IT infrastructure is more complex and interconnected than ever. For attackers, this provides a gold mine for easy attack vectors. In fact, approximately 60% of breaches involve unpatched software. This means that a majority of attacks were actually avoidable had the proper oversight and maintenance been in place.
With an established vulnerability management process, IT organizations can greatly reduce their threat of attack and minimize the need for manual analysis or maintenance. Automation can and should be used to make sure this process is done correctly and consistently, reducing room for human error.
What is vulnerability management?
Vulnerability management is the process of identifying, analyzing, triaging and resolving computer security vulnerabilities. It is an end-to-end process that handles the full lifecycle of vulnerabilities to ensure that nothing slips through the cracks in a complex environment.
With modern IT infrastructure composed of numerous different operating systems, applications, databases, firewalls, orchestration tools and more, the attack surface for potential vulnerabilities has never been greater. The traditional process of manually analyzing the status of security is no longer feasible nor scalable.
Vulnerability management automates this process in a comprehensive manner to ensure that all of these different solutions are constantly set up and configured in a way to minimize potential threats. Note that this is an ongoing process, as the security landscape is a highly dynamic environment with new attacks and threats added daily.
Vulnerability management, assessment and scanning: What’s the difference?
Vulnerability management is often confused with two related concepts – vulnerability assessment and vulnerability scanning. These are actually subsets of vulnerability management and are key steps in the process.
Vulnerability assessment is the part of vulnerability management that involves analyzing the current state of the system and helps to determine any necessary steps to solve potential weaknesses. This is effectively the part of the management process that reviews the current state of the world and helps decide on how to fix it.
Vulnerability scanning, on the other hand, is the part of the vulnerability management process that monitors security on an ongoing basis. This includes port scanning and software version checking. Vulnerability scanning ideally runs consistently, via automated means, and on an ongoing basis to seed the assessment process with data to analyze the threats and determine necessary courses of action.
Penetration testing, meanwhile, sometimes referred to as ethical hacking, can be performed manually or automated, and is meant to exploit vulnerabilities and illustrate what an attacker can achieve when targeting a particular system.
How to build an effective vulnerability management program: A five-step process
To properly resolve vulnerabilities, the vulnerability management process must be broken down into five key steps.
Step 1: Checking for vulnerabilities
Security vulnerabilities can manifest in a number of different ways – unpatched software can accidently allow users to breach an application or operating system, an old database can be prone to SQL injections to allow for inappropriate database modifications, a firewall can be misconfigured to allow access to unauthenticated users, and so on. This problem is compounded by the fact that IT systems are now highly distributed and run a wide range of software. Further, with the increased exposure to the internet, older software is being tested and stressed in new ways.
Given these complexities, software automation must be used to properly understand the state of security. Vulnerability management software will need to scan all of the systems to determine, for example, the current software patches running, IP table configurations, ports and protocols, the network topology, and user configurations This will allow the software to build a comprehensive picture of the current state of the environment in order to identify and take appropriate next steps.
Step 2: Identifying vulnerabilities
Once the vulnerability management tool has an up-to-date and comprehensive dataset built up around the current state of the systems, it must then determine what vulnerabilities exist. This is a complex process, as new threats are constantly added and cannot be done statically.
The vulnerability management tool will need to run the system configurations against a database of known security issues to determine which are applicable. As this typically involves complex networked and distributed solutions,, it’s important that the database contains relevant information about how the vulnerabilities engage with different systems and how network configurations can affect them.
The database must be maintained and constantly reviewed and updated. As new threats are discovered, it’s essential to continuously scan your system to be proactive to new potential security risks. That includes zero-day vulnerabilities, which, once known, may not immediately be resolvable with a vendor patch and may require interim mitigations.
Step 3: Evaluating the vulnerabilities
With the state of the system known and the vulnerabilities located, the program must then determine what the risk, potential implications and solutions are so that an analyst can determine the ideal route to take in solving them.
By understanding the relationship of the networked systems and how the topology of them is set up, the program should also provide a level of risk to the user to help in prioritization and triaging. For instance, a vulnerability that is accessible to the public internet is potentially much more severe than one that is firewalled off. However, seemingly “benign” vulnerabilities should not be ignored, as misconfigurations can increase the threat to them as new attack vectors could be introduced to exploit them.
Step 4: Resolving vulnerabilities
Next, the vulnerability management program should be used to determine the ideal course of action to resolve the identified vulnerabilities in the system. This could include patching, reconfiguring network settings, removing stale user accounts, eliminating unused applications and so on.
At this stage, the IT department and/or the SOC will need to determine the trade-offs between promptly fixing the issue and the impacts it may have on system uptime and implementation costs. These are typically done on a case-by-case basis, yet the vulnerability management tool should provide sufficient information to determine what these compromises are and what the course of action is for when the implementation is to be made.
Step 5: Reporting & patching vulnerabilities
With the course of action determined, the IT department will then need to actually implement the fix. Even for simple software patches, however, this is not a small task. Systems have complex inter-dependencies, and there’s always the potential for human error. The vulnerability management process must involve both automation for deploying fixes and testing to determine their efficacy.
To ensure that everything is going to plan, the vulnerability management program will also include reporting capabilities to determine what the state of the system is and how the progress of the updates and tests are going. This will ensure that if there are any issues in the process that they can be responded to in a timely manner with minimal downtime or errors.
Automate your vulnerability management
Given the complexity and highly distributed nature of modern IT environments, the vulnerability management process must integrate with an automated tool like a security orchestration, automation and response (SOAR) solution to properly address security threats. Siemplify helps businesses develop playbooks, allowing security teams to have a predictable process for patching security vulnerabilities.
Streamline vulnerability management by automating how threats are handled in order to keep your business safe. Test drive Siemplify through a free trial of the SOAR platform, or by downloading Siemplify Community Edition.