What is vulnerability management?

Today, vulnerabilities and their exploitation are the root cause of most information security breaches. But finding and fixing vulnerabilities is no simple task: sophisticated attacks are occurring with increasing frequency, while skilled security professionals can be hard to come by. That’s why a strong vulnerability management strategy is critical for keeping organizations safe.

So what, exactly, is vulnerability management? And what should you look for in vulnerability management tools? Let’s start by defining some basic terms.

Vulnerability management defined

Vulnerability management, also known as risk-based vulnerability management, plays a key role in reducing an organization’s risk profile and maintaining a healthy security posture. A vulnerability is a hole or weakness in software that a bad actor can exploit to breach or compromise a cloud environment. Vulnerability management, then, is the process of identifying and removing security flaws in that software. When implemented correctly, vulnerability management tools allow organizations to mitigate potential attacks and address security weaknesses and software vulnerabilities before a breach occurs. 

Vulnerability management vs. vulnerability assessment 

The next important thing to understand is vulnerability assessment. While similar, the main difference between the two terms boils down to frequency. Risk-based vulnerability management is considered an ongoing process to manage and measure exposure to known vulnerabilities, whereas a vulnerability assessment is typically a point-in-time evaluation of a host, container, or network. 

While assessments are critical components of security in today’s dynamic cloud environments — particularly when it comes to things like proving security compliance — organizations must implement a continuous vulnerability management process to maintain a comprehensive security practice. Periodic scans aren’t enough on their own; continuous monitoring from build to runtime is important for providing context and actionable insights about a unique environment. It also helps teams watch for exploits, and keep up with new and emerging threats.

What is included in the vulnerability management process?

An effective vulnerability management system typically includes the following core components, each designed to build on the other. Although terminology may vary across companies and vendors, the goal of each stage is largely the same: to reduce overall risk exposure. 

The four steps of the vulnerability management process are:

1. Scan and identify vulnerabilities 
2. Evaluate and prioritize vulnerabilities 
3. Remediate and patch vulnerabilities 
4. Measure, reassess, and report on vulnerabilities 

Scan and identify vulnerabilities

The first step of a vulnerability management process is to identify which assets are considered high value and critical to assess for vulnerabilities throughout your cloud infrastructure. Next is to define each asset that you’d like to assess with your vulnerability management system, choose the right method of scanning for each asset type, and begin scanning your assets.

Evaluate and prioritize vulnerabilities 

Once you’ve identified your vulnerabilities, the next step of a vulnerability management process is to assess the level of impact, exploitability, and risk posture of each asset, so that you can prioritize which vulnerabilities to focus on.

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of software vulnerabilities, and their risk scores provide a good approximation of the relative importance of vulnerabilities. However, it’s important to understand the potential business impact that the affected system can have on your organization itself. One indicator you can use to assess the level of impact is to gauge how many images are affected by a vulnerability. For example, a high-severity vulnerability present on hundreds of running containers should likely be fixed before a critical vulnerability that only shows up in a couple of containers.

With so many vulnerabilities to patch, it’s critical to consider the exploitability of a vulnerability. The key factor for exploitability is to determine whether an asset is exposed to the internet. Your solution should be able to gauge if a workload configuration is exposed to the internet and then factor in internet exposure as part of the risk score. Ideally, this value is available as a filter for prioritization as well. 

Additionally, when thinking about prioritization for containers, you should target the images that are actually deployed in production. By correlating vulnerability risk data with runtime observations, you can better prioritize which vulnerabilities to fix first.

Remediate and patch vulnerabilities

The third step of a vulnerability management process is to take action on the identified vulnerabilities. This can be done via remediation, mitigation, patch management, or not taking action at all.

For high-risk vulnerabilities, remediation typically requires upgrading the vulnerable package in a code repository. Vulnerability mitigation reduces the potential impact of an exploit while the vulnerability remains in your environment. This means that the vulnerable parts of an asset receive security patches because a fix is not yet available or cannot be taken at that time. When the vulnerability poses a low risk or no risk, then it’s possible to take no action at all.

Measure, reassess, and report on vulnerabilities 

Conducting regular assessments is vital to understanding how well your vulnerability management process and patch management process are performing.

The assessment or report summarizes key findings regarding assets, security flaws, and overall risk to the organization. Common KPIs include the measurement of scan coverage and patch turnaround times. For example, scan coverage refers to the percentage of assets that have complete and accurate data available. Patch turnaround times can include the measurement of mean time to detect, mean time to remediate, the rate of issue recurrence, and a look at how these numbers change over time. It is also valuable to measure the weighted rate of risk, which summarizes the identified vulnerabilities and compares them to the criticality of the data connected to those vulnerabilities.

What does a vulnerability management system look like?

A vulnerability management system provides a way for organizations to launch and measure their vulnerability management programs. As the number of attacks continues to rise, so does the number of vendors offering vulnerability management systems. With so many options, what should you look for when choosing a solution for your business?

Here are a few tips to help you choose what works best for the size and complexity of your organization. 

#1: Start with a well-defined policy. It should cover vulnerability rating, strategies for addressing vulnerabilities without a published “fix” available, and the risk mitigation process. Your service-level agreements should be well-documented for all employees engaged in building, running, and fixing images — including developers, admins, and security personnel. 

#2: Collect and correlate data. Organizations need to embrace a solution that delivers continuous protection and real-time visibility without impacting performance. Many vendors offer agentless and agent-based scanning, which combine to provide comprehensive, efficient security from build through runtime. In March 2023, Gartner released a Market Guide on cloud-native application protection platforms (CNAPP) that actually recommends this single platform, agent plus agentless approach when securing cloud applications.

#3: Enforce policy at multiple points. Security and development teams should leverage tools that are continuously integrated and maintain a centralized policy, which they can consistently apply throughout build, registry publication, deployment, and runtime.  

#4: Find a developer-friendly tool. Rather than relying on an external team or process to validate images, look for a solution that enables developers to test their image locally, against company policy, so they know what vulnerabilities need to be fixed. With all the information they need at their fingertips, they will be able to remediate issues quickly. 

#5: Support continuous integration (CI). Select a tool that enables vulnerability scanning integration with CI tools and stages to ensure that you are continually building and testing new code — including container images — against policies, which prevents issues from making their way into a container registry.

Deploy the most up to date and comprehensive source of vulnerability intelligence and public exploits for better coverage against various threats.

Getting started with a vulnerability management system

A vulnerability management system allows security, platform, and development teams to consistently find and fix vulnerabilities that pose the greatest risk to them. Lacework offers risk-based vulnerability management capabilities to validate images at every point in their lifecycle, and to prevent progression if vulnerabilities are detected or if exceptions have not been approved. Also, unlike many other vendors, our CNAPP can tie vulnerabilities to running applications within a single platform, letting you focus on the fixes that really matter.

If you’re interested in learning more about how you can reduce your risk of a security breach while lowering the cost of remediating vulnerabilities, get started with Lacework. Our CNAPP offers data-driven protection from code to cloud, all in a single platform.