Co-authored by: Saurabh Singh
In Part 1 of The Evolution of Vulnerability Assessments in our Cybersecurity blog series, we wrote about how approaches to managing vulnerabilities have evolved significantly over time and moved away from a tool-focused to a more process-driven approach. The subsequent sections of this blog post dig deeper into the fundamentals of vulnerability management and explain the ideal building blocks that an enterprise should focus on while defining a successful VM program.
Why do we need to take the Vulnerability Management route?
Nowadays, an enterprise has multiple options to identify vulnerabilities and assess its attack surface, whether for point-in-time or continuous visibility. Which option fits depends on the scenario: pure-play vulnerability assessment tools, automated or manual penetration testing, red teaming assessments, or even automated breach and attack simulations. But, at the end of the day, while the approaches differ, the end goal remains the same: to detect open vulnerabilities, misconfigurations, or risky users, and eliminate such risks quickly.
The actual uphill battle begins after running such assessments, as the approaches mentioned above produce a huge list of vulnerabilities/misconfigurations distributed across different track teams/asset owners. What happens after this remains a cause of concern from a security perspective, as it leaves some critical questions unanswered. For instance, did we remediate all vulnerabilities, or take the exception management route for some? Was anything left unpatched? Did our risk score improve over time?
Vulnerability management caters to such scenarios by identifying and distributing vulnerabilities and orchestrating the end-to-end vulnerability management life cycle. Although the reliance on technology seems pretty heavy to begin with, a successful VM program implementation depends on the people involved and their associated processes.
What does an ideal VM program look like?
We must understand a couple of things first. While any two VM programs could share certain characteristics, they can never be entirely the same. The one-size-fits-all approach does not scale. It is not a sprint but a combination of a marathon and a relay that has to be run together by multiple stakeholders across an enterprise, and its success depends on the individual contributors.
Here is a conceptual model that depicts the individual building blocks of a successful VM program. Of course, there could be additions or reductions to this, depending on any particular scenario.
Figure 1: The Vulnerability Office
- The first and the most important aspect of this conceptual model is the Vulnerability Management Office, which forms the foundation of the program. It engages with key stakeholders across IT and relevant business areas, delivers oversight of the entire program, and manages critical issues while providing strategic-level governance throughout the vulnerability management life cycle.
- The Vulnerability Management Office helps abolish a siloed approach and bridges the entire spectrum of vulnerability assessments across infrastructure, cloud, apps, etc. This should allow for a tightly interlocked and centralized service delivery mechanism with enhanced visibility and added context for end users.
- Adding a risk or threat context to the detected vulnerabilities enables effective vulnerability prioritization and allows focus on important matters.
- While strategic governance is important to define the overall program’s success, it is equally important to bake in continuous operational governance that enables proactive remediation tracking, patching guidance, and much more, provided by security experts.
- While the actual patching and remediation process ideally does not fall under the purview of the security business unit (BU), it is a critical component in maintaining continuity of the VM program. This should involve integrations with patch prioritization and patching automation technologies to reach closure quickly.
- The last layer involves critical program or project-specific activities that help streamline the entire program and avoid any roadblocks along the way.
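As an added illustration of the risk-context prioritization and life-cycle tracking described above (not code from the original post), the script below scores constructed findings by asset criticality and exploit activity, queues them per asset owner, and answers the questions of what was remediated, what went through exception management, what is still open, and whether the residual risk score improved. The asset inventory, owner names and CVE ids are hypothetical placeholders.

```python
from collections import defaultdict
# Hypothetical asset inventory: business criticality 1-5 and the owning track team.
ASSET_CONTEXT = {
    "web-01": {"criticality": 5, "owner": "apps"},
    "db-01": {"criticality": 4, "owner": "infra"},
    "lab-07": {"criticality": 1, "owner": "infra"},
}
# Placeholder CVE ids treated as actively exploited; a real program would pull a threat feed.
KNOWN_EXPLOITED = {"CVE-0000-0001"}

def priority_score(finding):
    """Risk-contextualised score: CVSS weighted by asset criticality and exploit activity."""
    ctx = ASSET_CONTEXT[finding["asset"]]
    exploited = 2.0 if finding["cve"] in KNOWN_EXPLOITED else 1.0
    return round(finding["cvss"] * ctx["criticality"] * exploited, 1)

def distribute(findings):
    """Queue open findings per asset owner, highest contextual priority first."""
    queues = defaultdict(list)
    for f in sorted(findings, key=priority_score, reverse=True):
        if f["status"] == "open":
            queues[ASSET_CONTEXT[f["asset"]]["owner"]].append(f["cve"])
    return dict(queues)

def residual_risk(findings):
    """Sum of priority scores for findings neither remediated nor accepted by exception."""
    return sum(priority_score(f) for f in findings if f["status"] == "open")

def lifecycle_report(before, after):
    """Answer the governance questions across two scan cycles of the same findings."""
    return {
        "remediated": sum(f["status"] == "remediated" for f in after),
        "exceptions": sum(f["status"] == "exception" for f in after),
        "still_open": sum(f["status"] == "open" for f in after),
        "risk_before": residual_risk(before),
        "risk_after": residual_risk(after),
        "risk_improved": residual_risk(after) < residual_risk(before),
    }

# Constructed findings: one scan cycle, then the same items after a patch cycle.
CYCLE_1 = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 7.5, "status": "open"},
    {"asset": "db-01", "cve": "CVE-0000-0002", "cvss": 9.8, "status": "open"},
    {"asset": "lab-07", "cve": "CVE-0000-0003", "cvss": 9.1, "status": "open"},
]
CYCLE_2 = [{**CYCLE_1[0], "status": "remediated"}, {**CYCLE_1[1], "status": "open"},
           {**CYCLE_1[2], "status": "exception"}]  # lab box: risk accepted via exception route

if __name__ == "__main__":
    print(distribute(CYCLE_1), lifecycle_report(CYCLE_1, CYCLE_2))
```

Note that by raw CVSS alone the lab host (9.1) would outrank the exploited web server (7.5); the asset and threat context reverses that order, which is the point of adding context before distributing work to owners.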
The need of the hour for any enterprise is to move beyond the traditional approaches of vulnerability assessment and adopt a sustainable vulnerability management program. This will enable it to achieve a more consistent, effective, and successful reduction of vulnerabilities throughout the environment.