What is Vulnerability Management?
Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating security risks to keep all systems and assets in a network protected. Those who are responsible for protecting an organization or network typically have a vulnerability management program in place to detect vulnerabilities and utilize different processes to patch or remediate them. A vulnerability, as defined by the International Organization for Standardization (ISO 27002), is “a weakness of an asset or group of assets that can be exploited by one or more threats.”
Vulnerability management is different from vulnerability assessment. While vulnerability management is an ongoing process, vulnerability assessment is a one-time evaluation of a host or network. Vulnerability assessment is part of the vulnerability management process, but not vice versa.
How to Understand Vulnerabilities
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and The National Vulnerability Database (NVD) adds a severity rating for CVSS scores. The CVSS v3.0 scores and associated ratings are as follows:
NVD also provides a regularly updated library of common vulnerabilities and exposures (CVEs), providing the rankings and other associated information (such as vendor, product name, version, etc.). The list of CVEs originate from the MITRE Corporation. MITRE is a not-for-profit organization that began documenting CVEs in 1999. It provides basic information about each vulnerability and is automatically synced with NVD.
The Vulnerability Management Process
There are several stages in the vulnerability management process that vulnerability management programs should adhere to. While there are different ways to define each stage in the cycle, the process is still generally the same, even if the terminology varies.
Gartner’s Vulnerability Management Guidance Framework lays out five “pre-work” steps before the process begins.
Pre-work for a Vulnerability Management Program
This pre-work stage assesses and measures current resources, processes and tools in order to identify gaps.
During the pre-work phase, a security professional should ask questions that can help determine the scope of your program, including:
- Which assets will we measure for vulnerabilities?
- Which assets or hosts are most critical in protecting?
- Who will be managing this program? What roles and responsibilities do they have?
- When a vulnerability is detected, how long will we have to remediate? What policies or service level agreements (SLAs) do we need to define? How often should we assess our assets for vulnerabilities or weak points?
- What tools or software do we need to effectively manage or scan our hosts?
- What list of assets within our asset types do we plan to cover? Or more simply, what is the context of the assets that we wish to manage?
With this information, you can begin the implementing the vulnerability management process.
The Vulnerability Management Cycle
There are five main stages in the vulnerability management cycle.
1. Assess your Assets
Assessment is the first stage of the cycle. In this stage, security analysts should narrow down and define the assets to be assessed for vulnerabilities. The next step is to assess each asset for vulnerabilities, generating a report to determine which assets are at risk and need patching or further investigation and remediation.
There are two common approaches to conducting a vulnerability assessment: using a network-based solution or using an installed sensor, or “agent,”on each asset.
With a legacy, network-based solution, all endpoints are required to be on the network, and a vulnerability assessment tool queries the devices in the network and then conducts a scan. Challenges associated with network-based scans include access issues and limited visibility. If an asset is not connected to the network, the security analyst cannot see what’s at risk. And typically, with legacy, network-based solutions, credentials are required for full visibility. For many organizations, managing the level of credentialing needed to perform a successful vulnerability scan is layered and complex, which can lead to an incomplete picture of which assets are safe and which are not. Additionally, with a traditional vulnerability solution, plug-ins are often added to the tool (sometimes hundreds or thousands of components), and they don’t all “play nicely” with an organization’s existing software. This adds to the length of time it takes to scan a host, and it could even break a functioning environment.
An agent-based assessment requires the use of an installed sensor on individual assets. Today, most agent-based vulnerability scanners require the installation of bulky agents. These agents are typically so large that they weigh down an endpoint extensively, bogging down, reducing or crashing systems as it runs scans.
Due to the significant performance impact of legacy network and agent-based scanning tools, it is often necessary to scan only a portion of the environment at a time, which slows down the assessment process. By taking it slow, or segmenting systems, security teams can avoid connection hang-ups and system crashes. However, this inhibits the goal of checking for vulnerabilities on all relevant hosts in a timely manner and then resolving them.
After scanning, these legacy solutions provide a report — a massive, bulky document that analysts must sift through to determine the right areas to target for remediation. Another challenge with this type of scan and its reporting method is again timeliness. As soon as a report is generated, it’s outdated. New vulnerabilities can then go by undetected for months or longer.
Today, thanks to cloud technologies and a lightweight agent architecture, modern vulnerability management tools (such as Falcon Spotlight™, a vulnerability management solution that’s part of the CrowdStrike Falcon® platform) are able to run continuously. It serves as a scanless solution, allowinga vulnerability management team to see a variety of vulnerabilities immediately because data is housed in the cloud and therefore always available. Because the data is available in real time, scanning is an ongoing, continuous process rather than a single point in time.
Once an assessment has been completed for all assets, the next stage is prioritizing vulnerabilities. (For potential solutions, jump to “Vulnerability Management Solutions: What to Look For.”)
2. Prioritize Vulnerabilities
Once you have gathered data on which assets and systems are potentially weakened or exposed, the real work begins. In this stage of the cycle, the VM team takes three steps to determine the actions of the next stage.
1. Assign value. This is where your pre-work becomes valuable. Since you have already identified which assets are critical, it should be relatively easy to prioritize each asset for investigation.
2.With your prioritized list of assets, you need to gauge the threat exposure of each asset. This requires some investigation and research to determine the level of risk for each one.
3.Add threat context to your report. Communicating with your greater security operations team and using a powerful set of endpoint security tools are invaluable. A deep dive into threat intelligence (both internally gathered and from third-party sources) can dramatically change the level of risk assessed and prioritized in Steps 1 and 2.
The CrowdStrike Falcon platform offers a comprehensive solution to view and assess vulnerabilities via Falcon Spotlight. In addition to vulnerability assessment CrowdStrike Falcon X offers the industry’s only solution that integrates threat intelligence data within the platform. The data is constantly updated by CrowdStrike’s world-class threat hunters, researchers and intelligence experts, who provide highly actionable information about nation-state actors, e-criminal organizations, hacktivist groups and other adversaries, along with their malicious activity, targeted attacks and targeted industries. They connect this information to specific CVEs, providing organizations with immediate data on how to best protect themselves.
What do you do with the information gathered in the prioritization stage? There are three options:
- You can accept the risk of the vulnerable asset to your system. This is a likely option for non-critical assets or systems, and the threat of exposure is very low.
- You can mitigate the vulnerability, or you can develop a strategy or technique to make it difficult or impossible for an attacker to exploit the vulnerability. This doesn’t remove the vulnerability, but the policies or protections you put in place keep your systems safe.
- You can completely remediation the vulnerability. This is the preferred option if the vulnerability is known to be high risk and/or is part of a critical system or asset in your organization. Patch or upgrade the asset before it becomes an entry point for an attack.
Once you have prioritized your vulnerability list and assigned actions based on the level of exposure, it’s time to reassess and check your work. A reassessment will tell you whether the actions you’ve decided on have been successful and if there are new issues around the same assets, allowing you to validate your work, cross those issues off your list and add new ones, if needed. The reassessment stage is also useful for reporting metrics of your team’s ongoing efforts to upper management.
This is the final stage of the vulnerability management cycle. The best vulnerability management programs aim for consistent improvement, shoring up weak defenses, actively working to eliminate underlying issues, reevaluating the pre-work phase and revisiting those first pre-work questions. By regularly examining the entire vulnerability lifecycle and looking for ways to evolve and improve, you can proactively defend against any kind of vulnerability an attacker could use to threaten your organization.
Vulnerability Management Solutions: What to Look For
Managing exposure to known vulnerabilities is the primary responsibility of a vulnerability manager. Although vulnerability management involves more than simply running a scanning tool, a high-quality vulnerability tool or toolset can dramatically improve the implementation and ongoing success of a vulnerability management program.
The market is filled with options and solutions, each claiming leading qualities. When evaluating a vulnerability management solution, keep these things in mind:
Timeliness is important. If a vulnerability management tool fails to detect vulnerabilities in a timely manner, then the tool isn’t very useful and doesn’t contribute to overall protection. This is where network-based scanners often fail. It can take a long time to complete a scan and consume a large portion of your organization’s valuable bandwidth only to produce immediately outdated information. It’s better to choose a solution that relies on a lightweight agent rather than on a network.
Performance impact on an endpoint is key. Increasingly, vulnerability scanning vendors claim to offer agent-based solutions. Unfortunately, most of these agents are so bulky that they dramatically impact an endpoint’s performance. Therefore, when searching for an agent-based tool, look for one with a lightweight agent — one that consumes very little space on an endpoint to minimize any effect on productivity.
Real-time, comprehensive visibility is critical. You should be able to see what’s vulnerable in an instant. Legacy vulnerability tools can hinder visibility — network scans take a long time and provide outdated results, bloated agents slow business productivity, and bulky reports do little to help address vulnerabilities in a timely manner. Scan-less technology such as Falcon Spotlight allows your team to see and interact with data in real time. A single interactive dashboard with search and filter features allow you to act immediately to close potentially dangerous gaps in your organization’s security. Because it is a scan-less solution, it is always running, constantly looking for weaknesses and identifying vulnerabilities.
Less is more. Organizations no longer need a complicated set of security tools and solutions that require personnel with specialized skills. Instead, many now rely on an integrated platform that includes vulnerability management tools along with other security tools for cyber hygiene, endpoint detection and response, device control and more — ultimately protecting your organization from attack due to unprotected systems.
Want to learn more about how CrowdStrike helps effectively view and asses vulnerabilities? Download the Falcon Spotlight data sheet below: