Vulnerability Management: key challenges and practical advice, Part 1

In the article we describe vulnerability management and challenges companies can face when setting this process, as well as share tips on how to overcome them.

At first, we would like to brief you with the main definitions:

Vulnerability is a flaw in information system or software which a hacker can use to penetrate the infrastructure, disrupt systems or access them. Vulnerabilities have several severity levels. One of the most widespread and serious risks is existence of an exploit for a vulnerability, especially if it`s already actively used by hackers. Exploit is a malware with data or executable code which uses vulnerabilities to conduct attacks.

Vulnerability management (VM) helps to lower the risks caused by infrastructure vulnerabilities. VM is a multi-step cyclical process of identifying, prioritizing and remediating vulnerabilities, followed by further monitoring. VM offers a choice of response way on issues connected to company’s assets: detected software vulnerabilities, configuration vulnerabilities, insecurely configured ports and other vulnerabilities that can be used by attackers. The main purpose of the process is risk minimization and systems protection from potential attacks, exploits and other forms of hacking or security breaches.

Vulnerability Management includes following steps:

  1. Inventory;
  2. Detection;
  3. Prioritization;
  4. Remediation;
  5. Control.
Fig. 1. Vulnerability Management process.
Fig. 1. Vulnerability Management process.

At each step a company may face several difficulties. In this article we’re going to take a detailed look at each step and, based on the Defensys team’s experience and expertise in Vulnerability Management, we will provide recommendations that can help mitigate challenges of building VM processes.

Vulnerability Management challenges

Stage 1. Inventory

Asset management (AM) is a basis for building VM processes in the organization. AM represents planning, accounting and tracking assets’ statuses – elements of IT infrastructure such as equipment, information systems, servers, etc. At the inventory stage, it’s important to obtain comprehensive information about all of the company’s assets and understand which of them are the most critical and involved in important business processes, which are well protected or, vice versa, the most vulnerable. Having received information about all network assets users can perform comprehensive scanning and find maximum number of breaches in the network.

Challenges and recommendations:

One of the main challenges at this stage is lack of complete understanding of vulnerabilities in the company due to infrastructure changes, where operating systems and software are constantly being updated and network topology is undergoing changes. Thus, the systems being protected become unsecured as there may be a large number of unknown vulnerabilities.

Besides, another challenge may be changes in the network, of which CS specialists are not informed, for example:

  • some assets have been relocated in the infrastructure and/or their configuration have been changed, critical services have been added or removed, software or operating system have been upgraded;
  • new unrecorded assets have been added, that could potentially contain vulnerabilities. These assets should be scanned, preferably with multiple scanning modes;
  • some assets have been decommissioned and their scanning is no longer necessary.

Infrastructure change control is necessary to ensure that everything is accounted. We recommend starting asset management process by initially filling the asset base, then enriching it and keeping it up to date. You can then automate the process and expand asset information by integrating with different systems. A well-running asset management process will form the basis for Vulnerability Management.

Stage 2. Detection

Detection is the process of detection and analysis of potential system’s vulnerabilities. Vulnerability Scanners are mostly used for detection as they search for vulnerabilities in the infrastructure and analyze them. Vulnerability scanner monitors networks, operating systems, connected devices and ports, analyzes all active processes and running applications, and generates reports with vulnerabilities description and their location. Detection includes not only scanning, but also infrastructure monitoring for particular CVE vulnerabilities.

Challenges and recommendations:

Some scanners detect vulnerabilities on the host itself. For this vulnerability database is copied to each host, that sharply increases scanning time. The problem is aggravated, if the network is large and complex. The secondary factor may be low data transfer speed or connection issues.  In addition, vulnerability scanners can sometimes disrupt networks and systems they scan. While searching for vulnerabilities, scanner may send specially created requests or packs to target systems. This has a negative impact on system or network operation.

At the same time, scanners can’t always correctly identify vulnerabilities and often create reports with multiple vulnerabilities that are unexploited, but formally their severity level is high. As a result, CS specialists receive a report that is difficult to interpret, and it’s not clear which vulnerabilities need to be fixed first. Additionally, scanners do not provide enough information about vulnerabilities remediation, as their knowledge database often contains only general information about vulnerabilities. In reality, the knowledge is insufficient, and software users conduct research on how to patch a particular vulnerability.

Vulnerability detection is a dynamic process that requires constant updating and adapting to new threats and attack methods. For this reason, it’s mandatory to configure the periodicity of scanning tasks. Only in this case you can be sure that infrastructure data is up to date. To fully see all vulnerabilities, multiple data sources can be used, but you should take into account that there may be duplicates of the same vulnerabilities detected by different scanners.

Stage 3. Prioritization

Information received from scanner report should be prioritized to define which vulnerabilities have to be remediated in the first place and which can be handled according to the regular plan. Vulnerabilities can be grouped depending on their criticality level and potential impact on the system: in accordance with the CVSS (the most popular prioritization method), the presence of an exploit, with vulnerabilities on critical assets, vulnerability rating, and criticality level.

Challenges and recommendations:

The number of identified vulnerabilities can reach hundreds of thousands and sometimes millions, which leads to a problem of vulnerabilities prioritization. Some vulnerabilities are critical and need to be addressed immediately, while others may be less important and their remediation can be postponed. The lack of a clear prioritization system leads to an incorrect focus for addressing vulnerabilities and consequently incorrect allocation of resources to remediate them. In order to avoid such difficulties, ways to automatically rank vulnerabilities based on particular criteria are needed. Thus, a significant part of the analytics will be performed by the VM system, and CS specialists will be able to use data which have been prepared for analysis.

In addition, not all VM solutions have flexible configurations of vulnerability status model, and traditional statuses don’t always reflect the entire business process of vulnerability management. Therefore, cyber security professionals can’t take into account compensating measures and exclude vulnerabilities as irrelevant.  Statuses reflecting the current state of specific vulnerabilities handling can significantly reduce routine work of specialists. The statuses could help to develop policies for mass processing of vulnerabilities according to approved scenarios. At the same time, excluding vulnerabilities from processing makes it possible to focus only on relevant vulnerabilities that are important for current network.

When a company has asset inventory, identified and prioritized vulnerabilities, next step would be their remediation.