5 steps to gain control of vulnerability management for your enterprise

Over the last decade, organizations have significantly scaled up their business processes. They’ve increased the amount of technology they use, the size of their teams spinning up new systems, and the number of assets they have created. However, as businesses themselves have accelerated, their vulnerability management systems have been left in the dust.

Businesses must recognize that vulnerability management is no longer just a problem of “getting your hands around it all.” The sheer number of new vulnerabilities coming into your system each day will always be greater than the number you are able to fix with a hands-on approach.

So, how do you bring better precision to vulnerability management so you can start focusing on the vulnerabilities that matter most? Here are five steps to get you started.

Centralize assets and vulnerabilities in a single inventory

Before your organization can do vulnerability management well, you need a clearer understanding of your assets. The Center for Internet Security lists “inventory and control of enterprise assets” as the very first critical security control in its recommended set of actions for cyber-defense. This is because an organization needs a clear understanding of its assets before it can begin to do vulnerability management well.

To get a complete picture, you need to consolidate your existing asset and vulnerability data, which comes from asset management tools, CMDBs, network scanners, application scanners and cloud tools. And to keep from chasing your tail, don’t forget to de-duplicate and correlate this data so only a single instance of each asset exists. This effort is key to understanding vulnerability risk across an organization.

Identify “crown jewel” or business-critical assets

Not all computer systems in your environment are equally important. A critical vulnerability on a test system sitting under someone’s desk with no production data is far less important than that same vulnerability on your payroll system. So, if you don’t have a list of crown jewels, now would be a great time to start compiling one.

Your incident response team is also incredibly interested in your organization’s crown jewel assets. If you don’t have the list, they might. Plus, if your efforts result in fewer vulnerabilities to exploit on those crown jewel assets, that translates into fewer and lower impact incidents on those business-critical assets.

Enrich vulnerability data with threat intelligence

Every month in 2022, an average of 2,800 new vulnerabilities were disclosed. That means that in order to just hold your ground and ensure your vulnerability backlog didn’t increase, you had to fix 2,800 vulnerabilities every month. If you wanted to make progress, you needed to fix more than that.

The conventional advice is to just fix critical and high-severity vulnerabilities. However, according to Qualys, 51% of vulnerabilities meet those criteria. That means you need to fix 1,428 vulnerabilities every month to hold your ground.

That’s the bad news. The good news is that exploit code exists for approximately 12,000 vulnerabilities, and approximately 9,400 of those are reliable enough that evidence exists someone is using them. You can use a vulnerability intelligence feed to learn which exploit codes are being used and how effective they are. Correlating your vulnerability scans against a quality intelligence feed is key to finding which of those vulnerabilities deserves your long-term attention and which are just flashes in the pan and can wait for another day.

Automate repetitive vulnerability management tasks for scale

Gathering KPIs or other metrics, assigning tickets and tracking evidence of false positives are all examples of repetitive, uninteresting work that a security analyst nevertheless spends 50 to 75% of their workday performing. Thankfully, these are tasks that algorithms can assist with or even completely automate.

What you can’t automate is collaboration. Therefore, split your vulnerability management tasks into two categories to make better use of everyone’s time. Automate repetitive and monotonous tasks, and your analysts can tackle the complex and intricate work that only a human being can do. This will improve not only productivity, but job satisfaction and effectiveness.

Vulnerability management is one of the most difficult practices in information security. Every other security practice has some control over its own outcomes; they perform an action, the action produces a result, and they are evaluated on the results of their own actions.

However, vulnerability management must first influence another team to perform an action. From there, the action produces a result, and the vulnerability management team member is evaluated on the results of someone else’s actions. At its worst, it devolves into handing a spreadsheet to a system administrator with the words, “fix this.” The result is a few vulnerabilities fixed at random.

Effective vulnerability management needs more precision than that. If you can provide asset owners with a short, specific list of vulnerabilities that need to be resolved on specific assets in order of priority, and are also willing to help determine the best fix action for each vulnerability, you will be much more likely to get results you will be happy with.

Nearly all risk exists in just 5% of known vulnerabilities. If you can collaborate on getting that specific 5% fixed, you can change vulnerability management from an impossible dream into an achievement you can be proud of.

David Farquhar is a solutions architect for Nucleus Security.