A Vulnerability Management Primer – Part 1 : Incentive & Scope


Vulnerability Management (VM) is consistently ranked among the top priorities for most information security organizations today. It is no longer an optional initiative for infoSec departments, with security compliance reviews and audits explicitly calling for vulnerability management as a necessary component of enterprise security. SANS lists ‘Vulnerability Assessment and Remediation’ as #4 in its list of Top 20 Critical Security Controls with the NSA assigning it a criticality ranking of ‘Very High’. While these are great reasons to get buy-in from executives, the true goals of a vulnerability management program must be more strategic to have any real impact on enterprise security. Vulnerability management programs must go beyond an audit checkbox and become a real weapon in your InfoSec toolkit for combating intruders and attackers.

In a series of Vulnerability Management Primer posts we are going to attempt to first outline and then detail the crucial aspects that enterprises MUST address to achieve this. Before we get into details about components and functions, let’s first attempt the impossible task of defining the scope for vulnerability management programs. When talking about vulnerability management it’s not uncommon to hear some wide-ranging questions.

Are you not just talking about a network vulnerability scanner?
Shouldn’t it include everything that is on my network?
When it comes to Vulnerability Management is there a difference between a workstation, a laptop, a phone, a printer and a wifi-enabled coffee machine?
What about my Web Application Scanners or DAST tools?
What about my SAST tools?
What about my Penetration Test program?
Where does configuration or firewall management fit in all of this?

In reality, the answers to these questions vary based on factors like program maturity, scale, organization etc. Unfortunately, organizations often take a tool-centric (rather than goal-centric) view to structuring InfoSec, resulting in several distinct programs, disconnected or barely-connected, working towards the same goal but not working together. It is fairly common that vulnerability management refers only to the detection and management of weaknesses that can be exploited by threats to your network assets. This is especially true for smaller organizations or programs that are in early stages of maturity. In its most regressive state, this devolves to just a network scanning tool and manual processes built around it.

Increasingly though, organizations are incorporating additional sources of information and building processes that successfully factor these in. These could be threat intel feeds, vendor bulletins, CMDB systems, HR systems, network traffic/segmentation, or anything else that provides ‘better context to / additional information about’ the data being analyzed. Some mature organizations are also combining their n/w and application security initiatives with the knowledge that, in a lot of cases, the effort to build context and collect intelligence can be successfully applied to security data coming from both of these distinct sets of tools. And then there are organizations that take this one step further and implement security orchestration to build automated response and remediation capabilities into their programs.

For the most part, we are going to stay away from discussions that are only relevant to a particular segment of the wide range of scope discussed above. Successful programs are built around goals and strategies (as opposed to around specific tools) and that is the discussion we want to have here. Whether you are analyzing network or application vulnerabilities, there is tremendous benefit to be had from incorporating other relevant sources of information. Whether you are doing remediation manually or through automatic orchestration you need to be able to define and implement strategies to be successful. In the next blog in the series we will discuss the key challenges vulnerability management programs must pay attention to. No matter where you land on the scope questions above you need a strategy for addressing these.

Read more about the Brinqa Threat & Vulnerability Management here.

Related resources