According to NIST, vulnerability management is a security practice that is designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and the exploitation of those vulnerabilities.
Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in operating systems (OS), enterprise applications, browsers, and end-user applications.
It is an ongoing, regular process of identifying, assessing, managing and remediating cyber vulnerabilities through patching and configuration of security settings.
Typically, a security team will leverage a vulnerability management tool to detect vulnerabilities and utilize different processes to patch or remediate them.
Strong vulnerability management uses threat intelligence and knowledge of IT and business operations to prioritize risks and address vulnerabilities quickly.
The vulnerability management process
The vulnerability management process is a defined, repeatable process that gives organizations a way to identify and address vulnerabilities quickly and continually. Six steps make up the process.
Discover: Take an inventory of all assets across the network environment, recording details such as operating system, open services, applications, and configurations in order to identify vulnerabilities. This usually includes both a network scan and an authenticated, agent-based system scan. Discovery should be performed regularly on an automated schedule.
Prioritize Assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to the business operations of the organization.
Assess: Determine a baseline risk profile, so that risks can be ranked and eliminated based on asset criticality, vulnerability severity, known threats, and asset classification. Repeated assessments provide an ongoing baseline over time.
Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity and describe known vulnerabilities.
Remediate: Prioritize risk according to business risk and address vulnerabilities in order of risk. Controls should be in place so that remediation is completed successfully and progress can be documented.
Verify: Validation of remediation is accomplished through additional scans and/or IT audit.
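The six steps above can be seen end to end in a small model of the cycle. The following is an added example, not part of the original article or of any NIST document: the asset inventory, the vulnerability identifiers (VULN-001 and so on are placeholders, not real CVEs), the CVSS values and the "actively exploited" threat-intelligence flags are all constructed, and the risk formula (severity times asset criticality, doubled when exploitation is observed) is a hypothetical weighting chosen to illustrate how business value and threat intelligence change the remediation order.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    group: str        # business unit used to group assets ("Prioritize assets")
    criticality: int  # 1 (low) .. 5 (mission critical), assigned by the business


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # placeholder identifier, not a real CVE
    cvss: float        # base severity reported by the scanner (constructed)
    exploited: bool    # threat-intelligence flag: active exploitation observed
    remediated: bool = False


# Discover: a constructed inventory standing in for network/agent scan output
ASSETS = {
    "db-prod-01": Asset("db-prod-01", "finance", 5),
    "web-01": Asset("web-01", "ecommerce", 4),
    "kiosk-07": Asset("kiosk-07", "facilities", 1),
}

# Constructed scanner findings against those assets
FINDINGS = [
    Finding("db-prod-01", "VULN-001", 7.5, False),
    Finding("kiosk-07", "VULN-002", 9.8, True),
    Finding("web-01", "VULN-003", 6.1, True),
    Finding("db-prod-01", "VULN-004", 4.3, False),
]


def risk_score(asset: Asset, finding: Finding) -> float:
    """Assess: business risk = severity x asset criticality, doubled when threat
    intelligence reports active exploitation (hypothetical weighting)."""
    score = finding.cvss * asset.criticality
    if finding.exploited:
        score *= 2
    return round(score, 1)


def prioritize(assets: dict, findings: list) -> list:
    """Remediate, part 1: order open findings by business risk, highest first.
    Note that the highest CVSS (VULN-002 on a low-value kiosk) is not first."""
    open_findings = [f for f in findings if not f.remediated]
    return sorted(open_findings,
                  key=lambda f: risk_score(assets[f.asset], f), reverse=True)


def report(assets: dict, findings: list) -> dict:
    """Report: total open risk per business unit, for tracking over time."""
    totals: dict = {}
    for f in findings:
        if f.remediated:
            continue
        a = assets[f.asset]
        totals[a.group] = round(totals.get(a.group, 0.0) + risk_score(a, f), 1)
    return totals


def remediate(findings: list, fixed_ids: set) -> list:
    """Remediate, part 2: record which findings the team reports as fixed."""
    return [replace(f, remediated=True) if f.vuln_id in fixed_ids else f
            for f in findings]


def verify(findings: list, rescan: list) -> list:
    """Verify: a finding marked remediated that a rescan still reports is a
    failed fix and must be reopened. `rescan` is a list of (asset, vuln_id)."""
    still_present = set(rescan)
    return [f.vuln_id for f in findings
            if f.remediated and (f.asset, f.vuln_id) in still_present]


if __name__ == "__main__":
    for f in prioritize(ASSETS, FINDINGS):
        print(f.vuln_id, f.asset, risk_score(ASSETS[f.asset], f))
    print("open risk by unit:", report(ASSETS, FINDINGS))
    after = remediate(FINDINGS, {"VULN-003", "VULN-001"})
    # Constructed rescan output: VULN-001 is still present, so its fix failed
    print("failed fixes:", verify(after, [("db-prod-01", "VULN-001"),
                                          ("kiosk-07", "VULN-002")]))
```

The point of the example is the ordering: the kiosk's 9.8 CVSS finding lands last because the asset has little business value, while a medium-severity, actively exploited flaw on a revenue-critical web server lands first. The verify step closes the loop by comparing what the team claims to have fixed against what a fresh scan actually reports.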
By regularly examining the entire vulnerability lifecycle and looking for ways to evolve and improve, organizations can proactively defend against any kind of vulnerability an attacker could use to threaten them.