The vulnerability management process refers to the never-ending and constant practice of identifying, assessing, reporting, managing, and remediating vulnerabilities across devices, workloads, and systems. It requires a vulnerability management tool that detects vulnerabilities and employs different processes to patch or remediate them.
Effective vulnerability management processes utilize threat intelligence and IT and business operation knowledge to prioritize risks and address vulnerabilities as fast as possible.
Read More about the Vulnerability Management Process
If you’ve heard the term “vulnerability assessment” before, you may wonder if it’s the same as vulnerability management.
What Is the Difference between Vulnerability Management and Vulnerability Assessment?
In a nutshell, vulnerability assessment is the process of systematically reviewing the security weaknesses of an information system. It requires evaluating if the system is vulnerable to known exploitation or cyber attack. Administrators assign severity levels to vulnerabilities and recommend remediation or mitigation steps if necessary.
So, how does it differ from vulnerability management? The most straightforward answer would be—vulnerability assessment is just one of the steps in the vulnerability management process. In general, organizations run multiple vulnerability assessments to obtain more information to come up with an effective vulnerability management action plan.
What Are the Stages in the Vulnerability Management Process?
The vulnerability management process has five stages, which we discussed in more detail below.
Stage 1: Identify Vulnerabilities
In this stage, organizations identify and classify vulnerabilities, ranking them based on the Common Vulnerability Scoring System (CVSS)—a qualitative measure of severity. It doesn’t measure risk. It calculates the severity of a vulnerability so teams can prioritize remediation activities. The CVSS scores of almost all known vulnerabilities can be found in the National Vulnerability Database (NVD).
To identify and classify vulnerabilities, pentesters perform vulnerability scanning as part of a penetration testing exercise. They use vulnerability scanners—automated tools that search for, identify, and report known vulnerabilities in the organization’s IT infrastructure.
This stage creates an inventory of all the organization’s IT assets, especially those that are network-connected, including firewalls, servers, operating systems (OSs), containers, virtual machines (VMs), routers, printers, laptops, desktops, and switches. It also checks open ports, Internet of Things (IoT) devices, system configurations, installed software, third-party apps, and file system structures.
Asset discovery allows the organization to quickly determine which devices are protected, which aren’t, and how attackers can potentially access systems. All these make up the attack surface. The information gathered at this stage is used to create reports and system metrics for the next step.
Stage 2: Evaluate Vulnerabilities
After vulnerability discovery, the organization must evaluate the vulnerabilities to determine their degree of risk. They can use CVSS for this as well.
The risk scores can guide organizations in prioritizing remediation. They must address the riskiest first and go down the line. Answering these questions helps with vulnerability evaluation:
- Is the vulnerability a true one or merely a false positive?
- Is it easy to exploit?
- Can it be exploited remotely?
- Does it have publicly published exploits?
- How many devices have it?
- Is it new (older vulnerabilities tend to pose more risks)? How long has it existed in your network?
- Do you have security policies, protocols, and controls to mitigate its impact if it’s exploited?
- How significant an impact does it have on the overall organization if it’s successfully exploited?
Stage 3: Remediate Vulnerabilities
In this stage, organizations must address and mitigate the vulnerabilities. Vulnerabilities with the highest risk scores must be prioritized. This step often uses strategies that include patching, limiting user permissions, and disconnecting affected devices from the network until they’re protected.
Stage 4: Verify Vulnerabilities
This stage requires ensuring that the threats have been eliminated through follow-up audits. Pentesting should also be done to verify the effectiveness of the measures taken.
Stage 5: Report Vulnerabilities
The last stage is documenting the vulnerabilities discovered and the measures taken to address them. These should be part of the existing security plan to enable teams to monitor for suspicious activity and respond to threats in the future. The reports should be shared with top management and compliance auditors. Demonstrating and recording remediated vulnerabilities and issues shows accountability that is required to ensure regulatory compliance.
The vulnerability management process is critical for organizations that want to keep their networks safe by minimizing exploitable weaknesses.
- The vulnerability management process is the never-ending and constant practice of identifying, assessing, reporting, managing, and remediating vulnerabilities across devices, workloads, and systems.
- Vulnerability assessment is just one step in the vulnerability management process.
- The vulnerability management process has five stages—vulnerability identification, vulnerability evaluation or assessment, vulnerability remediation, vulnerability verification, and vulnerability reporting.