Best Practices and Effective Vulnerability Management Strategy

Posted: April 1, 2021

Vulnerabilities are a fact of life. It’s an imperfect world. There is simply no way to avoid them. Fortunately, vulnerabilities can be detected, and resolved or mitigated to remove or limit the risk they present. The goal is not to try and achieve a world with zero vulnerabilities—the goal is to implement an effective vulnerability management strategy that enables you to be proactive and minimize your exposure.

Over the course of this series on vulnerability management, I have touched on many elements of effective vulnerability management. Some of the things I have shared are strategies specific to a given vendor’s approach, but regardless of which platforms or tools you use, the core principles and best practices of vulnerability management are universal.

Vulnerability Management Best Practices

  • Vulnerability Management is more than just vulnerability scanning. Vulnerability scanning is just the process of using a tool to scan your applications and network environment to identify vulnerabilities. Vulnerability management is a more comprehensive strategy that includes proactive vulnerability scanning, as well as the processes and tools necessary to prioritize and remediate issues.
  • Vulnerability Management must be continuous. Neither vulnerabilities nor cybercriminals operate on a schedule. It is not sufficient to address vulnerabilities on a weekly or monthly basis, because you may be exposed to unknown risks at any point in between.
  • You can’t protect what you can’t see. You can’t have effective vulnerability management of just part of your network or some of your assets. It’s imperative that you have comprehensive visibility so you can detect and resolve all of the vulnerabilities that may impact your network, devices, applications, or data.
  • Context is key. The criticality of a given vulnerability is subjective. Context is crucial because how your prioritize and respond to vulnerabilities should be informed by a variety of factors such as the sensitivity of data or business value of a given system, combined with other security controls and mitigations that might be in place to reduce the exposure to risk.

Effective Vulnerability Management Strategy

The best practices remain the same no matter how you choose to address the broader vulnerability management strategy. As I explained in earlier posts in this series, Rapid7 uses a vulnerability management methodology built around four steps: Visibility, Assessment, Prioritization, and Remediation. These four stages encompass the best practices describe above and provide a framework that enables customers to manage the vulnerability management process.

Tenable Network Security has a different approach. I wrote about the risk-based vulnerability management strategy embraced by Tenable. It is designed to give customers the visibility, information, and context required to assess risk and determine which vulnerabilities are most likely to be targeted by attackers so that remediation and mitigation efforts can be properly prioritized. Asset discovery and classification are key components of the Tenable strategy—ensuring comprehensive visibility and scoring asset criticality to provide necessary context.

Vulnerability Management Is a Team Sport

Following vulnerability management best practices and implementing tools that fit your vulnerability management strategy are both essential, but management support and clear communication are also crucial components of an effective vulnerability management program. The IT security team can’t be successful without cooperation and support from executives and other teams and departments in the company.

It’s important for executive leaders to advocate for and support the vulnerability management program. Employees take their cues from executive management, so it’s imperative that they see that the leaders of the company consider vulnerability management important.

Clear communication also helps. IT security teams can sometimes come across as a bit draconian—demanding security for the sake of security. Everyone is on the same team and working for the success of the business. Effective vulnerability management requires that IT security communicate with other business areas to ensure that everyone is on the same page in terms of the resources required and the potential impact on their teams or objectives.

There are certainly wrong ways to do vulnerability management, but there is no single right way. Start with a solid foundation built on vulnerability management best practices, then find a solution that fits your strategy and collaborate with key stakeholders throughout your company to ensure your vulnerability management program supports your business objectives while giving you the tools and processes you need to protect your networks, systems, applications, and data.


This blog was written by Chandresh Patel,  Sr. Solutions Architect at Set Solutions.