In today’s digital world filled with proliferating devices and escalating cyber risks, organizations across the globe are searching for the best way to manage threats and vulnerabilities. Just scanning and patching software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.
Regardless of which vulnerability management steps the enterprise puts in place, the overall objective is to achieve some degree of cyber-resilience by understanding the company’s security posture, identifying vulnerabilities, prioritizing actions, and setting to work mitigating those threats that pose the most serious risks to the organization.
Working toward cyber-resilience
As the newest emerging vulnerability management goal, cyber-resilience refers to an entity’s ability to use vulnerability assessment and vulnerability management to continuously deliver intended outcomes despite an ever-present wave of adverse cyber events.
Risk-based vulnerability management programs are aimed at addressing the security weaknesses that are inherent in software, devices, and IT infrastructure. These are the kinds of vulnerabilities that create opportunities for cyber-criminals and other adversaries to exploit weaknesses, and they may result in unauthorized access to a system or network, access to or theft of confidential data, or damage to valuable digital assets. Exploited vulnerabilities and breaches inevitably lead to regulatory problems, financial losses, and reputational impacts to the business.
Key risk-based vulnerability management strategies
If vulnerability management is aimed at detecting, removing, and controlling the inherent risk of vulnerabilities to an organization, then vulnerabilities in need of fixing must be prioritized based on which ones pose the most immediate risk. These can stem from unpatched operating systems, programs and apps running old software versions, or siloed applications plugged into a modern network. They can also include users who bring infected devices into the network or share sensitive data inappropriately.
4 basic risk-based vulnerability management building blocks
- Visibility into everything (all assets) on the network or in the environment – managed and unmanaged (BYOD) devices, apps, users, and data.
- Scanning and monitoring across a broad range of attack vectors for each asset.
- Prioritizing results based on context – for each asset, this means knowing how critical it is to your business (the value of the asset); how vulnerable it is (the severity of the vulnerability); any existing security controls already in place; and any ongoing global threats.
- Guidance on the best approach as you work to mitigate identified vulnerabilities.
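The third building block above (prioritizing by context) is where most of the decision-making happens, so here is an added worked example of that scoring step. It is not code from the original article or from any vendor product; the weights, the 1-to-5 criticality scale, the control names, the VULN-xxxx identifiers and the inventory are all constructed assumptions. It combines the four factors the list names (asset value, severity, existing controls, active threat) and also covers the case the first building block warns about: a finding on an asset that is not in the inventory at all.

```python
"""Context-aware vulnerability prioritization (constructed example).

Combines the four context factors named in the text: asset value,
vulnerability severity, existing security controls, and active threat.
Weights and sample data are illustrative assumptions, not a standard.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                               # 1 (low) .. 5 (business-critical); constructed scale
    controls: set = field(default_factory=set)     # compensating controls already in place


@dataclass
class Finding:
    asset: str
    vuln_id: str                 # placeholder ids, not real CVE numbers
    cvss: float                  # base severity, 0.0 .. 10.0
    attack_vector: str           # "network" or "local"
    exploited_in_wild: bool      # from a threat-intelligence feed (assumed)


# Constructed inventory. "shadow-host" is deliberately absent from it to show
# how an unmanaged asset is handled.
ASSETS = {
    "payments-db": Asset("payments-db", 5, {"network_segmentation"}),
    "hr-laptop": Asset("hr-laptop", 2, {"edr"}),
    "dev-sandbox": Asset("dev-sandbox", 1),
}

FINDINGS = [
    Finding("payments-db", "VULN-0001", 9.8, "network", False),
    Finding("hr-laptop", "VULN-0002", 7.5, "network", True),
    Finding("dev-sandbox", "VULN-0003", 10.0, "network", True),
    Finding("payments-db", "VULN-0004", 6.5, "local", True),
    Finding("shadow-host", "VULN-0005", 5.0, "network", False),
]

# Conservative default for assets nobody has inventoried: assume critical and
# assume no controls, so the finding surfaces until the asset is classified.
UNKNOWN_ASSET = Asset("<unknown>", 5)


def risk_score(finding: Finding, asset: Asset) -> float:
    """Severity scaled by asset value, raised for active exploitation,
    lowered only by controls that actually cover the finding's vector."""
    score = finding.cvss * (asset.criticality / 5)       # value of the asset
    if finding.exploited_in_wild:                        # ongoing global threat
        score *= 1.5
    if finding.attack_vector == "network" and "network_segmentation" in asset.controls:
        score *= 0.5                                     # segmentation covers network-reachable bugs
    if "edr" in asset.controls:
        score *= 0.8                                     # partial mitigation on the host
    return round(score, 2)


def prioritize(findings, assets):
    """Rank findings by contextual risk, highest first.
    Each row is (score, vuln_id, asset name, note)."""
    ranked = []
    for f in findings:
        asset = assets.get(f.asset)
        note = ""
        if asset is None:
            asset = UNKNOWN_ASSET
            note = "asset not in inventory: classify it, then re-score"
        ranked.append((risk_score(f, asset), f.vuln_id, f.asset, note))
    ranked.sort(key=lambda row: row[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, vuln, asset, note in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.2f}  {vuln}  {asset:12s}  {note}")
```

Running it shows why raw severity is a poor sort key: the only 10.0 finding (on a low-value sandbox) lands at the bottom, a medium-severity but actively exploited bug on the payments database lands at the top, and the finding on the uninventoried host ranks second until someone classifies that asset.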
Food for thought …
As IBM CEO Ginni Rometty recently declared, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber-crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
Vulnerability management best practices
Scanning the network for vulnerabilities or deploying multiple tools against the “threat of the week” as a one-size-fits-all approach no longer aligns with reality. Mobile and IoT devices often operate under the radar for such security tools, as do public cloud resources, software-as-a-service applications, and industrial control systems.
So what approach makes the most sense, and how do you maintain accurate, real-time visibility across your dynamic attack surface?
- You can’t secure what you can’t see. Network visibility is critical to removing security blind spots, and this means being able to “see” all endpoints and traffic that traverse the company network, even extending into the public cloud.
- With everything digital and cybersecurity threats so widespread, it’s crucial for organizations to have full visibility into all of their digital assets and to understand the risks associated with them.
- Vulnerability management needs to be a proactive (not a reactive) program that covers the entire ecosystem, securing an organization’s network, data, devices, and users.
- Vulnerability management needs to continually scan, monitor, and evolve across a broad range of attack vectors.
- Vulnerability management needs to help you understand and prioritize the risks to every network, device, user, and asset, so that you can focus your efforts on the most important things.
In short, the best vulnerability management programs are designed to defend and protect the entire ecosystem, remaining continuously vigilant, proactive, and resilient as the threat landscape evolves over time.