10 Stages Of The Vulnerability Management Lifecycle
The vulnerability management lifecycle is a continuous process to identify, prioritize, report, resolve, and verify vulnerabilities within your information systems and continually monitor, refine, and improve this process.
There can be many challenges to overcome with the vulnerability management process. The escalating number of emerging security threats and threat actors combined with an often increasing attack surface poses its own set of challenges in addition to choosing the right type of cybersecurity solution for your environment or the best vulnerability scanning tools for your equipment.
Additionally, there are often restrictions with time, resources, budgets, and the continuing struggle between functionality and ease of use, weighed against securing systems and restricting access.
However, a vulnerability management program can provide organizations with a detailed understanding of their state of security and help to guide an informed decision-making process when addressing threats and budgeting for resources to help improve security.
A well-established vulnerability management lifecycle can bring about many benefits for an organization, including:
- Gaining detailed insight into your business operations and assets so that potential weaknesses can be identified and addressed.
- Making informed decisions based on documented information, saving time and resources.
- Maintaining a consistent and structured vulnerability management process that addresses threats and meets compliance standards.
- Proactively addressing and resolving vulnerabilities before they are at risk of exploitation.
- Improving security knowledge and awareness within your organization, which can promote a culture of vigilance and threat reporting.
1. Build A Catalog Of Your Assets
Building a detailed catalog of all of your business assets is an important first step in the vulnerability management lifecycle, as different assets can face different risks to their security.
Without a complete asset inventory, it can be difficult to document and verify the state of your organization’s security.
Your organization’s assets can include:
- Physical Assets
- Software and Services
- People and Accounts
- Proprietary Data and Critical Business Information
Discovery Scans to Catalog Assets
Asset discovery scanning can form part of your vulnerability management lifecycle to catalog each asset. For physical and software assets this can involve discovery scans that aim to map out a company’s attack surface and provide further insights and threat intelligence for your organization.
The information gathered from these discovery scans can then populate your asset inventory and help guide further plans for prioritization, vulnerability identification, and vulnerability management.
Document Your Management Teams
As part of categorizing assets, record the departments or security teams responsible for maintaining and managing each asset. This information is crucial later in the lifecycle when tasks to address vulnerabilities and improve security are assigned.
Define Your Security Standards
Once each asset has been correctly identified and documented, minimum security standards that each asset must meet should be outlined. These standards can include password requirements, encryption standards, and other security settings appropriate to the category of the asset.
The defined security standards can form part of a “build template”, which details how all new hardware or software should be configured before being used as part of the business. These configuration options can also be added to some security tests as a compliance requirement to be met.
The types of security tests can also be outlined for each asset category, describing how each asset will be tested, how often it should be tested, and how its security vulnerabilities will be monitored over time.
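The build template described above can be made machine-checkable. The following is an added example, not code from the original article: a per-category template of minimum standards is compared against each catalogued asset's recorded configuration, and every standard the asset fails is reported. The categories, attribute names, thresholds and asset records are constructed sample data; your own standards and inventory fields would replace them.

```python
"""Minimum-standard ("build template") compliance check for catalogued assets.

Added example, not code from the original article. Template keys, asset
records and thresholds are constructed sample data.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    """One minimum standard: compare a configuration attribute to an expected value."""
    attribute: str
    expected: Any
    check: Callable[[Any, Any], bool]   # check(actual, expected) -> True when compliant
    description: str


def at_least(actual, expected):   # numeric minimum, e.g. password length
    return actual is not None and actual >= expected

def at_most(actual, expected):    # numeric maximum, e.g. screen-lock timeout
    return actual is not None and actual <= expected

def must_equal(actual, expected): # exact requirement, e.g. disk encryption enabled
    return actual == expected

def subset_of(actual, expected):  # allow-list, e.g. permitted TLS versions
    return actual is not None and set(actual) <= set(expected)


# Constructed build templates, one per asset category (hypothetical values).
BUILD_TEMPLATES = {
    "server": [
        Rule("min_password_length", 14, at_least, "password length >= 14"),
        Rule("disk_encryption", True, must_equal, "full-disk encryption enabled"),
        Rule("tls_versions", ["TLSv1.2", "TLSv1.3"], subset_of, "only TLS 1.2/1.3 offered"),
        Rule("mfa_for_admins", True, must_equal, "MFA required for administrative access"),
    ],
    "workstation": [
        Rule("min_password_length", 12, at_least, "password length >= 12"),
        Rule("disk_encryption", True, must_equal, "full-disk encryption enabled"),
        Rule("screen_lock_minutes", 15, at_most, "screen lock within 15 minutes"),
    ],
}


def check_asset(asset: dict) -> list:
    """Return the template rules an asset fails; an empty list means compliant.

    An asset whose category has no template is itself reported, so gaps in
    the standards show up alongside gaps in configuration.
    """
    category = asset["category"]
    if category not in BUILD_TEMPLATES:
        return [f"no build template defined for category '{category}'"]
    config = asset.get("config", {})
    failures = []
    for rule in BUILD_TEMPLATES[category]:
        actual = config.get(rule.attribute)   # None when the attribute was never recorded
        if not rule.check(actual, rule.expected):
            failures.append(f"{rule.description} (found {actual!r})")
    return failures


def compliance_report(assets) -> dict:
    """Map each asset id to its list of failed standards."""
    return {a["id"]: check_asset(a) for a in assets}


# Constructed inventory records (not real systems).
SAMPLE_ASSETS = [
    {"id": "srv-01", "category": "server", "owner": "Platform Team",
     "config": {"min_password_length": 16, "disk_encryption": True,
                "tls_versions": ["TLSv1.2", "TLSv1.3"], "mfa_for_admins": True}},
    {"id": "srv-02", "category": "server", "owner": "Platform Team",
     "config": {"min_password_length": 8, "disk_encryption": True,
                "tls_versions": ["TLSv1.0", "TLSv1.2"], "mfa_for_admins": False}},
    {"id": "ws-07", "category": "workstation", "owner": "IT Support",
     "config": {"min_password_length": 12, "disk_encryption": False,
                "screen_lock_minutes": 10}},
    {"id": "printer-03", "category": "printer", "owner": "Facilities", "config": {}},
]


if __name__ == "__main__":
    for asset_id, failures in compliance_report(SAMPLE_ASSETS).items():
        print(f"{asset_id}: {'COMPLIANT' if not failures else str(len(failures)) + ' failure(s)'}")
        for failure in failures:
            print(f"    - {failure}")
```

Because each rule carries its own comparison function, a new standard is a one-line addition to the template rather than a change to the checking logic, and the same output can be attached to a scan as the compliance requirement the article mentions.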
2. Prioritizing Your Asset Inventory
Your assets will have their own level of criticality or prioritization which will depend upon their use within the business.
For each asset, you should consider if the asset provides a critical business service that would impact business continuity if interrupted, or if sensitive business information is involved with its routine operations, which cannot be compromised.
Additionally, consideration should be given to whether the asset can be accessed directly over the internet or whether access is more restricted. This will also help inform your decision-making process when identifying and prioritizing vulnerabilities.
For assets such as people and accounts, you can consider the level of access they have to equipment, information, locations, and the criticality of their role within the business, also considering the impact of compromise or interruption to this role.
Asset Priority Categories
To prioritize assets, group them into levels that provide further context when vulnerabilities are later evaluated and prioritized. For example, one of the following categories can be assigned to each asset:
- Critical. Provides essential business functionality. Stores and processes sensitive business data. Disruption will have immediate detrimental impacts on the business as a whole.
- High. Provides important business functions. Stores and processes some data of a sensitive nature. Disruption will have notable detrimental impacts on business departments.
- Medium. Provides useful business functions. Processes business data which can be sensitive in nature. Disruption will have some functional impacts on certain users within the business.
- Low. Provides non-essential business functions. Processes no sensitive data. Disruption will have minimal impacts on the business.
3. Assess And Identify Vulnerabilities
There can be several methods and processes used to find vulnerabilities within your recorded assets as part of your vulnerability management lifecycle:
- Where you have patch management solutions in place, they can produce a detailed list of missing patches, each of which often addresses a series of vulnerabilities that affect your systems.
- Automated tools such as vulnerability scanners can be used to carry out vulnerability assessments and report the security posture of your devices and software to identify known vulnerabilities and security weaknesses.
- A security audit could highlight your risk exposure as well as potential security risks and critical vulnerabilities that face your people, systems, and information.
- A penetration test can be useful for reviewing your organization’s security posture and identifying vulnerabilities within a specific asset category.
- Phishing tests can also be useful for reviewing a potential risk against your staff, the security controls in place for your email system, and the potential threat of human error.
The different types of security testing and their uses are covered in more detail in Types of Test and Planning.
Your various assets will require various types of security testing to be conducted to develop a more complete picture of the different threats that may impact your business, and produce more effective vulnerability management practices.
It is also likely that the testing process will be completed in stages rather than completing all types of testing at the same time. Your asset prioritization stage can help guide your decision-making with the types of tests to conduct first, with a focus on critical business assets.
4. Verify Your Vulnerability Results
An important step when identifying vulnerabilities is to verify them. False positives are common, particularly with vulnerability scanning tools: the tool reports a vulnerability that does not actually exist.
Repeating the vulnerability scan may sometimes be enough to resolve the discrepancy; however, it may be necessary for security professionals to manually review the device and check the patch level or configuration settings that were originally reported.
More serious than a false positive is a false negative, where a vulnerability exists but is not reported by the scanning tools. This can happen for a combination of reasons, and some types of vulnerability are simply outside what scanning tools are designed to identify.
The potential for inaccurate or incomplete results highlights the importance of devising several types of security tests to be conducted against the same types of assets throughout the vulnerability management lifecycle.
While more frequent and continuous testing can be conducted using vulnerability scanning tools, this should be backed up and verified using manual security testing and auditing methods.
5. Prioritize Your Identified Vulnerabilities
Vulnerabilities can be prioritized using multiple factors. A detailed explanation of this process is described here. Vulnerabilities are often categorized using the Common Vulnerability Scoring System (CVSS), which grades a vulnerability from 0 to 10, with:
- 10 to 9.0: Critical impact
- 8.9 to 7.0: High impact
- 6.9 to 4.0: Medium impact
- 3.9 to 0.1: Low impact
- 0.0: No impact
Business Context and Environmental Metrics
You can also use the asset priority information to add further metrics and context to your vulnerabilities with the CVSS environmental metrics. This will refine the CVSS scores to be more specific to your business and help in making more informed decisions.
Attack Chains and Vulnerability Prioritization
Consideration should also be given to potential attack chains when you prioritize vulnerabilities. In an attack chain, multiple vulnerabilities, sometimes of lower criticality individually, can be used in combination to create a more critical business impact.
Although attack chains can be difficult to identify, some modern security scanning tools aim to simulate and visualize these chains, and a penetration test should also help to highlight these threats and provide greater context to your vulnerabilities.
Once you have the vulnerability information for each of your assets you can combine the vulnerability priority with the asset priority to produce an ordered list of vulnerabilities tailored to your business.
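The combination described in this stage, building on the asset priority categories from stage 2, can be expressed as a small scoring routine. The following is an added example and not code from the original article: each finding's CVSS base score is mapped to the qualitative band listed above, then scaled by the asset's priority category and by whether the asset is reachable from the internet (the exposure consideration raised in stage 2), and the findings are ordered by the result. The weights, the exposure factor and the sample findings are this example's own constructed choices; they stand in for the CVSS environmental metrics the article mentions and are not the official CVSS environmental formula.

```python
"""Order vulnerabilities by CVSS band combined with asset priority and exposure.

Added example, not code from the original article. Weights, exposure factors
and sample findings are constructed; this is a simplification, not the CVSS
environmental metric calculation.
"""
from dataclasses import dataclass

# CVSS qualitative bands as listed in the article (lower bound inclusive).
CVSS_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]

# Asset priority categories from stage 2; the weights are this example's own.
ASSET_WEIGHT = {"Critical": 2.0, "High": 1.5, "Medium": 1.0, "Low": 0.5}

# Internet-reachable assets get a modest uplift (example's own factor).
EXPOSURE_FACTOR = {"internet": 1.25, "internal": 1.0}


def cvss_band(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower, label in CVSS_BANDS:
        if score >= lower:
            return label
    return "None"


@dataclass
class Finding:
    asset: str
    asset_priority: str   # one of ASSET_WEIGHT's keys
    exposure: str         # one of EXPOSURE_FACTOR's keys
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float


def business_score(f: Finding) -> float:
    """CVSS base score scaled by asset priority and exposure (example weighting)."""
    return round(f.cvss * ASSET_WEIGHT[f.asset_priority] * EXPOSURE_FACTOR[f.exposure], 1)


def prioritize(findings) -> list:
    """Return findings ordered for remediation, highest business score first.

    Raw CVSS breaks ties, so on the same asset a Critical-band finding never
    ranks below a High-band one.
    """
    return sorted(findings, key=lambda f: (business_score(f), f.cvss), reverse=True)


def report_lines(findings) -> list:
    """One human-readable line per finding, in remediation order."""
    return [
        f"{business_score(f):5.1f}  {cvss_band(f.cvss):8s} (CVSS {f.cvss:4.1f})  "
        f"{f.asset_priority:8s} asset  {f.exposure:8s}  {f.asset}  {f.vuln_id}"
        for f in prioritize(findings)
    ]


# Constructed sample findings; asset names and identifiers are placeholders.
SAMPLE_FINDINGS = [
    Finding("payments-db", "Critical", "internal", "VULN-0001", 6.5),
    Finding("marketing-site", "Low", "internet", "VULN-0002", 9.6),
    Finding("hr-portal", "High", "internet", "VULN-0003", 7.5),
    Finding("dev-wiki", "Medium", "internal", "VULN-0004", 4.0),
    Finding("payments-db", "Critical", "internal", "VULN-0005", 0.0),
]


if __name__ == "__main__":
    for line in report_lines(SAMPLE_FINDINGS):
        print(line)
```

With these sample weights a Medium-band finding on the Critical payments database ranks above a Critical-band finding on a Low-priority marketing site, which is exactly the kind of reordering the article's combination of vulnerability priority and asset priority is meant to produce. Whatever weights you choose, record them alongside the results so that the ordering can be explained in the reports prepared in the next stage.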
6. Reporting Your Vulnerabilities
Once you have identified and categorized the results of a vulnerability assessment, reporting this information to the relevant teams within your organization is a key part of your management lifecycle.
Different reports with varying levels of detail need to be prepared for different teams within your company.
Executive Summary Reports
Your key stakeholders and decision-makers will need to be provided with a summarized overview of the current state of security for the business, with information highlighting the impacts on the organization, including legal, compliance, and financial impacts.
Additionally, plans to address and resolve these risks and impacts should be communicated, as these plans will inevitably require time, resources, and finances to complete.
The benefits of addressing vulnerabilities and improving security should outweigh the risks of inaction and this should be clearly documented within your reports to justify the investment in security.
Detailed Technical Reports
For the different operational and security teams within the business which are assigned to managing assets and their associated vulnerabilities, more technical reports will need to be prepared.
This information should detail the prioritized list of vulnerabilities that impact the assets under their control and include remediation steps or mitigation strategies that will be used to improve the security of the affected assets.
7. Address Your Vulnerabilities
With each of your identified vulnerabilities, the remediation actions you take can be categorized in the following manner, which will be influenced by the asset and vulnerability categorization process.
- Resolve. A critical vulnerability may pose a risk that cannot be ignored, in which case resolution will be the only option, although the impacts this has on other areas of the business should be considered, as the time, resources, or cost to mitigate vulnerabilities may extend beyond one isolated issue.
- Mitigate. Some vulnerabilities may be acknowledged as vital to address, but there may be extenuating circumstances. For example, it may not be possible to update or reconfigure older systems, or addressing an issue in one system may have knock-on impacts within other business-critical systems. Where this is the case, it may be possible to mitigate the risk of the vulnerability by restricting access to the device or by improving security measures in other areas.
- Accept. Where low-risk vulnerabilities are identified, trivial configuration issues are highlighted, or devices are of low importance or already protected by additional layers of security, it may be prudent to grade a vulnerability as an acceptable business risk, because the benefit of resolving the issue does not outweigh the time and resources required to do so.
Document The Remediation Process
As your teams are mitigating vulnerabilities the actions taken should be documented and reported. Those vulnerability items can be reported as “Resolved, Pending Review” and can then be subject to reassessment to confirm that the security issue is no longer present.
The security teams or individuals managing the remediation process for each individual vulnerability can also be recorded, as it can provide further insight into the response times and patterns of your teams and help identify where improvements can be made.
This process helps to track your organization’s progress with security improvements and can demonstrate trends over time for how different assets and departments can quickly and effectively resolve security threats.
8. Verify The Remediation Process
Where vulnerabilities are reported as “Resolved, Pending Review” there should then be a reassessment of the vulnerability to verify that the remediation actions have had the intended effect.
The verification process can be carried out in a similar manner to the original vulnerability tests that were used to identify the issue, but conducted in a more targeted manner with the sole focus of verifying the resolved items rather than conducting a complete security assessment.
Ideally, those resolving security vulnerabilities and those verifying the remediation should have a level of separation from each other to avoid any potential conflicts or misreporting.
As vulnerabilities are confirmed to no longer be present in the affected asset the status of the vulnerability can be changed from “Resolved, Pending Review” to “Resolved, Verified”.
This process can also detail the team, individual, or method used to confirm the vulnerability has been resolved. This information can be combined with the previous data on which teams maintain and manage an asset, who the vulnerability management was assigned to, and who resolved the vulnerability.
This documentation process allows the status and progress of your vulnerability management lifecycle to be tracked over time as tasks and actions are transferred between different teams within your organization and helps to identify potential areas for improvement.
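The tracking described in stages 7 and 8 amounts to a small state machine with an audit trail. The following is an added example, not code from the original article: a vulnerability record moves from an open state to "Resolved, Pending Review" when the remediation team reports a fix, and to "Resolved, Verified" only when a different person re-tests it, which enforces the separation the article recommends; each transition records who acted, for which team, and how. The "Open" start state, the "Reopened" state used when a re-test still finds the issue, and the people, teams and timestamps in the demonstration are this example's own constructed additions.

```python
"""Remediation status tracking with separation of duties and an audit trail.

Added example, not code from the original article. Status names
"Resolved, Pending Review" and "Resolved, Verified" follow the article;
"Open", "Reopened", the actors, teams and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime

OPEN = "Open"
PENDING_REVIEW = "Resolved, Pending Review"
VERIFIED = "Resolved, Verified"
REOPENED = "Reopened"

# Legal transitions; anything else is rejected so the history stays consistent.
ALLOWED = {
    OPEN: {PENDING_REVIEW},
    REOPENED: {PENDING_REVIEW},
    PENDING_REVIEW: {VERIFIED, REOPENED},
    VERIFIED: set(),
}


class TransitionError(Exception):
    """Raised for an illegal status change or a self-verification attempt."""


@dataclass
class Event:
    when: datetime
    status: str
    actor: str
    team: str
    note: str


@dataclass
class VulnerabilityRecord:
    vuln_id: str
    asset: str
    owner_team: str          # team that maintains the asset (from the inventory)
    opened: datetime
    status: str = OPEN
    history: list = field(default_factory=list)

    def _transition(self, new_status, when, actor, team, note):
        if new_status not in ALLOWED[self.status]:
            raise TransitionError(f"{self.vuln_id}: cannot move from '{self.status}' to '{new_status}'")
        self.status = new_status
        self.history.append(Event(when, new_status, actor, team, note))

    def mark_resolved(self, when, actor, team, note):
        """Remediation team reports the fix; the item now awaits independent review."""
        self._transition(PENDING_REVIEW, when, actor, team, note)

    def last_resolver(self):
        """Actor who most recently reported the item as resolved, if any."""
        for event in reversed(self.history):
            if event.status == PENDING_REVIEW:
                return event.actor
        return None

    def verify(self, when, actor, team, method, still_present):
        """Re-test the item. The verifier must not be the person who reported it fixed."""
        if actor == self.last_resolver():
            raise TransitionError(f"{self.vuln_id}: verifier '{actor}' also resolved the item")
        if still_present:
            self._transition(REOPENED, when, actor, team, f"still present on re-test ({method})")
        else:
            self._transition(VERIFIED, when, actor, team, f"confirmed fixed ({method})")

    def time_to_verified(self):
        """Elapsed time from opening to verified closure, or None if not yet verified."""
        if self.status != VERIFIED:
            return None
        return self.history[-1].when - self.opened


def run_demo():
    """Constructed timeline: fix reported, self-verification rejected, re-test fails, fix, verified."""
    rec = VulnerabilityRecord("VULN-0001", "srv-02", "Platform Team", datetime(2024, 4, 1, 9, 0))
    rec.mark_resolved(datetime(2024, 4, 3, 15, 0), "alice", "Platform Team", "applied vendor patch")
    self_verify_rejected = False
    try:
        rec.verify(datetime(2024, 4, 3, 16, 0), "alice", "Platform Team", "manual check", still_present=False)
    except TransitionError:
        self_verify_rejected = True   # the resolver may not sign off on their own work
    rec.verify(datetime(2024, 4, 4, 10, 0), "bob", "Security Team", "targeted re-scan", still_present=True)
    rec.mark_resolved(datetime(2024, 4, 5, 11, 0), "alice", "Platform Team", "patch had not applied to standby node")
    rec.verify(datetime(2024, 4, 6, 9, 0), "bob", "Security Team", "targeted re-scan", still_present=False)
    return rec, self_verify_rejected


if __name__ == "__main__":
    record, rejected = run_demo()
    print(f"{record.vuln_id} on {record.asset}: {record.status} after {record.time_to_verified()}")
    print(f"self-verification rejected: {rejected}")
    for event in record.history:
        print(f"  {event.when:%Y-%m-%d %H:%M}  {event.status:26s} {event.actor}/{event.team}: {event.note}")
```

Because every transition is appended to the history with its actor and team, the same record answers the questions the article raises in stages 7 and 8: who resolved the item, who verified it, which method was used, and how long the asset's owning team took from report to verified closure.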
9. Continue To Monitor Your Assets
As the steps are followed for the vulnerability management lifecycle and issues are resolved, this should not conclude the process but start a new cycle.
Vulnerability management is a continuous process of identification and resolution. Although the types of tests may vary throughout the year and you may rotate the assets you target, the vulnerability management lifecycle has no conclusion.
As of 18th April 2024, over 11 thousand new vulnerabilities have been reported to the National Vulnerability Database so far this year. Within such an evolving threat landscape it is important to maintain a continuous and consistent vulnerability identification process to ensure that newly disclosed vulnerabilities do not impact your systems.
Where vulnerabilities with a Critical rating are disclosed by vendors whose products your company uses, this can also justify a more responsive vulnerability assessment outside of your planned and scheduled vulnerability tests.
Combining scheduled testing with immediate responses to critical threats can ensure that critical vulnerabilities are resolved within the shortest possible timeframe.
10. Continue To Improve Your Process
As with any process, issues, inefficiencies, and opportunities for improvement will likely be identified over time.
The aim of any process that is implemented should be for continuous improvement and optimization, making your organization’s operations as streamlined and painless as possible for your teams to work within.
Your teams should be encouraged to identify areas for improvement. This actively involves them in the development of the vulnerability management framework and promotes participation in the process of securing the company.
To encourage this type of reporting to improve your processes, clearly defined communication methods should be established and made available to your teams. This could be through a ticketing system, messaging service, or dedicated email addresses.
Where issues are reported, it should be clearly communicated that the information has been recorded and considered.
If the reported issues lead to changes and improvements within the process, recognition can be given to the individual or team responsible to further encourage participation in the process and improvement of the vulnerability management solution.
Additionally, where actions cannot be taken to address a suggestion for improvement it can be worthwhile to outline reasons as to why a change cannot be directly implemented and discuss possible ways to work around the suggested change to still provide an improved outcome.
This can prevent the suggestion from appearing to be overlooked or ignored and still encourage participation in the improvement process.
Conclusion
Securing a company is an endless process of continuous vulnerability management. While over time a vulnerability management lifecycle can become more efficient and embedded within a company, building an initial management system can appear daunting and difficult.
To simplify the initial process a range of vulnerability management tools have been developed as described here.
Similar to the overall stages of managing vulnerabilities, setting up your organization’s own system can be tackled one step at a time, starting with simply documenting your assets.
Once this step is complete prioritizing your assets can seem much more straightforward, and the following steps can each be managed one at a time.
Securing your company is an ongoing process and although challenging, it is an achievable objective that becomes easier the sooner you begin.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.