A Primer on Vulnerability Management
UltraViolet Cyber
Vulnerabilities are inescapable. Anyone who works in cybersecurity acknowledges that vulnerabilities are flaws in a system’s security that a malicious actor can exploit to gain access to, alter, or harm the information or equipment secured by that system. Vulnerabilities generally fall into four categories: network, system, human, and process.
More important than knowing the types of vulnerabilities is the ability to identify and remediate the most exploitable vulnerability first. Cybersecurity professionals find vulnerabilities through a variety of testing techniques, such as penetration testing and malware analysis, or by running exploits against their own systems to test their defenses. This process is not one-and-done; rather, it is ongoing and requires constant vigilance through vulnerability management (VM).
VM is an essential component of cybersecurity aimed at identifying, prioritizing, and mitigating security vulnerabilities in an organization's systems, applications, and network infrastructure. It involves a structured approach to discovering, evaluating, and addressing security weaknesses before they can be exploited by malicious actors. By understanding the challenges, best practices, and emerging trends in VM, organizations can enhance their security posture and mitigate the risks associated with cyber threats.
A successful VM program focuses on the following:
1 - Accurate Inventory
Essential to the VM process is an accurate inventory of what an organization owns and for what it is responsible. Traditional on-prem or data center environments need to know what they have before they can know what to protect.
System owners typically manage their inventory with a configuration management database (CMDB). Cloud environments and cloud-native scanning tools help to simplify the task of keeping an accurate inventory because they are dynamically aware of the systems an organization owns. The challenge is often not assigning ownership of the inventory, but maintaining it over time: within 90 days an entire infrastructure can change, especially with cloud computing.
2 - Continuous Technical Scans
Technical scanning provides insight into assets within the environment, which can then be attributed to different categories. This is an important step for a comprehensive VM program. The first step is identifying live addresses that are not being scanned, then sorting them into their respective scan categories.
Scan categories include:
Credentialed Scans
Whenever possible, you should conduct credentialed scans, which allow for the most accurate findings. Therefore, working with credential management—maintaining, monitoring, and resolving any failed access—is fundamental to VM success.
Uncredentialed Scans
Uncredentialed scans can serve a purpose when credentialed scans cannot be conducted on certain assets, or when you must enumerate device information on unknown IP addresses. Understanding which assets fall within the uncredentialed scan category is extremely important.
Uncredentialed scans typically last longer than other scans due to their nature, so schedule them appropriately to prevent conflicts.
Scan Configuration and Frequency
Configuring proper asset groups and scanning policies helps ensure success. For scans to complete on schedule with a high success rate, plan their configuration accordingly and organize asset groups in a logical manner that matches up with the corresponding credential set. A subject matter expert familiar with the scanning tool is vital.
Just as important as configuring discovery scans is analyzing their output and evaluating the results against the asset inventory in the CMDB. If scans are not properly configured, their findings can be unreliable and inaccurate. For a more proactive security posture, scanning should occur as frequently as every 24 hours, if possible. This frequency allows teams to quickly remediate vulnerabilities and validate their progress. This validation is especially crucial for federal agencies to remain in compliance with federal mandates.
Exclusions can also be a very important part of the scan configuration, because some assets within a scope are more sensitive to scanning than others. Some devices, such as industrial control systems (ICS), can malfunction, go offline, or otherwise act erratically when subjected to abnormal or even excess traffic. Therefore, it is important to know your purpose when configuring scans and to ensure that the receiving scope of assets is as intended.
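The scan-planning step described above (sorting live addresses into credentialed, uncredentialed and excluded categories, grouping by credential set, and flagging inventory that has gone stale past 90 days), as an added Python example that is not UltraViolet's code; the CMDB records and discovery output are constructed sample data:

```python
from datetime import date, timedelta

# Constructed CMDB export (sample data, not a real inventory).
CMDB = [
    {"ip": "10.0.1.10", "host": "web01", "cred_set": "linux-ssh",
     "type": "server", "last_seen": date(2024, 5, 1)},
    {"ip": "10.0.1.11", "host": "ad01", "cred_set": "windows-domain",
     "type": "server", "last_seen": date(2024, 5, 2)},
    {"ip": "10.0.9.5", "host": "plc-line3", "cred_set": None,
     "type": "ics", "last_seen": date(2024, 4, 30)},
    {"ip": "10.0.1.50", "host": "old-app", "cred_set": "linux-ssh",
     "type": "server", "last_seen": date(2024, 1, 15)},
]
# Constructed discovery-scan output: addresses that answered on the network.
LIVE = ["10.0.1.10", "10.0.1.11", "10.0.1.77", "10.0.9.5"]

STALE_AFTER = timedelta(days=90)   # the 90-day drift window from the text
TODAY = date(2024, 5, 3)           # fixed date so the example is reproducible


def build_scan_plan(cmdb, live, today=TODAY):
    """Sort live addresses into scan categories and flag CMDB drift."""
    by_ip = {a["ip"]: a for a in cmdb}
    plan = {"credentialed": {}, "uncredentialed": [], "excluded": [], "stale": []}
    for ip in live:
        asset = by_ip.get(ip)
        if asset is None:
            # Live on the network but unknown to the CMDB: enumerate without creds
            plan["uncredentialed"].append(ip)
        elif asset["type"] == "ics":
            # Fragile devices are kept out of active scan scope
            plan["excluded"].append(ip)
        elif asset["cred_set"]:
            # Asset group keyed by the credential set the scanner will use
            plan["credentialed"].setdefault(asset["cred_set"], []).append(ip)
        else:
            plan["uncredentialed"].append(ip)
    for asset in cmdb:
        # Inventory entries nobody has seen in 90 days need an owner review
        if today - asset["last_seen"] > STALE_AFTER:
            plan["stale"].append(asset["host"])
    return plan
```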
3 - Vulnerability reporting and remediation assignment
For many cybersecurity professionals, correctly reporting vulnerabilities and assigning remediation to the proper system groups or stakeholders remains a challenge. If an organization improperly handles this stage of the cycle, vulnerabilities fall through the cracks and go unnoticed or unresolved, which results in significant security gaps within the environment.
Integration with a security information and event management (SIEM) tool for data aggregation and normalization is important for accurately reporting and assigning vulnerability findings to the proper stakeholders. A SIEM tool can combine CMDB information with an inventory list of responsible stakeholders, which is why an effective CMDB is paramount. This integration enriches machine data with an organization’s institutional data, providing more context for enhanced reporting. Correctly configured integration can result in the most effective assignment of remediation actions.
SIEM tools can also assist in linking machine data with various sources to provide actionable context for every finding. For example, agencies within the US federal government are mandated to comply with CISA’s Known Exploited Vulnerabilities (KEV) Catalog. UltraViolet has developed dashboards that link vulnerability scans with this catalog, removing the need for human intervention in the process. This automation saves countless hours and allows an analyst to be more proactive when it comes to known exploits.
A SIEM tool can also assist in accurately tracking false-positive requests and approvals, plans of action and milestones (POAMs), and risk acceptance (RA) items. Tracking and monitoring an organization’s approved false positives is an important part of the VM process; many times, approved false positives drop from active reports. A false positive that is incorrectly approved can also increase an organization’s risk posture. True vulnerabilities that can’t be fixed must be tracked with POAMs; the SIEM can correlate which active findings line up with known POAM items.
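The enrichment and assignment logic the three paragraphs above describe (owner lookup from the CMDB, KEV correlation, approved false positives with a validity window, POAM correlation, and a remediation queue per stakeholder), as an added Python example that is not UltraViolet's dashboard code; the findings, CMDB export, KEV list (CVE ids are placeholders, not real entries) and tracking records are all constructed sample data:

```python
from datetime import date

# Constructed scanner findings (sample data; CVE ids are placeholders).
FINDINGS = [
    {"id": 1, "ip": "10.0.1.10", "plugin": "ssl-weak-cipher", "cve": "CVE-0000-0001", "severity": "medium"},
    {"id": 2, "ip": "10.0.1.11", "plugin": "smb-unpatched", "cve": "CVE-0000-0002", "severity": "high"},
    {"id": 3, "ip": "10.0.1.10", "plugin": "legacy-tls", "cve": "CVE-0000-0003", "severity": "high"},
    {"id": 4, "ip": "10.0.2.9", "plugin": "kernel-old", "cve": "CVE-0000-0004", "severity": "critical"},
]
# Constructed CMDB export: responsible stakeholder per asset.
CMDB = {"10.0.1.10": "web-team", "10.0.1.11": "directory-services"}
# Constructed stand-in for the CISA KEV catalog (the real one is a CVE list).
KEV = {"CVE-0000-0002"}
# Constructed tracking records keyed by (ip, plugin): approved FP with expiry, and POAMs.
APPROVED_FP = {("10.0.1.10", "ssl-weak-cipher"): date(2024, 12, 31)}
POAMS = {("10.0.1.10", "legacy-tls"): "POAM-007"}
SEV_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TODAY = date(2024, 5, 3)   # fixed so the example is reproducible


def enrich(findings, cmdb, kev, approved_fp, poams, today=TODAY):
    """Attach owner, KEV flag and tracking state to each finding, then rank."""
    out = []
    for f in findings:
        key = (f["ip"], f["plugin"])
        fp_until = approved_fp.get(key)
        rec = dict(f)
        rec["owner"] = cmdb.get(f["ip"], "UNASSIGNED")   # a CMDB gap surfaces here
        rec["kev"] = f["cve"] in kev
        if fp_until and fp_until >= today:
            rec["state"] = "false-positive"   # approved and still inside its window
        elif key in poams:
            rec["state"] = "poam:" + poams[key]
        else:
            rec["state"] = "open"
        out.append(rec)
    # Open items first, KEV entries ahead of the rest, then by severity
    out.sort(key=lambda r: (r["state"] != "open", not r["kev"], SEV_RANK[r["severity"]]))
    return out


def remediation_queue(enriched):
    """Open findings grouped by the stakeholder who must remediate them."""
    queue = {}
    for r in enriched:
        if r["state"] == "open":
            queue.setdefault(r["owner"], []).append(r["id"])
    return queue
```

An expired false-positive approval falls back to "open", so a finding that was suppressed does not silently stay out of the report.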
UltraViolet offers a range of services to help organizations enhance their cybersecurity posture. UltraViolet’s Continuous Threat Exposure Management (CTEM) offering provides vulnerability management services for large and small commercial and federal customers.
Benefits and Outcomes
Our comprehensive security solution offers continuous scanning of 100% of the IT infrastructure, ensuring thorough monitoring and protection. Certified security experts meticulously review scan results to identify false positives and prioritize threats effectively. They provide executive reports tailored to specific needs, emphasizing prioritized remediation actions. Additionally, our service includes validation of scan definitions and completion, alongside ongoing verification to confirm that known vulnerabilities have been remediated. To further enhance security management, we provide both automated and custom reports, pinpointing critical findings and offering targeted recommendations for improvement.
CTEM helps your organization achieve compliance standards through periodic or continuous vulnerability assessment scanning. We conduct scans within containers, IoT devices, OT systems, web applications, and more. Utilizing the integrated UltraViolet Cyber platform, we offer asset prioritization to enhance security focus. This approach reduces false positives and provides more accurate vulnerability insights, tracked and trended over time for comprehensive security management.