A vulnerability management program in cyber security: How to build one

Author: Mike Elgan

As businesses grow, so does their attack surface: more network-connected devices drive innovation and efficiency, but with more devices comes more cyber risk. Protecting the ever-expanding attack surface is more important than ever, with high-profile vulnerabilities being exploited more frequently—and with more impact. One of the most effective ways to mitigate cyber risk is to create and maintain a robust vulnerability management program.

What is vulnerability management?

Vulnerability management is the cyclical process of systematically identifying and remediating vulnerabilities. In other words, it's a way to find out in advance where attackers could attack, and stop breaches before they even begin.

A vulnerability in cyber security isn't just a bug in software. It's anything that can enable a malicious actor to gain access to data, software, an endpoint or any organizational resource.

Why a vulnerability management program is important

Vulnerability management enables organizations to address the riskiest vulnerabilities and prevent the financial and reputational costs of data breaches. It can also help provide the groundwork for compliance with whatever regulations apply to your organization's industry.

Shutting down opportunities for malicious actors to attack is far better than picking up the pieces after an attack has occurred.

A management program for vulnerability in cyber security

In principle, a vulnerability management program is a no-brainer. Find what's broken and fix it before cyber criminals find what's broken.

In practice, however, it's not that simple. One of the biggest challenges is the sheer number of vulnerabilities—far too many to manage manually. That's why many parts of the process have to be automated, and why third-party sources of data about vulnerabilities are necessary to help prioritize vulnerabilities based on their actual risk to the organization.

Solutions that specialize in vulnerability management help enormously. A vulnerability scanner examines open ports, software configurations and other factors that could expose a system to malware infections. Scanners can also find vulnerabilities by checking against public vulnerability sources or by fuzz testing.

Another challenge is prioritizing vulnerabilities to be addressed first. In fact, the majority of vulnerabilities don't represent an urgent risk. It's important to identify the most threatening issues and fix them fast before they get exploited by malicious actors. A bonus to prioritized vulnerability management is that it affords fewer network disruptions.

When high-risk vulnerabilities are found, they can be fixed with patching, reconfiguration or even changes in security policy.

Here's one approach to a mature vulnerability management program:

Scan for vulnerabilities

User computers, virtual and physical servers, printers, firewalls, databases and other assets are all potential sources of vulnerability. Because these scans can disrupt the systems they're scanning, it's a good idea to avoid scheduling them during peak business hours. You can also deploy endpoint agents that report continuously between scheduled scans.

Determine vulnerability risks

Thousands of new vulnerabilities are discovered each year, so it's vital to leverage public sources for this information. Use your vulnerability management tools to rate vulnerabilities. These ratings, typically using the Common Vulnerability Scoring System (CVSS), should be based on a combination of factors: whether a vulnerability can be exploited remotely over the internet, whether malicious actors are currently exploiting it elsewhere, whether it represents a risk to the business or its reputation, how hard it is to exploit, and other factors.

Report, act, evaluate

To round out your vulnerability management program, create a report that details found vulnerabilities, how they are prioritized and comprehensive recommendations on what to do about them.

Once you've identified and rated vulnerabilities, address the biggest risks through patching or mitigating through some other means, such as changes in policy.

Evaluate all prior steps in the process, both to make sure mitigations were successful and to establish accountability and transparency in managing vulnerability in cyber security.
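The three steps above (rate, act, evaluate) are easier to reason about with a concrete model. The following is an added example, not Verizon's code or any product's scoring model: it takes scanner findings, adjusts the CVSS base score for the factors named above (internet exposure, active exploitation, business criticality of the asset), assigns a remediation deadline per tier, and produces a report in which a finding only counts as closed once the fix has been verified by a rescan. The asset names, vulnerability ids (labelled PLACEHOLDER, not real CVE entries), scoring weights, SLA values and dates are all constructed for illustration.

```python
"""Constructed example of the rate / report / act / evaluate steps of a
vulnerability management program. Scoring weights, SLA values, asset names,
dates and the PLACEHOLDER vulnerability ids are invented for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    asset: str
    vuln_id: str                  # placeholder id, not a real CVE entry
    cvss_base: float              # CVSS base score, 0.0 to 10.0
    internet_exposed: bool        # exploitable remotely over the internet
    actively_exploited: bool      # reported as exploited in the wild
    asset_criticality: int        # 1 (lab box) to 5 (revenue-critical)
    discovered: date
    remediated: Optional[date] = None
    verified: bool = False        # a rescan confirmed the fix took effect


# Assumed policy: days allowed to remediate, by risk tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f: Finding) -> float:
    """Start from CVSS, then adjust for the contextual factors the text lists.
    The weights are assumptions chosen for illustration."""
    score = f.cvss_base
    if f.internet_exposed:
        score += 1.5
    if f.actively_exploited:
        score += 3.0
    score *= 0.6 + 0.1 * f.asset_criticality   # multiplier from 0.7 to 1.1
    return round(score, 2)


def tier(f: Finding) -> str:
    s = risk_score(f)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[tier(f)])


def is_closed(f: Finding) -> bool:
    # "Evaluate" step: a patch that has not been verified does not close the finding.
    return f.remediated is not None and f.verified


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest contextual risk first: what to fix before anything else."""
    return sorted(findings, key=risk_score, reverse=True)


def report(findings: List[Finding], today: date) -> Dict[str, object]:
    """The 'report' step: open counts per tier, overdue items, items patched
    but awaiting rescan verification, and verified closures."""
    open_by_tier = {t: 0 for t in SLA_DAYS}
    overdue, awaiting_verification, closed = [], [], []
    for f in prioritize(findings):
        if is_closed(f):
            closed.append(f.vuln_id)
            continue
        open_by_tier[tier(f)] += 1
        if f.remediated is not None:
            awaiting_verification.append(f.vuln_id)
        if due_date(f) < today:
            overdue.append(f.vuln_id)
    return {
        "open_by_tier": open_by_tier,
        "overdue": overdue,
        "awaiting_verification": awaiting_verification,
        "closed": closed,
    }


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("web-prod-01", "PLACEHOLDER-1", 7.5, True, True, 5,
            date(2024, 5, 20), remediated=date(2024, 5, 22), verified=True),
    Finding("hr-db-02", "PLACEHOLDER-2", 8.8, False, False, 4, date(2024, 4, 15)),
    Finding("print-lab-07", "PLACEHOLDER-3", 5.3, False, False, 1, date(2024, 5, 1)),
    Finding("vpn-gw-01", "PLACEHOLDER-4", 6.1, True, False, 5,
            date(2024, 5, 10), remediated=date(2024, 5, 30)),
]
TODAY = date(2024, 6, 1)   # constructed reporting date

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.asset:14} {f.vuln_id:14} score={risk_score(f):5} tier={tier(f)}")
    print(report(SAMPLE_FINDINGS, TODAY))
```

Two things the sample data shows that the paragraphs alone do not: a CVSS 7.5 flaw on an internet-facing, actively exploited, business-critical host outranks a CVSS 8.8 flaw on an internal database nobody is exploiting, and the VPN gateway that was patched on 30 May still appears as open (awaiting verification) until a rescan confirms the fix, which is what keeps the evaluate step honest.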

How can a managed services provider help?

A highly effective vulnerability management program is necessary in today's cyber security environment. But many organizations lack the on-staff expertise and even the tools for analyzing vulnerability scans.

That's why it's a great idea to partner with a managed services provider with the experience, knowledge and tools you need to find, identify, prioritize and remediate the cyber security vulnerabilities lurking in your organization.

Learn more about how Verizon can help you build a sustainable vulnerability management program.