Defining a Solid Vulnerability Management Strategy

Posted: January 8, 2021

There is no such thing as perfect code. Vulnerabilities are a fact of life. Applications contain mistakes, and flaws, and bugs—no matter how small—and attackers work around the clock to find exploits to take advantage of those flaws, gain access to your networks and applications, and compromise your data. Vulnerability management is essential for any organization, but effective vulnerability management must be built on a solid methodology. 

There are a variety of security vulnerabilities and attackers often come up with unique and innovative exploits. For the most part, though, security vulnerabilities tend to fall into a handful of common buckets, such as broken authentication, SQL injection, cross-site scripting (XSS), cross-site request forgery (XSRF), or security misconfiguration.  

Rapid7 has defined a vulnerability management methodology comprised of four steps: Visibility, Assessment, Prioritization, and Remediation. Each step has clear objectives, and with the right tools and execution the Rapid7 methodology can help you identify and mitigate vulnerabilities in your environment.  


If you don’t know something exists, you can’t do a very good job of remediating vulnerabilities or protecting it from cyber-attacks. That is why comprehensive visibility is crucial. Digital transformation and DevOps culture have transformed IT to accelerate and streamline productivity, but the result is also a more complex ecosystem that is more challenging to monitor and protect. The modern attack surface is a hybrid or multi-cloud environment, and organizations need to have visibility across local, remote, cloud, containerized, virtual infrastructure, and even at the application layer 

Rapid7 InsightVM delivers live vulnerability and endpoint analytics to help organizations remediate faster. A lightweight endpoint agent collects data from all endpoints and helps to ensure comprehensive visibility. Rapid7 also offers Nexpose, an on-premise vulnerability scanner to enable collection, prioritization, and remediation of vulnerability intelligence for smaller, less complex environments. 


Once you know where all of your assets are, the next step is to monitor and scan for vulnerabilities so you can address them proactively to reduce risk across your attack surface. In addition to InsightVM for general vulnerability scanning, Rapid7 also offers InsightAppSec to conduct dynamic application security testing of web applications, and DivvyCloud for continuous security and compliance across multi-cloud environments. The suite of tools from Rapid7 enables you to continuously scan every asset and application in your environment to identify vulnerabilities and assess risk in real-time. 


The sheer volume of vulnerabilities can sometimes seem daunting, and few organizations have the resources to tackle all of them at once. It is important to prioritize the vulnerabilities so you can focus attention on the ones that pose the greatest risk. Risk is subjective, though. Vulnerabilities are typically rated based on their perceived criticality, but prioritizing vulnerabilities in your environment requires a deeper understanding of the business value of the vulnerable systems or applications, as well as other mitigating factors you have in place. One of the things that differentiates Rapid7 from its competitors is the unique, granular system of prioritizing risk on a scale from 1-1000. Rapid7 factors in all of the relevant insight and context to identify where IT teams should focus first to protect critical assets and have the greatest impact on the overall security of the environment. 


Assessing and prioritizing vulnerabilities won’t do you much good without the fourth step of the vulnerability management methodology: Remediation. Now that you have the intelligence, insight, and context to know where the vulnerabilities are and the relative risk they pose, you need to take steps to patch the flaws, or mitigate the risk in some way to ensure those vulnerabilities can’t be exploited. 

InsightVM and the suite of Rapid7 tools help streamline remediation. The Automation-Assisted Patching feature of InsightVM helps accelerate patch deployment and updates with minimal human intervention. It also includes workflows to integrate with major patch management tools like BigFix or SCCM. Automated Containment provides built-in workflows that integrate with third-party tools from Crowdstrike, Cisco, Palo Alto to implement policies and take automated steps to mitigate risk until a patch can be applied.  

One of the most important elements of remediation, though, is collaboration. InsightVM facilitates collaboration with a streamlined view of risk across the environment and simple reports to share relevant insights and information. Rapid7 also integrates with common ticketing solutions like ServiceNow and Jira to help security teams work effectively with IT and cross-functional teams within the organization to manage vulnerability remediation. 

Every network and application has vulnerabilities, and new vulnerabilities are discovered every day. Vulnerability management is critical around the clock, and organizations need to have a comprehensive vulnerability management system that provides visibility, assessment, prioritization, and remediation in order to stay one step ahead of attacks and protect against exploits and compromise.  

There are variety of factors that influence why an enterprise might choose one tool over another. In the next blog in this series, we will discuss the vulnerability management capabilities of Tenable. The post will cover Tenable vulnerability assessment tools and methodology, and highlight some of the unique features and strengths of their solution.  


This blog was written by Chandresh Patel,  Sr. Solutions Architect at Set Solutions.