
The terms “patch management” and “vulnerability management” are not the same, and that difference is a big difference.
They may be confused because applying patches is one of the many ways to mitigate cyber risks. However, it is only one piece of the entire vulnerability management puzzle, and organizations that do not realize this are burdened with a false sense of security. A patch management program is a wonderful start, but it does not have the reach or resources of a fully mature vulnerability management program.
An effective vulnerability management program does more than update outdated programs. It gives you the intelligence to know which out-of-date programs are most important to patch and which will just needlessly expend energy. It lets you see which vulnerabilities are most attractive to attackers and make wise decisions with your resources instead of blindly fixing anything amiss without the bigger picture. It lets you preserve business operations while strategizing the most important remediations.
Furthermore, it continues this virtuous cycle until your posture is far more advanced, intelligent, and autonomous than one using patch management alone.
What Vulnerability Management Is – And Isn’t
Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. Vulnerability management is about making informed decisions and properly prioritizing what vulnerabilities to mitigate and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources.
To be effective, a vulnerability management program has to be backed up by good threat intelligence that provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Intelligence on vulnerability exploitability prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations.
A risk-based approach to vulnerability management makes it much easier to communicate the danger of a vulnerability to your security and operations teams, senior managers, and even the board. This level of visibility into the rationale behind decisions made around vulnerabilities will increase confidence in the security team across your entire organization and will help prevent data breaches, such as the one Equifax suffered, from happening to you.
Stages of a Mature Vulnerability Management Program
There are four main stages of any effective vulnerability management program:
1. Scanning | The process that determines the criticality of the assets, the owners of the assets, and the frequency of scanning, as well as establishing the timelines for remediation.
2. Discovery | The discovery and inventory of assets on the network.
3. Vulnerabilities Detection | The discovery of vulnerabilities on the discovered assets.
4. Reporting and Remediation | The reporting and remediation of discovered vulnerabilities.
The first stage focuses on building a process that is measurable and repeatable. Stages two through four focus on executing the process with an emphasis on continuous improvement. Let us briefly examine each stage and see how a solution can help you.
Stage 1: Scanning
The first stage can be divided into four steps.
1. Identify the criticality of the assets in the organization. Assets should be classified and ranked based on their true and inherent risk to the organization. Many aspects need to be considered in developing an asset’s inherent risk, such as physical or logical connection to higher classified assets, user access, and system availability. Assets with higher criticality will be prioritized higher than assets with lower criticality.
2. Identify the owners for each system. System owners are responsible for the asset, its associated risk, and the liability if that asset becomes compromised. Accountability is a driving factor for the ultimate success of the vulnerability management program. Orphaned assets and vulnerabilities will be left forgotten and will become an unidentified risk to the organization.
3. Establish the frequency of scanning. The Center for Internet Security, in its CIS Control 3 “Continuous Vulnerability Management,” recommends that an organization scan once per week (or more). As an outer limit, vulnerability scanning should occur at least monthly. Frequent scanning allows the owners of the assets to track the progress of remediation, identify new risks, and re-prioritize the remediation of vulnerabilities based on updated intelligence.
4. Create timelines for remediation. Remediation timelines should take into account the severity of the vulnerability, remediating high-impact flaws first. The program should also leave room for flexibility in case a vulnerability cannot be remediated within the approved time frame. Remediation exception processes will document the accepted risk together with an action plan to remediate the vulnerability by a certain date.
Stage 2: Discovery
Asset discovery and inventory are the foundations for any security program and, not coincidentally, make up CIS Controls 1 and 2.
You can’t protect what you don’t know about.
1. Track hardware | The purpose of CIS Control 1 is to “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
2. Track software | Furthermore, CIS Control 2 highlights the need to “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”
These two controls go hand in hand, as attackers are always trying to identify systems that are easily exploitable so they can get into an organization’s network using such things as shadow IT.
Without the appropriate asset discovery and network access control, these types of devices can provide an easy gateway for an attacker into the corporate network. Once they’re in, they can leverage the control they’ve gained to attack other systems and further infiltrate the network. Ensuring that the information security team is aware of what’s on the network allows them to better protect those systems and provide guidance to the system owners to reduce the risk those assets pose.
Stage 3: Detection
Once all the assets on the network are identified, the next step is to identify the vulnerability risk posture of each asset. The recommended method for vulnerability scanning is to scan with credentials, just like a real-world attacker would.
This allows for increased accuracy in determining the organization’s vulnerability risk. You can then run vulnerability signatures specific to the operating system and installed applications that were detected in the discovery and inventory stage to identify which vulnerabilities are present.
Stage 4: Remediation
The remediation stage contains three primary phases:
1. Scoring vulnerabilities | Once the vulnerability scan is complete, a score is attached based on the following:
- The skills required to exploit the vulnerability.
- The privileges gained upon successful exploitation.
- The age of the vulnerability.
The first metric that should be taken is an overall baseline average risk score for the organization. Based on this metric, organizations should aim for a risk reduction rate of 20-25% on a yearly basis.
Then, the owner's average risk score is calculated. Like the target for the overall organization, each owner should target reducing their average risk score by 10% to 25% year over year until they’re below the accepted threshold. To incentivize this process, the C-Suite can choose to award the asset owners with the lowest scores.
2. Patching with priorities | Empirical vulnerability data outlining which vulnerabilities should be remediated, along with instructions on how to conduct the remediation, allows the system owners to prioritize their efforts with a focus on the vulnerabilities that will reduce the overall organizational risk.
3. Tracking progress | As new vulnerability scans are run, metrics, such as the ones offered by CIS, can be used to show trending analysis of the risk and remediation progress. The key is to show progress month by month, quarter by quarter, and year by year. The vulnerability risk scores and time to remediation should decrease as teams become more familiar with the process and become more educated on the risks that the attackers pose.
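As an added example (not Fortra's code and not a published Fortra or CIS formula), the following Python sketches how the scoring and trending described in this stage can be computed: each finding is scored from the three factors listed above plus the Stage 1 asset criticality, then rolled up into the organization-wide baseline and per-owner averages and checked against a year-over-year reduction target. The skill and privilege weightings, the 0..10 scale, the one-year age cap and the sample findings are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Scale (0..10) and weights are assumptions for this example, not a Fortra/CIS formula.
SKILL = {"expert": 1, "intermediate": 2, "novice": 3}  # easier to exploit -> riskier
PRIV = {"none": 1, "user": 2, "admin": 3}              # more privilege gained -> riskier

@dataclass(frozen=True)
class Finding:
    asset: str
    owner: str
    skill_required: str     # key into SKILL
    privileges_gained: str  # key into PRIV
    age_days: int           # days since the vulnerability was published
    criticality: int        # 1 (low) .. 3 (high), from the Stage 1 asset ranking

def finding_score(f: Finding) -> float:
    """0..10 score: exploit ease x privilege gain x age (capped at one year) x asset criticality."""
    age_factor = 1 + min(f.age_days, 365) / 365
    raw = SKILL[f.skill_required] * PRIV[f.privileges_gained] * age_factor * f.criticality
    return round(raw / 54 * 10, 2)  # 54 = 3 * 3 * 2 * 3, the largest possible raw value

def average_scores(findings):
    """Return (organization-wide baseline, {owner: average}) for one scan."""
    by_owner = defaultdict(list)
    for f in findings:
        by_owner[f.owner].append(finding_score(f))
    all_scores = [s for scores in by_owner.values() for s in scores]
    org = round(mean(all_scores), 2) if all_scores else 0.0
    return org, {o: round(mean(s), 2) for o, s in by_owner.items()}

def reduction_pct(previous: float, current: float) -> float:
    """Year-over-year reduction in percent; negative means the score got worse."""
    return round((previous - current) / previous * 100, 1) if previous else 0.0

def meets_target(previous: float, current: float, target_pct: float = 20.0) -> bool:
    return reduction_pct(previous, current) >= target_pct

# Constructed sample: last year's scan and this year's. db01 was remediated; the two
# remaining findings were left alone and simply aged, which raises their scores.
LAST_YEAR = [
    Finding("db01", "dba", "novice", "admin", 400, 3),
    Finding("web01", "web", "intermediate", "user", 90, 2),
    Finding("hr-laptop", "hr", "expert", "none", 30, 1),
]
THIS_YEAR = [
    Finding("web01", "web", "intermediate", "user", 455, 2),
    Finding("hr-laptop", "hr", "expert", "none", 395, 1),
]
```

Run on the sample, the organization baseline falls well past the 20% target because the one critical finding was fixed, while the "web" and "hr" owners' averages rise, which is exactly the situation the per-owner metric is meant to expose.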
How Fortra VM Helps
For those with only vulnerability scans in place, getting to the next level can seem like a daunting task. There are multiple steps, guidelines, and policies involved, and to an overwhelmed SOC, that can look like time, cycles, and staff they don’t have. Those resources are needed somewhere else (like vetting for alerts), so the prospect of a mature vulnerability management program falls by the wayside. It is categorized in the “nice but not necessary” security wish list.
The Value of a Mature Vulnerability Management Program
It is important to keep in mind that a mature vulnerability management program pays for itself – both in time and money. It vets alerts for you, giving your practitioners back a huge portion of their day. It helps discover threats you may otherwise have to find on your own. And it puts the whole process on autopilot so that you don’t have to reinvent the wheel every few months. Vulnerability management programs help organizations get ahead, stay ahead, and not waste time patching things of small importance while things of large importance go unnoticed.
Fortra’s Vulnerability Management Capabilities
Fortra facilitates a smart, mature vulnerability management program in the following ways:
1. Scanning | Combining proprietary technology, authenticated scanning techniques (logging in with credentials), and both internal and external threat intelligence, Fortra probes the following looking for vulnerabilities:
- Software versions
- System configurations
- Missing patches
For a more in-depth approach, Fortra’s vulnerability management solution can also deploy agents to dive deeper into the security posture of specific systems. Check out this video on Fortra VM’s scanning tool.
2. Asset Discovery | With Network Map, teams get a full visual of their network and its security posture. Create custom reports and scan, label, and group assets to determine their overall risk. Plus, classification tools like Fortra’s Data Classification Suite (DCS) can help assets not only be recognized but prioritized by severity.
3. Detection | Fortra leverages CVE scores and real-world exploitation vectors to determine the criticality of a found vulnerability. Additionally, it can integrate with penetration testing tools like Core Impact to bring an extra layer of attack power when vetting for exploitability.
4. Remediation | After determining priority with the above tools, Fortra can leverage the API to integrate processed vulnerabilities into existing workflows so nothing gets missed. Using Peer Insight, Fortra lets teams know how their risks compare with other companies their size, and Security GPA can help track remediation efforts over time.
5. Dashboard and Reporting | Building on these remediation capabilities, Fortra VM’s intuitive Active View dashboard provides a clear, real-time view of vulnerabilities and their remediation status. Customizable reports help teams generate asset-specific insights, measure progress effectively, and track the key metrics that matter most to the business.
To learn more about how to build a mature vulnerability management program with Fortra, check out this white paper.