When we talk about enterprise cybersecurity, vulnerability and patch management are among the top priorities that organisations must “get right”. But what happens when you’re a large enterprise with tens of thousands of CVEs (common vulnerabilities and exposures)? 

The challenge typically isn’t a lack of visibility of the vulnerabilities – security teams have plenty of that – but digesting it all and using it to make informed decisions for the organisation.

Vulnerability scanning on its own does not present the full picture; we have to look deeper into how organisations are currently tackling vulnerability and patch management and understand how adding asset attributes into the equation can help give security teams the context they need to make prioritisation, hence remediation, more effective in a sea of data and CVEs.

The current challenges of vulnerability management
It’s often assumed that security teams utilise high-end technology and tools at the pinnacle of automation and efficiency, but this simply isn’t the case.

Due to siloed data and a lack of tooling that's focused on solving the problem, these teams are manually extracting data from multiple infrastructure and security tools and juggling between Excel spreadsheets.

The processes for mitigating and remediating vulnerabilities, even if we were to limit the inventory to only managed IT assets, is largely slow, manual and inefficient.

The reality is, as antiquated as it may seem, spreadsheets in the back-end are running many processes in IT and security. And, while spreadsheets are a means to collate data from disparate sources, they are grossly inadequate for the vast amount of data vulnerability teams are faced with.

It’s impossible to make truly informed decisions on risk when data is stored in spreadsheets because, firstly, not all of it is visible, and secondly, it’s too difficult to identify what is actually important.

Different outputs from different systems create redundancies, with separate sources reporting events from the same assets and data being nearly impossible to normalise with spreadsheets.

Nowadays, vulnerability teams struggle to get to any conclusions from what they have without adding overheads in terms of time required to ingest loads of data manually, and even if they could feasibly do this, they still wouldn’t have the full picture. The holy grail for security teams is to have a single source of information that collates all data, analyses it, and gives the needed intelligence to make informed business decisions based on it.

Why vulnerability scanning alone falls short 
As advanced as vulnerability scanning has become, these tools alone will never provide a single source of truth, especially in large organisations where these scans could potentially identify tens of thousands of CVEs with varying degrees of CVSS ratings.

In some environments, it’s not possible to scan devices at all. In any organisation with a medical or OT environment, for instance, many of their most sensitive assets simply cannot be scanned, or it’s not practical to do so, becoming an enormous blind spot which creates unquantified gaps.

Additionally, many organisations have exception lists, which can include a number of servers that cannot be scanned because a partner organisation may not want to do so in order to avoid functionality or performance issues, or even because information might be sensitive. This leaves huge gaps in which it is impossible to discover vulnerabilities.

Prioritising vulnerabilities
For effective, efficient vulnerability management, organisations can prioritise CVEs using a four-step process.

1. Know your assets 

The most impactful way to prioritise vulnerabilities is to know more about the assets in the environment. Filtering down CVEs until only the critical ones remain, still leaves security teams with an enormous amount of vulnerabilities that must be prioritised.

To truly understand what is worth the time investment teams need to focus on those vulnerabilities affecting assets that are critical to the core function, or are in a vulnerable context -  i.e. facing the internet or in a particularly sensitive network segment. In short, the risk to the business depends on the asset that contains the vulnerability. To properly assess that risk, ask:

• What is the asset functionality?
• Who are the asset owners?
• Does it contain sensitive data?
• What is the cost of the asset?

By answering these questions and bringing assets into the purview, you can focus your remediation efforts where it truly matters.

2. Enrich vulnerability data 
Once critical assets and vulnerabilities are determined, that list needs to be sent to an owner who will be held accountable for remediation. Automation can be a powerful tool for correlating critical vulnerabilities lists to a suitable owner.

3. Deploy integrated telemetry tools 
Reporting and dashboarding tools will need to be integrated to the existing environment to work efficiently through remediation. Having telemetry tools that are suitable for multiple, diverse teams will ensure that all teams are provided with adequate context. Consider including:

• Vulnerability scanners
• Threat intelligence
• Endpoint agents
• Connected infrastructure data scanners
• CMDB synchronisation
• Ticketing systems, eg. ServiceNow

4. Track the process 
Finally, it’s important to recognise the difference between vulnerabilities a team has merely accepted the risk of, and vulnerabilities they have been instructed to fix. The problem here is that it can be difficult to report on those things separately. Vulnerability teams should be given the ability to accept the risk of a vulnerability while reporting on everything that is actually in progress, including which owners are effective at actually remediating what they are supposed to. Tracking the entire process will streamline it immeasurably.

Security teams in large organisations can take these steps to ensure vulnerabilities are managed in a way that is more efficient and improves the overall security of the business.

Seeking solutions that help understanding the criticality of each asset to the business will enable prioritisation and mitigation efforts across all assets, while optimising the use of limited resources to minimise exposure and achieve effective vulnerability lifecycle management.