
How to build an effective vulnerability management programme

As cyber criminals increasingly look to exploit vulnerabilities in software and hardware, businesses must build and implement an effective vulnerability management programme to counter this growing threat

Businesses across all industries rely heavily on connected technology and software in their daily operations, from customer-facing websites, cloud platforms and email services to network infrastructure and the computers used by employees. 

But while technology is transforming businesses in many different ways, it has also introduced myriad cyber security risks. Increasingly, hackers are exploiting flaws in software and hardware to break into corporate systems and cause all sorts of damage. 

In fact, according to research from cyber security firm Tripwire, 27% of organisations (34% in Europe) experienced breaches due to vulnerabilities that had not been patched. And the Ponemon Institute found that 60% of data breaches in 2019 were caused by an “unpatched known vulnerability where the patch was not applied”. 

Consequently, businesses must develop a vulnerability management programme to identify, verify, mitigate and patch various risks. Without one, they will find it much harder to address security vulnerabilities and will be left at the mercy of malicious actors. So how do firms build such a programme and ensure it is effective?

Vulnerability management is crucial 

For cyber criminals, vulnerabilities in software and hardware present a backdoor into targeted businesses – and they are constantly trying to find and leverage them. With this in mind, cyber security teams must be proactive in discovering and fixing vulnerabilities so they cannot be exploited. 

Jake Moore, a security specialist at cyber security company ESET, says: “Attackers will continually attempt to exploit vulnerabilities, so it is pivotal that security teams identify their weaknesses before threat actors locate them. These vulnerabilities must be identified, assessed and patched regularly to ensure ongoing security, and therefore constantly monitored, which is what makes a good management programme.”

Vulnerability management programmes form an essential part of corporate risk strategies. But for them to be successful, the speed at which patches are installed is paramount, says Moore. “Being made aware of vulnerabilities is usual practice in the industry and not a week goes by without a weakness being exposed which could be exploited,” he says. 

“It is therefore essential that a management system cannot just identify the problem, but quickly and efficiently release updates because if vulnerabilities are not identified or remediated, companies leave themselves open to attacks.”

Moore says penetration testing and red teams will also allow businesses to tackle different security vulnerabilities. “The next level of monitoring for weaknesses within an organisation can be by offering periodic penetration testing and red teaming, which act as an even more thorough way of identifying vulnerabilities in a system or network,” he says.

Sean Wright, SME application security lead at Bristol-based software firm Immersive Labs, agrees that vulnerability management plays an important role in organisations. “Security is effectively about managing risk,” he says. “Vulnerability management is about assessing the amount of risk which each vulnerability poses to an organisation.

“Vulnerability management also helps gain insight into where problem areas may lie – which areas may present the most risk to an organisation – and help the organisation to ensure it provides appropriate resources, such as funding, training, resources and tooling, to help reduce the current risk as well as prevent any future risk to the organisation.” 

Building a vulnerability management programme

Building an effective vulnerability management programme, one that discovers potential vulnerabilities before cyber criminals do, involves several steps. Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, says the first step is to create an inventory of all software used throughout the business. 

“It’s simply not possible to patch software you don’t know you’re running, so awareness and accuracy of asset inventories are key,” he says. “Inventory all software, regardless of origin or function. It’s easy to miss software used by engineering teams or firmware used by embedded systems such as IoT [internet of things] devices.”

Second, businesses must identify where the software originated, how patches are communicated to users and how patches should be applied, says Mackey. “Since each software team is free to define a patch update process that makes sense to them, knowing any unique attributes will be beneficial when the time comes to patch,” he explains. 

Third, says Mackey, businesses should record the role that the software plays within the business. “Often, end-of-life statements are embedded in patch notifications, so knowing there won’t be any more patches is just as important as knowing there is a new patch,” he says.

Finally, businesses should validate that the patch does not change any configuration behaviours, says Mackey. “It’s not unheard of for a patch to change a default setting, but if that default setting was how you wanted things configured, the patch might break in your environment,” he adds.


Alex Maklakov, CIO of Clario, says an efficient vulnerability programme comprises an inventory of assets on a network, a vulnerability scanning process, reporting, key performance indicators (KPIs) and continual service improvement. 

But most importantly, these programmes should be underpinned by effective communication. Maklakov says: “The IT department should share all information and consult stakeholders regarding discovered vulnerabilities, as well as constantly analyse stakeholders’ feedback on communication improvement – simplified reports, proof of concept, etc.”

Immersive Labs’ Wright says businesses should implement a top-down approach and address security vulnerabilities that pose the most risk first of all. But he believes it is also key to involve a range of stakeholders in the vulnerability management process, particularly when rating and prioritising risks. “They may have insight into the vulnerability which may impact the risk given to the vulnerability,” he says.

Brian Kime, senior analyst at Forrester, says there are four things security and risk professionals need to do well for their vulnerability management programme to be effective – maintain an accurate inventory of assets; enumerate the vulnerabilities in these; prioritise which vulnerability to mitigate on which asset first; and apply a security control, modify a configuration or apply a security patch to reduce the risk of vulnerability exploitation.

What not to do 

Although there is a range of things businesses should do when building and implementing an effective vulnerability management programme, they must also be aware of behaviours that could have a negative impact and avoid these. 

John Stock, product manager at security firm Outpost24, says businesses should not believe they are secure just because industry standards and regulatory requirements are being followed. “As an example, PCI says you must run vulnerability scans quarterly or after any major change in your cardholder data environment,” he says.

“But that should be seen as the absolute minimum. Standards such as PCI are the minimum which should be undertaken, but they don’t guarantee a secure network, so always see them as a minimum baseline and aim to exceed them considerably.”

Businesses must also ensure they do not take on too much when they first start managing vulnerabilities, because teams might become overstretched and programmes might not achieve their intended objectives, he says. “Many vulnerability management programmes fail because they start too big,” says Stock. “There may be hundreds of thousands or even millions of devices to be scanned, but no team can handle the output of that many scans.

“Instead, begin with the highest perceived business risk areas, focus on areas where it’s known you can make a difference or where it’s known there may be a risk, and then grow from there. It will take time to scan everything, but in that time it will have at least been possible to make a positive impact.”

Security teams are advised not to do everything on their own, either, says Stock. Vulnerability management will be more successful when all departments across a business work together. “A vulnerability management programme is all about teamwork, both with other security teams, other IT teams and with the business,” he says. “Ensure you can get the most value out of your time by working with those teams, get their buy-in, plan with them, and that upfront time will give massive rewards in the long term.”

Don’t sweat the small stuff

At the same time, Stock tells businesses not to sweat the small stuff. “A vulnerability management programme will give you a lot of data, often too much to handle without dividing it up,” he says. “Start with what puts you most at risk, be that high CVSS risks, a high likelihood of compromise, a high risk to the business, or a high-profile platform. The biggest revelation to many people starting their first vulnerability management programme is that fixing the biggest risks often fixes some of the lesser risks as well.”
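Kime's four steps (inventory, enumerate, prioritise, remediate) and Stock's advice to start with what puts you most at risk can be expressed as a small triage routine. The following Python is an added example, not code from the article or from any of the vendors quoted; the inventory, the scanner findings, the PLACEHOLDER identifiers and the weighting factors (2.0 for known exploitation, 1.5 for internet exposure) are all constructed assumptions, and the grouping by fix illustrates Stock's point that one remediation often closes several findings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # business impact, 1 (low) to 5 (crown jewels)
    internet_facing: bool  # the "high-profile platform" anyone can reach

@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder scanner identifier, not a real CVE
    asset: str               # should match an Asset.name in the inventory
    cvss: float              # base score, 0.0 to 10.0
    exploited_in_wild: bool  # proxy for likelihood of compromise
    fix: str                 # patch or control that closes the finding

def priority(f: Finding, asset: Asset) -> float:
    """Blend CVSS, likelihood of compromise and business impact into one score.
    The multipliers are assumed weights, not an industry standard."""
    score = f.cvss * asset.criticality
    if f.exploited_in_wild:
        score *= 2.0
    if asset.internet_facing:
        score *= 1.5
    return round(score, 1)

def triage(findings, inventory):
    """Rank known findings highest first; findings on assets missing from the
    inventory come back separately, because an inventory gap is itself a risk."""
    known = [f for f in findings if f.asset in inventory]
    unknown = [f for f in findings if f.asset not in inventory]
    ranked = sorted(known, key=lambda f: priority(f, inventory[f.asset]), reverse=True)
    return ranked, unknown

def remediation_plan(ranked):
    """Group ranked findings by fix: one patch often closes several findings."""
    plan = {}
    for f in ranked:
        plan.setdefault(f.fix, []).append(f.vuln_id)
    return plan

# Constructed sample inventory and scanner output (all identifiers are placeholders).
INVENTORY = {a.name: a for a in (Asset("payments-web", 5, True),
                                 Asset("hr-intranet", 3, False),
                                 Asset("dev-jenkins", 2, False))}
FINDINGS = [
    Finding("PLACEHOLDER-0001", "hr-intranet", 9.8, False, "upgrade libfoo to 2.4"),
    Finding("PLACEHOLDER-0002", "payments-web", 7.5, True, "upgrade libfoo to 2.4"),
    Finding("PLACEHOLDER-0003", "payments-web", 5.4, False, "disable weak TLS ciphers"),
    Finding("PLACEHOLDER-0004", "dev-jenkins", 8.1, False, "apply jenkins update"),
    Finding("PLACEHOLDER-0005", "shadow-box", 9.0, True, "unknown"),
]
```

Running `triage(FINDINGS, INVENTORY)` ranks the exploited, internet-facing payments finding above the intranet finding with the highest raw CVSS, and reports the finding on the uninventoried host separately.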

He also warns against using vulnerability management programmes as a reason to stop normal penetration tests, because both serve different purposes and are important in their own way. “A vulnerability scan is not a pen test,” he says. “No one can afford to run a weekly pen test, nor should they need to. But at a minimum, conducting an annual pen test is still important. 

“But a vulnerability management programme can ensure you get more value from your pen tests. No longer will they be reporting back weak SSL ciphers or self-signed certificates, as they will have been flagged, and fixed, during the standard vulnerability scanning. Instead, they can focus on the more manual tasks and exploits.”

With the rapid growth of the connected ecosystem upon which the vast majority of businesses rely, they will continue to face existing and emerging security threats in years to come. But by designing and enforcing a vulnerability management programme, companies can identify and mitigate these accordingly. 
