How to Implement a Vulnerability Management Program — and Why You Need One

Between the shift to distributed work, the growth of the Internet of Things, and the troubling surge in digital crime, the global threat landscape has never been more complex. 

By 2025, the annual cost of cybercrime is projected to reach an estimated $10.5 trillion. In 2021, the average cost of a data breach rose to $4.24 million, the highest figure in the 17-year history of IBM's Cost of a Data Breach Report. And all the while, attacks keep growing more sophisticated.

Cybersecurity alone is no longer enough. If your business is to protect itself, it must develop cyber resilience. A risk management strategy is crucial to reducing threats; however, for it to be truly effective, it must incorporate a continuous vulnerability management program.

How to Implement a Vulnerability Management Program

What is Vulnerability Management?

Vulnerability management is the continuous process of discovering, assessing, prioritizing and remediating vulnerabilities across your environment. Data collected through vulnerability scans is typically paired with threat intelligence and with data on business operations, such as which assets matter most. The end goal of any vulnerability management program is to eliminate critical vulnerabilities before an attacker can exploit them.

The Role of Vulnerability Management in Cybersecurity

In the context of cybersecurity, vulnerability management is all about reducing a business's attack surface. It does this by identifying vulnerabilities, determining which are most likely to be exploited by an attacker, and eliminating them as potential attack vectors. Known software vulnerabilities are catalogued publicly: each receives a CVE identifier, and NIST's National Vulnerability Database (NVD) enriches those entries with severity scores and affected-product data.

Each vulnerability in the NVD is typically assigned a numeric score from 0.0 to 10.0 under the Common Vulnerability Scoring System (CVSS), mapped to a qualitative rating from None (no impact) through Low, Medium and High to Critical (severe, possibly catastrophic consequences for the business).

A CVSS v3.1 base score is built from three groups of metrics, and a separate temporal group can adjust it:

  • Exploitability: Attack Vector (network, adjacent, local or physical), Attack Complexity, Privileges Required and User Interaction. How easily can an attacker reach and trigger the flaw, and does it require privileges on the system or a victim's interaction?
  • Scope: Does a successful exploit stay within the vulnerable component's own security authority, or does it cross into resources that component should not control (for example, a guest escaping to its hypervisor)? A changed scope raises the score.
  • Impact: The loss of confidentiality, integrity and availability a successful exploit causes, rated none, low or high for each. Can it expose confidential data or take down mission-critical systems?
  • Temporal metrics: Exploit Code Maturity (is a working exploit public?), Remediation Level (is there an official fix, a temporary fix or a workaround?) and Report Confidence. These lower the base score as circumstances warrant; how long a vulnerability has been known is not itself a metric.

Vulnerability Management vs. Risk Management

A risk management program looks at overall risks, and is usually applied on a more strategic level. Vulnerability management practices are typically part of this program. Vulnerabilities are prioritized and remediation is determined based on a risk management framework.

While critical vulnerabilities may pose a direct threat to an organization, the connection between these two processes has more to do with how risk management practices and policies are implemented than with the vulnerabilities alone. Vulnerability management is a technical IT activity; risk management typically uses a risk framework to align that activity with business goals.

COBIT (Control Objectives for Information and Related Technologies), in its COBIT 5 edition, is a framework that functionally acts as a bridge between risk management, governance, security and business objectives, based on five core principles:

  • Meeting stakeholder needs
  • End-to-end coverage of the enterprise
  • Applying a single, integrated framework
  • Enabling a holistic approach to IT and business operations
  • Separating governance and management

Because COBIT and its underlying principles apply to the entire business, it enables organizations to take an important step toward establishing a unified approach to cyber resilience. 

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Start building your Vulnerability Management Program

How do I Incorporate Risk-Based Vulnerability Management?

It’s important to understand that vulnerability management is an ongoing process, and the process never truly ‘ends.’ 

With that established, vulnerability assessments are a crucial component of every vulnerability management program. They cover the initial stages of the process: identifying and classifying potential weaknesses and determining what can be done about them. To ensure these assessments provide you with valuable data, you must first lay some groundwork.

Step One: Planning

The first step in implementing any vulnerability management program is, as established by COBIT, taking a holistic approach, which involves the following: 

  • Inventorying your business’s assets, and determining which are most critical. 
  • Standardizing vulnerability and risk definitions and classifications.
  • Establishing roles and responsibilities for threat and vulnerability management
  • Defining processes and policies for identification, classification, remediation, and reporting. 

Step Two: Identification

With your assets mapped, it's time to begin probing for vulnerabilities. This is generally achieved with a vulnerability scanner. Some vulnerability management solutions cover several asset classes, but you may need a specialized tool for each: network and host scanning, web application testing, cloud configuration review and container image scanning are typically separate capabilities.

Vulnerability scanners typically work by gathering detailed information about each asset (operating system, installed packages and their versions, listening services, configuration) and comparing that data against a database of known vulnerabilities and the versions they affect. Some products add heuristics or machine learning to flag issues not present in any database, but the database comparison is the core of the work. A vulnerability scan may consist of any or all of the following:

  • Static or dynamic analysis of application code.
  • Scanning network-connected endpoints for open ports and the services behind them.
  • Authenticated access to systems to collect more detailed information, such as installed package versions.
  • Checking for misconfigured security or remote access tools.
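What "comparing collected data to a database" looks like in practice, as an added example for this article (not the page's own code or any scanner's): a constructed inventory of hosts and package versions is matched against a constructed advisory list whose entries use introduced/fixed version ranges. Package names, host names and advisory identifiers are hypothetical. The point it makes is the one naive matchers get wrong: versions must be compared numerically, component by component, not as strings.

```python
"""Inventory-versus-advisory matching, the core of a vulnerability scanner (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    adv_id: str            # hypothetical identifier, not a real CVE
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix released
    base_score: float


def version_key(version: str) -> tuple:
    """Comparable key for versions like '1.2.10' or '2.0.0-rc1'.

    Components compare as integers (so 1.2.10 > 1.2.9, unlike string order),
    and a pre-release suffix sorts before the bare release (2.0.0-rc1 < 2.0.0).
    Real scanners implement each ecosystem's own ordering rules; this is the
    simplified form.
    """
    core, _, pre = version.partition("-")
    numbers = tuple(int(n) for n in re.findall(r"\d+", core))
    return numbers, (0, pre) if pre else (1, "")


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    key = version_key(version)
    if key < version_key(adv.introduced):
        return False
    return adv.fixed is None or key < version_key(adv.fixed)


def scan(inventory: List[Tuple[str, str, str]],
         advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return one (host, package, version, advisory id) finding per match."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for host, package, version in inventory:
        for adv in by_package.get(package, []):
            if is_affected(version, adv):
                findings.append((host, package, version, adv.adv_id))
    return findings


# Constructed data: hypothetical packages, hosts and advisory identifiers.
ADVISORIES = [
    Advisory("ADV-0001", "examplelib", "1.0.0", "1.2.10", 9.8),
    Advisory("ADV-0002", "examplelib", "2.0.0", None, 7.5),   # no fix yet
    Advisory("ADV-0003", "otherlib", "3.1.0", "3.1.4", 5.3),
]
INVENTORY = [
    ("web-01", "examplelib", "1.2.9"),      # affected: 1.2.9 < 1.2.10 (string order says otherwise)
    ("web-02", "examplelib", "1.2.10"),     # first fixed version
    ("api-01", "examplelib", "2.0.0-rc1"),  # pre-release, before the introduced version
    ("api-02", "examplelib", "2.3.1"),      # affected, and no fix available
    ("db-01", "otherlib", "3.1.4"),         # fixed
    ("db-02", "otherlib", "3.0.9"),         # predates the vulnerable range
]

if __name__ == "__main__":
    for finding in scan(INVENTORY, ADVISORIES):
        print(finding)
```

Running it reports exactly two findings, web-01 and api-02. The api-02 match carries no fixed version, which is the case that pushes a finding toward mitigation rather than patching in the quantification step.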

The Center for Internet Security's CIS Controls (version 7, sub-control 3.1) recommend running an automated vulnerability scan against all systems on the network at least once per week. However, in a modern ecosystem, particularly one with multiple supply chain partners and vendors, a full scheduled scan of every asset may be impractical. Lightweight endpoint agents offer an alternative to scheduled scans, continuously reporting vulnerability data with little performance overhead.

Step Three: Quantification

Typically, when a vulnerability is detected, the scanner will report a CVSS score. Although that score is helpful for assigning and prioritizing remediation tasks, it should be used as a guideline rather than taken as gospel: it describes the vulnerability in the abstract, not in your environment. There are multiple real-world factors you must consider when quantifying risk.

For each vulnerability, you must determine: 

  • Whether or not the vulnerability is a false positive.
  • How exploitable the vulnerability is in the context of your unique architecture. 
  • Whether or not you have pre-existing security controls in place to mitigate the vulnerability. 
  • The extent to which your business would be impacted if the vulnerability were to be exploited. 

CVSS provides environmental metrics for exactly this purpose: modified base metrics and confidentiality, integrity and availability requirements that adjust the score to your ecosystem, alongside temporal metrics that account for exploit availability and fix status. Apply them here. Depending on available resources and the threat posed by each vulnerability, you have three options.

  • Accept the risk: The vulnerability poses little to no threat to your organization. Its potential impact is not high enough to justify the time, effort and resources required to fix it. Record the decision and its rationale, and revisit it when circumstances change.
  • Mitigate the risk: If there is currently no fix, or the fix cannot be applied promptly, mitigation (a compensating control such as a firewall rule, a configuration change or disabling the affected feature) may be your best bet. This should only be a temporary measure, lessening the potential impact until the vulnerability can be permanently addressed.
  • Remediate: Eliminate the vulnerability altogether, usually by patching, upgrading or removing the affected component.
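One way to turn the four questions and three options above into a repeatable triage rule, as an added example for this article (not the page's or any vendor's code). The score offsets, the asset criticality labels and the remediation deadlines are assumed policy values for illustration, not CVSS environmental metrics, and the findings are constructed. Its point is that contextual scoring re-orders the queue: a 9.8 on an isolated, already-controlled, low-value asset lands below a 7.5 on an exposed critical one, a finding with no available fix is routed to mitigation, and a false positive is closed rather than scored.

```python
"""Risk-based triage of scanner findings (added example, assumed policy values)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    base_score: float            # CVSS v3.1 base score reported by the scanner
    asset_criticality: str       # "high" | "medium" | "low", from the asset inventory
    internet_exposed: bool       # reachable from outside the network
    compensating_control: bool   # e.g. already blocked by a WAF rule or network isolation
    fix_available: bool          # vendor patch or upgrade exists
    confirmed: bool              # False = triage judged it a false positive


# Assumed policy: remediation deadline in days per adjusted priority.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def adjusted_score(f: Finding) -> float:
    """Context-adjusted score; the offsets are illustrative policy values."""
    score = f.base_score
    if not f.internet_exposed:
        score -= 1.5                  # attacker needs a foothold first
    if f.compensating_control:
        score -= 2.0                  # exploit path already blocked or detected
    if f.asset_criticality == "high":
        score += 1.0                  # business impact if exploited
    elif f.asset_criticality == "low":
        score -= 1.0
    return max(0.0, min(10.0, round(score, 1)))


def priority(score: float) -> str:
    """Same bands as the CVSS qualitative severity table."""
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def decide(f: Finding, today: date) -> dict:
    """Map a finding to close / accept / mitigate / remediate plus a deadline."""
    if not f.confirmed:
        return {"finding_id": f.finding_id, "decision": "close_false_positive",
                "adjusted_score": None, "priority": None, "due": None}
    score = adjusted_score(f)
    prio = priority(score)
    if prio == "low":
        decision, due = "accept", None   # document the acceptance and revisit it later
    elif not f.fix_available:
        # Compensating control must be in place by the deadline; re-check when a fix ships.
        decision, due = "mitigate", today + timedelta(days=SLA_DAYS[prio])
    else:
        decision, due = "remediate", today + timedelta(days=SLA_DAYS[prio])
    return {"finding_id": f.finding_id, "decision": decision, "adjusted_score": score,
            "priority": prio, "due": due.isoformat() if due else None}


def triage(findings: List[Finding], today: date) -> List[dict]:
    """Work queue ordered by adjusted score; closed false positives sink to the end."""
    results = [decide(f, today) for f in findings]
    results.sort(key=lambda r: (r["adjusted_score"] is not None, r["adjusted_score"] or 0.0),
                 reverse=True)
    return results


# Constructed findings; raw CVSS order would be F-1, F-4, F-2, F-3, F-5.
FINDINGS = [
    Finding("F-1", "dev-box-07", 9.8, "low", False, True, True, True),
    Finding("F-2", "customer-portal", 7.5, "high", True, False, True, True),
    Finding("F-3", "payments-api", 6.5, "high", True, False, False, True),
    Finding("F-4", "hr-intranet", 9.1, "medium", False, False, True, False),
    Finding("F-5", "print-server", 4.2, "low", False, False, True, True),
]
TODAY = date(2024, 1, 1)   # fixed so the deadlines are reproducible


def run_example() -> List[dict]:
    return triage(FINDINGS, TODAY)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The queue comes out F-2, F-3, F-1, F-5, F-4: the exposed customer portal is remediated within 30 days, the payments API gets a mitigation deadline because no fix exists, the 9.8 on the isolated dev box drops to a 90-day medium, the print server finding is accepted with a recorded rationale, and the false positive is closed without consuming an engineer's time.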

Step Four: Remediation

Provided you’ve decided to fix a vulnerability, your next step is to determine how. Your vulnerability management software will usually provide you with recommendations, though it’s up to you whether or not you follow them. From there, it’s simply a matter of assigning the remediation task to an individual or team. 

Remediation may be simple or complex, depending on the scope of a vulnerability. In some cases, you’ll only need to apply an update or patch. Other scenarios may require you to replace large segments of your infrastructure, or phase out a widely-used software platform. 

Step Five: Reporting

Regular reports on your vulnerability management program should be generated both for your risk management team and organizational leadership. For the former, this will provide a better understanding of your organization’s risks and aid in regulatory compliance. For the latter, it can be used to demonstrate return on investment and gain approval for more comprehensive remediation tasks. 

The Power of Integrated Risk Management

The greatest benefits of a vulnerability management program will come when deployed as part of an overall risk management program. Given the complexity of most modern ecosystems, it is no longer feasible to manually address vulnerability management and risk management. Automation is the key to protecting your business’s assets. The best way to enable this is through the integration of vulnerability management data into your governance, risk, and compliance platform. 

Centraleyes can help with that. As the world’s most advanced cloud-based integrated risk management solution, we streamline every step involved in managing risk and remediation. Our intuitive dashboard automatically collects real-time threat intelligence from across your entire ecosystem, including vendors. 

For each vulnerability or gap our platform identifies, our AI risk engine will create actionable, automated remediation tasks, complete with smart prioritization and management. All risks are automatically added to our risk register, which you can also manually update and configure. Better yet, this all happens in real-time. 

Cybersecurity alone can no longer protect an organization. Cyber resilience is the future, integrated with your GRC or IRM, and an ecosystem-wide continuous vulnerability management program. 
