Are you tasked to manage asset inventory and remediate vulnerabilities? You may be researching vulnerability management tools and need a push in the right direction.
Regardless of your position, we explain the fundamental concepts of vulnerability management that are easy to digest for both cybersecurity professionals and newcomers.
In this guide, we explain the key concepts and features of vulnerability management, including vulnerability management best practices. We hope you find the content in this guide useful.
What is Vulnerability Scanning and Management?
You are likely familiar with stopping and preventing cyber-attacks with reactive tools like endpoint detection and response (EDR) agents. Vulnerability management tools, however, take a proactive approach. They scan for existing vulnerabilities in your network and provide remediation steps to prevent hackers from exploiting them. Often, these vulnerabilities can be exposed on assets that can’t run a built-in agent, like websites.
Every company has servers and workstations. They can be physical and on-site, or hosted in a cloud platform such as Azure or AWS. Regardless of their location, the software installed on them must be patched regularly for vulnerabilities.
Vulnerability Defined
Quick answer: What is a vulnerability?
A vulnerability is an exploitable weakness in an operating system, software, or any other information system.
Cyber security researchers and hackers discover vulnerabilities with various penetration testing tools. Once the software publisher learns of a vulnerability, it updates the code to patch it, and a typical vulnerability scanning tool updates its repository to check for it. Anyone running the same software can then apply the patch to prevent the same exploit.
This process continues indefinitely, thus requiring constant scanning for new vulnerabilities.
Today, cyber security vulnerability scanning and management are combined into a single solution. Addressing new exploits in the wild is a constant battle requiring a mature vulnerability management program.
Vulnerability Scanning
How do I know about new vulnerabilities? Or how do I keep up to date on new exploits?
This is where the scanning component helps. Typically, you install and configure a tool on-premises that scans all internal assets on a scheduled basis. Other times, the platform is hosted in the cloud. The platform maintains an extensive repository of vulnerabilities belonging to software like Windows 10 or specific Linux distributions.
Vulnerability scanning is broken up into two parts: asset and vulnerability discovery.
Asset Discovery
If you have worked in a large company, you have dealt with the frustration of hunting down internal assets and building an inventory. In fact, this is the biggest challenge when it comes to vulnerability management.
Think about all the server names…
Or how do you patch assets that you don’t know exist?
Many vulnerability tools scan for assets first, but their asset discovery is often incomplete. Many devices, such as security cameras or phone systems, reveal nothing beyond an IP address and a few open ports. This challenge can require additional asset inventory tools and much manual work. For modern smaller companies, however, the asset scanning built into the vulnerability tool will suffice.
Often, network engineers segment the network into multiple zones. Each zone owns a set number of servers or workstations. A vulnerability scanner scans each zone and its assets and returns recommended patches. Then, the tool assists in triaging and prioritizing the critical vulnerabilities. This is where the management component of a vulnerability scanning tool helps.
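The reconciliation described above, scanner output compared against the asset inventory to surface devices nobody knew about and devices that expose only an IP address and ports, is shown here as an added example; it is not code from the original article or from any particular scanning product. The scanner export, the CMDB contents and the 192.0.2.0/24 addresses are constructed sample data, and the column names of the export are an assumption.

```python
import csv
import io

# Constructed sample scanner export (not real scan output). 192.0.2.0/24 is the
# documentation network, so these addresses identify nothing real.
SCAN_EXPORT = """ip,hostname,os,open_ports
192.0.2.10,web-01,Windows Server 2016,80;443;3389
192.0.2.11,db-01,Ubuntu 22.04,22;5432
192.0.2.50,,,80;554
192.0.2.51,,,5060;5061
192.0.2.60,lab-box-03,Windows 10,445;3389
"""

# Constructed CMDB inventory: IP -> owning team. Hypothetical data.
CMDB = {
    "192.0.2.10": "web team",
    "192.0.2.11": "database team",
    "192.0.2.50": "facilities",      # a security camera, inventoried by hand
    "192.0.2.99": "file server team",  # in the CMDB but never seen by the scanner
}


def parse_scan(text):
    """Turn the CSV export into a list of asset records; blank fields become None."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        ports = [int(p) for p in row["open_ports"].split(";") if p]
        assets.append({
            "ip": row["ip"],
            "hostname": row["hostname"] or None,
            "os": row["os"] or None,
            "open_ports": ports,
        })
    return assets


def reconcile(scanned, cmdb):
    """Compare discovered assets with the inventory.

    known     - scanned and present in the CMDB
    unknown   - scanned but absent from the CMDB: needs an owner before it can be patched
    ip_only   - scanner saw only an IP and ports (no hostname or OS): needs manual identification
    not_seen  - in the CMDB but not scanned: retired, or sitting in a zone the scanner misses
    """
    report = {"known": [], "unknown": [], "ip_only": [], "not_seen": []}
    seen = set()
    for asset in scanned:
        seen.add(asset["ip"])
        bucket = "known" if asset["ip"] in cmdb else "unknown"
        report[bucket].append(asset["ip"])
        if asset["hostname"] is None and asset["os"] is None:
            report["ip_only"].append(asset["ip"])
    report["not_seen"] = sorted(ip for ip in cmdb if ip not in seen)
    return report


if __name__ == "__main__":
    for bucket, ips in reconcile(parse_scan(SCAN_EXPORT), CMDB).items():
        print(f"{bucket:9} {', '.join(ips) or '-'}")
```

The two lists worth acting on first are "unknown" (a device exists on the network with no owner, so no one will patch it) and "not_seen" (the scanner's zone coverage may have a gap). The "ip_only" list is the camera and phone-system case from the text: the scanner can report their open ports but cannot tell you what software needs patching.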
Vulnerability Discovery
Any vulnerability scanning tool will include policies and templates. These make it easy to configure each scan against standard benchmarks like the CIS benchmark. Network and asset scans apply these policies and use the systems referenced below to identify vulnerabilities.
CVSS vs. CVE vs. NVD
Leading vulnerability vendors generate benchmark scores based on the Common Vulnerability Scoring System (CVSS). In short, CVSS provides a standard way to rate the severity of vulnerabilities, and each CVE carries a CVSS score reflecting that severity.
The Common Vulnerabilities and Exposures (CVE) database is maintained by MITRE. It is a method for referencing publicly known information-security vulnerabilities. Think of a CVE as the vulnerability identifier, whereas the CVSS score is the risk rating attached to that identifier.
Then there is NIST. NIST maintains the National Vulnerability Database (NVD). The CVE list and the NVD are synchronized. The CVE database feeds into it, but the NVD also enhances information such as patch availability and severity scores.
Vulnerability Management
As previously mentioned, a vulnerability management tool will assist in prioritizing and triaging vulnerabilities.
If you already run a vulnerability program on your security team, you are likely struggling to patch every vulnerability. In fact, it can be impossible when there are thousands of outstanding patches on hundreds of servers. There is no way to remediate every vulnerability. You must triage and prioritize the most important ones.
How to Triage and Prioritize Important Vulnerabilities?
Often, security teams integrate external threat intelligence like Recorded Future into the vulnerability management process. External threat intelligence can inform you about actively exploited vulnerabilities in the wild.
Many security teams export the scan results and import them into a security information and event management (SIEM) tool. There, the security team correlates the scan results with threat intelligence. Finally, the scan results are displayed alongside their associated risk scores.
Here’s an example:
A threat intelligence provider monitors CVEs exploited in the wild. Now, suppose there is a threat actor focusing on the healthcare industry, and that actor is also targeting a specific vulnerability on Windows 2016 servers. As a result, the risk score assigned to that vulnerability will be extremely high. This makes sense since the threat actor is exploiting a widely used operating system. Knowing this, it makes sense to prioritize this threat immediately, especially if your company is in the healthcare industry.
But, starting out, most vulnerability tools will include features that allow you to prioritize and triage without external threat intelligence. We recommend you familiarize yourself with what’s included. Then, integrate with threat intelligence for more value.
It’s okay not to correlate your scan results with your SIEM. But we recommend it.
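The correlation described in this section, scanner findings enriched with an "exploited in the wild" feed and ranked with asset criticality in mind, is shown here as an added example; it is not code from the original article, from Recorded Future, or from any SIEM. The findings, the asset criticality table, the threat-intel feed and the CVE-0000-* identifiers are all constructed placeholders, and the boost weights are this example's own choice rather than a published standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float   # base score as reported by the scanner


# Constructed scanner findings; CVE-0000-* are placeholder identifiers, not real CVEs.
FINDINGS = [
    Finding("kiosk-07", "CVE-0000-0001", 9.8),
    Finding("win2016-app-02", "CVE-0000-0002", 7.8),
    Finding("ehr-db-01", "CVE-0000-0003", 5.5),
    Finding("win2016-app-02", "CVE-0000-0004", 4.3),
]

# Constructed asset criticality from the inventory (3 = business critical, 1 = low value).
ASSET_CRITICALITY = {"ehr-db-01": 3, "win2016-app-02": 2, "kiosk-07": 1}

# Constructed threat-intel feed: CVE -> sectors the observed campaign targets.
# An empty list means "exploited in the wild, no sector focus reported".
EXPLOITED_IN_WILD = {
    "CVE-0000-0002": ["healthcare"],
    "CVE-0000-0003": [],
}


def priority(finding, org_sector, intel, criticality):
    """Return (score, reasons) for one finding.

    The score starts from CVSS, gets a fixed boost for known exploitation and a
    further boost when the campaign targets our own sector, and is then scaled by
    asset criticality. The weights are illustrative, not a standard.
    """
    score = finding.cvss
    reasons = []
    if finding.cve in intel:
        score += 3.0
        reasons.append("exploited in the wild")
        if org_sector in intel[finding.cve]:
            score += 2.0
            reasons.append(f"campaign targets {org_sector}")
    weight = criticality.get(finding.asset, 1)
    score *= weight
    if weight > 1:
        reasons.append(f"asset criticality {weight}")
    return round(score, 1), reasons


def triage(findings, org_sector, intel=EXPLOITED_IN_WILD, criticality=ASSET_CRITICALITY):
    """Rank findings, highest priority first, as (finding, score, reasons) tuples."""
    ranked = [(f, *priority(f, org_sector, intel, criticality)) for f in findings]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for finding, score, reasons in triage(FINDINGS, "healthcare"):
        print(f"{score:5.1f}  {finding.asset:16} {finding.cve}  {'; '.join(reasons)}")
```

Run as-is, the CVSS 9.8 on the low-value kiosk drops below a 7.8 that is being exploited against healthcare on a critical server, which is the point of the section: raw severity alone would have patched the kiosk first. Change the sector argument to another industry and the sector boost disappears, so the exploited finding on the EHR database moves to the top instead.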
Do you need a Vulnerability Scanning Tool?
A mature vulnerability management program can save you headaches and lost sleep. Keeping assets patched saves a great deal of time and staff effort, which can then go toward threat hunting and responding to security alerts.
Additionally, governments worldwide require private companies to adopt a vulnerability and patch management program, and often fine those who don’t have one.
In today’s age, hackers and cyber security researchers have discovered hundreds of thousands of vulnerabilities. It is incredibly careless not to patch long-published vulnerabilities.
Moreover, a study by Tripwire showed that more than one in four organizations have been breached due to an unpatched vulnerability. Knowing this, it’s common sense for any team to have a vulnerability management program.