December of 2021 was a terrible time in the cybersecurity world. A security vulnerability was discovered in a software component widely used by thousands of large companies and government departments. The media termed it “the nightmare before Christmas,” and security experts called it the most serious flaw they’ve ever seen.
How can you protect your organization from such a nightmare? In this guide, you’ll learn about security vulnerabilities, the vulnerability management lifecycle process to manage them systematically, and practical details for each stage in that process.
What Is a Security Vulnerability?
A vulnerability is a security weakness in one of your information technology (IT) assets that hackers can exploit. It may result in a denial of service or another kind of cyberattack, injection of malware into your assets, a data breach that steals your valuable business data, or a ransomware attack.
Vulnerability management is the process of systematically and continuously detecting these security weaknesses in your assets, and a vulnerability management program is the organized effort that runs that process. We’ll explore how it works next.
The Vulnerability Management Lifecycle
New customers or new projects require the addition of assets, and new assets bring new vulnerabilities. Additionally, security researchers around the world are continually discovering security weaknesses in popular software and hardware.
So, by necessity, the vulnerability management process is a continuous cycle of detection, remediation, and verification. This continuous process is called the vulnerability management lifecycle. It consists of six stages that we explain in detail below.
Stage 1: Asset Discovery
You need to know all the IT assets that affect your business’ cybersecurity before you can scan them for vulnerabilities. An inventory of all your security-relevant assets is created in this stage. The goal is to understand the state of your IT security and your attack surface, i.e., all potential targets of cyberattacks.
Examples of Assets
Some assets are physical and some are virtual; some are managed individually, while others are managed in groups. Let’s explore some critical assets that should be part of your vulnerability management lifecycle plan.
1. Compute Infrastructure
Compute infrastructure refers to the physical and virtual assets that provide the resources to run any software. It includes web servers, hypervisors, virtual machines, containers, operating systems, and server software.
2. Network Infrastructure
Network infrastructure provides local and wide area networking for your business. It includes hardware — like network routers and wireless access points — and software like virtual private networks, firewalls, and proxy servers.
It also includes less visible but still vulnerable components like your accounts with domain registrars, domain name system entries, and website security certificates.
3. Web and Software-as-a-Service (SaaS) Applications
All of your web applications, SaaS subscriptions, and their data are assets. Public-facing and customer-facing applications get special attention, as they encounter more threats than internal applications. SaaS applications and cloud services often provide inspection application programming interfaces (APIs) to report your assets stored with them.
4. Databases and Data
Each database server and each database it hosts are assets. Sometimes, some of your most important assets can be found within one of these databases. For example, a particular database table containing customer details may be the most valuable data asset in your business. In a table holding data from multiple vendors (multi-tenant data), rows associated with a particularly valuable vendor can be treated as a separate asset.
5. Other Assets
Additional security-relevant assets include endpoint devices — like employee workstations, laptops, and smartphones — and hardware security keys.
Methods of Discovery
A major challenge in asset discovery is that your collection of assets is very dynamic. It grows and shrinks all the time. That’s one reason it’s called a vulnerability management lifecycle and not a one-time process.
How do you detect new, modified, or missing assets that are relevant to security? You do this by using your IT inventory as a baseline and detecting changes in it using the following tools and techniques:
- Agents: Agents are software components that are deployed on assets to report local assets like installed software packages, active network services, or running applications.
- Agentless: Agentless discovery detects assets without deploying agents, using remote network access, remote database access, SaaS APIs, or the Simple Network Management Protocol (SNMP).
- Network traffic monitoring: Network traffic is centrally monitored to detect network services and API endpoints, but it can only find those assets that use the network.
- Manual inventory: Each department within your company can manually refine the inventory list occasionally to include less tangible assets. For example, a process document may be the most valuable asset of a particular department. Ideally, all manually added assets are added to the next cycle’s automated discovery.
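The baseline-and-change-detection step above, as an added example that is not code from the article or from ThreatKey: it compares a previous cycle’s inventory with what the current discovery run found and reports new, missing, and changed assets. The record layout (hostname, IP, open services, owner) and all sample data are constructed.

```python
"""Baseline-vs-discovery diff for an asset inventory (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    services: frozenset  # (port, protocol) pairs, e.g. (443, "tcp")
    owner: str = "unassigned"


def normalize(asset: Asset) -> Asset:
    # Hostnames are case-insensitive; treating "Web-01" and "web-01" as
    # different assets would report a phantom new asset every cycle.
    return Asset(asset.hostname.lower(), asset.ip, frozenset(asset.services), asset.owner)


def diff_inventory(baseline, discovered):
    base = {a.hostname: a for a in map(normalize, baseline)}
    seen = {a.hostname: a for a in map(normalize, discovered)}
    report = {"new": [], "missing": [], "changed": []}
    report["new"] = sorted(seen.keys() - base.keys())        # not in last cycle's inventory
    report["missing"] = sorted(base.keys() - seen.keys())    # known asset that no longer answers
    for name in sorted(base.keys() & seen.keys()):
        old, new = base[name], seen[name]
        opened = sorted(new.services - old.services)         # newly exposed network services
        closed = sorted(old.services - new.services)
        if opened or closed or old.ip != new.ip:
            report["changed"].append({"host": name, "opened": opened, "closed": closed,
                                      "ip_changed": old.ip != new.ip})
    return report


# Constructed sample data: last cycle's baseline and this cycle's discovery output.
BASELINE = [
    Asset("web-01", "10.0.1.10", frozenset({(443, "tcp")}), "webteam"),
    Asset("db-01", "10.0.2.20", frozenset({(5432, "tcp")}), "dba"),
    Asset("legacy-ftp", "10.0.3.30", frozenset({(21, "tcp")}), "ops"),
]
DISCOVERED = [
    Asset("Web-01", "10.0.1.10", frozenset({(443, "tcp"), (22, "tcp")})),
    Asset("db-01", "10.0.2.20", frozenset({(5432, "tcp")})),
    Asset("jenkins-ci", "10.0.4.40", frozenset({(8080, "tcp")})),
]

if __name__ == "__main__":
    for key, items in diff_inventory(BASELINE, DISCOVERED).items():
        print(key, items)
```

A "missing" asset deserves a second look as much as a "new" one: it may have been decommissioned, or a discovery credential may have been revoked (see the challenges below).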
Security Challenges During Discovery
Asset discovery can run into the following challenges:
- Revoked or changed credentials: Most assets require some credentials (passwords or security keys) to allow access. Revoked credentials or changed access permissions can stop asset discovery tools from running. Avoid this by having every service authenticate against a common identity and access management service.
- Risk of compromising assets during the discovery process: Given its high levels of access to all your assets, the asset discovery process itself can become a target of cyberattacks. The SolarWinds attack of 2020 compromised a widely used network management product and used its trusted update channel to push a backdoor into its customers’ networks.
Stage 2: Asset Prioritization
Not all assets warrant high levels of protection. An internal application (an application that’s only used by your employees over a secure internal network) may not require as much attention as a customer-facing application. In this stage, you prioritize your assets, given your constraints on budget, time, and resources.
The goal is to identify assets that are critical to your business operations through these steps:
- Evaluate your business operations: Use business metrics like monthly recurring revenue and customer transaction volume to estimate the costs of reputation damage and legal liabilities in the event of a cyberattack. A cyber risk management framework can help guide you.
- Identify critical assets: Critical assets keep your critical business operations up and running.
- Assign a business value to each critical asset: Determine the metrics and costs of all of your assets to help you judge the criticality of each.
In this way, you can prioritize assets from a security perspective.
Stage 3: Vulnerability Assessment
Vulnerability assessment is the most important stage in the vulnerability management lifecycle. Vulnerability scanners are used to detect weaknesses and build a risk profile for each asset.
Vulnerability Scanning Tools
A wide variety of vulnerability scanners exist, covering every asset class. The depth and precision of scanning vary based on an asset’s priority. High-criticality assets are subjected to multiple scanners to squeeze out every last vulnerability, however minor.
Examples of scanners include:
- Operating system scanners: They detect vulnerabilities that can stem from file system permissions, operating system settings, and system services.
- Database scanners: They focus on authentication, access, permissions, structured query language (SQL) injection (an attack in which untrusted input is interpreted as part of a database query), and other vulnerabilities known to exist in database software and services.
- Web application scanners: Web applications are prone to a large number of vulnerabilities like unvalidated request inputs, cross-site request forgery, cross-site scripting, and many more. Given a website and access credentials, these scanners visit every page of your web applications looking for such vulnerabilities.
- SaaS scanners: These scanners look for misconfigurations, inadequate access control, and feature-specific vulnerabilities in your SaaS and cloud subscriptions. Since every SaaS has unique features and concepts, each has its specialized scanner with specific rules.
- General scanners: Software like Metasploit Framework and Burp Suite provides a variety of predefined scanning modules and custom scripts for every asset class.
- Custom scanners: In addition to all the above, most security teams write custom scripts to scan their internal applications and networks.
New vulnerabilities, and new techniques to exploit them, are discovered all the time. How do these scanning tools keep up? That happens thanks to global vulnerability databases like the Common Vulnerabilities and Exposures (CVE) catalog. Security researchers use CVE to share new vulnerabilities, exploitation techniques, and cybersecurity threats they discover. Scanning tools are then updated quickly to cover the new finds.
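To show how a scanner turns CVE-style “affected version range” data into findings, here is an added example that is not code from the article or from any real scanner. The vulnerability feed, the asset’s package list, and the ids (VULN-EXAMPLE-*) are all constructed placeholders; the version ordering is a simplification of what real package ecosystems use.

```python
"""Match an asset's installed packages against a vulnerability feed (constructed example)."""
import re


def parse_version(text):
    # "2.14.1" -> (2, 14, 1). Pre-release suffixes such as "-rc1" are dropped,
    # so "2.15.0-rc1" compares as 2.15.0. Assumption: a real scanner would apply
    # the package ecosystem's own ordering rules instead.
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def is_affected(version, entry):
    # Half-open range [introduced, fixed): the fixed version itself is safe.
    # A missing "fixed" value means no fix has been published yet.
    v = parse_version(version)
    lo = parse_version(entry["introduced"])
    hi = parse_version(entry["fixed"]) if entry.get("fixed") else None
    return v >= lo and (hi is None or v < hi)


def scan(asset, feed):
    findings = []
    for pkg, version in asset["packages"].items():
        for entry in feed:
            if entry["package"] == pkg and is_affected(version, entry):
                findings.append({"asset": asset["hostname"], "package": pkg, "version": version,
                                 "id": entry["id"], "severity": entry["severity"]})
    # Highest severity first, which is the order a remediation plan wants.
    return sorted(findings, key=lambda f: -f["severity"])


# Constructed feed; ids are placeholders, not real CVE numbers.
FEED = [
    {"id": "VULN-EXAMPLE-0001", "package": "log-library", "introduced": "2.0.0", "fixed": "2.15.0", "severity": 10.0},
    {"id": "VULN-EXAMPLE-0002", "package": "log-library", "introduced": "2.0.0", "fixed": "2.16.0", "severity": 9.0},
    {"id": "VULN-EXAMPLE-0003", "package": "http-server", "introduced": "1.4.0", "fixed": None, "severity": 5.3},
]
# Constructed asset: one package patched against the first entry but not the second.
ASSET = {"hostname": "web-01", "packages": {"log-library": "2.15.0", "http-server": "1.4.2", "tls-lib": "3.0.1"}}

if __name__ == "__main__":
    for finding in scan(ASSET, FEED):
        print(finding)
```

The point the sample data makes: a package can be patched against one entry and still be exposed by a follow-up entry for the same component, so matching must be re-run every time the feed changes, not only when the asset does.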
Validation of detected vulnerabilities — especially in your highest-priority assets — is necessary to gauge the effectiveness of your process and see if some scanners are reporting useless false positives. Use penetration testing tools and teams for this validation. During a penetration test, a tool or a team of security experts tries to deliberately exploit vulnerabilities to test your defenses.
Stage 4: Reporting
The results of the assessment stage have to reach multiple stakeholders:
- Executives and management: They receive executive summaries of the overall security state of your assets to plan business, organizational, and legal solutions for any discovered security problems.
- Risk and compliance teams: They receive risk profiles of critical assets to help comply with standards like the Payment Card Industry Data Security Standard (PCI DSS) and guidelines like the National Institute of Standards and Technology (NIST) cybersecurity framework.
- Security teams: They receive the technical details of all vulnerabilities so they can design security plans for all assets.
- Operations and engineering teams: They, too, receive the technical details so they can implement software and configuration changes on assets.
Read our article on security assessments for details on assessment reports.
Stage 5: Remediation
In this stage of the vulnerability management lifecycle, security teams and other stakeholders manage any detected vulnerabilities and their risks based on security priorities. Three approaches are available for each vulnerability:
- Remediation: Remediation involves closing the vulnerability properly to ensure no attacker or insider can exploit it. It may involve patching software or even re-architecting entire systems. Since remediation requires more resources and time, it’s used for the highest-priority assets.
- Mitigation: Mitigation involves reducing the risks of a vulnerability without closing it completely, possibly due to high costs. For example, it may prevent exploitation by the riskiest threat but ignore less risky ones.
- Acceptance: Sometimes a vulnerability is too low-risk to address. These can be ignored for now and addressed in a later cycle if needed.
A remediation plan is prepared based on the reports from the previous stage. Security operations teams track and update its progress on dashboards so that all stakeholders can see the real-time status of the remediation.
Stage 6: Verification
The outcomes of the remediation stage are verified using follow-up audits. Scanners are rerun and validation through penetration tests is conducted. By the end of this last stage, you can be assured that all known vulnerabilities in all critical assets of your business are addressed and your overall cybersecurity is improved — until the start of your next vulnerability management lifecycle.
ThreatKey for SaaS Vulnerability Management
You’ve seen how the vulnerability management lifecycle helps you systematically discover weaknesses and reduce your risks from cyber threats.
ThreatKey uses a novel system-of-record technology, coupled with API-based agentless scanning and log ingestion, to ensure full discovery of your assets on popular SaaS applications like Google Workspace, Microsoft 365, Box, Slack, GitHub, and Okta.
Our service continuously monitors your assets’ configurations and logs for robust vulnerability management and to remedy detected vulnerabilities automatically. Try ThreatKey for free.