Vulnerability Management Fundamentals: What You Need to Know

Vikas Phonsa

In part one of our five-part series on Vulnerability Management fundamentals, we explore the four stages of the Cyber Exposure lifecycle. 

Truth is ever to be found in simplicity, and not in the multiplicity and confusion of things.

—Sir Isaac Newton

At Tenable, we are pioneering the discipline of Cyber Exposure to help cybersecurity teams measure and manage their cyber risk. Cyber Exposure is essential for communicating cyber risks to business stakeholders and ensuring cybersecurity is factored into strategic business decisions as a key input variable. 

Core to enabling Cyber Exposure is a robust vulnerability management (VM) program. In fact, Cyber Exposure cannot be effective without the basics of VM already in place. In today’s overcrowded world of security threats, shiny new tools and expanding regulations, it is easy to lose sight of the fundamentals of security: reducing cyber risk by identifying and remediating vulnerabilities in your most important assets. VM is a process of identifying and classifying all assets across your attack surface, assessing those assets for security weaknesses, prioritizing security issues for mitigation and applying the appropriate remediation measures. 

In fact, a closer look at the Cyber Exposure lifecycle reveals just how important VM is to Cyber Exposure. VM helps organizations discover, assess, analyze and fix exposures across the attack surface. In this five-part blog series we’ll look at the individual steps of this lifecycle to show how VM fundamentals can help you reduce cyber risk. Let’s start with an overview. 

Vulnerability Management Fundamentals: What You Need to Know

1. Discover - asset discovery and classification 

As the age-old security adage goes, “you can’t protect what you can’t see.” Maintaining a comprehensive and continuously updated asset inventory is a fundamental and critical component of VM. With today’s complex IT environments spanning on-premises and cloud infrastructure, mobile devices, ephemeral and transitory assets, web applications, IoT devices, etc., maintaining a comprehensive asset inventory is anything but simple. It starts with comprehensive asset discovery and classification based on business impact and risk. Keep in mind, your infrastructure is ever-changing. So asset discovery and classification needs to be done on an ongoing basis.

Learn more: Attend our upcoming webinar, “How to Master the Fundamentals of Vulnerability Management Part 1: Asset Discovery and Classification,” 2pm ET, July 31, 2019, for practical advice on this topic.

2. Assess - comprehensive and continuous vulnerability assessment 

Once you have a comprehensive asset inventory, it is time to assess vulnerabilities on the assets, so you get a clear picture of your attack surface and risk. It is important to balance depth, breadth and frequency of vulnerability assessment, because it will be challenging to achieve all three on a consistent basis. Deep assessment, involving credentialed scans and agents, provides rich vulnerability data, but can take a lot of time and consume resources on the assets. Broad and frequent assessment can be also be limited by business operations. As with other security activities, you have to balance security and business needs and leverage process changes as well as tools to achieve your assessment goals. 

3. Analyze - vulnerability analysis and prioritization 

At this stage you will run into the classic challenge of all vulnerability management and security programs: data overload. Vulnerability assessment is likely to show you more critical and high severity vulnerabilities than you can act upon in a reasonable time frame. So how do you prioritize vulnerabilities for remediation? By focusing on the vulnerabilities and assets most likely to be exploited. Note: this does not mean you should ignore the rest of the vulnerabilities and assets, rather, you should prioritize based on business impact and risk.

4. Fix - vulnerability remediation and validation

Remediation of vulnerabilities and verification of results is the final step in the VM lifecycle. A lot of data breaches are caused by well-known vulnerabilities left unpatched for a long time. But as with other steps, patching comes with its own challenges. Getting accurate information on which patches to apply to achieve the maximum risk reduction is difficult. .As is identifying asset owners and nudging them to prioritize patching over other business activities. Patching is also time consuming and can result in downtime for some assets. You may have to leverage other security systems to protect assets while patching is in progress. Finally, you need to validate patching is successful and business risk has actually been reduced.

Remember, VM is an ongoing process. The vulnerability management lifecycle steps discussed in this blog must be continuously repeated for your Cyber Exposure practices to be effective.In subsequent blog posts, we will dig deeper into each step of VM lifecycle. Stay tuned. 

Read more >

Published on Jul 18, 2019

People also viewed

Software Engineer - Web Scraping (Python)

Baltimore Maryland United States Baltimore, Maryland, United States Research Engineering
Your Role:Tenable is looking for a Software Engineer to join our Automation research team.  This position will involve building and maintaining our framework for automated content creation, validation, and deliveryYour Opportunity: Impact: You wi...

Sales Development Representative - UK Region

Staines upon Thames Surrey United Kingdom Staines upon Thames, Surrey, United Kingdom Lead Generation Sales
Your Role:The Sales Development Representative supports remote sales teams in and is responsible for generating new business via inbound and outbound phone opportunity qualification.Your Opportunity: Perform outbound calling to generate new sales ...

Senior UI Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Engineering Engineering
Your Role:Are you excited about the opportunity to build user interfaces used by some of the biggest corporations in the world? Do you like knowing that the changes that you deploy to production will improve the customer experience of many users w...

Research Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Research Research
Your Role:Tenable is looking for a Research Manager to head our Web Scraping research team. You will manage a highly focused team of engineers building and maintaining web scrapers for automated ingestion of vulnerability intelligence as well as t...

Research Manager

Denver Colorado United States Denver, Colorado, United States Research Research
Your Role:Tenable is looking for a Research Manager to head our Web Scraping research team. You will manage a highly focused team of engineers building and maintaining web scrapers for automated ingestion of vulnerability intelligence as well as t...

Research Manager

Detroit Michigan United States Detroit, Michigan, United States Research Research
Your Role:Tenable is looking for a Research Manager to head our Web Scraping research team. You will manage a highly focused team of engineers building and maintaining web scrapers for automated ingestion of vulnerability intelligence as well as t...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.