Developing a Risk Based Vulnerability Management Program

Posted: March 11, 2021

There are many vectors an attacker can use to penetrate an organization. Exploiting known but unremediated vulnerabilities in the environment is one of the most common.

I have had the opportunity to work with several vulnerability assessment tools, listed here in no particular order: Alert Logic, Retina (BeyondTrust), DDI, OpenVAS, Qualys, Rapid7, Tenable and Tripwire. Two previous posts in this vulnerability management series covered methodology for Rapid7 and Tenable, two of the leading vulnerability assessment technologies today. The tool an organization chooses depends on its requirements, its comfort with the tool and the preferences of the staff who will run it.

The most successful vulnerability management programs I have seen had a few things in common.

  • Executive sponsorship and support: not just funding the vulnerability management program but truly advocating for it and backing its overall strategy of reducing organizational risk.
  • Choosing the right solution based on identified requirements: well-defined requirements for the outcome the organization wants are essential before a tool is selected.
  • Clear communication with the business areas that will be impacted: knowing what may be impacted and what resources are needed is difficult when there is a lack of visibility. It can be estimated by sampling, or by a small-scale POC/POV of a vulnerability assessment tool against a representative slice of the environment.
  • A clear timeline for implementation: a risk-based approach to implementing and operationalizing vulnerability remediation has the best chance of meeting clearly defined timelines. There will be issues, but they can be addressed as they are discovered.
  • Considering resource constraints: this is true for most organizations, but even those with enough resources to remediate newly discovered vulnerabilities face a learning curve.

The difficult part is that most vulnerability assessment tools and vulnerability management programs are run by IT Security teams, while remediation is generally the job of IT Operations teams. Those team members are not necessarily opposed to remediation, but they are already overburdened with operational activities.

Risk based approach

A risk-based approach to Vulnerability Management is fundamental. A balance has to be struck between business risk and IT risk. To properly secure an organization's information technology assets, the information security team typically assesses the security posture periodically by conducting vulnerability assessments and penetration testing. These activities involve scanning desktops, laptops, servers, network elements and other computer systems owned by the organization on a regular, periodic basis to discover the vulnerabilities present on them. Only with knowledge of these vulnerabilities can an organization apply security fixes or other compensating controls to improve the security of the environment.

All vulnerabilities should eventually be addressed, but a risk-based approach helps prioritize the most critical ones for each organization. Placing an 800-page vulnerability report for a dev server on a server admin's desk accomplishes nothing. Without context on how to prioritize (how severe the finding is, how critical and how exposed the asset is, and whether an exploit is available), these reports will not help mitigate the vulnerabilities. Many IT resources are already overburdened with operational activities; adding large vulnerability reports to their workload will not reduce organizational risk, and it will not win you any friends.

There are many considerations in developing a risk-based vulnerability management program. Each of them depends on the organization's risk appetite.

  • Agent or agentless: many organizations are already working to reduce the number of agents on endpoints, whether as an organizational preference or because of what is known as agent fatigue. Certain systems may also not allow an agent to be installed at all.
  • Physical or virtual appliance: vulnerability scanners need a way to scan devices from within the network. An organization can choose a virtual or physical appliance based on its requirements and cost.
  • Whitelisting the scanning appliance: this is often overlooked. Vulnerability scanners generate logs (failed logins, port sweeps, IDS signatures) on the systems they scan. Those logs are collected for correlation and can generate alerts, so decide in advance how to respond to them. Tag the scanner's source addresses in the SIEM so an authorized scan is not mistaken for an attacker's reconnaissance, but keep the exclusion narrow so an attacker cannot hide behind it.
  • Tuning the appliance so it does not impact operations: this is another part of operations that depends on the organization's risk appetite. Making sure that
  • Internal vs external scanning: scanning from within the network will show different results than scanning from outside. If the results are the same, the perimeter is exposing internal services, and that is a serious concern to be addressed immediately.
  • Authenticated vs unauthenticated scans: this also depends on the organization's risk appetite, but my recommendation for an organization just starting a vulnerability management program is to begin with unauthenticated scans. It is a good start without being inundated with findings, and an unauthenticated scan will still show many vulnerabilities that should be addressed. Plan to move to authenticated (credentialed) scans once the process is working, since only they reliably see missing patches and local configuration issues.
  • How are you managing vulnerabilities in cloud environments, co-located facilities, IoT, SCADA and healthcare devices?
    • What are your specific needs based on your industry?
    • Are there regulatory requirements such as HIPAA, NERC, FERC or PCI DSS?
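As an added example (not from the original post and not the output of any of the tools mentioned above), the Python below shows the kind of prioritization the preceding sections argue for: each constructed scan finding is scored by severity, asset criticality, exposure and exploit availability so the list handed to an admin is short and ordered by risk, and internal and external scan results are compared for the concern raised under "Internal vs external scanning". The weights, asset classes, hosts and findings are all assumptions for illustration.

```python
"""Risk-based prioritization of vulnerability scan findings.

Added example, not code from the original post. Scoring weights,
asset classes and the sample findings are assumptions for illustration;
tune them to your own risk appetite.
"""
from dataclasses import dataclass

# Assumed weights: how much more a finding matters on a given asset class,
# when it is reachable from the internet, and when a public exploit exists.
CRITICALITY = {"crown_jewel": 3.0, "production": 2.0, "dev": 1.0}
EXPOSURE_EXTERNAL = 2.0
EXPLOIT_AVAILABLE = 1.5


@dataclass(frozen=True)
class Finding:
    host: str
    asset_class: str        # key into CRITICALITY
    plugin: str             # scanner check name (constructed)
    cvss: float             # CVSS v3 base score, 0.0-10.0
    exploit_available: bool
    external: bool          # also seen by the external (internet-facing) scan


def risk_score(f: Finding) -> float:
    """Weighted risk score; larger means fix first."""
    score = f.cvss * CRITICALITY.get(f.asset_class, 1.0)
    if f.external:
        score *= EXPOSURE_EXTERNAL
    if f.exploit_available:
        score *= EXPLOIT_AVAILABLE
    return round(score, 1)


def prioritize(findings):
    """Findings sorted highest risk first; ties broken by host and plugin."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.plugin))


def perimeter_leaks(internal_ports, external_ports):
    """Hosts whose externally visible open ports cover every port seen
    from inside the network, i.e. the external scan looks like the
    internal one. Returns {host: sorted list of exposed ports}."""
    leaks = {}
    for host, inside in internal_ports.items():
        outside = external_ports.get(host, set())
        if inside and inside <= outside:
            leaks[host] = sorted(outside)
    return leaks


# Constructed sample findings (hosts and plugin names are made up).
SAMPLE_FINDINGS = [
    Finding("dev01", "dev", "SSH server supports weak key exchange", 5.3, False, False),
    Finding("dev01", "dev", "Missing OS kernel security patches", 7.8, True, False),
    Finding("web01", "production", "Web framework remote code execution", 9.8, True, True),
    Finding("web01", "production", "TLS 1.0 enabled", 4.3, False, True),
    Finding("db01", "crown_jewel", "Database accepts default credentials", 9.8, True, False),
]

# Constructed open-port inventories from an internal and an external scan.
INTERNAL_PORTS = {"web01": {22, 443, 8080}, "db01": {22, 5432}, "dev01": {22, 80}}
EXTERNAL_PORTS = {"web01": {443}, "db01": {22, 5432}}


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.host:<6} {f.plugin}")
    for host, ports in perimeter_leaks(INTERNAL_PORTS, EXTERNAL_PORTS).items():
        print(f"PERIMETER LEAK: {host} exposes {ports} externally, same as internal scan")
```

Run as-is, the dev server's findings land at the bottom of the list even though one of them has a higher CVSS score than the production TLS finding, which is the point: the admin for dev01 gets two items, not 800 pages, and db01 is flagged because every port reachable from inside the network is also reachable from outside.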

Tools are powerful, but their true power comes from knowing how to use them effectively for the organization.

I will summarize the four blogs in the final installment of this five-part series. The important part of any vulnerability management program is the risk-based approach.


This blog was written by Chandresh Patel, Sr. Solutions Architect at Set Solutions.