
What is Vulnerability Management?


In any kind of system, a vulnerability points to a “state of being exposed to the possibility of attack or harm.” In the age of information, we have – by the very nature of the way we share, store and secure information – opened ourselves up to a tall stack of incidents that come up because of open communication ports, insecure application configurations, and exploitable weaknesses in the system and its environment.

As one might aptly think, vulnerabilities are not as easy to eliminate as viruses. They are systemic issues that arise due to outdated lines of code, human error, malicious actors (intruders), and other factors that can’t readily be “fixed”. 

So IT professionals usually document, consolidate, and report their findings. The severity of the report usually depends on the extent of the vulnerability discovery scan and the number of discovered vulnerabilities. A meeting is usually held soon after, with the cybersecurity professionals and key stakeholders who convey their responses, to discuss the findings and how to move forward with eliminating, mitigating or accepting the risk.

In this atmosphere of uncertainty, where discovered vulnerabilities require different levels of urgency, what does managing them look like? Vulnerability management is a cyclical process of discovering IT assets to identify threats, misconfigurations, and vulnerabilities, and adding them to a vulnerability database categorized by type of vulnerability. Each vulnerability is then assessed to determine its urgency and impact, based on various risk factors.

Since vulnerabilities can affect all types of assets, they are classified according to the asset class they are related to. Here are the various types of vulnerabilities and their causes: 


Hardware

Vulnerabilities in this category arise due to environmental factors such as susceptibility to humidity or dust, unprotected physical storage, age-based wear that causes system failure, and oftentimes, overheating.


Software

Software vulnerabilities arise from erroneous lines of code. Intruders are always on the lookout for buggy software whose flaws they can exploit to attack the system.

These vulnerabilities commonly persist through human inattention: insufficient testing, insecure coding, lack of an audit trail or an inherent design flaw.


Network

Network vulnerabilities usually boil down to unprotected communication lines, caused by a lack of cryptography and insecure network architecture.

These vulnerabilities can be found on various layers of a network. Unsecure wireless access points can be a major vulnerability as they provide the attacker with unmonitored access to the company’s network.


Personnel

IT professionals and the cybersecurity team could be introducing errors or points of failure into the system through inadequate authentication and authorization mechanisms. These personnel shortcomings need to be met with alerts when any irregularities are detected in the network, and with a decision on whether action or investigation should follow.

An inadequate checklist or training could be responsible for misconfigured settings, such as weak-access controls or passwords, lack of security awareness and a potential insider threat.


Physical Site

Physical-site vulnerabilities stem from factors such as the area’s exposure to natural disasters, the most critical and costly of which are floods and earthquakes. Interruptions to the power source are important as well because the battery backup function may only operate for a few minutes.


Organizational

Lack of awareness regarding vulnerability management is the most serious vulnerability risk to the organization. Failure to achieve some degree of cyber-resilience by performing regular audits, setting up continuity plans, prioritizing actions, and fortifying the organization’s security posture is fuel for fire from all the other vulnerability classes.


What is the difference between a Vulnerability and a Threat?

The term vulnerability refers to a soft spot in infrastructure and an outside malicious actor looking to leverage that weakness for attack is the threat, but there’s a lot more to it.

| Vulnerability | Threat |
| --- | --- |
| A vulnerability is a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to succeed. | A threat is usually a new or newly discovered incident that has the potential to harm a system or your company overall. |
| A vulnerability is basically an unprotected / unmonitored point in a system that is weak and can be exploited. | A threat is usually the perpetrator that exploits and attacks a system through one or more of its vulnerabilities. |
| Vulnerabilities can be known or unknown. An effective vulnerability management program is designed to encompass all possible vulnerabilities and their impact to the business. | These threats may be uncontrollable and often difficult or impossible to identify in advance. |
| Example: When a team member resigns and their access to external accounts is not cut off, logins are not updated, or their names still exist on company credit cards, this leaves your business open. | Example: Viruses and other malware are considered threats because they have the ability to cause harm to your organization through exposure to an automated attack, as opposed to one perpetrated by humans. |

Vulnerability Assessment

Before we even get started with implementing Vulnerability Management, a series of vulnerability assessments takes place, in which early and reliable identification of IT weaknesses is used to gather knowledge about how to adopt effective measures for treating the risk and impact.

This process will include tracking and documentation of:

  • Business Operations & Personnel 
  • Technologies & Updates 
  • Policies & Compliances
  • The efforts involved in mitigating new vulnerability risks


Vulnerability management relies heavily on advanced technology to identify vulnerabilities and communicate optimal and timely actions for IT personnel to follow.

According to a recent Forrester Global Security Survey, “49 percent of organizations have suffered one or more breaches in the past year, and software vulnerabilities were the largest factor in those breaches.”

With a prioritized checklist, your IT team can assess the amount of effort they need to put in, as well as monitor those vulnerabilities that have a high probability for attack and apply the required patches.


Vulnerability Management Lifecycle

A vulnerability management program consists of several stages that are built into a management process helping to ensure a tight fit to the system environment. This approach helps ensure that the discovered vulnerabilities are given attention and addressed appropriately.

1. Discover:
All assets across the network must be inventoried and host details including operating system and open services must be gathered to identify vulnerabilities. Develop a baseline for the network and then proceed to making discovery an automated routine. 

2. Prioritize Assets:
Categorize assets into groups of riskiness or by operations, and assign a business value to assets based on how vital they are to your business operation.

3. Assess:
A baseline risk profile can help eliminate risks based on asset criticality, vulnerability threat, and their asset classification.

4. Report:
It’s crucial that we measure the level of business risk associated with the assets found above according to the organization’s security policies. We must establish an official document detailing a security plan: plans for monitoring suspicious activity and descriptions of the known vulnerabilities.

5. Remediate:
Prioritize and attend to vulnerabilities in order of the business risk they pose to the organization and its data.

6. Verify:
Perform follow-up audits to verify that the vulnerabilities have been removed. 
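The sketch below walks the prioritize, assess, remediate and verify stages over a small scan result. It is an added example, not Virima's code: the hostnames, the `VULN-*` identifiers, the 1-5 business-value scale, the `exploited` flag and the scoring formula are all assumptions made for illustration.

```python
"""Constructed example: prioritize, assess, remediate, verify."""
from dataclasses import dataclass

# Stage 2 (Prioritize Assets): business value per asset, 1 (low) to 5 (vital).
# Hostnames, groups and values are constructed sample data.
ASSETS = {
    "pay-db-01": {"group": "payments", "business_value": 5},
    "web-01": {"group": "storefront", "business_value": 4},
    "wiki-01": {"group": "internal", "business_value": 2},
    "lab-07": {"group": "test", "business_value": 1},
}

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str     # placeholder identifiers, not real advisories
    severity: float  # 0.0-10.0 scanner severity (assumed scale)
    exploited: bool  # assumed flag: exploitation already observed

# Stage 1 (Discover) output: constructed scan results.
SCAN = [
    Finding("lab-07", "VULN-A", 9.8, False),
    Finding("pay-db-01", "VULN-B", 6.5, True),
    Finding("web-01", "VULN-A", 9.8, False),
    Finding("wiki-01", "VULN-C", 4.0, False),
    Finding("printer-9", "VULN-D", 7.0, False),  # host missing from inventory
]

def risk_score(finding, assets):
    """Stage 3 (Assess): severity weighted by business value (assumed formula)."""
    asset = assets.get(finding.asset)
    # A host the inventory does not know is a discovery gap, so it is
    # scored at the top business value instead of being dropped.
    value = asset["business_value"] if asset else 5
    score = finding.severity * value
    if finding.exploited:
        score *= 2  # assumed weighting for known exploitation
    return round(score, 1)

def remediation_queue(findings, assets):
    """Stage 5 (Remediate): order findings by business risk, highest first."""
    ranked = sorted(
        findings,
        key=lambda f: (-risk_score(f, assets), f.asset, f.vuln_id),
    )
    return [(f.asset, f.vuln_id, risk_score(f, assets)) for f in ranked]

def verify(before, after):
    """Stage 6 (Verify): compare a follow-up scan with the original one."""
    old = {(f.asset, f.vuln_id) for f in before}
    new = {(f.asset, f.vuln_id) for f in after}
    return {
        "closed": sorted(old - new),
        "still_open": sorted(old & new),
        "new": sorted(new - old),
    }

if __name__ == "__main__":
    for row in remediation_queue(SCAN, ASSETS):
        print(row)
```

The same 9.8-severity finding lands second on the storefront server and fourth on the lab host, while the lower-severity finding on the payments database is queued first.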


Risk Mitigation

Risk mitigation is defined as the process of reducing exposure to risky operations and minimizing the likelihood of an incident. It requires IT personnel to constantly address the organization’s top risks and concerns to ensure your business is fully protected and alert. 

An organization on a risky footing requires controls, and an important objective of IT personnel is to prevent certain risks from materializing. This leads to developing preventive policies and procedures, which is what IT professionals refer to as “risk mitigation”.


Who is responsible for vulnerabilities?


IT Security

The ITSec team deals with cyber intelligence, incident response, incident handling, and threat management operations apart from vulnerability management itself. They help the organization make better and more informed security decisions that protect and defend it from external threats and cyber risks, and they gather the information required to adopt adequate measures.

IT Security teams perform vulnerability assessments and penetration testing to identify and resolve security issues in an organization’s IT networks, infrastructure, applications, and other areas. They also address the issue through patch management or take up preventive measures such as a mitigation plan.

IT Security personnel define the number of participating teams and assign the required team members to conduct vulnerability assessments.


IT Ops 

After a thorough vulnerability analysis and risk assessment has been completed, the IT Ops team goes on ahead and applies most of the mitigation solutions. 

An important point to note: IT Ops is responsible for maintaining an accurate and up-to-date inventory of the configurations of all components and applications in the organization’s IT estate. Usually this information is stored in a Configuration Management Database (CMDB).

That is why it is crucial for there to be an accessible line of communication established between IT Security and Operations for faster response times, efficient security investigations, and improved visibility through improved data integration. 

The main challenge for SecOps and IT Ops is to make the right information about ongoing vulnerability assessment available, followed up with a fast and effective remediation process. This gap is closed only when the right insights are promptly available to appropriate decision-makers.


Conclusion


Why is having a Vulnerability Management program important?

Let’s face it: the digital age means every organization has vulnerabilities. It’s a cost of doing business. These vulnerabilities represent exploitable flaws that could lead to cyberattacks that damage various assets, trigger a denial of service (commonly referred to as a DDoS attack), and/or extract sensitive financial or personal information. Attackers are always on the lookout for such weaknesses, and many vulnerabilities don’t require a sophisticated bad actor to be exploited.

According to data cited in an Infosecurity Magazine survey, among organizations that “suffered a breach, almost 60% were due to an unpatched vulnerability.” In other words, 60% of the breaches could’ve been prevented by having a vulnerability management plan.


How can IT Sec and Ops work together?

The objective of the Security team is to secure and maintain a safeguard over the organization while the Operations team is always hard at work establishing a firm ground for the growth of the business and making it highly available to always provide a stable quality output.

This situation creates a gap between Security and Operations known as the SecOps Gap: Two groups on opposite ends motivated by competing priorities which end up in long lag times to close security vulnerabilities, business-system downtime, excessive labor costs and challenges in meeting regulatory requirements.

Effective vulnerability management includes finding the right mix of technology to help perform vulnerability assessments and produce risk mitigation strategies. Managers and operators from both IT Security and Operations need a clear dashboard that highlights what’s likely to be exploited and what represents the biggest risk so the most urgent flaws can be attended to first.

Vulnerability Management has just gotten out of the shop here at Virima. Our unrivaled Discovery, CMDB and ViVID service mapping provide the foundation to help you quickly identify, prioritize, assign and monitor for vulnerabilities that exist in your vast IT estate. We also generate comprehensive reports that help the IT Sec and IT Ops teams thwart further attacks.

Virima is here to help. Contact us today to discuss your vulnerability management concerns and explore the possibilities with Virima!
