The Difference Between Vulnerability Assessments and Vulnerability Management
Posted on Monday, February 19th, 2018 by Katharina Gerberding
In today’s increasingly complex IT landscape, we are exposed to a seemingly infinite number of cybersecurity buzzwords and strategies when it comes to protecting your organization’s critical data assets. The terms vulnerability scan, vulnerability assessment and vulnerability management are often mixed up and still cause confusion on many accounts. To make sure that your organization can focus on the most effective tactics when it comes to dealing with vulnerabilities, we’ve explained the main differences between vulnerability assessments and vulnerability management once and for all.
What is a Vulnerability Assessment?
A vulnerability assessment is not a scan; it is a one-time project with a defined start and end date. Usually, an external Information Security Consultant will review your corporate environment and document, in a detailed report, a variety of potentially exploitable vulnerabilities that you are exposed to. The report will not only list the identified vulnerabilities, but also provide actionable recommendations for remediation. Once the final report is delivered, the vulnerability assessment ends.
Vulnerability Assessments vs. Vulnerability Management
As opposed to the usually one-time vulnerability assessment project, a vulnerability management strategy refers to an ongoing, comprehensive process or program that aims at managing an organization’s vulnerabilities in a holistic and continuous manner. We’ve gathered a few key characteristics and elements of a standard vulnerability management approach.
Vulnerability Management is an ongoing process
Unlike a vulnerability assessment, a comprehensive vulnerability management program doesn’t have a defined start and end date but is a continuous process that ideally helps organizations better manage their vulnerabilities in the long run.
Vulnerability Management is a recommended best practice to protect your organization and data
According to the 20 Critical Security Controls issued by the Center for Internet Security, one of the five most critical controls to eliminate the vast majority of an organization’s vulnerabilities is “continuous vulnerability assessment and remediation”. Although control #4 contains the term “vulnerability assessment”, the recommendation for continuous assessments and remediation supports the case for a repeatable, comprehensive vulnerability management process that goes beyond simple vulnerability assessments. In that sense, implementing a comprehensive vulnerability management process represents the baseline of an effective security program to strengthen your organization’s defenses.
Vulnerability Management can contain many different projects – including a Vulnerability Assessment (see step 4 below)
According to vulnerability management best practices, a vulnerability assessment represents an essential part of a comprehensive VM strategy but it doesn’t end there. According to the SANS Institute, an effective vulnerability management program contains at least six different stages, which are to be repeated on a continuous basis:
1. Asset Inventory
One of the first steps to undertake in a vulnerability management program is an asset inventory exercise. Especially at the enterprise level, organizations tend to go through a myriad of mergers, acquisitions, and new technologies and therefore need to combine natively incompatible systems or change their staff. Unfortunately, these circumstances often leave companies confused about their proper inventory and many are incapable of identifying all their assets that require a level of protection. Too often, companies possess a multitude of unknown assets in their environments that could compromise their security over the long run.
According to asset inventory best practices, asset management should be in the hands of a single authority that consults valid network maps, runs relevant discovery scans in all Local Area Networks (LANs), validates the asset inventory on a regular basis and handles change management in case of new or retiring assets. A centralized asset inventory function can help gain clarity about an organization’s asset inventory and strengthen its security posture.
2. Information Management
Once an organization has identified all its assets and continues to manage them regularly, the second important step of vulnerability management is managing information. As we all know too well, security-relevant information is constantly changing and many organizations struggle with keeping their employees up to speed about relevant security concepts such as networking, programming, forensics or monitoring. More often than not, complex technical security concepts are not communicated (or not communicated enough) to the entire organization, leaving employees confused and uninformed about how to comply with security best practices.
An effective vulnerability management methodology includes a dedicated Computer Security Incident Response Team (CSIRT). The CSIRT is responsible for publishing security advisories, leading regular conference calls to discuss malicious activity and the latest zero-day attacks, simplifying and distributing security alerts, and developing understandable and effective incident response guidelines for all employees. This way, employees will be able to respond to potential indicators of compromise according to the best practices recommended by the CSIRT.
3. Risk Assessment
Another crucial area of an effective vulnerability management strategy is proper risk assessment and management. Unfortunately, most organizations lack proper documentation when it comes to managing their risk, and individual departments do not share information about their respective critical assets and the value associated with them. Change management is not practiced or only occurs on a very limited scale.
A risk assessment is critical for understanding the various threats to your IT systems, determining the level of risk these systems are exposed to, and recommending the appropriate level of protection. A thorough risk assessment will help organizations conduct a formal risk review, have asset owners sign off on acceptable risk levels if no remediation activities are undertaken, assign approval of high-level risks to director or VP level, and schedule regular risk reviews for subsequent years. If the organization does not have dedicated risk management software in place, checklists or Excel spreadsheets will help simplify risk analysis, as will solid documentation practices for security policies and processes.
4. Vulnerability Assessment
As mentioned before, a vulnerability assessment in itself represents a crucial element of a vulnerability management framework and is considered the first step towards improving your IT security. Many organizations still struggle with a vast pool of unknown assets, poorly configured network devices, heavily segmented environments, incompatible tools or simply too much information to analyze and process. A vulnerability assessment has multiple benefits: it will identify the key information assets of your organization, determine the vulnerabilities that threaten the security of those assets, provide recommendations to strengthen your security posture and help mitigate risk, thereby allowing you to focus your IT resources more effectively.
Authenticated vulnerability scanning will permit a full inventory of all software and its precise versions as well as the ability to check baseline security configurations and detect vulnerabilities. Such vulnerability scans should be announced to enable flagging of unauthorized scans and facilitate network and asset change visibility. Scanning processes should be documented and reviewed to drive process maturity.
5. Reporting & Remediation
Once the vulnerability assessments have been conducted, it is critical to produce clear and easily understandable reports with prioritized remediation tasks. Regardless of which vulnerability scanning tool is used, it should help produce reports, mark vulnerabilities as remediated or not found, track the age of the vulnerabilities, etc. Before reports are issued, the organization should agree on the report format to make sure that relevant elements are included and highlighted and irrelevant elements are discarded. As with many other critical security processes, it is highly recommended that executive management is fully on board with the vulnerability reporting and remediation process.
6. Response Planning
On a weekly basis, organizations receive the latest security advisories and need to dedicate a team who will make sense of all this information. In many cases, organizations lack the necessary resources to implement critical changes immediately, don’t have well-defined processes to make these changes, or simply don’t know what assets they have that could potentially be vulnerable and represent a risk to the organization as a whole.
As part of an effective response planning process, having an accurate and up-to-date asset inventory is the baseline for the CSIRT to respond to vulnerabilities efficiently and effectively. In case of a new vulnerability or threat, the CSIRT is responsible for briefing the entire organization immediately and for operating good patch management software. For maximum results, this software will integrate with both the vulnerability database and the asset inventory system.
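The tracking that steps 1, 5 and 6 ask for (joining scan findings to the asset inventory, marking findings remediated or not found, tracking their age and flagging unknown assets) can be modelled in a few dozen lines. The script below is an added illustration, not code from the original post or from any scanning product; the inventory, the hostnames and the finding identifiers VULN-A to VULN-D are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    host: str
    vuln_id: str
    owner: str          # department from the asset inventory, or "UNKNOWN ASSET"
    first_seen: date
    last_seen: date
    status: str = "open"   # "open" or "not found"

def track(inventory, scan_runs):
    """Fold scan runs (oldest first) into one table keyed by (host, vuln_id)."""
    table = {}
    for run_date, results in sorted(scan_runs, key=lambda r: r[0]):
        for host, vuln_ids in results.items():
            for vuln_id in vuln_ids:
                key = (host, vuln_id)
                if key in table:            # seen before: extend, reopen if needed,
                    table[key].last_seen = run_date   # but keep the original first_seen
                    table[key].status = "open"
                else:                       # a host missing from the inventory is an unknown asset
                    table[key] = Finding(host, vuln_id, inventory.get(host, "UNKNOWN ASSET"),
                                         run_date, run_date)
        # A finding that this run no longer reports on a host it did scan is "not found";
        # findings on hosts the run did not reach stay as they were (still unverified).
        for (host, vuln_id), f in table.items():
            if host in results and vuln_id not in results[host] and f.status == "open":
                f.status = "not found"
    return table

def open_findings(table, as_of):
    """Prioritised remediation list: oldest open findings first, with age in days."""
    rows = [((as_of - f.first_seen).days, f.host, f.vuln_id, f.owner)
            for f in table.values() if f.status == "open"]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

# Constructed sample data: a two-host inventory and three authenticated scan runs.
# A host mapped to an empty list was scanned and found clean; a host absent from
# a run was not reached in that run.
INVENTORY = {"web01": "Web Services", "db01": "Database Team"}
SCAN_RUNS = [
    (date(2018, 1, 8),  {"web01": ["VULN-A", "VULN-B"], "db01": ["VULN-C"]}),
    (date(2018, 1, 22), {"web01": ["VULN-A"], "db01": [], "legacy07": ["VULN-D"]}),
    (date(2018, 2, 5),  {"web01": ["VULN-A", "VULN-B"], "legacy07": ["VULN-D"]}),
]

if __name__ == "__main__":
    for age, host, vuln, owner in open_findings(track(INVENTORY, SCAN_RUNS), date(2018, 2, 19)):
        print(f"{age:3d} days  {host:10} {vuln:8} {owner}")
```

Note that VULN-B on web01 was "not found" in the second run and reappears in the third; it is reopened with its original first-seen date, so its age reflects the first detection rather than the regression.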
Once these six critical steps are implemented, organizations are best advised to keep repeating them on a regular basis. Unlike vulnerability scanning or assessments, the efficacy of vulnerability management lies in the fact that it’s a continuous process – a loop – that aims at managing vulnerabilities consistently. For example, vulnerability assessments are conducted at regular time intervals, and in some cases the interval is “continuous” in that as soon as an assessment is completed, it is immediately repeated.