Some people still believe their IT infrastructure is flawless simply because they’ve never experienced a cybersecurity incident – until something goes wrong and the company becomes the victim of a malware attack or a data leak. This is why proactively finding security flaws and closing loopholes is an absolute necessity for organizations large and small, which is where vulnerability management comes into play.

Vulnerability management aims to simplify your overall cybersecurity. However, for some security specialists, it still turns out to be an exercise in frustration. But worry no more, as you’ve come to the place where you will find guidance on the management of technical vulnerabilities and on how to implement a successful vulnerability management process.

But first, for context, we will take a look at some basic concepts related to Vulnerability Management.

Vulnerability Management Definition

The International Organization for Standardization defines vulnerabilities as follows:

“In the contexts of information technology and cybersecurity, a vulnerability is a behavior or set of conditions present in a system, product, component, or service that violates an implicit or explicit security policy. A vulnerability can be thought of as a weakness or exposure that allows a security impact or consequence.”

Exploited vulnerabilities may lead to the disruption of IT systems, potentially resulting in expensive data breaches and service outages.

This brings us to the definition of vulnerability management:

Vulnerability Management refers to the security practices that proactively identify, prevent, mitigate, and classify vulnerabilities within an IT system, being an important part of any cybersecurity strategy.

Vulnerability Management 2019-2020 Statistics

In recent years, the number of documented vulnerabilities has skyrocketed. With businesses utilizing more and more devices and tools and due to the accelerated growth of the Internet of Things, it’s no surprise that security vulnerabilities have also followed in their footsteps.

Below I’ve compiled some eye-opening vulnerability management stats that will hopefully paint a quick picture of today’s security landscape.

As per the Stack Watch 2020 Security Vulnerability Report:

  • There have been 10,363 security vulnerabilities (CVEs) published so far in 2020. In 2019 there were 16,033.
  • The average severity is 7.1 out of 10.

SkyBox Security stated that:

  • The number of new vulnerabilities found in Windows increased by 66% between 2018 and 2019, which made Microsoft’s operating system the most vulnerable in the industry.
  • The top ten vulnerabilities by the number of associated malware programs are each used by around 50 types of malware. The most used one, CVE-2018-8174 (dubbed DoubleKill), is currently being leveraged by 62 such malicious programs.

The ServiceNow 2019 Security study found that:

  • 60% of breaches were related to unpatched vulnerabilities.
  • There was a 34% increase in weekly costs spent on patching compared to 2018.
  • There was 30% more downtime in 2019 due to delays in patching vulnerabilities.

On a more positive note, it’s reassuring to see that companies are starting to recognize the importance of having a network vulnerability management process in place. Based on the 2019 SANS Vulnerability Management Survey:

  • 84% of respondents have created a vulnerability management program.
  • 25% perform weekly or more frequent vulnerability scanning.
  • 82% of those who patch do it on a monthly or more frequent basis.

Why Vulnerability Management is crucial

As you can probably already tell by now, a vulnerability management system should not be missing from any organization, as it enables the organization to efficiently manage the dangers posed by unaddressed flaws in its IT environment.

Exploits – what they are and what you can do about them

In cybersecurity, exploits are a serious threat that should not be ignored.

In short, exploits are malicious programs that capitalize on vulnerabilities in applications or operating systems. These vulnerabilities threaten both enterprises and consumers, which is why vendors frequently release updates to address them.

What’s more, exploits often open the way for malware (such as Trojans, spyware that can steal sensitive information, ransomware that will lock up your systems, etc.) allowing it to further spread on vulnerable endpoints. In the cybercriminal world, exploit kits are commonly sold in underground marketplaces, which makes it easy for malicious actors to conduct attacks. Exploits generally target software such as Microsoft Office, Adobe Flash, Java, etc., which are oftentimes left unpatched.

The growth of cyber-crime and its related threats is pushing companies to spend more on cybersecurity. As part of an organization’s effort to monitor threats, a vulnerability detection mechanism must be included, giving the enterprise access to an ongoing analysis of its IT systems’ weaknesses.

How do you protect your organization from exploits?

Apart from instilling basic security hygiene measures in your company (such as training your employees to be vigilant when downloading and opening email attachments from unknown senders), reducing the dangers of exploit-based attacks always starts with regular patching.

For regulatory and compliance reasons, most companies do periodically upgrade their software and operating systems. However, those who fail to apply their patches in a timely manner not only become non-compliant and are likely to face high fines, but also expose themselves to serious cybersecurity risks.

Along with newly released security updates, vendors also typically publish details on how each addressed vulnerability could be leveraged in the real world. Using this knowledge, cybercriminals may create exploits and launch attacks on vulnerable devices that have not been updated yet.

The new patches will protect machines against threats based on documented vulnerabilities. However, there is also the risk of zero-day vulnerabilities – flaws known only to the attackers who abuse them, and still unknown to and unpatched by the vendor.

As I’ve already mentioned above, patching is the first recommended step that prevents exploits. The second one is traffic filtering and scanning that prevents communication with command & control servers.

For instance, our Thor Foresight Enterprise solves issues related to exploits by scanning traffic at the DNS, HTTP, and HTTPS levels, and enables you to automate your patching process and efficiently manage vulnerabilities.


How are vulnerabilities discovered?

In all organizations, vulnerabilities can be both known and unknown. A good vulnerability management and remediation process should cover all potential vulnerabilities and their impact on the company.

Vendors and third parties (independent security researchers, pentesters, users, etc.) must always disclose vulnerabilities in a responsible manner to avoid the risk of cyber attackers taking advantage of them.

Developers do their utmost to develop stable software, but might not always be able to detect all vulnerabilities in a product before the go-to-market date. Postponing the release is not always an option, so businesses will oftentimes launch the software and then push the security updates (also known as patches) later on, as bugs are discovered.

For instance, Microsoft releases a batch of security updates on a monthly basis (commonly referred to as Patch Tuesday, as the security fixes are published on the second Tuesday of each month). We cover the topic in this section of our blog – make sure to check it out if you are a Microsoft user!

In any case, it’s crucial that those who discover vulnerabilities cooperate, come up with solutions, and release the patches – and, if applicable, also publish a temporary workaround for companies unable to install the updates right away (even though this practice is strongly discouraged).

According to the International Organization for Standardization (ISO/IEC 29147:2018), the main objectives of vulnerability disclosure should include the following:

  • Reducing risk by solving vulnerabilities and communicating the potential impact on users.
  • Minimizing disclosure-related risks and costs.
  • Offering the appropriate information to users so they can evaluate risks caused by vulnerabilities.
  • Defining standards to promote collaboration and communication between stakeholders.

Nevertheless, please keep in mind that the procedures described above are aimed at reducing threats, expenses, and impact on everyone involved, and that they should not be treated as a fixed process. Each vendor should adapt them on a case-by-case basis, in accordance with their needs.

What should Vulnerability Management include?

Vulnerability Management is an ongoing, proactive prevention mechanism that should include steps like:

  • Vulnerability scanning – network scanning, firewall logging, penetration testing, or using an automated tool like a vulnerability scanner.
  • Finding vulnerabilities – analyzing the results of your vulnerability scans and firewall logs and searching for anomalies that may prove an attack has taken place in your environment.
  • Checking vulnerabilities – determining how the bugs found may potentially be abused on computers, software, networks, etc. It often requires the assessment of a vulnerability’s magnitude and the danger it poses to the company.
  • Mitigating vulnerabilities – deciding how to prevent the vulnerabilities’ exploitation prior to patches being released.
  • Patching vulnerabilities – the most important part of a vulnerability management process is actually remediating vulnerabilities through patching.
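As an added example (not code from Heimdal or from the original article), the checking, mitigating and patching steps above reduced to a small tracker: each finding’s CVSS score is mapped to a severity band and a remediation deadline, interim workarounds are recorded, and anything that lingers past its deadline is flagged, which also yields a simple SLA-compliance figure for assessing the program. The findings, CVE ids and the deadline policy are constructed for illustration.

```python
# Minimal vulnerability-management tracker (added example, not Heimdal's code): rates
# constructed scanner findings by CVSS band, derives a remediation deadline per severity,
# and reports each finding's SLA status plus an overall compliance figure.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# CVSS v3 qualitative bands -> remediation deadline in days (assumed example policy).
SEVERITY_BANDS = [(9.0, "Critical", 7), (7.0, "High", 30), (4.0, "Medium", 90), (0.1, "Low", 180)]
REPORT_DATE = date(2020, 8, 27)  # the "today" used for the sample run

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    first_seen: date                 # first scan that reported it
    fixed_on: Optional[date] = None  # date the patch was confirmed installed
    workaround: bool = False         # interim mitigation in place while the patch is pending

def classify(cvss: float) -> Tuple[str, int]:  # -> (severity label, SLA in days)
    for floor, label, days in SEVERITY_BANDS:
        if cvss >= floor:
            return label, days
    return "None", 0

def triage(findings: List[Finding], today: date) -> List[Dict]:
    """One row per finding with its severity, deadline and SLA status as of `today`."""
    rows = []
    for f in findings:
        label, days = classify(f.cvss)
        deadline = f.first_seen + timedelta(days=days)
        if f.fixed_on is not None:
            status = "fixed_in_sla" if f.fixed_on <= deadline else "fixed_late"
        elif today > deadline:
            status = "overdue"  # lingered past its deadline: escalate to the remediation owner
        else:
            status = "mitigated" if f.workaround else "open"
        rows.append({"asset": f.asset, "cve": f.cve, "severity": label, "deadline": deadline, "status": status})
    return rows

def sla_compliance(rows: List[Dict]) -> float:  # share fixed on time or still inside deadline
    return sum(r["status"] in ("fixed_in_sla", "open", "mitigated") for r in rows) / len(rows) if rows else 1.0

# Constructed sample findings with placeholder CVE ids, as a parsed scanner export.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2020, 8, 1)),                             # critical, unpatched
    Finding("web-01", "CVE-0000-0002", 7.5, date(2020, 8, 10), workaround=True),           # high, interim mitigation
    Finding("db-02", "CVE-0000-0003", 5.3, date(2020, 6, 1), fixed_on=date(2020, 7, 15)),  # medium, patched in time
    Finding("hr-03", "CVE-0000-0004", 3.1, date(2020, 1, 10)),                             # low, forgotten for months
]
```

Running `triage(SAMPLE, REPORT_DATE)` marks the unpatched critical and the forgotten low finding as overdue, giving 50% SLA compliance for the sample.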

With our X-Ploit Resilience module, embedded in the Thor Foresight Enterprise suite, patching can be fully automated, allowing you to schedule the process according to your own needs.


How to implement a vulnerability management process in your organization

Now that you’ve grasped the importance of managing your organization’s vulnerabilities, here are some steps that you will hopefully benefit from when setting up your vulnerability management process.

#1. Define your objectives

The main objective of any vulnerability management exercise will be finding and mitigating vulnerabilities as quickly as possible.

Then, you should establish secondary objectives, such as determining the frequency of your vulnerability scanning. One of the common mistakes in vulnerability scanning is not conducting it regularly, which leaves your company exposed if vulnerabilities linger too long without being detected. If scanning is performed in a timely fashion, the risks will be greatly reduced.

#2. Define the roles within your organization

Another important aspect you should take care of is assigning roles and responsibilities and clearly defining all stakeholders’ roles in the vulnerability management process. Everyone involved must comprehend the need for such a process.

For an effective vulnerability management process, CISA proposes the following types of roles to be assigned in an organization:

  • Monitoring roles – the people responsible should analyze the severity of vulnerabilities, log the vulnerability information into a repository, and alert the remediation team.
  • Remediation roles – employees in charge should perform actions such as analyzing the impact of patches on the organization and developing in-house workarounds to the vulnerability (if none are available).
  • Authorization roles – they are part of the change management personnel and should evaluate corrective actions to determine whether they may have any adverse effects.

#3. Choose a reliable Vulnerability Management tool

The vulnerability management procedure, from vulnerability discovery to remediation, should become as automated as possible. This way, operations will be more effective and repetitive tasks and processes will be reduced, allowing staff to focus on other essential tasks. Thanks to an automated approach, businesses will be able to efficiently mitigate vulnerabilities that pose threats, while avoiding unnecessary damage to business operations.

Automated vulnerability management tools allow you to monitor your infrastructure continuously and assess the status of your environment in real time.

X-Ploit Resilience, our Automated Vulnerability Management solution (both embedded in Thor Foresight Enterprise and Thor Premium Enterprise and available as a stand-alone module), enables you to mitigate exploits, achieve compliance, solve vulnerabilities, and install software anywhere in the world, according to your schedule.

You also gain powerful vulnerability intelligence on what has already been patched and on the current liabilities in your environment, allowing you to respond quickly and intervene on specific endpoints if risks persist for too long. What’s more, extensive lifetime history reporting is available as well, which helps you become fully compliant with the latest regulations.

In a nutshell, X-Ploit Resilience provides you with an easy-to-use, intuitive, and comprehensive vulnerability management dashboard and reporting tool, the key elements of a complete vulnerability management solution that will increase your overall security and efficiency.

My colleague has also proposed a list of Vulnerability management tools (open-source and paid) that I encourage you to take a look at.

#4. Assess the effectiveness of your vulnerability management program

Maintaining and supporting a continuous vulnerability management program allows an organization to assess the effectiveness of its vulnerability discovery, analysis, and mitigation, and provides guidance in future decision-making.

You should always make the necessary adjustments in your processes along the way, ensuring that your company maintains an exhaustive understanding of its critical assets and keeps its infrastructure secured.


Conclusion

One outcome of implementing a vulnerability management process will be less stress for IT teams and enhanced security for your organization. Join us in the race to patch all newly discovered vulnerabilities and avoid unnecessary interruptions caused by cyber-attacks, which never seem to be slowing down, not even during the current global crisis.

We’re offering a free 90-day trial of X-Ploit Resilience, our cloud-delivered patch management and vulnerability management solution, as we try to help companies navigate towards certainty. Whether you’re operating as a remote-first company or conducting your activity in the office, our solution will fit your needs.

Register here for a demo or give us a call today at +1 339 209 1673.

It’s up to you whether your vulnerability management journey will be a tale of failure or success – it only depends on how you approach it.

How do you currently manage vulnerabilities in your organization? We’re looking forward to reading your comments!

Comments
Charlotte Santiago on August 27, 2020 at 9:43 pm

Thanks for sharing such a great article Bianca. From definition and statistics to importance and implementation, you have beautifully described each and every point of vulnerability management. I totally agree that managing vulnerabilities in an organization is extremely important and this blog will definitely help security specialists efficiently manage vulnerabilities and implement a successful vulnerability management process.
