Vulnerability management is an IT security practice that involves identifying, assessing, and remediating security flaws in devices, networks, and applications, in order to reduce the risks of cyberattacks and security breaches.
Security professionals view vulnerability management as an important part of security automation. It’s a necessary capability of Information Security Continuous Monitoring (ISCM), as defined by the U.S. National Institute of Sciences and Technology (NIST).
Vulnerabilities are tracked as Common Vulnerabilities and Exposures (CVEs), a system used by the security industry to catalog flaws identified by security researchers and IT vendors. Because new CVEs arise all the time, vulnerability management is an ongoing process. A vulnerability management program helps security teams automate their detection and remediation processes, including vulnerability scanning and patching.
Vulnerability management aims to reduce the risk of cyberattacks and protect IT infrastructure. These processes can help reduce an organization’s attack surface by identifying and removing exploitable security issues or misconfigurations, maintaining software patches, and detecting and mitigating attacks due to an exploited vulnerability. It can help ensure everything from endpoint devices to servers to networks to cloud assets are properly patched and configured.
Vulnerability management can be thought of as five overlapping workflows:
- Discovery: Check an organization’s IT assets for known and potential vulnerabilities.
- Categorization and prioritization: Categorize identified vulnerabilities and prioritize them by level of criticality and actual risk (i.e., a highly critical device vulnerability that can only be exploited when connected to the internet poses no risk if that device will never be connected to the internet.)
- Resolution: Resolve vulnerabilities through remediation (fully addressing the vulnerability), mitigation (make it difficult to exploit or lessen its impact), or acceptance (choosing leave unaddressed vulnerabilities with low risk scores).
- Reassessment: Conduct new assessments to ensure previous efforts worked and did not introduce any new vulnerabilities.
- Reporting: Establish baseline metrics for vulnerability management and monitor performance over time.
As a component of information security, vulnerability management supports the same functions. Under the cybersecurity framework established by NIST, these functions include:
- Identify: Understand systems, people, assets, data, and capabilities.
- Protect: Be able to limit or contain the impact of a potential cybersecurity event.
- Detect: Enable timely discovery of cybersecurity events.
- Respond: Take appropriate action when a cybersecurity incident is detected.
- Recover: Plan for resilience and to restore any capabilities or services that were impaired by an incident.
IT security vulnerabilities are cataloged and tracked by the CVE List, an industry resource overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security. Security flaws that become CVE entries can be submitted by researchers, vendors, and members of the open source community.
In addition to brief CVE entries, security professionals can find technical details about vulnerabilities from the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and other sources such as product-specific lists maintained by vendors.
Across these different systems, CVE IDs give users a reliable way to recognize unique vulnerabilities and coordinate the development of security tools and solutions.
The Common Vulnerability Scoring System (CVSS) is an industry standard for scoring CVEs. It applies a formula that weighs a series of factors related to the vulnerability, such as whether the potential attack can be conducted remotely, the complexity of the attack, and whether it requires a user to take action. The CVSS assigns each CVE a base score ranging from 0 (no impact) to 10 (highest base impact).
This score alone is not a comprehensive assessment of risk. Two other kinds of reviews—temporal and environmental—can help form a more complete CVSS analysis. A temporal review adds details around current exploitation techniques, the existence of attacks leveraging the vulnerability, or the availability of patches or workarounds for the defect. An environmental review adds organizational-specific details about mission-critical data, systems or controls that might exist in the end-consumer’s environment that could alter the impact or probability of an attack being successfully executed.
Vendors and researchers can use other scales in addition to CVSS scores. For example, Red Hat Product Security uses a four-point severity scale to help users evaluate security issues. Those ratings are:
- Critical impact: Flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise without requiring user interaction.
- Important impact: Flaws that can easily compromise the confidentiality, integrity or availability of resources.
- Moderate impact: Flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances.
- Low impact: All other issues that may have a security impact, including ones believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.
As the number of vulnerabilities grows, and businesses assign more people and resources to security efforts, it becomes important to prioritize the work optimally. Using broad and inaccurate risk data as part of a vulnerability management program could lead to over- or under-prioritizing certain vulnerabilities, increasing the risk of a critical issue going unaddressed for too long.
Risk-based vulnerability management (RBVM) is a newer approach that seeks to prioritize actions based on the threat risk to a specific organization. RBVM considers stakeholder-specific vulnerability data, including threat intelligence, the likelihood of exploitation, and the business importance of the affected assets. It can include artificial intelligence and machine learning capabilities to develop more accurate risk scores. RBVM also aims to monitor vulnerabilities in real-time, with automated continuous vulnerability scanning.
A vulnerability assessment is an examination of an IT system’s security measures to identify security deficiencies. This can include gathering data about a system and its resources, a check for known vulnerabilities, and reporting that classifies the findings by brisk and identifies methods for improvement. You can think of a vulnerability assessment like an internal audit and scan of all infrastructure to check for security problems. Though it might be scheduled as part of a regular process, a vulnerability assessment is essentially a single event that ends with a conclusion—a report that represents a snapshot in time.
Contrast this with vulnerability management, which is an ongoing effort that is automated and runs continuously. The functions of vulnerability management are ongoing, overlapping, and continuous. In this way, responses to address critical vulnerabilities can happen early and quickly, thereby improving security.
As a leader in open source software, Red Hat prioritizes transparency and accountability for customers and communities. Red Hat communicates about vulnerabilities frequently, and in 2022 became a Root organization within the CVE program.
Red Hat also equips organizations to more securely build, deploy, and run cloud-native applications. Red Hat® Advanced Cluster Security for Kubernetes can help you better detect and manage vulnerabilities in Kubernetes environments.
Red Hat Ansible® Automation Platform can help your enterprise automate security responses to rapidly identify and address vulnerabilities, before they become urgent issues. Red Hat and our partners also maintain Red Hat Ansible Certified Content Collections—pre-built, supported automation content that you can apply to your security operations center.