What is vulnerability management? Processes and software for prioritizing threats

John Breeden II | Nov. 28, 2017
Organizations handle vulnerability management in various ways, from training and best-practice implementations to filtering out all but the most dangerous threats. Here's a look at some of today's more innovative solutions.

vulnerability

Vulnerability management is the process of staying on top of vulnerabilities so the fixes can be more frequent and effective. Vulnerabilities in need of fixing must be prioritized based on which ones post the most immediate risk to the network. It’s handled in various ways by security companies working in the field, from training and best-practice implementations to filtering all the vulnerability noise down to just the most dangerous threats for a protected organization.

In cybersecurity, vulnerabilities are a big deal because without them, there would be very few breaches. But vulnerabilities on their own aren’t active threats, so it’s difficult for companies to figure out which to address, and in what order. This is especially true when the number of vulnerabilities climb to staggering levels — sometimes into the millions for larger networks.

Think of vulnerabilities like holes in a suit of armor. The holes might not instantly pose a problem, but probably will cause trouble eventually. Ideally, patching those holes before someone exploits one, sending an arrow through it for example, is a good idea. The problem in cybersecurity is that there are a lot of vulnerabilities.

Almost anything can become a vulnerability and thus a liability to network security. Things like unpatched operating systems, or programs and apps running old software versions are common vulnerabilities, as are siloed applications plugged into a modern network. On the more advanced side, attackers may find exploits that nobody else knows about, attacking a hole in the armor that was previously unknown. Even users can sometimes be considered vulnerabilities, especially today when many of the most targeted attacks, such as phishing, are designed to trick users into lowering the defenses for attackers.

 

Vulnerability management software

Here's how 4 innovative vulnerability management tools are tackling this critical topic.

1. Kenna Security

Kenna Security's vulnerability management platform is designed to prioritize the most dangerous vulnerabilities that could potentially harm a protected network. In a nutshell, it monitors most major threat feeds, and compares that data with assets inside a protected network.

The Kenna platform is deployed in a software as a service (SaaS) model, where users pay a yearly subscription fee to log into the secure site that collects their specific vulnerability data. The data collected by Kenna is used to improve security across the platform, so the more organizations that purchase it, the more threats it will likely encounter. Currently, Kenna tracks over two billion vulnerabilities worldwide, and the number grows daily.

2. Crossbow

Sometimes the best defense is a good offense. That was the philosophy behind the SCYTHE security company’s efforts to create the Crossbow vulnerability assessment platform. Deployed using either software as a service (SaaS) or through an on-premises installation, Crossbow is a virtual threat sandbox, allowing administrators to load up and deploy actual historical attacks like WannaCry, Goldeneye or Haxdoor, or create new threats from scratch. Once loaded or created, those attacks can be sent against a protected network to probe for any vulnerabilities.

Crossbow is perhaps one of the most dangerous defensive programs that CSO has ever reviewed. All of the attacks that it can load or create are real, using actual techniques and tactics that have historically broken through cybersecurity defenses at many organizations. Only the payload is neutered, and even then, that part is optional. This makes Crossbow one of the most realistic tools out there for accessing, testing and managing vulnerabilities. To put it in perspective, Crossbow is much more akin to a live fire exercise in the military than a simulation, because the virtual threats Crossbow fires are real.

3. Risk Fabric

Many vulnerability management programs will direct IT teams to the critical threat on the non-critical asset, and place one that could potentially cripple your organization thousands of places down on the priority scale. It’s not the program’s fault. It just doesn’t know context. That is one of the major problems in the vulnerability management space that the Bay Dynamics Risk Fabric program is designed to solve.

It would not be an inaccurate description to call Risk Fabric a next-generation vulnerability management tool. By adding real context to raw scan results, IT teams are given a much better picture of the true risks hiding within their networks, including the potential costs if those problems are not fixed quickly. 

4. CAWS Continuous Security Validation Platform

At its core, the CAWS Continuous Security Validation Platform from NSS Labs is a testing lab dedicated to finding and fixing threats against networks. Customers who make use of the program can elect to use one of two flavors of the product — public or private — both of which could be tremendously helpful when planning defenses and trying to manage vulnerabilities.

For SMBs and organizations with smaller networks, the public instance of CAWS can be an invaluable tool for alerting IT teams about real threats with the ability to breach their defenses. But Fortune 500 type companies, financial institutions, government organizations, and those with either large networks or networks that are high value targets for attackers may want to spring for the more expensive private service, which offers a perfect mirror of the real network that it will ultimately be protecting. Highly destructive threats can be run against the mirror network and don’t have to be neutered in any way, since they are only going to ravage the test network. Having a whipping boy to take the punishment and reveal vulnerabilities — with no risk whatsoever to the actual network — is an invaluable tool for networks with high security needs.

More on vulnerability management

IDG Insider