Vulnerability Management Framework

What is a vulnerability management framework?

A vulnerability management framework provides a set of guidelines and best practices to help you quickly identify and patch security flaws and improve your cybersecurity posture. It facilitates the process of discovering, assessing, prioritizing and remediating software vulnerabilities.

To understand the need for a vulnerability management framework, let’s start with the basics. What really is a framework?

In general, a framework is defined as, “an essential supporting structure of a building, vehicle, or object”. Take buildings for instance. Before a building is constructed, the architects first design the structure. Having an architectural design makes the process of constructing the building efficient. Tasks such as laying the foundation, putting up the walls, and installing wiring and plumbing are easier to do.

Similarly, a vulnerability management framework makes it easier for you to run a repeatable and efficient vulnerability management program.

Why is it important to have a vulnerability management framework?

Having a vulnerability management framework has become increasingly important due to the rapid growth of newly detected vulnerabilities. For example, the National Vulnerability Database (NVD), the U.S. government repository of standards based vulnerability management data, reveals some startling statistics. The NVD currently includes more than 195,000 Common Vulnerabilities and Exposures (CVEs). In 2022 alone, a staggering 21,000-plus new CVEs were identified by NVD.

What does this mean in the context of your organization? Hypothetically, say your environment includes 10,000 assets, and on an average each asset has 50 unaddressed vulnerabilities. This translates to 5,00,000 vulnerabilities that potentially need to be patched. A framework gives your team a structure to manage this large task.

Getting vulnerability management right has more than just operational implications. As CSO Online states,

“Security-smart organizations have gone well beyond thinking just in terms of assessing and addressing vulnerability—now vulnerability management is a cornerstone of their corporate security, risk, and compliance programs.”

While vulnerability management isn’t a new concept for many companies, it’s become clear that legacy vulnerability tools configured to perform periodic scans are no longer enough to defend against their expanding attack surface. Instead of periodic scans, you should discover and remediate your security gaps in near real time. With a vulnerability management framework, you can establish a system that continuously prioritizes vulnerabilities and ensures that those vulnerabilities are mitigated swiftly and efficiently.

What are the components of a vulnerability management framework?

The NIST Cybersecurity Framework, provides a good structure for mapping out a vulnerability management framework.

The NIST Cybersecurity Framework consists of standards, guidelines and best practices to manage cybersecurity risk. This framework has become quite popular in recent years, and has been downloaded more than a million times. A myriad of enterprises now leverage it to manage their cybersecurity posture.

The framework categorizes all cybersecurity capabilities, projects, processes, daily activities into five core phases: identify, protect, detect, respond and recover. And while the NIST framework has broader applicability, let’s look at how you can leverage the core elements of the NIST framework for vulnerability management.

1. Identify

The goal of the Identify phase is to build the foundation for a strong cybersecurity program. In terms of vulnerability management, it answers the question, ‘What assets need protection?’.

With respect to vulnerability management, the Identify phase could entail the following actions:

• Establish asset discovery mechanisms: You can’t protect what you don’t know. Deploy the necessary tooling and processes to gain comprehensive visibility into your organization’s assets, including on-prem assets, cloud assets and the software bill of materials for software running on both.
• Discover assets in real-time: Ideally, asset discovery should be automated so you have a near-real time picture of your assets.
• Determine asset criticality: Adding business and security context to your assets should help you to prioritize their criticality to your business. It is important to use as much data as possible to inform your analysis. Unfortunately, most organizations determine the business criticality of their assets using a subjective approach. They end up making cybersecurity decisions based on intuition and not on data, which leads to poor results.

2. Protect

The Protect phase entails restricting or containing the impact of a potential cybersecurity event and involves the deployment of suitable protections to ensure delivery of critical infrastructure services. In terms of vulnerability management, it answers the question, ‘Have you implemented appropriate safeguards to ensure the protection of your organization’s assets?’.

With respect to vulnerability management, the Protect phase could entail the following actions:

• Implement security controls: Follow best practices and take advantage of security systems and tools, such as, but not limited to:
  • Proactive security: anti-malware protection, anti-virus, email security, endpoint protection, endpoint security, ransomware protection, URL filtering and more.
  • Preventative security: backup, training and encryption
  • Security management systems: data loss prevention (DLP), identity access management (IAM), multi-factor authentication (MFA), patch management tools and security information and event management (SIEM)
• Deploy vulnerability management software: Vulnerability management software will help you with the subsequent phases in this framework: detect, respond and recover. There are significant advantages to using a tool that allows you to automate vulnerability management.

3. Detect:

Detecting potential cybersecurity incidents is critical. The Detect phase defines the activities that are undertaken to identify the occurrence of a cybersecurity event in a timely manner. In terms of vulnerability management, it answers the question, ‘Have you implemented appropriate mechanisms to identify security vulnerabilities?’.

With respect to vulnerability management, the Detect phase could entail the following actions:

• Detect vulnerabilities: After mapping your attack surface, you should institute tooling and processes to identify security weaknesses and flaws in systems and in the software running on them. Identifying vulnerabilities is an integral component of a vulnerability management program.
• Prioritize vulnerabilities: With every organization having hundreds or thousands of vulnerabilities, it’s important that you effectively prioritize vulnerabilities for remediation. Doing so will ensure your security team isn’t racing to address issues that pose little or no real risk to your business-critical assets.
• Quantify risks: Invest in tooling that allows you to quantify cyber risk in monetary terms. Calculating cyber risk in monetary terms provides a common language that you and your leadership can use to prioritize projects and spending and to track the effectiveness of your overall cybersecurity program.
• Monitor continuously: Implement continuous monitoring capabilities to identify newly discovered software vulnerabilities and to discover new assets and other changes to your environment.

4. Respond

The Respond phase focuses on the actions you need to take once you detect a cybersecurity vulnerability. This phase answers the question: ‘Have you deployed the processes and tools needed to contain the impact of the vulnerability?’

When it comes to vulnerability management, the Respond phase could include the following actions:

• Clarify ownership: Clearly establishing who is responsible for remediating each vulnerability is crucial. Ownership clarity ensures accountability and it drives response.
• Establish reporting and gamification: Reports provide all stakeholders with the status of detected vulnerabilities. Creating reports by risk owner allows you to compare, and even gamify, their respective progress. You can use leaderboards, alerts and reminders to drive risk owners to do their part in vulnerability and risk management.
• Communicate status periodically: You can keep stakeholders informed of the remediation queue in a timely manner. Another aspect of status communication is that you can generate board-ready reports to show risk reduction progress and the value that your security program is driving for the business.
• Implement a risk acceptance strategy: It is generally not feasible to immediately remediate all identified vulnerabilities. For example, there may be instances where fixing a vulnerability would require taking a business-critical asset offline. You should implement a risk acceptance strategy  informed by your risk tolerance and business needs.
• Develop remediation strategies for “peacetime” vs “war time”: In peace-time, security teams are focused on burning down high volumes of important vulnerabilities and closing security gaps quickly and efficiently. In war-time, a new critical vulnerability that is actively being exploited has been identified. Attention turns to urgently identifying and deploying patches or quick mitigations to fix these critical vulnerabilities before attackers can cause serious damage to the organization.

5. Recover

The final phase of the NIST cybersecurity framework is the Recover phase. The Recover phase involves renewing and maintaining plans for resilience and restoring any capabilities or services that were impaired due to a cybersecurity incident. In terms of vulnerability management, this phase answers the question, ‘Have you implemented appropriate processes and tooling to better detect and remediate future vulnerabilities?’

When it comes to vulnerability management, the Recover phase could include the following actions:

• Deploy advanced search capabilities: One of the preemptive steps in vulnerability management recovery is to have in place the capability to search for affected assets. During the Detect phase, you should be able to quickly and accurately identify all affected assets. Similarly, during the Recover phase, you should be able to verify that vulnerability instances have been responded to. In some cases, that search capability may mean being able to search through the software bill of materials (SBOM), for example, searching for Log4j instances. Searching for Log4j is complex as it can exist as a library resource, a JAR file or embedded in a custom application.
• Expand coverage to unmanaged areas of your attack surface: Organizations’ attack surfaces are exploding, a phenomenon that is accelerating due to the increasing use of cloud infrastructure. During the recovery phase you may need to improve your visibility across traditional assets (desktops, laptops and mobile devices) and newer types of assets (cloud assets, IoT/OT devices, etc.) that aren’t currently covered by your tools. A CAASM solution can fill in this gap and provide an accurate, near real-time view of your organization’s assets.
• Capture lessons learned: You should update processes to include the lessons learned from breach incidents and evolve your existing cybersecurity strategies.