Vulnerability Management Program Framework

Helping you identify, classify, remediate, and mitigate vulns—before attackers do

At a Glance

Massive breaches have caused many companies to pursue stronger, more proactive measures for managing vulnerabilities in their environments. Yet, as corporate infrastructures have become more complex—encompassing the cloud and spanning vast attack surfaces—businesses have found it more difficult to achieve complete visibility into the rapidly proliferating vulnerabilities across their ecosystems. Capitalizing on the opportunity, cybercriminals have learned how to exploit chains of weaknesses in systems, applications, and people.

Vulnerability management programs address today’s modern cybersecurity challenges by instituting a comprehensive and continuous process for identifying, classifying, remediating, and mitigating vulnerabilities before attackers can take advantage of them. At the heart of these vulnerability management programs is often a vulnerability scanner that automatically assesses and understands risk across an entire infrastructure, generating easy-to-understand reports that help businesses properly and rapidly prioritize the vulnerabilities they must remediate or mitigate.

The four steps of a vulnerability management program

A vulnerability scanner automates the vulnerability process, typically breaking it down into the following four steps. It’s important to note that a good vulnerability management process should continually scan for vulnerabilities as they are introduced into the environment, as circumstances can quickly change.

1. Identifying vulnerabilities 

The first and most essential step in any vulnerability management process, of course, is to bring to light all of the vulnerabilities that may exist across your environment. A vulnerability scanner goes about this by scanning the full range of accessible systems that exist—from laptops, desktops, and servers on to databases, firewalls, switches, printers, and beyond.

From there, the vulnerability scanner identifies any open ports and services that are running on those systems, logging in to those systems and gathering detailed information where possible before correlating the information it obtains with known vulnerabilities. This insight can be used to create reports, metrics, and dashboards for a variety of audiences.

2. Evaluating vulnerabilities

Once you’ve identified all the vulnerabilities across your environment, you’ll need to evaluate them in order to appropriately deal with the risks they pose according to your organization’s risk management strategy. Different vulnerability management solutions use different risk ratings and scores for vulnerabilities, but one commonly referenced framework for new programs is the Common Vulnerability Scoring System (CVSS).

Vulnerability scores can help organizations determine how to prioritize the vulnerabilities they’ve discovered, it’s important to also consider other factors to form a complete understanding of the true risk posed by any given vulnerability. It’s also worth noting that vulnerability scanners can generate false positives in rare instances, thus underscoring the necessity of including other considerations in addition to risk scores at this stage of the process.

3. Treating vulnerabilities 

After you’ve prioritized the vulnerabilities that you’ve found, it’s important to promptly treat them in collaboration with your original business or network stakeholders. Depending on the vulnerability in question, treatment usually proceeds according to one of the following three paths:

  1. Remediation: Fully fixing or patching a vulnerability so that it cannot be exploited, which is usually the most preferable option whenever possible.
  2. Mitigation. When remediation can’t be accomplished, an organization may choose the next best option of reducing the likelihood that a vulnerability will be exploited by implementing compensating controls. This solution should be temporary, buying time for an organization to eventually remediate the vulnerability.
  3. Acceptance. If a vulnerability is deemed low-risk or the cost of remediating it is much greater than it would be if it were exploited, an organization may choose simply to take no action to fix the vulnerability.

When determining specific treatment strategies, it is best for an organization’s security team, system owners, and system administrators to come together and determine the right remediation approach—whether that’s issuing a software patch or refreshing a fleet of physical servers. Once remediation is considered complete, it’s wise to run another vulnerability scan to make sure that the vulnerability has, in fact, been effectively remediated or mitigated.

4. Reporting vulnerabilities 

Improving the speed and accuracy with which you detect and treat vulnerabilities is essential to managing the risk that they represent, which is why many organizations continually assess the efficacy of their vulnerability management program. They can take advantage of the visual reporting capabilities found in vulnerability management solutions for this purpose. Armed with the insights needed, IT teams can identify which remediation techniques will help them fix the most vulnerabilities with the least amount of effort. Security teams, for their part, can use this reporting to monitor vulnerability trends over time and communicate their risk reduction progress to leadership. Ideal solutions will include integrations with IT ticketing systems and patching tools to accelerate the process of sharing information between teams. This helps customers make meaningful progress toward reducing their risk. Businesses can also use these assessments to fulfill their compliance and regulatory requirements.

Four tips for a better vulnerability management program

  1. Conduct comprehensive scans. While many businesses once found it sufficient to scan servers and desktop computers on the enterprise network, today’s complex and rapidly evolving IT environment requires a comprehensive approach. Your vulnerability management program should provide visibility into your entire attack surface, including the cloud, and automatically detect devices as they connect to your network for the first time.
  2. Continually assess your vulnerabilities. Infrastructures and applications can change on a daily and even hourly basis. For this reason, you must continually scan your environment to make sure that you identify new vulnerabilities as early as possible. Many vulnerability management solutions include endpoint agents and other integrations that can provide you with a real-time view of vulnerabilities across your environment.
  3. Accelerate your processes. Introducing automation into the vulnerability management process is essential to properly managing the modern risks your business faces at scale.  Human decisions play a critical role in every vulnerability management program, but automation can help streamline the repetitive work that is done before and following these key decision points.
  4. Address weaknesses in people, too. Vulnerabilities are not limited to technology; they exist in the human element within an organization as well. Security teams must collaborate with IT operations and application development groups to more quickly identify and remediate vulnerabilities of all kinds. Meanwhile, user education and simulations can increase your organization’s resilience to phishing and other social-engineering attacks.

Businesses face growing risks as the attack surface continues to expand, increasing the number of vulnerabilities for hackers to exploit. Vulnerability management programs give companies a framework for managing these risks at scale, detecting vulnerabilities across the entire environment with greater speed. Meanwhile, analytics help organizations continually optimize the techniques they use for remediation. With a strong vulnerability management program in place, businesses can better address the risks they face not only today but well into the future.