Are you tasked to manage asset inventory and remediate vulnerabilities? Or maybe you are researching vulnerability management tools and need a push in the right direction.
Regardless of your position, we explain the key concepts of vulnerability management in a way that is easy to digest for both cybersecurity professionals and newcomers.
In this guide, we explain the key concepts and features of vulnerability management, including vulnerability management best practices. We hope you find this guide valuable and instructive.
- 1 What is Vulnerability Scanning and Management?
- 2 Do you need a Vulnerability Scanning Tool?
What is Vulnerability Scanning and Management?
You are likely familiar with stopping and preventing cyber-attacks using reactive tools like endpoint detection and response (EDR) agents. Vulnerability management tools, however, take a proactive approach. They scan for existing vulnerabilities in your network and provide remediation steps to prevent attackers from exploiting them. Often, these vulnerabilities are exposed on assets that cannot run an EDR agent, such as websites.
Every company has servers and workstations. They can be physical and on-site or hosted in the cloud on platforms like Azure or AWS. Regardless of their location, the software installed on those servers needs to be patched for vulnerabilities on a regular basis.
Quick answer: what is a vulnerability?
A vulnerability is an exploitable weakness in an operating system, software, or any other information system. Cyber security researchers and hackers discover vulnerabilities with various penetration testing tools. After the software publisher learns that the vulnerability exists, they update the code to patch it, and a typical vulnerability scanning tool updates its repositories to search for it. Then, anyone using the same software can apply the patch to prevent the same exploit. This process continues indefinitely, which is why constant scanning for new vulnerabilities is required.
Today, cyber security vulnerability scanning and management are combined into a single solution. Addressing new exploits in the wild is a constant battle that requires a mature vulnerability management program.
You might be wondering: How do I know about new vulnerabilities? Or how do I keep up to date on new exploits?
This is where the scanning component helps. Typically, you install and configure a tool on-premises that scans all internal assets on a scheduled basis. Other times, the tool is hosted in the cloud. The tool maintains an extensive repository of vulnerabilities belonging to software like Windows 10 or specific Linux distributions.
Vulnerability scanning is broken up into two parts: asset and vulnerability discovery.
If you have worked in a large company, you have dealt with the frustration of hunting down internal assets and building an inventory. In fact, this is the biggest challenge when it comes to vulnerability management.
Think about all the server names…
Or how do you patch assets that you don’t know exist?
Many vulnerability tools first scan for assets but don’t do the best job. Many devices like security cameras or phone systems do not provide information besides an IP address and some ports that might be open. This challenge can require additional asset inventory tools and a lot of manual work. But for modern smaller companies, the asset scanning built into the vulnerability tool will suffice.
Often, network engineers segment the network into multiple zones. Each zone owns a set number of servers or workstations. A vulnerability scanner scans each zone and its assets and returns recommended patches. Then, the tool helps triage and prioritize the important vulnerabilities. This is where the management component of a vulnerability scanning tool assists.
Any vulnerability scanning tool will include policies and templates. These make it easy to configure each scan against common benchmarks like the CIS benchmark. Network and asset scans apply these policies and use the systems referenced below to identify vulnerabilities.
CVSS vs CVE vs NVD
Leading vulnerability vendors generate benchmark scores based on the Common Vulnerability Scoring System (CVSS). In short, CVSS provides a way to categorize vulnerabilities. A CVE entry carries a CVSS score reflecting the vulnerability’s severity.
There is also the Common Vulnerabilities and Exposures (CVE) database maintained by MITRE. This is a method to reference publicly known information-security vulnerabilities. Think of a CVE as the vulnerability identifier, whereas the CVSS score is the risk score attached to that identifier.
Then there is NIST. NIST maintains the National Vulnerability Database (NVD). The CVE list and the NVD are synchronized. Essentially, the CVE database feeds into it, but the NVD also enriches each entry with information such as patch availability and severity scores.
As previously mentioned, a vulnerability management tool will assist in prioritizing and triaging vulnerabilities.
If you already run a vulnerability program on your security team you are likely struggling to patch every vulnerability. In fact, it can be impossible when there are thousands of outstanding patches on hundreds of servers. There is no way to remediate every vulnerability. You must triage and prioritize the most important ones.
How to Triage and Prioritize Important Vulnerabilities?
Often, security teams integrate external threat intelligence like Recorded Future into the vulnerability management process. The external threat intelligence can inform you on actively exploited vulnerabilities in the wild.
Many security teams export the scan results and import them into a security information and event management tool (SIEM). After that, the security teams correlate the scan results. Finally, a risk score is provided.
Here’s an example:
A threat intelligence provider monitors CVEs exploited ‘in the wild’. Now, there might be a threat actor focusing on the health care industry. The threat actor is also targeting a specific vulnerability on Windows 2016 servers. As a result, the risk score assigned to that vulnerability will be extremely high. This makes sense since the threat actor is exploiting a widely used operating system. Knowing this, it makes sense to prioritize this threat immediately, especially if your company is in the healthcare industry.
But, starting out, most vulnerability tools will include features that allow you to prioritize and triage without external threat intelligence. We recommend you familiarize yourself with what’s included. Then, integrate with threat intelligence for more value.
It’s ok to not correlate your scan results in your SIEM. But, we recommend it.
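The triage flow described above, as an added example that is not part of the original article: a scanner export is correlated with a threat-intelligence feed and an asset inventory, and each finding gets a risk score that lifts actively exploited and sector-targeted vulnerabilities above higher-CVSS findings nobody is exploiting. It also flags findings on hosts absent from the inventory, which addresses the "assets you don't know exist" problem from the asset discovery section. All hosts, CVE identifiers, scores and feed entries are constructed sample data, and the bonus weights are an assumed heuristic, not any vendor's formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str        # vulnerability identifier as reported by the scanner
    cvss: float     # CVSS base score as reported by the scanner
    product: str


# Constructed sample scan export (hypothetical hosts, CVE ids and scores).
SCAN_RESULTS = [
    Finding("srv-web-01", "CVE-2099-0001", 9.8, "Apache HTTP Server"),
    Finding("srv-ad-01", "CVE-2099-0002", 7.8, "Windows Server 2016"),
    Finding("cam-lobby-03", "CVE-2099-0003", 6.5, "IP camera firmware"),
    Finding("wks-hr-22", "CVE-2099-0004", 5.3, "Windows 10"),
]

# Constructed threat-intelligence feed: which CVEs are exploited in the wild
# and which industry sectors the actors behind them are targeting.
THREAT_INTEL = {
    "CVE-2099-0002": {"exploited_in_wild": True, "targeted_sectors": {"healthcare"}},
    "CVE-2099-0003": {"exploited_in_wild": True, "targeted_sectors": set()},
}

# Constructed asset inventory (e.g. a CMDB export). cam-lobby-03 is deliberately
# absent to simulate a device the scanner found but nobody had recorded.
KNOWN_ASSETS = {"srv-web-01", "srv-ad-01", "wks-hr-22"}

# Assumed heuristic weights; tune them to your own risk appetite.
EXPLOITED_BONUS = 5.0
SECTOR_BONUS = 3.0


def risk_score(finding: Finding, intel: dict, org_sector: str) -> float:
    """CVSS base score plus bonuses for active exploitation and sector targeting."""
    score = finding.cvss
    ti = intel.get(finding.cve)
    if ti is None:
        return score
    if ti["exploited_in_wild"]:
        score += EXPLOITED_BONUS
    if org_sector in ti["targeted_sectors"]:
        score += SECTOR_BONUS
    return score


def prioritize(findings, intel: dict, known_assets: set, org_sector: str) -> list:
    """Return findings ranked by risk, each annotated with the reasons for its rank."""
    ranked = []
    for f in findings:
        ti = intel.get(f.cve, {"exploited_in_wild": False, "targeted_sectors": set()})
        flags = []
        if ti["exploited_in_wild"]:
            flags.append("exploited-in-wild")
        if org_sector in ti["targeted_sectors"]:
            flags.append("sector-targeted")
        if f.host not in known_assets:
            flags.append("unknown-asset")
        ranked.append({
            "host": f.host, "cve": f.cve, "product": f.product, "cvss": f.cvss,
            "risk": risk_score(f, intel, org_sector), "flags": flags,
        })
    # Highest risk first; CVSS breaks ties so the ordering is deterministic.
    ranked.sort(key=lambda r: (r["risk"], r["cvss"]), reverse=True)
    return ranked


def unknown_assets(findings, known_assets: set) -> list:
    """Hosts the scanner reported that the inventory does not know about."""
    return sorted({f.host for f in findings} - known_assets)


if __name__ == "__main__":
    for row in prioritize(SCAN_RESULTS, THREAT_INTEL, KNOWN_ASSETS, "healthcare"):
        print(f"{row['risk']:5.1f}  {row['host']:<13} {row['cve']}  {', '.join(row['flags'])}")
    print("not in inventory:", unknown_assets(SCAN_RESULTS, KNOWN_ASSETS))
```

With the organization in the healthcare sector, the Windows Server 2016 finding (CVSS 7.8) outranks the CVSS 9.8 web server finding because it is both exploited in the wild and aimed at that sector, which is exactly the outcome the example in the text describes. The unknown-asset flag is worth routing to whoever owns the inventory rather than to the patching team, since an unowned device cannot be patched on schedule.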
Do you need a Vulnerability Scanning Tool?
Having a mature vulnerability management program in place can save you headaches and lost sleep. You can save incredible amounts of time and resources by keeping assets patched. As a result, those resources can focus their efforts on threat hunting and responding to security alerts.
Additionally, governments around the world are requiring private companies to adopt a vulnerability and patch management program, and they often fine those who don’t have one.
In today’s age, hackers and cyber security researchers have discovered hundreds of thousands of vulnerabilities. It is incredibly careless not to patch old, published vulnerabilities.
Moreover, a study by Tripwire showed that more than one in four organizations have been breached due to an unpatched vulnerability. Knowing this, it’s common sense to have a vulnerability management program in any team.