortunately, they can minimize the impact of these vulnerabilities on enterprise assets and data with regular and ongoing vulnerability management.
Vulnerability management cannot – and should not – be a one-time-only effort. As we have already seen, the number of vulnerabilities in the wild is constantly increasing. Organizations must identify and address them regularly by following a systematic VM process.
The VM process is a proactive and ongoing way to identify, assess, manage, and mitigate (or remediate) vulnerabilities to improve the security of enterprise devices, applications, users, and data. It is also known as the vulnerability management lifecycle.
This VM process consists of several steps:
Vulnerabilities must first be identified before they can be assessed and mitigated. Security teams can employ numerous ways to identify vulnerabilities, including network scanning, firewall logging, and penetration testing. Another popular method is to employ an automated vulnerability scanner.
These scanners scan the enterprise network for vulnerabilities. They use a known vulnerability database like the NVD to confirm the severity of a discovered vulnerability. The best vulnerability scanners can:
After the scanner identifies vulnerabilities, the security team must assess them to determine the remediation strategy. To enable assessment, it’s useful to have a quantitative measure of the severity of each vulnerability, such as CVSS scores.
Security personnel can also use other criteria to assess vulnerabilities. For example, they may try to determine whether someone could exploit a vulnerability from the Internet. They may also look for published exploit code, assess the possible impact of exploitation, and review whether existing security controls reduce the probability or impact of exploitation.
Based on the CVSS score and other criteria, security staff will prioritize vulnerabilities depending on their severity, the probability of impact if exploited, or both. Prioritization is important because it highlights the key problem areas and enables organizations to efficiently assign their resources to remediate vulnerabilities and lower the risk of a malicious breach.
Vulnerability verification/validation is a good way to weed out the false positives generated by the scanner. It also helps the team to focus their remediation efforts on real vulnerabilities and thus strengthen enterprise defenses instead of wasting time on false positives.
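As an added example (not code from the article or from any product it mentions), the following Python sketch ties together the assessment, prioritization, and validation steps described above: it maps a CVSS base score to the qualitative bands given earlier, drops findings the team has not validated (scanner false positives), and orders the rest by CVSS score plus the extra criteria mentioned (Internet exposure, public exploit code, compensating controls). The weights, the `Finding` structure, and the sample findings are constructed for illustration only.

```python
from dataclasses import dataclass


def cvss_rating(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the qualitative bands quoted in the article."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"        # CVSS v3.x label for a 0.0 score; below the article's 'low' band
    if score < 4.0:
        return "Low"         # 0.1-3.9
    if score < 7.0:
        return "Medium"      # 4.0-6.9
    if score < 9.0:
        return "High"        # 7.0-8.9
    return "Critical"        # 9.0-10.0


@dataclass(frozen=True)
class Finding:
    cve: str                  # constructed placeholder IDs below, not real CVEs
    asset: str
    cvss: float
    internet_exposed: bool    # reachable from the Internet?
    exploit_public: bool      # published exploit code exists?
    compensating_control: bool  # e.g. WAF rule or network segmentation already in place
    validated: bool           # True once the team confirmed it is not a scanner false positive


def priority_score(f: Finding) -> float:
    """CVSS plus illustrative (assumed) adjustments for the article's other assessment criteria."""
    p = f.cvss
    if f.internet_exposed:
        p += 2.0
    if f.exploit_public:
        p += 2.0
    if f.compensating_control:
        p -= 1.5
    return max(p, 0.0)


def remediation_queue(findings: list[Finding]) -> list[Finding]:
    """Validated findings only, highest priority first; ties broken by CVE ID for a stable order."""
    real = [f for f in findings if f.validated]
    return sorted(real, key=lambda f: (-priority_score(f), f.cve))


# Constructed sample findings, as a scanner plus a validation pass might produce them.
SAMPLE = [
    Finding("CVE-0000-0001", "db-01", 9.8, False, False, False, True),
    Finding("CVE-0000-0002", "web-01", 7.5, True, True, False, True),
    Finding("CVE-0000-0003", "web-02", 9.1, True, True, False, False),  # false positive
    Finding("CVE-0000-0004", "vpn-01", 5.3, True, True, True, True),
]
```

Running `remediation_queue(SAMPLE)` places the Internet-exposed, publicly exploitable finding on web-01 ahead of the higher-scoring but internal-only finding on db-01, and drops the unvalidated finding entirely.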
Real vulnerabilities can either be remediated or mitigated, depending on their severity and the tools available. Remediation is the ideal strategy because it prevents threat actors from exploiting a vulnerability. But if remediation is not possible – say, because patches are not yet available – mitigation strategies can help to lessen the likelihood and/or impact of exploitation.
Reporting is important because it enables company leadership to assess the effectiveness of the VM program and to determine if additional investments are required to strengthen it. Detailed reports also allow security teams to understand the company’s vulnerability landscape, monitor vulnerability trends over time, refine remediation techniques, and create a common “language” among all personnel.
In addition to the above steps, Gartner also suggests some “prework” steps in its vulnerability management cycle. This cycle is part of Gartner’s vulnerability management guidance framework. These steps are:
The goal of these steps is to assess current VM resources and processes in order to identify gaps and implement fixes. Pre-work also helps clarify the scope of the VM program and creates a strong foundation to implement a robust VM process.
Short answer: yes!
As we have seen, the vulnerability and threat landscape is constantly expanding. To keep the bad guys out of your enterprise network and protect your business-critical assets from their malicious hands, you need a robust vulnerability management program. This program should include tools to assess the threats in your network – tools like NovaTA!
Powered by advanced detection technology, NovaTA is a world-class NDR platform that can find many network vulnerabilities, hidden malware, and weaknesses in security controls. With NovaTA, you can uncover everything captured on the NovaCommand unified command center. You will also be able to uncover possible hidden threats, investigate attack events, and improve your security posture with advisory from experienced security professionals. Attackers are getting smarter and increasingly leveraging open vulnerabilities in enterprise ecosystems. Don’t let them get the upper hand. Implement proactive threat detection and threat posture assessment with NovaTA. Click here to request a free demo.