Skip to content

Vulnerability Management

Vulnerability management is a continuous, proactive, and often automated process that keeps your computer systems, networks, and enterprise applications safe from cyber-attacks and data breaches by ensuring any weaknesses in the underlying software are updated.

While vulnerability management and patch management are two different disciplines, their end goals are aligned - to ensure your systems' weaknesses are identified and closed off. In a typical workflow, vulnerability management would identify the gaps, whereas patch management would close the gap.

Terminology

  • A Weakness or a Vulnerability is the susceptibility or flaw in a system, network, application, or process that, if exploited, could compromise the confidentiality, integrity, or availability of information and resources, potentially leading to unauthorized access, data breaches, or service disruptions.
  • A Threat is a potential or actual circumstance, event, or action that poses a risk of harm to the security, integrity, or functionality of a system, network, or organization, and may exploit vulnerabilities to cause damage, unauthorized access, or disruption.
  • A CVE (Common Vulnerabilities and Exposures) is a standardized identifier assigned to a specific vulnerability or weakness in software, hardware, or systems, providing a common reference point for the cybersecurity community to share information about and address potential security risks. Remember Log4j a few years ago? It was reported under CVE-2021-44228.
  • An exploitable vulnerability is a specific weakness or flaw in a system, application, or network that can be leveraged by attackers to gain unauthorized access, manipulate data, or disrupt normal operations, potentially leading to security breaches or compromise of the targeted environment.
  • A zero-day vulnerability is a type of security flaw in software, hardware, or systems that is actively exploited by cyber attackers before the vendor or developer becomes aware of it or releases a patch. The term "zero-day" indicates that there are zero days of protection available, as there is no official fix or defense against the newly discovered vulnerability.
  • A risk is a potential or anticipated adverse event or circumstance that may hurt the objectives, assets, or operations of an organization, involving the possibility of harm, loss, damage, or disruption and is typically characterized by its likelihood and potential consequences.
  • Vulnerability Management is the systematic process of identifying, assessing, prioritizing, and mitigating vulnerabilities in a computing environment, aiming to enhance the overall cybersecurity posture by reducing the risk of exploitation and potential impact on systems, networks, and data.
  • Patch Management is the systematic and strategic approach to acquiring, testing, and deploying software updates, patches, and security fixes across an organization's systems and applications to address known vulnerabilities, enhance system reliability, and safeguard against potential cyber threats and exploits.

How does Vulnerability Management work?

Agent-based scan

Typically an agent is installed on the operating system. It is a piece of software that would scan the system and inventory all software installed on it. Some scanners may also review the Windows Registry, or configuration files to determine if configuration issues can also result in a system compromise.

Agent-based scanners also tend to be very thorough, finding issues on all installed software, even if the software is not accessible to the internet. In a situation where you may have a vulnerability, however, if the internet port is completely blocked, the scanner will still report the vulnerability, even though it is not exploitable.

Agentless scan

In an agentless scenario (typically cloud-based), some Cloud Security Posture Management tools (CSPM) can take a snapshot of the virtual machine and scan the snapshot for vulnerabilities. This has a lot of advantages, like the ability to get your entire cloud environment scanned for vulnerabilities without having to deploy agents, or open network ports to allow the agent to report back to the central server.

Network scan

In a network scan, an appliance is installed on the network. This appliance will then perform a network scan and focus on the exposed network port. By enumerating the open ports, and running attacks against the open ports, the scanner can identify any exposed vulnerabilities. Like an agentless scan, no agent needs to be installed on the individual servers.

While a network appliance has a lot of benefits, it may not see all vulnerabilities that might exist on the individual system.

A simple data model

Regardless of the vulnerability management system you use, they all have a similar data model.

Host Inventory

The systems scanned need to be known. The inventory does vary from vendor to vendor, however, typically they will record information like the IP address, hostname, operating system, and date & time the server last contacted the vulnerability management system.

Vulnerabilities

Once a vulnerability scan has been completed, the list of vulnerabilities is recorded in a vulnerability table. This table will be linked to the host and the respective CVE.

CVE Database

The CVE database is the full list of all known vulnerabilities. You can view these databases online.

Impacted Applications

Each CVE impacts a specific application. By linking the CVE to the application, you will also have a remediation plan, knowing which patch needs to be applied to resolve a particular vulnerability.

vulnerability management data model

When developing metrics, a basic set of data fields need to be available to allow metrics to be created.

Field Description
hostname The system being measured, or any other identifier used to identify the specific host
dimensions Any criteria used to filter the specific host or vulnerability. Is it internet facing, a workstation, belonging to a specific business unit, etc
cve_id The specific CVE detected
cve_description Details on what the vulnerability is about
cve_severity How critical is this issue?
cve_published_date The date the CVE was published, used to determine if this is a new vulnerability, or an older one that may have been missed
cve_remediation What steps should be taken to resolve this issue
detection_first_seen_date The date when this issue was first detected on the host. Can be used to determine if the vulnerability is still ongoing, and how long it has been open.
detection_last_seen_date How old is the data? Knowing when the host last communicated its state will help to weed out stale endpoints
detection_status What is the current state of the vulnerability

Metrics

Now that we've talked about what vulnerability management is, let's talk about how we measure it. Having a number of metrics to track will give you a sense of you're succeeding with your process.

In the context of a metric, the word system can be interchanged with a server, workstation, website, application, domain, solution or any other descriptor that you'd like to measure.

Type Title Detail
Coverage % of systems with an up-to-date agent deployed Comparing your server inventory with your vulnerability management system will provide visibility of where your blind spots are, so all systems can be scanned for vulnerabilities.
Exposure % of systems with exploitable vulnerabilities Knowing what percentage of your systems have an exploitable vulnerability will help prioritise patching activities, or prioritise mitigation actions, like locking down firewall rules.
Exposure # number of vulnerabilities Total number of vulnerabilities are influenced by the size of the environment, and may not be a good metric to determine if vulnerabilities are being addressed. It is still a good indicator to demonstrate an increase or decrease of vulnerabilities.
Exposure % of systems with critical vulnerabilities Display the exposure of vulnerabilities across all systems
Exposure % of systems with critical vulnerabilities published more than 30 days ago Display the exposure of vulnerabilities across all systems after a period of time being published. This allows the data to be more reflective of patching cycles.
Performance % of systems with critical vulnerabilities remediated within SLO By measuring the age of a vulnerability, you will be able to determine if operational teams are patching the systems in an acceptable amount of time.

Some compliance frameworks require exploitable vulnerabilities to be patched at a shorter frequency. Adjust the metric to meet your specific compliance obligations.

Next steps

Measuring the number of vulnerabilities is one thing. Adding a level of detail, like if the system is internet-facing or not, if it is in production or pre-production will also help to prioritise patching activities.

Tools