I recently listened to a podcast that highlighted the increasing confusion in our industry resulting from attaching new names to seemingly existing topics. One example I found particularly intriguing was the concept of vulnerability management vs. attack surface management.
The three guests all had differing opinions. The first argued that vulnerability management is a subset of attack surface management, as attack surface management is holistic, accounting for unknown vulnerabilities and unmonitored, unprotected assets.
The second said the two concepts are fundamentally the same but that marketers had introduced the term “attack surface management” because “vulnerability management” had been around for so long it was seen as a legacy technology, while third thought up-and-coming service providers coined the term “attack surface management” to help them break into the saturated vulnerability management market.
Whatever you choose to call it, vulnerability management is a proactive way to reduce the risk of compromise. But the concept goes much deeper than that. So, let's look at vulnerability management more in-depth, exploring its processes, use cases, and some relevant tools Fortra has available.
The Vulnerability Management Process
Vulnerability management has five key stages: discovery, prioritization, resolution, reporting, and re-evaluation. Let’s explore what each stage entails.
Discovery
First, security teams identify and classify all hardware and software assets in an organization's environment, including operating systems, applications, services, and configurations, to create a comprehensive inventory of all deployed assets, configurations, and status.
Prioritization
With the organization’s assets catalogued, security teams must determine which vulnerabilities pose the most risk to prioritize remediation efforts. This practice is also known as Risk Based Vulnerability Management (RBVM). Security teams add context to vulnerabilities by considering factors like severity, exploitability, and asset criticality; correlate these factors using machine learning; and produce a prioritized list of vulnerabilities.
Resolution
Security teams remediate or mitigate vulnerabilities in the resolution stage based on the prioritization efforts. They will:
Apply patches during scheduled patch windows or initiate out-of-cycle patches for critical issues
Make configuration changes such as disabling unnecessary ports or applying compensating controls (updating web application firewall rules, for example)
Decide what risks they can tolerate, especially for non-public-facing systems
Verify that remediation or mitigation efforts have been effective
Reporting
The reporting stage involves documenting and communicating vulnerability management activities and outcomes. Security teams will record the discovered vulnerabilities, the steps taken to address them, and the results of their actions; share their reports with relevant stakeholders; and use reports to track progress over time and identify areas for improvement. These efforts produce a documented history of vulnerability management efforts, shared insights, and a basis for process improvement.
Re-evaluating
Finally, the security team will repeat the process, continuously monitoring and improving it. They will monitor for new vulnerabilities and changes in existing vulnerability risk scores, reassess and reprioritize vulnerabilities as new information becomes available, and address new and evolving threats to create an adaptive and proactive approach to vulnerability management that ensures continuous protection against emerging threats.
Vulnerability Management Use Cases
Vulnerability management has several vital use cases for reducing the risk of cybercriminals compromising an organization. They are:
Patch Management
Patch management is a core tenet of effective vulnerability management. Contrary to what one might expect, cybercriminals are far more likely to exploit old vulnerabilities than new or undiscovered “zero-day” vulnerabilities. In fact, according to Fortra’s research, most ransomware attacks exploit vulnerabilities that are over three years old.
For effective patch management, vulnerability scanners like Fortra VM and Fortra’s Tripwire IP360 discover Common Vulnerabilities and Exposures (CVEs) and assign risk ratings, which security teams then assess for business impact. This added context helps inform and prioritize patching schedules, which is one of the best ways to reduce an organization’s attack surface.
Configuration Management
Cybercriminals commonly exploit insecure configurations. These include weak or default passwords; overly permissive access rights; unnecessarily open ports; and unauthorized network, system, and file changes. Security configuration management tools like Fortra’s Tripwire Enterprise can locate these vulnerabilities, so security teams can address them and harden their organization’s environment.
Software Development
Security teams must identify and address vulnerabilities throughout the software development lifecycle to deliver secure applications. Common vulnerabilities include authentication issues, missing authorization, and misconfiguration tools. Security teams often use tools like Fortra’s BeStorm's Dynamic Application Security Testing (DAST) and fuzzers to identify and address these vulnerabilities.
Offensive Security
Offensive security in the context of vulnerability management helps security teams better understand how vulnerable an organization is and how to protect it by simulating attack campaigns from threat actors. For example, penetration testing (pen testing) tools like Fortra’s Core Impact identify weaknesses in operation systems, services, application flaws, improper configurations, or risky end-user behavior.
Conclusion
Regardless of whether you call it vulnerability management, attack surface management, or something else, this function is critical to maintaining and improving an organization’s security posture as it helps reduce the chances of being compromised. However, as far as I’m concerned, it’s all vulnerability management.
Learn about the five stages of vulnerability management maturity.
Vulnerability management is an essential component of any cybersecurity program. Learn how you can take your vulnerability management to the next level with our paper, The Five Stages of Vulnerability Management Maturity.