Vulnerability management is the process of proactively identifying, tracking, prioritizing, and remediating security weaknesses and flaws in IT systems and software in order to prevent malware outbreaks, data theft, and other impacts of a cyber breach such as reputation or brand damage.
Why Is Vulnerability Management So Important?
At an enterprise IT level, vulnerability management is a complex practice with responsibility over thousands of laptops, servers, and internet-connected devices like printers and routers.
A vulnerability management program is core to preventative security hygiene and is a central component of any cybersecurity strategy.
How It Works
Organizations identify vulnerabilities using commercially available scanners that examine systems and software for known flaws in code, as well as for misconfigurations that cause security weaknesses. Most known vulnerabilities are assigned a unique identifier through the Common Vulnerabilities and Exposures (CVE) program and are catalogued, with severity scores and affected-product data, in the National Vulnerability Database (NVD). Some scanners also report weaknesses that have no CVE entry, such as local misconfigurations or vendor-specific findings.
Vulnerability scans at large organizations can cumulatively identify thousands of security risks on each machine, and millions of vulnerabilities across the entire organization. There are typically more vulnerabilities than an organization has capacity to fix. Our research shows that, on average, companies can only remediate about one in 10 vulnerabilities on their systems. This capacity deficit puts enormous pressure on cybersecurity professionals to prioritize vulnerabilities based on which they perceive to pose the most danger to their organization.
When remediating vulnerabilities, IT teams may have multiple patches from which to choose. IT teams must use their best judgment to select patches that do not introduce new misconfigurations or interoperability conflicts.
Its Success Depends on You
While vulnerability management is a central component of any cybersecurity strategy, organizations vary widely in their success. For example, many organizations rely on outdated models to prioritize vulnerabilities. Outdated models rank vulnerabilities by the damage they could cause if exploited (a severity score alone, for instance), and so push to the top of the queue flaws that, for technical reasons, a threat actor is unlikely ever to target: no working exploit exists, the flaw is not being exploited in the wild, or the affected system is not reachable by an attacker.
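The capacity problem described above (far more findings than a team can fix) and the difference between a severity-only queue and a risk-based one can be made concrete with a small ranking script. The example below is added for this page and is not Kenna Security's code or model; the findings, the weights in `likelihood()`, and the identifiers `F-01` through `F-10` are all constructed for illustration. It ranks the same ten findings two ways and then applies a fixed remediation capacity, so you can see which findings each model would spend the team's effort on.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one host. All fields are constructed sample data."""
    finding_id: str          # synthetic identifier, deliberately not a real CVE ID
    host: str
    cvss_base: float         # 0.0-10.0, the "how bad if exploited" signal
    exploit_public: bool     # a working exploit is publicly available
    exploited_in_wild: bool  # reported as actively exploited
    internet_facing: bool    # reachable from outside the network
    asset_criticality: int   # 1 (disposable) .. 5 (business critical)


# Constructed sample inventory: ten findings, as a scan might report them.
FINDINGS: List[Finding] = [
    Finding("F-01", "lab-01",  9.8, False, False, False, 2),
    Finding("F-02", "web-01",  7.5, True,  True,  True,  5),
    Finding("F-03", "web-02", 10.0, False, False, True,  5),
    Finding("F-04", "api-01",  6.5, True,  False, True,  4),
    Finding("F-05", "kiosk-3", 9.1, False, False, False, 1),
    Finding("F-06", "hr-db",   5.3, True,  True,  False, 3),
    Finding("F-07", "fs-01",   8.8, False, False, False, 3),
    Finding("F-08", "web-03",  4.3, False, False, True,  2),
    Finding("F-09", "erp-01",  9.0, True,  False, False, 5),
    Finding("F-10", "build-1", 7.2, False, False, False, 4),
]


def severity_rank(findings: List[Finding]) -> List[Finding]:
    """The 'outdated' model: order purely by potential damage (CVSS base score)."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def likelihood(f: Finding) -> float:
    """Probability-like estimate that an attacker actually goes after this finding.

    The weights are hypothetical, chosen only to illustrate the idea that
    exploit availability and active exploitation dominate the CVSS number.
    """
    score = 0.1                       # baseline: anything could be exploited eventually
    if f.exploit_public:
        score += 0.4
    if f.exploited_in_wild:
        score += 0.4
    if f.internet_facing:
        score += 0.1
    return min(score, 1.0)


def risk_score(f: Finding) -> float:
    """Risk = likelihood of exploitation x impact, impact scaled by asset value."""
    impact = (f.cvss_base / 10.0) * (f.asset_criticality / 5.0)
    return round(likelihood(f) * impact, 3)


def risk_rank(findings: List[Finding]) -> List[Finding]:
    """Risk-based model: order by likelihood-weighted impact."""
    return sorted(findings, key=risk_score, reverse=True)


def remediation_plan(findings: List[Finding],
                     rank: Callable[[List[Finding]], List[Finding]],
                     capacity_fraction: float = 0.10) -> List[str]:
    """Return the finding IDs a team can actually fix this cycle.

    capacity_fraction=0.10 models the 'one in ten' remediation rate; at least
    one finding is always scheduled so the plan is never empty.
    """
    budget = max(1, round(len(findings) * capacity_fraction))
    return [f.finding_id for f in rank(findings)[:budget]]


if __name__ == "__main__":
    print(f"{'ID':6}{'CVSS':>6}{'risk':>8}  host")
    for f in risk_rank(FINDINGS):
        print(f"{f.finding_id:6}{f.cvss_base:>6}{risk_score(f):>8}  {f.host}")
    print("severity-only plan:", remediation_plan(FINDINGS, severity_rank))
    print("risk-based plan:   ", remediation_plan(FINDINGS, risk_rank))
```

Under the severity-only model the single slot goes to `F-03`, a CVSS 10.0 flaw with no known exploit; the risk-based model spends it on `F-02`, a CVSS 7.5 flaw that is internet-facing, on a critical asset, and already being exploited. Widen the capacity to 20 percent and the two queues still share no entries, which is the point: the choice of model decides where the scarce remediation effort goes.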
That’s why here at Kenna Security we recommend a risk-based approach to vulnerability management over other models. I will tell you more about risk-based vulnerability management in a future post.