A Primer on Vulnerability Management

What are Vulnerabilities?

Vulnerabilities are inescapable. Anyone who works in cybersecurity acknowledges that vulnerabilities are flaws in a system's security that a malicious actor can exploit to gain access to, alter, or harm the information or equipment that system protects. Vulnerabilities generally fall into four categories: network, system, human, and process.

  • Network vulnerabilities are weaknesses in a network's hardware or software that could allow a malicious actor to infiltrate it. Examples include insecure Wi-Fi access points and poorly configured firewalls.
  • System vulnerabilities are flaws in an operating system (OS) that attackers exploit to gain access to, or harm, the asset on which the OS is installed. Examples include default superuser accounts found in various operating systems and hidden backdoor programs.
  • Human vulnerabilities refer to team members, who are the weakest link in many cybersecurity architectures. Human error is understandable, but such errors can easily expose sensitive data or create exploitable access points.
  • Process vulnerabilities result from specific process controls, or rather the lack of them. One example is the use of weak passwords, which may also fall under human vulnerabilities.

Vulnerability Management Program


More important than knowing the types of vulnerabilities is the ability to identify and remediate the most exploitable vulnerability first. Cybersecurity professionals find vulnerabilities using various software testing tools and techniques, such as penetration testing and malware analysis, or by using exploits against their own systems to test their defenses. This process is not one-and-done; rather, it is ongoing and requires constant vigilance through vulnerability management (VM).

VM is an essential component of cybersecurity aimed at identifying, prioritizing, and mitigating security vulnerabilities in an organization's systems, applications, and network infrastructure. It involves a structured approach to discovering, evaluating, and addressing security weaknesses before they can be exploited by malicious actors. By understanding the challenges, best practices, and emerging trends in VM, organizations can enhance their security posture and mitigate the risks associated with cyber threats.

A successful VM program focuses on the following:

  1. Compiling an accurate inventory.
  2. Running continuous technical scans on an established schedule.
  3. Configuring vulnerability reporting and assigning remediation actions.

1 - Accurate Inventory

Essential to the VM process is an accurate inventory of what an organization owns and for what it is responsible. Traditional on-prem or data center environments need to know what they have before they can know what to protect. 

System owners typically manage their inventory with a configuration management database (CMDB). Cloud environments and cloud-native scanning tools simplify the task of keeping an accurate inventory because they are dynamically aware of the systems an organization owns. The challenge is often not establishing ownership of the inventory but maintaining it: within 90 days an entire infrastructure can change, especially in cloud computing.

2 - Continuous Technical Scans

Technical scanning provides insight into the assets within the environment, which can then be attributed to different scan categories. This is an important step for a comprehensive VM program. The first step is identifying live addresses that are not being scanned, then sorting them into their respective scan categories.

Scan categories include:

  • Credentialed scans, such as scans of Windows or Linux servers and workstations.
  • Uncredentialed scans, such as scans of appliances of any sort.
  • Compliance scans for validation against governance regulations.
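The inventory and coverage steps above (an accurate CMDB, discovery of live addresses that no scan targets, and sorting each into a scan category) can be reduced to a set comparison. The following is an added example, not code from the original post or from any scanning product: the CMDB records, discovery output, scheduled-target list and the asset-type-to-category mapping are all constructed for the example, and the schema is a hypothetical one.

```python
import ipaddress

# Constructed CMDB records (hypothetical schema: ip, hostname, asset_type, owner).
CMDB = [
    {"ip": "10.0.1.10", "hostname": "web01", "asset_type": "linux_server", "owner": "web-team"},
    {"ip": "10.0.1.11", "hostname": "dc01", "asset_type": "windows_server", "owner": "ad-team"},
    {"ip": "10.0.1.12", "hostname": "ws01", "asset_type": "workstation", "owner": "desktop-team"},
    {"ip": "10.0.2.5", "hostname": "fw-edge", "asset_type": "appliance", "owner": "netops"},
    {"ip": "10.0.3.7", "hostname": "old-db", "asset_type": "linux_server", "owner": "dba"},
]

# Constructed discovery-scan output: addresses that responded during the sweep.
# Discovery output is rarely clean, so one junk entry is included on purpose.
DISCOVERED_LIVE = [
    "10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.5", "10.0.2.9", "10.0.4.20", "not-an-ip",
]

# Constructed set of addresses already covered by a scheduled scan job.
SCHEDULED_TARGETS = {"10.0.1.10", "10.0.1.11"}

# Assumed mapping from CMDB asset type to the scan category it belongs in.
CATEGORY_BY_TYPE = {
    "linux_server": "credentialed",
    "windows_server": "credentialed",
    "workstation": "credentialed",
    "appliance": "uncredentialed",
}


def valid_addresses(addresses):
    """Keep only syntactically valid IP addresses and drop discovery noise."""
    out = set()
    for a in addresses:
        try:
            out.add(str(ipaddress.ip_address(a)))
        except ValueError:
            continue
    return out


def reconcile(cmdb, discovered, scheduled):
    """Compare inventory, discovery results and scan coverage.

    Returns the three gaps a VM team has to act on:
      unknown_live  - responding hosts with no CMDB record (inventory gap)
      stale_records - CMDB records that no longer respond (inventory drift)
      unscanned     - responding hosts that no scan job targets, with the
                      category each one should be sorted into (coverage gap)
    """
    cmdb_by_ip = {r["ip"]: r for r in cmdb}
    live = valid_addresses(discovered)
    by_ip = ipaddress.ip_address  # sort numerically, not lexicographically
    unknown_live = sorted(live - set(cmdb_by_ip), key=by_ip)
    stale_records = sorted(set(cmdb_by_ip) - live, key=by_ip)
    unscanned = {}
    for ip in sorted(live - set(scheduled), key=by_ip):
        rec = cmdb_by_ip.get(ip)
        if rec is None:
            # No inventory record yet: enumerate it uncredentialed first, then onboard it.
            unscanned[ip] = "uncredentialed"
        else:
            unscanned[ip] = CATEGORY_BY_TYPE.get(rec["asset_type"], "uncredentialed")
    return {"unknown_live": unknown_live, "stale_records": stale_records, "unscanned": unscanned}


if __name__ == "__main__":
    report = reconcile(CMDB, DISCOVERED_LIVE, SCHEDULED_TARGETS)
    for section, value in report.items():
        print(f"{section}: {value}")
```

Run against the constructed data, the report lists two live addresses the CMDB has never heard of, one CMDB record that no longer answers, and four live hosts that no scan job covers, with the workstation routed to the credentialed category and the appliance and unknown devices to the uncredentialed one.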

Credentialed Scans

Whenever possible, you should conduct credentialed scans, which allow for the most accurate findings. Therefore, working with credential management—maintaining, monitoring, and resolving any failed access—is fundamental to VM success.

  • To avoid potential account lockouts, organize asset groups in a logical manner in a CMDB that matches up with the corresponding user credentials.
  • Credentialed vulnerability scans are only as accurate as the plugin set loaded into a platform like Tenable, so keep those plugins up to date.
  • Check the scans for accuracy by reviewing them for errors such as credential failures and missing permissions. This practice reduces the amount of time wasted on incomplete results.
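The three checks above (credential sets that could trigger lockouts, plugin freshness, and hosts whose results are incomplete because the login failed or lacked permissions) are the kind of review that should run after every credentialed scan. The block below is an added example rather than code from the original post or from any scanner vendor; the per-host result summaries, the credential-set names and the plugin feed date are constructed, and the record schema is hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed per-host scan result summaries (hypothetical schema). "auth" is the
# outcome of the credentialed login attempt; "findings" is the number of plugins
# that reported results, which drops sharply when authentication does not succeed.
SCAN_RESULTS = [
    {"host": "web01", "cred_set": "linux-svc", "auth": "ok", "findings": 37},
    {"host": "web02", "cred_set": "linux-svc", "auth": "ok", "findings": 41},
    {"host": "dc01", "cred_set": "win-svc", "auth": "failed", "findings": 3},
    {"host": "fs01", "cred_set": "win-svc", "auth": "failed", "findings": 2},
    {"host": "app03", "cred_set": "linux-app", "auth": "insufficient_privileges", "findings": 12},
    {"host": "app04", "cred_set": "linux-app", "auth": "ok", "findings": 33},
]

# Constructed date of the plugin feed currently loaded in the scanner.
PLUGIN_FEED_DATE = date(2024, 5, 1)


def audit_credentialed_scan(results, feed_date, today, max_feed_age_days=7, lockout_threshold=0.5):
    """Flag the conditions that make credentialed results unreliable.

    incomplete_hosts  - hosts whose credentialed login did not fully succeed;
                        their findings are uncredentialed-quality at best
    suspect_cred_sets - credential sets that failed outright on at least
                        `lockout_threshold` of their hosts; a wrong or expired
                        password is likely, and retrying it on every scan is how
                        service accounts get locked out
    plugin_feed_stale - True when the loaded plugin set is older than allowed
    """
    incomplete = sorted(r["host"] for r in results if r["auth"] != "ok")

    attempts = defaultdict(int)
    failures = defaultdict(int)
    for r in results:
        attempts[r["cred_set"]] += 1
        if r["auth"] == "failed":
            failures[r["cred_set"]] += 1
    suspect = sorted(
        cs for cs in attempts if failures[cs] / attempts[cs] >= lockout_threshold
    )

    feed_age = (today - feed_date).days
    return {
        "incomplete_hosts": incomplete,
        "suspect_cred_sets": suspect,
        "plugin_feed_stale": feed_age > max_feed_age_days,
        "plugin_feed_age_days": feed_age,
    }


if __name__ == "__main__":
    print(audit_credentialed_scan(SCAN_RESULTS, PLUGIN_FEED_DATE, date(2024, 5, 20)))
```

Permission problems are counted as incomplete results but not as lockout risk: the login worked, so the fix is a privilege change rather than a credential rotation, which is why the two conditions are reported separately.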

Uncredentialed Scans

Uncredentialed scans can serve a purpose when credentialed scans cannot be conducted on certain assets, or when you must enumerate device information on unknown IP addresses. Understanding which assets fall within the uncredentialed scan category is extremely important. 

Uncredentialed scans typically last longer than other scans due to their nature, so schedule them appropriately to prevent conflicts.

Scan Configuration and Frequency

Configuring proper asset groups and scanning policies helps ensure success. For scans to complete on schedule with a high success rate, plan their configuration accordingly and organize asset groups in a logical manner that matches up with the corresponding credential set. A subject matter expert familiar with the scanning tool is vital.

Just as important as configuring discovery scans is analyzing their output and evaluating the results against the asset inventory in the CMDB. If scans are not properly configured, their findings can be unreliable and inaccurate. For a more proactive security posture, scanning should occur as frequently as every 24 hours, if possible. This frequency allows teams to quickly remediate vulnerabilities and validate their progress. This validation is especially crucial for federal agencies to remain in compliance with federal mandates.

Exclusions can also be a very important part of scan configuration: some assets within a scope are more sensitive to scanning than others. Some devices, such as industrial control systems (ICS), can malfunction, go offline, or otherwise act erratically when subjected to abnormal or even excess traffic. Therefore, it is important to know your purpose when configuring scans and to ensure that the receiving scope of assets is as intended.
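Two of the configuration concerns in this section lend themselves to a check that runs before a scan job is saved: carving exclusion ranges (such as ICS subnets) out of an asset group's CIDRs and verifying that nothing excluded remains in scope, and checking that the longer uncredentialed jobs described earlier do not overlap other scan windows. The example below is added here and is not code from the original post or from any scanner; the asset groups, the exclusion list and the job schedule are constructed, and the job schema is hypothetical.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed asset groups in CMDB style: group name -> CIDRs it owns.
ASSET_GROUPS = {
    "corp-servers": ["10.0.1.0/24"],
    "plant-network": ["10.10.0.0/16"],
}

# Constructed exclusion list: ICS/PLC ranges that must never receive scan traffic.
EXCLUSIONS = ["10.10.5.0/24", "10.10.6.12/32"]

# Constructed scan schedule (hypothetical schema). Uncredentialed jobs get a longer window.
SCAN_JOBS = [
    {"name": "corp-servers-cred", "group": "corp-servers", "start": "2024-05-20T01:00", "hours": 2},
    {"name": "plant-uncred", "group": "plant-network", "start": "2024-05-20T02:00", "hours": 6},
    {"name": "corp-compliance", "group": "corp-servers", "start": "2024-05-20T09:00", "hours": 1},
]


def expand_targets(cidrs, exclusions):
    """Return the networks to scan: the group's CIDRs with every exclusion carved out."""
    excluded = [ipaddress.ip_network(e) for e in exclusions]
    targets = []
    for cidr in cidrs:
        remaining = [ipaddress.ip_network(cidr)]
        for ex in excluded:
            carved = []
            for net in remaining:
                if net.subnet_of(ex):
                    continue                                   # whole range is excluded
                if ex.subnet_of(net):
                    carved.extend(net.address_exclude(ex))     # split around the exclusion
                else:
                    carved.append(net)                         # disjoint, keep as is
            remaining = carved
        targets.extend(remaining)
    return sorted(targets)


def covers(targets, address):
    """True if an address falls inside any target network; used to verify exclusions."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in targets)


def find_conflicts(jobs):
    """Return name pairs of scan jobs whose time windows overlap."""
    spans = []
    for job in jobs:
        start = datetime.fromisoformat(job["start"])
        spans.append((job["name"], start, start + timedelta(hours=job["hours"])))
    conflicts = []
    for i, (a_name, a_start, a_end) in enumerate(spans):
        for b_name, b_start, b_end in spans[i + 1:]:
            if a_start < b_end and b_start < a_end:
                conflicts.append((a_name, b_name))
    return conflicts


if __name__ == "__main__":
    for group, cidrs in ASSET_GROUPS.items():
        nets = expand_targets(cidrs, EXCLUSIONS)
        print(group, [str(n) for n in nets], "addresses:", sum(n.num_addresses for n in nets))
    print("schedule conflicts:", find_conflicts(SCAN_JOBS))
```

The carve-out relies on the fact that two CIDR blocks are either nested or disjoint, so each exclusion either removes a target block entirely, splits it with `address_exclude`, or leaves it alone; the `covers` check is the assertion to run on the final target list before the job is saved.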

3 - Vulnerability Reporting and Remediation Assignment

For many cybersecurity professionals, correctly reporting vulnerabilities and assigning remediation to the proper system groups or stakeholders remains a challenge. If an organization improperly handles this stage of the cycle, vulnerabilities fall through the cracks and go unnoticed or unresolved, which results in significant security gaps within the environment. 

Integration with a security information and event management (SIEM) tool for data aggregation and normalization is important for accurately reporting vulnerability findings and assigning them to the proper stakeholders. A SIEM tool can combine CMDB information with an inventory list of responsible stakeholders, which is why an effective CMDB is paramount. This integration enriches machine data with an organization's institutional data, providing more context for enhanced reporting. Correctly configured integration can result in the most effective assignment of remediation actions.

SIEM tools can also link machine data with various sources to provide actionable context for every finding. For example, agencies within the US federal government are mandated to comply with CISA's Known Exploited Vulnerabilities Catalog. UltraViolet has developed dashboards that link vulnerability scans with this catalog, removing the need for human intervention in the process. This automation saves countless hours and allows an analyst to be more proactive when it comes to known exploits.

A SIEM tool can also assist in accurately tracking false-positive requests and approvals, plans of action and milestones (POAMs), and risk acceptance (RA). Tracking and monitoring an organization's approved false positives is an important part of the VM process; many times, approved false positives drop off active reports. A false positive that is incorrectly approved can also increase an organization's risk. True vulnerabilities that can't be fixed must be tracked with POAMs; the SIEM can correlate which active findings line up with known POAM items.
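The enrichment described across the three paragraphs above (joining each finding with its CMDB owner, checking it against the KEV catalog, suppressing approved false positives, correlating POAM items, and surfacing findings that have no owner) is essentially a set of joins and a sort. The block below is an added example and is not the UltraViolet dashboard logic or any SIEM product's code: the findings, owners, KEV stand-in, approved false positives and POAM entries are all constructed, and the CVE identifiers are obvious placeholders rather than real CVE numbers.

```python
# Constructed scanner findings (hypothetical schema). CVE ids are placeholders.
FINDINGS = [
    {"host": "web01", "cve": "CVE-EXAMPLE-0001", "severity": "high"},
    {"host": "web01", "cve": "CVE-EXAMPLE-0002", "severity": "medium"},
    {"host": "dc01", "cve": "CVE-EXAMPLE-0003", "severity": "critical"},
    {"host": "old-db", "cve": "CVE-EXAMPLE-0004", "severity": "high"},
    {"host": "ghost", "cve": "CVE-EXAMPLE-0001", "severity": "high"},
]

# Constructed CMDB ownership data: the institutional context the SIEM joins in.
CMDB_OWNERS = {"web01": "web-team", "dc01": "ad-team", "old-db": "dba"}

# Constructed stand-in for the KEV catalog: CVE ids known to be exploited.
KEV_CATALOG = {"CVE-EXAMPLE-0001"}

# Constructed approved false positives and POAM items, keyed by (host, cve).
APPROVED_FALSE_POSITIVES = {("web01", "CVE-EXAMPLE-0002"), ("dc01", "CVE-EXAMPLE-0009")}
POAMS = {("old-db", "CVE-EXAMPLE-0004"): "POAM-0042"}

SEVERITY_RANK = {"critical": 1, "high": 2, "medium": 3, "low": 4}


def enrich_findings(findings, owners, kev, approved_fp, poams):
    """Join each finding with owner, KEV status, FP approval and POAM tracking.

    Output is sorted so that open KEV-listed findings come first, then the
    remaining open findings by severity; suppressed and POAM-tracked items
    trail the list. A host missing from the CMDB is marked UNASSIGNED rather
    than silently dropped, so nothing falls through the cracks.
    """
    rows = []
    for f in findings:
        key = (f["host"], f["cve"])
        if key in approved_fp:
            status = "suppressed_fp"
        elif key in poams:
            status = f"tracked:{poams[key]}"
        else:
            status = "open"
        in_kev = f["cve"] in kev
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "severity": f["severity"],
            "owner": owners.get(f["host"], "UNASSIGNED"),
            "kev": in_kev,
            # KEV membership outranks any severity score.
            "priority": 0 if in_kev else SEVERITY_RANK.get(f["severity"], 5),
            "status": status,
        })
    rows.sort(key=lambda r: (r["status"] != "open", r["priority"], r["host"], r["cve"]))
    return rows


def stale_false_positives(findings, approved_fp):
    """Approved false positives that no current finding matches: review or retire them."""
    active = {(f["host"], f["cve"]) for f in findings}
    return sorted(approved_fp - active)


def unassigned_hosts(rows):
    """Hosts with open findings but no responsible stakeholder in the CMDB."""
    return sorted({r["host"] for r in rows if r["owner"] == "UNASSIGNED" and r["status"] == "open"})


if __name__ == "__main__":
    rows = enrich_findings(FINDINGS, CMDB_OWNERS, KEV_CATALOG, APPROVED_FALSE_POSITIVES, POAMS)
    for r in rows:
        print(r)
    print("approved FPs no longer reported:", stale_false_positives(FINDINGS, APPROVED_FALSE_POSITIVES))
    print("open findings with no owner:", unassigned_hosts(rows))
```

The `stale_false_positives` report is the safeguard against approved false positives quietly dropping out of view: an approval that no scan still exercises should be reviewed and either retired or kept deliberately, not forgotten.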

UltraViolet VM services

UltraViolet offers a range of services to help organizations enhance their cybersecurity posture. UltraViolet’s Continuous Threat Exposure Management (CTEM) offering provides vulnerability management services for large and small commercial and federal customers.

Continuous Threat Exposure Management (CTEM)

Benefits and Outcomes

Our comprehensive security solution offers continuous scanning of 100% of the IT infrastructure, ensuring thorough monitoring and protection. Certified security experts meticulously review scan results to identify false positives and prioritize threats effectively. They provide executive reports tailored to specific needs, emphasizing prioritized remediation actions. Additionally, our service includes validation of scan definitions and completion, alongside ongoing verification to confirm that known vulnerabilities have been remediated. To further enhance security management, we provide both automated and custom reports, pinpointing critical findings and offering targeted recommendations for improvement.

CTEM helps your organization achieve compliance standards through periodic or continuous vulnerability assessment scanning. We conduct scans within containers, IoT devices, OT systems, web applications, and more. Utilizing the integrated UltraViolet Cyber platform, we offer asset prioritization to enhance security focus. This approach reduces false positives and provides more accurate vulnerability insights, tracked and trended over time for comprehensive security management.
