Vulnerability management programs, and the vulnerability management tools that support them, are becoming more important to organizations every year. As the threat landscape shifts faster than ever, organizations have to keep up with newly disclosed vulnerabilities that could affect them, or risk being swept up in the next wave of attacks. Equifax is the standard cautionary tale: it was breached through the Apache Struts vulnerability disclosed in March 2017 (CVE-2017-5638), a flaw for which a patch was already available. Unpatched software and misconfigured systems can have devastating consequences. Vulnerability management tools exist to shorten the time between discovery and remediation and to reduce the risk of attacks that exploit these holes.
What is Vulnerability Management?
Vulnerability management is the process of identifying and managing the vulnerabilities present in an organization's environment. The emphasis belongs on "management": identification is the easy part with today's scanners, and a real vulnerability management program is more than the raw output of a single scanning tool.
The management side is more involved and has to be tailored to the organization. Mature organizations identify vulnerabilities through many channels: public news sources, threat intelligence, vulnerability management tools, penetration test reports, software testing, and so on. They aggregate those findings, de-duplicate them, and rank them by severity and by potential impact on the business. With a well-curated list in hand, each vulnerability can then be tracked through remediation and validated as closed, typically by confirming on a rescan that it is no longer present.
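The aggregate, rank, track and validate loop described above, as an added example that is not part of the original article or any vendor's product. The record layout, host names, asset criticality values and the SLA table are assumptions made for illustration; the sample records are constructed, and apart from CVE-2017-5638 (the Struts flaw the article alludes to) the vulnerability names are descriptive placeholders, not real identifiers.

```python
"""Aggregate vulnerability findings from several sources, de-duplicate and
rank them, and track remediation through to verified closure.
Added example: the record layout, host names and SLA table are assumptions,
not the export format or policy of any particular tool or organization."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample input, standing in for a scanner export, a penetration
# test report and a threat-intel feed. CVE-2017-5638 (the Struts flaw the
# text alludes to) is the only real identifier; the others are descriptive
# placeholders, not real vulnerability IDs.
RAW_FINDINGS = [
    {"source": "scanner", "host": "web01", "vuln": "CVE-2017-5638", "cvss": 10.0, "seen": "2024-01-08"},
    {"source": "pentest", "host": "web01", "vuln": "CVE-2017-5638", "cvss": 9.8, "seen": "2024-01-10"},
    {"source": "scanner", "host": "web01", "vuln": "weak-tls-cipher", "cvss": 5.3, "seen": "2024-01-08"},
    {"source": "scanner", "host": "db01", "vuln": "default-admin-password", "cvss": 9.1, "seen": "2024-01-08"},
    {"source": "threat-intel", "host": "db01", "vuln": "default-admin-password", "cvss": 9.1, "seen": "2024-01-12"},
    {"source": "scanner", "host": "lab-vm", "vuln": "outdated-ssh-banner", "cvss": 2.0, "seen": "2024-01-08"},
]

# Hypothetical asset criticality (1 = low, 3 = business critical); in practice
# this comes from the asset inventory rather than being hard-coded.
ASSET_CRITICALITY = {"web01": 3, "db01": 3, "lab-vm": 1}

# Days allowed for remediation by CVSS band: an example policy, not a standard.
SLA_DAYS = ((9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180))


@dataclass
class Finding:
    host: str
    vuln: str
    cvss: float
    first_seen: date
    sources: set = field(default_factory=set)
    state: str = "open"  # open -> fixed (claimed) -> verified (confirmed by rescan)

    def risk(self) -> float:
        """Severity weighted by how much the affected asset matters."""
        return self.cvss * ASSET_CRITICALITY.get(self.host, 1)

    def due(self) -> date:
        days = next(d for floor, d in SLA_DAYS if self.cvss >= floor)
        return self.first_seen + timedelta(days=days)


def aggregate(records):
    """One Finding per (host, vuln): keep the highest score and the earliest
    sighting, and remember every source that reported it."""
    merged = {}
    for r in records:
        key = (r["host"], r["vuln"])
        seen = date.fromisoformat(r["seen"])
        f = merged.get(key)
        if f is None:
            f = merged[key] = Finding(r["host"], r["vuln"], r["cvss"], seen)
        f.cvss = max(f.cvss, r["cvss"])
        f.first_seen = min(f.first_seen, seen)
        f.sources.add(r["source"])
    return merged


def ranked(findings):
    """Worklist order: highest risk first, oldest first among equals."""
    return sorted(findings.values(), key=lambda f: (-f.risk(), f.first_seen))


def overdue(findings, today):
    """Unverified findings past their SLA date; `today` is an ISO date string."""
    now = date.fromisoformat(today)
    return [f for f in findings.values() if f.state != "verified" and now > f.due()]


def reconcile(tracked, rescan_keys):
    """Validate claimed fixes against the next scan: a finding marked fixed
    that is no longer reported becomes verified; one still reported reopens."""
    for key, f in tracked.items():
        if f.state == "fixed":
            f.state = "open" if key in rescan_keys else "verified"
    return tracked


if __name__ == "__main__":
    tracked = aggregate(RAW_FINDINGS)
    for f in ranked(tracked):
        print(f"{f.risk():5.1f}  {f.host:7} {f.vuln:23} due {f.due()}  via {sorted(f.sources)}")
```

The point of `reconcile` is that "fixed" is a claim made by an owner and "verified" is a fact established by the next scan; keeping the two states separate is what stops a ticket from being closed while the vulnerability is still live.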
Vulnerability Management Software Options
While vulnerability management doesn't depend on any particular technical solution, software will very likely feed the process. There are products that aggregate multiple sources of vulnerability data and present a dashboard. In many cases, though, identified vulnerabilities are better tracked with tools your organization already uses, such as a ticketing system like Jira or even a simple Excel spreadsheet. A fancier or more automated solution may become necessary as the program grows, but it shouldn't be the primary focus when first establishing it.
Beyond aggregators, the main category of vulnerability management software is the vulnerability scanner, which does the identification work. There are many products in this space. The most popular, and our general recommendation, is the Nessus product line from Tenable, which comes in several editions that differ by scanning model and licensing; we won't dive into those differences here. Besides Nessus, other scanning options worth considering include:
- OpenVAS – Open source and free vulnerability scanning solution
- Nexpose – Vulnerability scanning solution offered by Rapid7
- Qualys – Vulnerability management offering
These are just a few network-based vulnerability scanners; there are many other options in this space. There is also another entire class of vulnerability management software that is host-based rather than network-based. These solutions install an agent on each of your organization's systems, often bundled with an antivirus or asset management product, that scans for vulnerabilities from inside the host. Each approach has trade-offs: network-based scanners are the more popular option and much easier to roll out, but they only see hosts that are reachable on the network when the scan runs, so laptops that are off-site or systems behind restrictive firewalls are missed, and they need credentials to see what an agent sees natively. Agents close that gap at the cost of deploying and maintaining software on every host.
Using Vulnerability Management Tools to Support Your Program
While your vulnerability management program certainly transcends the software you use, your vulnerability management tools should be configured to support the program's goals. Here are a few things to consider when setting up your vulnerability scanning tools:
- Scanning Schedule – Create a schedule that looks for vulnerabilities regularly. It should definitely be more frequent than annually, but beyond that, set it based on your organization's needs and its capacity to act on what is found. For example, you might start with quarterly scans if your network doesn't change often or you already have a large backlog to work through, then move to monthly so you learn about new vulnerabilities sooner and can more easily spot changes on your network. Comparing each scan's results against the previous one is what turns a schedule into change detection.
- Authenticated Scanning – Almost all vulnerability scanners can log in to target systems with supplied credentials to identify additional vulnerabilities (missing patches, local configuration issues) and confirm ones that an unauthenticated scan can only guess at. This is critical for accurate, complete results, but it also produces a far larger volume of findings, often orders of magnitude more than an unauthenticated scan. Consider starting with unauthenticated scans and moving to authenticated scans once you can handle the volume. Because scan credentials typically carry administrative privileges on every host, treat them as a high-value secret: use a dedicated scanning account, restrict where it can log in from, and keep the credentials in the scanner's or a vault's protected credential store rather than in a shared document.
- Full Coverage – Configure your scans so that they achieve full coverage of your network. You can do this with a custom configuration in which a discovery scan feeds a vulnerability scan, or simply by targeting the ranges of IP addresses in use rather than individual hostnames or addresses. Whichever approach you take, don't load a list of each individual host: it is extremely time-consuming to maintain, and you are very likely to miss hosts added to your network over time. It is also worth comparing the discovery results against your asset inventory, since a live host that appears in neither is exactly the kind of forgotten system attackers look for.
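The three points above fit together as one procedure: scan on a schedule, diff each discovery sweep against the last one, feed the live hosts inside the configured ranges into the vulnerability scan, and note where the credentialed scan failed to log in. The following is an added example of that glue logic, not code from the article or from any scanner vendor. The ranges, addresses and credential results are constructed, and the assumption that the sweep lists came from an `nmap -sn` run or the scanner's own host-discovery phase is just that; nothing here runs a scanner.

```python
"""Drive scan targeting from ranges and a discovery sweep rather than a
hand-maintained host list, and flag what changed between sweeps.
Added example with constructed data: the ranges, addresses and the idea that
the sweep came from nmap -sn (or the scanner's own discovery phase) are
assumptions; nothing here runs a scanner."""
import ipaddress

# Constructed: the in-scope ranges configured as the scanner's target list.
CONFIGURED_RANGES = ["10.10.1.0/24", "10.10.2.0/24", "192.168.50.0/28"]

# Constructed: live hosts from the previous and the current discovery sweep.
PREVIOUS_SWEEP = ["10.10.1.5", "10.10.1.6", "10.10.2.10", "192.168.50.3"]
CURRENT_SWEEP = ["10.10.1.5", "10.10.1.6", "10.10.1.77", "10.10.2.10", "172.16.9.4"]

# Constructed: hosts on which the credentialed scan actually logged in.
CREDENTIALED_OK = ["10.10.1.5", "10.10.2.10"]


def _sorted(addrs):
    # Sort numerically by address, not lexically as strings.
    return sorted(addrs, key=ipaddress.ip_address)


def parse_ranges(ranges):
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def in_scope(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def scope_size(ranges):
    """Addresses the configured ranges cover; useful to sanity-check that the
    scan window and license can handle the scope before scheduling."""
    return sum(net.num_addresses for net in parse_ranges(ranges))


def sweep_diff(previous, current, ranges):
    """What changed since the last discovery sweep, plus live hosts that answer
    from outside every configured range (a coverage gap or a stray device)."""
    nets = parse_ranges(ranges)
    prev, cur = set(previous), set(current)
    return {
        "new": _sorted(cur - prev),
        "gone": _sorted(prev - cur),
        "out_of_scope": _sorted(h for h in cur if not in_scope(h, nets)),
    }


def scan_targets(current, ranges):
    """Feed for the vulnerability scan: every live host inside a configured range."""
    nets = parse_ranges(ranges)
    return _sorted(h for h in current if in_scope(h, nets))


def credential_gaps(targets, credentialed_ok):
    """Targets where authentication failed, so their results are
    unauthenticated-only and should not be read as a clean bill of health."""
    return _sorted(set(targets) - set(credentialed_ok))


if __name__ == "__main__":
    print("scope covers", scope_size(CONFIGURED_RANGES), "addresses")
    print(sweep_diff(PREVIOUS_SWEEP, CURRENT_SWEEP, CONFIGURED_RANGES))
    targets = scan_targets(CURRENT_SWEEP, CONFIGURED_RANGES)
    print("targets:", targets)
    print("no credentials:", credential_gaps(targets, CREDENTIALED_OK))
```

Two outputs deserve a follow-up rather than a glance: a host in `out_of_scope` means either the range list is incomplete or something is on the network that shouldn't be, and a host in `credential_gaps` means its clean-looking scan result is only what an unauthenticated attacker could see.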
Overall, every organization should have a vulnerability management program, supported by vulnerability management tools that inform the process. These programs look very different from one organization to the next, because the custom approaches that account for business processes and goals are what make them effective. By combining tools the organization already uses for tracking and reporting with vulnerability scanning software that feeds the process, companies can better keep track of the problems on their networks and ensure those vulnerabilities are fixed in a timely manner. While we don't sell any vulnerability management software ourselves, please contact us if you'd like help standing up your vulnerability management program.