How to Create an Agile Vulnerability Management Process: Best Practices
Vulnerability management is a baseline cybersecurity practice (and process) that companies must have in place to prevent accidental data exposure and to withstand targeted attacks.
This guide explains how to establish a continuous process for vulnerability identification, investigation, and patching.
Vulnerability management is the process of identifying, evaluating, prioritizing, and mitigating security vulnerabilities within your IT estate. Its goal is to reduce the risk of a breach by fixing weaknesses before an attacker can exploit them.
A security vulnerability is any weakness in the architecture, implementation, or functionality of a network or IT system that an attacker can exploit to mount an attack.
Common vulnerabilities include:
- System misconfigurations
- Unsecured Application Programming Interfaces (APIs)
- Unpatched and/or out-of-date software
- Missing or weak authentication credentials (including default credentials)
- Suboptimal access control policies
- Missing or weak data encryption
- Zero-day vulnerabilities.
Most new applications (around 80%) pick up no flaws during their first 18 months in production, provided they were built on security-by-design principles. The picture degrades with age: after five years in production, 70% of applications carry at least one security flaw.
Flaws typically accumulate as security and technical debt. New product development can also introduce flaws into existing systems, in the form of unsecured APIs, poorly configured identity and access management (IAM), or lax patch management.
Such vulnerabilities can (and should!) be uncovered during a vulnerability assessment: a systematic evaluation of your IT infrastructure components and individual applications for exploitable weaknesses.
Vulnerability assessments are a cornerstone of IT asset management and one of the pillars of a centralized IT security program. The data surfaced by assessment tools lets your security team mitigate risks proactively, before they affect the core business.
Types of Vulnerability Assessments
- Network-based scans are designed to identify weaknesses in the network infrastructure, such as open ports, outdated software, or misconfigured devices.
- Host and virtual machine (VM) assessments are meant to locate missing patches, misconfigured settings, or weak access policies within your infrastructure to prevent unauthorized access.
- Database scans help detect security issues within critical data storage infrastructure to reduce the likelihood of a data breach or compromise.
- Application scans reveal flaws in specific applications that could be exploited through SQL injection, cross-site scripting (XSS), or insecure direct object references (IDOR).
How to Conduct a Vulnerability Assessment
A vulnerability assessment is a methodical evaluation of your IT security posture. Using a suitable toolkit, a cybersecurity team scans the selected assets, analyzes the reported findings, and develops remediation strategies.
A standard vulnerability assessment happens in three stages: identification, analysis and prioritization, and resolution.
The identification stage begins with compiling an inventory of all IT infrastructure components due for assessment. These can include individual corporate devices, local and cloud-based business applications, active virtual machines, and cloud data platforms (such as data warehouses or data lakes), among others. With purpose-built vulnerability assessment tools, the team collects security data points such as:
- Hostname, IP address, operating system
- Versions of software or firmware in use
- Number of open ports per system
- Number of APIs in use and their security status
An advanced vulnerability assessment tool can scan a large technical estate in minutes and report back on the critical issues found. Scans can run on a schedule or on demand in response to an event (e.g., a new server deployment) to confirm that the expected security controls are in place from the start.
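As an added example (not code from the article or from Infopulse), the following Python turns an nmap XML report into exactly those data points: hostname, IP address, OS guess, service versions, and open-port count per host. The XML is a constructed sample in nmap's -oX layout with invented host names and addresses. It also flags open services the scanner could not version-fingerprint, since those cannot be matched against advisories until someone identifies them manually.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in nmap's XML (-oX) layout: two live hosts, one down. Not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/30">
  <host><status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/>
        <service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class HostRecord:
    ip: str
    hostname: str
    os_guess: str
    services: list[str] = field(default_factory=list)     # "port/proto product version"
    unversioned: list[str] = field(default_factory=list)  # open ports with no version fingerprint

    @property
    def open_ports(self) -> int:
        return len(self.services)


def parse_nmap_xml(xml_text: str) -> list[HostRecord]:
    """Extract one inventory record per live host from an nmap XML report."""
    root = ET.fromstring(xml_text)
    records: list[HostRecord] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a down host exposes no assessable surface in this scan
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        rec = HostRecord(
            ip=addr.get("addr", "") if addr is not None else "",
            hostname=hn.get("name", "") if hn is not None else "",
            os_guess=osmatch.get("name", "unknown") if osmatch is not None else "unknown",
        )
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            label = f"{port.get('portid')}/{port.get('protocol')}"
            rec.services.append(" ".join(x for x in (label, product, version) if x))
            if not version:
                rec.unversioned.append(label)  # cannot be matched to advisories yet
        records.append(rec)
    return records


def inventory_summary(records: list[HostRecord]) -> dict:
    """Roll-up figures a dashboard would show for one scan run."""
    return {
        "hosts_up": len(records),
        "open_ports": sum(r.open_ports for r in records),
        "unversioned_services": sum(len(r.unversioned) for r in records),
        "unknown_os": sum(1 for r in records if r.os_guess == "unknown"),
    }


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_NMAP_XML)
    for r in recs:
        print(r.ip, r.hostname or "-", r.os_guess, r.services, "manual versioning:", r.unversioned)
    print(inventory_summary(recs))
```

The `unversioned` list is the part worth keeping an eye on: a port that is open but has no product/version string is an asset you cannot track against vendor advisories, which is exactly the blind spot a scheduled scan alone will not close.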
The UK National Cyber Security Centre also names "cost-effectiveness", "scalability", "accuracy", and "increased compliance" among the main advantages of using vulnerability scanners.
Vulnerability assessment tools provide ample data for analysis. However, they also produce false positives (findings that do not correspond to a real weakness). Most reported findings therefore have to be reviewed by a competent security analyst.
Specifically, the analyst must determine the severity and potential impact of each reported vulnerability. As part of our vulnerability assessment services, the Infopulse team always takes the extra step of confirming on which assets the vulnerability is actually present (a widespread issue rather than a few outliers) and whether it poses a meaningful risk to the organization.
Once all vulnerabilities are properly cataloged, we assign each a priority level and suggest follow-up steps for remediation. Priority ratings usually follow a 0 to 10 scale modelled on CVSS, where 9.0-10.0 is critical, 7.0-8.9 high, 4.0-6.9 medium, and 0.1-3.9 low. Critical issues must be resolved within hours, whereas low-severity vulnerabilities can be addressed within several weeks.
During the resolution stage, remediation actions are applied: patching, software updates, configuration changes, access policy updates, and so on. Most of these can be rolled out automatically with patch management software.
Some vulnerabilities require more in-depth intervention, though. For example, a design oversight in a web application can leave it open to server-side request forgery (SSRF), in which an attacker makes the application send requests to destinations of the attacker's choosing, typically internal services or cloud metadata endpoints that sit behind firewalls and VPNs and are not reachable from outside. Such vulnerabilities can only be closed by a new release of the application with proper validation of outbound request targets.
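The SSRF case above is a code-level flaw, so the fix is a code change rather than a patch. The Python below is an added example, not code from the article: the first function shows the flawed design (fetch whatever URL the client supplies), the second the hardened version. The allowlisted host name `api.partner.example`, the sample addresses, and the injectable `resolver` parameter are assumptions made for the example.

```python
from __future__ import annotations
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# --- The flaw: the server fetches whatever URL the client supplied. An attacker
# can aim it at 169.254.169.254 (cloud metadata), localhost admin ports, or any
# internal host the server can reach but the attacker cannot.
def fetch_unvalidated(url: str) -> bytes:
    return urllib.request.urlopen(url, timeout=5).read()


# --- The fix: decide where a request may go before any request is made.
# Assumption for this example: the feature only ever talks to one upstream.
ALLOWED_HOSTS = frozenset({"api.partner.example"})


def resolve_all(host: str) -> list[str]:
    """Every address the name resolves to (a name can carry several A/AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_target(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (ok, reason). The resolver is injectable so the policy can be tested offline."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # https://api.partner.example@evil.example/ parses with hostname evil.example
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # An allowlisted name must still not resolve to an internal address: the name
    # could be hijacked or deliberately pointed at RFC 1918 or link-local space.
    for ip_text in resolver(host):
        ip = ipaddress.ip_address(ip_text)
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def fetch_validated(url: str, resolver=resolve_all) -> bytes:
    ok, reason = is_safe_target(url, resolver)
    if not ok:
        raise PermissionError(f"refusing outbound request: {reason}")
    return urllib.request.urlopen(url, timeout=5).read()


if __name__ == "__main__":
    # Constructed checks with a fake resolver so nothing touches the network.
    for url, ip in [("https://api.partner.example/v1/report", "93.184.216.34"),
                    ("http://169.254.169.254/latest/meta-data/", "169.254.169.254"),
                    ("https://api.partner.example/v1/report", "10.0.0.5")]:
        print(url, "->", is_safe_target(url, resolver=lambda h, ip=ip: [ip]))
```

Two caveats a reviewer would raise on the hardened version: the resolver check is time-of-check only, so a production client should connect to the address it validated rather than resolving the name a second time (DNS rebinding), and `urlopen` follows HTTP redirects by default, so either redirects are disabled or every hop is passed through `is_safe_target` again.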
Likewise, patch management software does not protect against zero-day exploits: attacks against vulnerabilities that are not yet known to the software vendor. "Zero-day" refers to the fact that the vendor has had zero days to develop and release a fix by the time exploitation begins. In 2022, 18 zero-day vulnerabilities were detected and disclosed in several Windows and Chrome products, as well as Atlassian Confluence.
The best way to limit zero-day risk is to install vendor-issued updates as soon as they appear, while relying on behaviour-based endpoint detection to spot exploitation attempts in the meantime. If a scan turns up such a flaw in software you develop yourself, fix it yourself without waiting for anyone else.
Benefits of Vulnerability Assessments
- Improved security posture. Shrink the attack surface and the likelihood of exploitation through continuous monitoring.
- Proactive risk management. Fix security flaws before they cause an incident and impact your operations and/or end-users.
- Lower IT costs. The average cost of a data breach stands at USD 4.35 million in direct and indirect costs (IBM's 2022 Cost of a Data Breach figure). Prevention is always more cost-effective than remediation.
- Better compliance. Robust security is a key requirement for obtaining industry certifications, including ISO 27001, BSI IT-Grundschutz, and PCI DSS, among others.
How Often Should Companies Perform Vulnerability Assessments?
Like other cybersecurity best practices, vulnerability assessments should run on a regular schedule. For most companies it is a routine, automated process. For instance, Azure VMs are scanned automatically every 24 hours, and Azure-hosted web servers get a routine scan every 8 hours (to pick up version changes).
In addition, a vulnerability scan should be initiated whenever a company releases a new product version or issues a patch. Doing so confirms that the new release does not break any other security configurations already in place.
When we talk about infrastructure-wide sweeps, covering all IT assets at your disposal, these should be scheduled every 1-3 months, depending on your industry, compliance requirements, and infrastructure type.
Vulnerability management is a continuous process, usually shared between DevOps specialists and system administrators. All the findings from the assessment and testing stages must be shared with the right people for further resolution. Typically, that is the system owner (e.g., division manager) and the task executor (e.g., a system administrator or a DevOps engineer).
To ensure that every finding is fixed within its deadline, we suggest a four-step process: asset inventory, tool selection, scanning schedule and reporting, and remediation tracking.
A detailed asset inventory organizes all elements of your IT infrastructure by function, owner, criticality, and other criteria. In other words, it provides a bird's-eye view of every asset you own and the role it plays in your business processes.
This inventory helps you determine how important each element of your infrastructure is and plan the optimal scan frequency and patching schedule. Not every asset can be a priority, so establish a queue based on priority levels (Critical, High, Medium, Low).
Our advice is to always prioritize external assets (public web applications, cloud-based workplace tools, payment processing applications, public APIs), as these tend to be prime targets. Internal resources, such as a locally hosted web server reachable only from select IP addresses, can be assigned a lower priority (but never neglected entirely).
Once you have a line-up of assets, you have to select fit-for-purpose vulnerability assessment software.
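The severity bands and deadlines from the analysis stage, combined with the exposure and criticality rules from the inventory step, can be expressed as one triage routine. The Python below is an added example, not the article's or Infopulse's process: the CVSS v3 bands are the standard ones, but the exposure and criticality weights, the per-band deadlines, and the sample assets and findings (with placeholder IDs) are illustrative assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative bands: critical starts at 9.0, high at 7.0, medium at 4.0."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Illustrative policy knobs (assumptions for this example, not from the article).
EXPOSURE_WEIGHT = {"external": 1.25, "internal": 1.0}
CRITICALITY_WEIGHT = {"critical": 1.2, "high": 1.1, "medium": 1.0, "low": 0.9}
SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7),
       "medium": timedelta(days=30), "low": timedelta(days=90), "none": None}
BAND_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str         # system owner who approves the fix
    exposure: str      # "external" or "internal", taken from the asset inventory
    criticality: str   # business criticality, taken from the asset inventory


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str
    cvss: float


@dataclass(frozen=True)
class Ticket:
    finding: Finding
    risk: float
    band: str
    due: datetime | None


def risk_score(f: Finding) -> float:
    """Raw CVSS adjusted for where the asset sits and what it is worth, capped at 10."""
    raw = f.cvss * EXPOSURE_WEIGHT[f.asset.exposure] * CRITICALITY_WEIGHT[f.asset.criticality]
    return round(min(10.0, raw), 2)


def triage(findings, now: datetime) -> list[Ticket]:
    """Turn findings into a deadline-bearing queue: band first, external assets
    ahead of internal ones within a band, then highest adjusted risk."""
    tickets = []
    for f in findings:
        risk = risk_score(f)
        band = cvss_band(risk)
        due = now + SLA[band] if SLA[band] is not None else None
        tickets.append(Ticket(f, risk, band, due))
    tickets.sort(key=lambda t: (BAND_RANK[t.band], t.finding.asset.exposure != "external", -t.risk))
    return tickets


# Constructed sample estate and findings (invented names, placeholder IDs).
SHOP = Asset("shop-web", "ecommerce-lead", "external", "critical")
DB = Asset("orders-db", "dba-team", "internal", "critical")
WIKI = Asset("wiki-internal", "it-ops", "internal", "low")
CMS = Asset("marketing-cms", "marketing", "external", "medium")
SAMPLE_FINDINGS = [
    Finding(WIKI, "F-201", 7.5),   # same raw CVSS as the shop finding, far less urgent
    Finding(SHOP, "F-202", 7.5),
    Finding(CMS, "F-203", 2.0),
    Finding(DB, "F-204", 9.8),
]
NOW = datetime(2024, 1, 1, 9, 0)

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS, NOW):
        print(f"{t.band:8} risk={t.risk:<5} {t.finding.asset.name:15} {t.finding.vuln_id} "
              f"owner={t.finding.asset.owner} due={t.due}")
```

The point of the worked queue is that two findings with the same raw CVSS land in different bands with different deadlines once exposure and criticality are applied, and each ticket already names the owner who has to approve the fix.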
Popular vulnerability assessment tools include:
- Nmap (with NSE scripts)
- Microsoft Defender for Cloud (works for hybrid cloud environments)
- Amazon Inspector
Some offer a helicopter view of your infrastructure. Others are more purpose-built to conduct targeted scans of specific assets. Infopulse cybersecurity experts can help you select and configure the optimal toolkit.
The next step is to design a scanning schedule based on asset usage patterns. For instance, you might schedule most scans for off-peak hours to avoid degrading infrastructure performance.
A reporting dashboard consolidates data from the scans: the number of detected vulnerabilities, resolution status, and the trend in recurring issues. The last one is particularly important, because a trend chart shows how well the team identifies and addresses threats over time. After all, you may operate an effective SOC team capable of near-instant threat detection; yet if you lack IT staff to handle the maintenance jobs, your security posture will remain weak.
Reporting dashboards also help prioritize and group problems by remediation scenario. Often, multiple vulnerability alerts can be resolved with a single patch. Likewise, some vulnerabilities require a near-immediate response. A dashboard lets you concentrate effort on the right targets.
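Computing those dashboard figures from raw scan results is straightforward once each finding carries the remediation that closes it. The Python below is an added example, not code from the article: it takes a history of scan snapshots and derives the open count per scan, what appeared and disappeared since the last run, which findings have come back after being closed, and which single remediation closes the most open alerts. The three snapshots, asset names, finding IDs, and fix descriptions are constructed.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    fix: str  # the one remediation that closes this finding (package upgrade, config change)


# Constructed history: three weekly scans of the same estate. Names and IDs are invented.
HISTORY = [
    (date(2024, 1, 8), frozenset({
        Finding("web01", "F-101", "upgrade openssl"),
        Finding("web01", "F-102", "upgrade openssl"),
        Finding("web02", "F-101", "upgrade openssl"),
        Finding("db01", "F-103", "restrict port 3306 to the app subnet"),
    })),
    (date(2024, 1, 15), frozenset({          # web01 was patched during the week
        Finding("web02", "F-101", "upgrade openssl"),
        Finding("db01", "F-103", "restrict port 3306 to the app subnet"),
    })),
    (date(2024, 1, 22), frozenset({          # web01 rebuilt from an old image: F-101 is back
        Finding("web01", "F-101", "upgrade openssl"),
        Finding("web02", "F-101", "upgrade openssl"),
        Finding("db01", "F-103", "restrict port 3306 to the app subnet"),
        Finding("web03", "F-104", "upgrade nginx"),
    })),
]


def deltas(history):
    """For each consecutive pair of scans: (date, findings that appeared, findings that disappeared)."""
    return [(d1, s1 - s0, s0 - s1) for (d0, s0), (d1, s1) in zip(history, history[1:])]


def recurring(history):
    """Findings open in the latest scan that had already been closed once before.
    A rising count here means fixes are not sticking (image drift, reverted config)."""
    latest = history[-1][1]
    closed_before = set()
    for _, _, disappeared in deltas(history):
        closed_before |= disappeared
    return latest & closed_before


def group_by_fix(open_findings):
    """Group open findings by the remediation that closes them, biggest win first."""
    groups = defaultdict(list)
    for f in open_findings:
        groups[f.fix].append((f.asset, f.vuln_id))
    return sorted(((fix, sorted(items)) for fix, items in groups.items()),
                  key=lambda kv: (-len(kv[1]), kv[0]))


def trend(history):
    """Open-findings count per scan: the series a dashboard would chart."""
    return [(d.isoformat(), len(s)) for d, s in history]


def dashboard(history):
    latest_date, latest = history[-1]
    _, appeared, disappeared = deltas(history)[-1]
    return {
        "as_of": latest_date.isoformat(),
        "open": len(latest),
        "new_since_last": len(appeared),
        "fixed_since_last": len(disappeared),
        "recurring": sorted((f.asset, f.vuln_id) for f in recurring(history)),
        "fixes_ranked": group_by_fix(latest),
        "trend": trend(history),
    }


if __name__ == "__main__":
    for key, value in dashboard(HISTORY).items():
        print(f"{key}: {value}")
```

On the constructed data the dashboard shows four open findings, two of them new since the last scan, one recurring (web01 came back with F-101 after it had been closed), and a single remediation, the OpenSSL upgrade, that would clear half of the open alerts at once.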
Each identified vulnerability must be recorded as a task and scheduled for timely execution. Within a large IT estate, such tasks can pile up and/or fall through the cracks amidst conflicting priorities.
To avoid such scenarios, you must have a lean process for communicating the requirements to executors, collecting necessary approvals, and monitoring timely execution. Typically, this process can be organized using one of the three scenarios below:
- Blue/green deployment strategy assumes creating two identical environments. The blue one continues to run the current system version. The green one runs a new system version. User traffic is progressively transferred to the green environment, which is closely monitored for performance. The blue environment remains in standby in case a rollback is required. This option works best for patching business-critical applications and new product releases.
- Patch window strategy assumes allocating specific time slots (windows) for releasing one or more patch groups. They run on a predefined schedule and have a configurable duration intended to avoid any service disruptions. This is one of the patch management best practices for maintaining infrastructure components and individual apps.
- Continuous patching assumes a (semi-)automated process for initiating system updates and patches across infrastructure components. It is best suited to keeping public cloud infrastructure in good security shape. For instance, Patch Manager, a capability of AWS Systems Manager, lets you define patch policies per asset that trigger updates automatically.
The above strategies cover the majority of vulnerability mitigation jobs, apart from zero-day threats, which may require out-of-band, manual intervention.
Any type of estate, physical or digital, requires regular maintenance. New vulnerabilities arise over time as your IT infrastructure expands, evolves, and ages. Cybersecurity teams must therefore treat vulnerability management as a continuous process rather than a one-off event. To get the most out of vulnerability detection and management, organizations need both the right toolkit and a lean, automated workflow for issue tracking and resolution.