Vulnerability Management Process: Tutorial & Best Practices

January 12, 2024
10
‎‎‏‏‎‎min

Managing vulnerabilities effectively is a cornerstone activity for security teams.. This article examines sustainable practices in vulnerability management, focusing on defining each step in the management cycle, selecting appropriate tools, maintaining historical data, acknowledging risks, and updating systems regularly.

Before we begin, some clarification is in order - this article is about vulnerability management as a process, not as a program. The sidebar explains more about the difference, but in short:

  • A vulnerability management process is a tactical approach that should have a defined start and finish. The process activities focus on the immediate identification and resolution of vulnerabilities.
  • A vulnerability management program encompasses a broader, strategic framework. It not only includes the process of managing vulnerabilities but also integrates this process into the organization’s overall security strategy.

The process begins with establishing clear objectives for each stage in the vulnerability management cycle. This involves setting specific criteria for starting and completing each phase and identifying necessary inputs and outputs. Detailed planning enables efficient, purposeful action and alignment with the organization’s security goals. This approach helps reduce confusion, align all involved parties, and thoroughly manage vulnerabilities from identification through resolution.

Selecting practical tools for identifying, assessing, tracking, and managing vulnerabilities is another important aspect. Spreadsheets—while they seem a suitable solution in the absence of alternatives —do not scale for programs that incorporate ongoing scans and status updates. Likewise, basic communication methods like email are not fit for purpose in maintaining the management lifecycle. Organizations must invest in specialized tools that offer consistent tracking and a unified system of records throughout the entire lifecycle. These tools should be managed by a dedicated team, providing a centralized and accurate source of information regarding vulnerabilities.

Additionally, it is important to maintain historical data alongside current updates. While focusing on the present security status is the groundwork, overlooking data from past vulnerabilities and incidents can lead to repeating errors and missing significant patterns. Tools employed for vulnerability management should enable the tracking of current data and the preservation of historical data, offering a holistic view of the organization’s performance in tracking and remediation vulnerabilities over time.. Email chains, dedicated notebooks, and spreadsheets quickly grow unwieldy, stuffed full of information generated by each scan and patching cycle. Creating statistics, point-in-time views, and month-over-month overviews of progress from these sources requires investing significant time in data manipulation.

Unaddressable vulnerabilities (or risk acceptance requests by business stakeholders) are a fact of the technology landscape, as are the risks that they introduce into an environment. Security teams are rarely comfortable with the act of accepting an opening that may lead to an incident. For these scenarios, documentation and appropriate justification for the risk - and ideally a proposal for a mitigating control - must be in place.

{{banner1="/banners"}}

The acceptance and documentation of both unaddressable and unpatched vulnerabilities must take place before moving into production environments. This process involves identifying risks, assigning responsibility, and setting timelines for remediation or review in line with the changing threat landscape.

The vulnerability management process (source)

Summary of best practices for implementing a sustainable vulnerability management process

The table below provides a summary of the best practices covered in this article.

Best Practices Description
Establish the intent of each step in the vulnerability management cycle Every step of the vulnerability management cycle should have known entry criteria, inputs, outputs, and exit criteria.
Choose tools that allow consistent tracking and visibility throughout the lifecycle Email and spreadsheets are not sufficient for vulnerability management tracking. The tools used must be owned by one team, although the contents should be made accessible to affected parties as needed.
Ensure that historical data is archived when information is updated The VM team needs to have a view of current information that is easily readable and translated into metrics. Historical data tracking should ensure an accurate picture of the current security posture.

That said, when data on risks and vulnerabilities is updated, it cannot be at the expense of historical understanding. Tools used should track the trends and progress of conversations, vulnerability status, risk ownership, and other changeable information as the cycle progresses. This allows the auditing of remediated vulnerabilities and metrics tracking for program improvement.
Formalize risk acceptance for vulnerabilities that remain in the environment Mandate risk acceptance processes and reporting for any residual risks before production deployment. Distinguish between risks that will be mitigated later for technical or business reasons and risks that cannot be remediated, and document mitigating controls.
Ensure that vulnerabilities, once accepted, are recorded and tracked Routinely revisit risks that are accepted for changes to the threat level, such as when an exploit is discovered for a previously theoretical vulnerability. Ensure that a timeframe is set for risk remediation.

Exploration of best practices for implementing a sustainable vulnerability management process

Now we’ll take a look at the best practices for establishing a vulnerability management process in more detail.

Establish the intent of each step in the vulnerability management cycle

Each organization’s vulnerability management cycle is distinct, mirroring its specific security needs and operational framework. Customizing each step to meet organizational goals turns the process from a routine to a deliberate action. This customization requires understanding the threats unique to the organization, the inventorying and profiling of assets needing protection, and required compliance with regulatory standards. In this way, the vulnerability management process evolves beyond meeting specific compliance requirements, becoming an active, adaptable component that markedly improves the organization’s security stance.

Every step of the vulnerability management cycle should have known entry criteria, inputs, outputs, and exit criteria. As you implement, it’s important to understand what your enterprise wants to achieve at each stage. Document movement into the process, between steps, and out of the vulnerability management lifecycle, or many items will linger between steps and never be completed. This helps prevent confusion and ensures that everyone is on the same page about what needs to be done at each stage. It also helps ensure that nothing falls through the cracks and that all vulnerabilities are effectively managed, from discovery to resolution.

{{banner2="/banners"}}

Choose tools that allow consistent tracking and visibility throughout the lifecycle

Email is not sufficient for vulnerability management tracking. The tool or tools used must be owned by one team, although the contents should be accessible to the affected parties as needed. The vulnerability management team should choose, own, and manage the content of the vulnerability management tool; other groups can track vulnerability management in their own ways, but this tool is the one source of truth.

This approach ensures a single, reliable source of information about all vulnerabilities. It helps prevent confusion and ensures that everyone has access to the same information. It also helps make sure that all vulnerabilities are adequately tracked and managed and that no data is lost or overlooked.

Beyond choosing tools, it’s important to focus on integrating these tools within the wider security framework. The selected tools should aid in tracking and management and also support data exchange with other security systems, as well as ITSM and asset management tools like CMDBs.. This integration leads to a more unified response to vulnerabilities and improves the efficacy of security operations. Additionally, the tools should be flexible and capable of adjusting to changing security needs, remaining effective as the organization develops.

Ensure that historical data is archived when information is updated

Preserving historical data is essential for analysis and forecasting. Analyzing past vulnerabilities and their resolution helps organizations prepare for potential future threats, thereby enabling a more proactive risk posture risk exposure. This data is also key in training and awareness programs, offering practical case studies for staff education on cybersecurity importance.

The VM team needs to have a view of current information that is easily readable and translated into metrics. Historical data tracking should inform an accurate picture of the current security posture. However, when data on risks and vulnerabilities is updated, it cannot be at the expense of historical understanding.

Tools used should track the progress of conversations, vulnerability status, risk ownership, and other changeable information as the cycle progresses. This allows the audit of remediated vulnerabilities and metrics tracking for program improvement.

The reason for this methodology is to ensure that there is a complete record of all vulnerabilities and how they have been managed. This helps provide a clear picture of the organization’s security posture over time and allows for identifying trends and patterns. It also helps ensure that all actions taken to manage vulnerabilities are appropriately documented and can be audited if necessary.

Formalize risk acceptance for vulnerabilities that remain in the environment

Risk acceptance is an integral part of a comprehensive risk management approach. It involves more than just accepting a risk—it includes understanding the risk’s business impact and considering all mitigation options. This process should be continuous, with frequent reassessments of risks against the changing security environment and organizational shifts. Clear and cooperative communication across departments is crucial, ensuring that risk acceptance decisions are informed and in line with the organization’s risk management and business strategies.

Mandating risk acceptance for residual risks before production deployment is essential for vulnerability management. This process involves evaluating and distinguishing risks that will be mitigated later from those that cannot be remediated. It’s important to document any interim mitigating controls. These controls might include additional monitoring or adjustments in operational procedures to manage the risk from these vulnerabilities.

{{banner3="/banners"}}

Ensure that vulnerabilities, once accepted, are recorded and tracked

Regular reviews of accepted risks should be conducted in response to changes in threat environment, updated threat intelligence and shifts in the organization's level of risk tolerance. This might involve re-evaluating the risk’s impact and likelihood and adjusting mitigation strategies as necessary.

Maintaining a log of accepted risks allows the security team to react more effectively to any changes to the relative risk associated with older vulnerabilities. There is no need to check and recheck each vulnerability for change constantly; it is more efficient to maintain an accurate log of accepted vulnerabilities. The log will enable faster response when a new exploit elevates the risk associated with an older vulnerability..

Assigning clear ownership and responsibility for each accepted risk aids in the effective management needed to manage the vulnerabilities already accepted. Setting a specific timeframe for risk remediation - and tracking the timeline for updates - is also important, based on the severity of the risk and the evolving threat landscape. Reviews should take place periodically, not just to keep them in mind but also to ensure awareness when environments and systems transfer between risk owners. The security team should brief the executive team on related risk and gain acceptance—or implement remediation planning—as part of the turnover for any deployment.

This systematic approach aims to maintain a thorough and adaptable risk management process. Organizations can clearly understand their security posture by ensuring all risks are appropriately identified, assessed, and managed. Continuously monitoring and managing risks, aligned with the organization’s evolving security needs and objectives, are baseline measures for effective cybersecurity.

Sidebar: The difference between a vulnerability management process and a vulnerability management program

The vulnerability management process consists of evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This process is continuous and involves various stages, including the identification of vulnerabilities and their classification, remediation, and mitigation. It is a tactical approach, focusing on the immediate identification and resolution of vulnerabilities.

In contrast, a vulnerability management program encompasses a broader strategic framework. It not only includes the process of managing vulnerabilities but also integrates this process into the organization’s overall security strategy. A vulnerability management program involves policy development, setting objectives, allocating resources, and defining roles and responsibilities. It is designed to be an ongoing effort, aligning with the organization’s risk management strategy and adapting to the evolving threat landscape.

The key differences are scope and focus. A vulnerability management process is a component of a vulnerability management program. A process is more technical and operational in nature, dealing with the day-to-day activities of identifying and mitigating vulnerabilities. In contrast, the program is more strategic, focusing on long-term goals, policies, and the integration of vulnerability management into the broader security posture of the organization.

A vulnerability management program also involves stakeholder engagement, training, and awareness activities, ensuring that all parts of the organization understand their role in maintaining security. It requires a commitment to continuous improvement, learning from past incidents, and adapting to new threats.

In summary, while a vulnerability management process is about the tactical handling of vulnerabilities, a vulnerability management program is about strategically embedding these practices into the organization’s culture and operations. Both are essential for a robust cybersecurity defense, but they operate at different levels and serve different purposes within an organization’s security framework.

{{banner4="/banners"}}

Summary of key concepts

Establishing clear objectives for each segment of the vulnerability management cycle guarantees that every phase is focused and effective. Opting for specialized tools for consistent tracking and knowledge management throughout the lifecycle reflects the seriousness of this aspect of cybersecurity. These tools act as a central repository of information, providing consistent and accurate data for all involved parties.

Maintaining historical data while updating current information is an essential practice. It allows organizations to learn from past experiences while staying aware of current challenges. This dual perspective aids in identifying trends, understanding the evolution of threats, and refining strategies for future challenges.

Furthermore, the practice of risk acceptance for any remaining vulnerabilities highlights the need for a strategic approach to risk management. Documenting and regularly reviewing accepted risks helps organizations maintain an informed understanding of their security postures and adapt their strategies to meet the demands of a changing threat environment.

The practices outlined in this article are integral parts of a comprehensive strategy. They come together to form a complete framework for vulnerability management. This framework can aid your organization, so it can navigate the complexities of cybersecurity confidently and effectively.

Like this article?

Subscribe to our LinkedIn Newsletter to receive more educational content

Subscribe Now
Chapter
1

Vulnerability Management Lifecycle

Learn how to prioritize and mitigate weaknesses within an organization's IT landscape through a holistic vulnerability management program.

Read this chapter
Chapter
2

SSVC: In-Depth Tutorial

Learn how the Stakeholder-Specific Vulnerability Categorization (SSVC) is becoming the industry standard replacing the Common Vulnerability Scoring System (CVSS).

Read this chapter
Chapter
3

EPSS

Learn how to utilize the Exploit Prediction Scoring System to prioritize remedial steps and prevent vulnerability-based incidents.

Read this chapter
Chapter
4

CTEM

Learn best practices for operationalizing CTEM and incorporating asset value for enhanced threat management.

Read this chapter
Chapter
5

Threat and Vulnerability Management

Learn how to reduce your organization's attack surface with threat and vulnerability management best practices.

Read this chapter
Chapter
6

Vulnerability Management Process

Learn the best practices for implementing a sustainable vulnerability management process, including establishing clear objectives, selecting appropriate tools, maintaining historical data, and acknowledging risks.

Read this chapter
Chapter
7

Vulnerability Prioritization

Learn about the best practices, challenges, and modern models for prioritizing vulnerabilities in order to reduce risk exposure and improve overall security.

Read this chapter