NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Threat and Exposure Research

Vulnerability Management is a Lie

I came across a post by Tony Turner titled, “Vulnerability Management is a Lie” and I could hardly wait to read it with a headline like that!  Mr. Tuner approached vulnerability management from the perspective of an “Internal Security Guy” and his argument mirrored many of the challenges that we hear from our customers. Now it’s my turn to comment on exactly why he may be correct!

Mr. Turner begins his post describing the phases of vulnerability identification. What we’ve found with our customers is that jumping right into the use of a vulnerability scanner sometimes leads companies in the wrong direction. It is crucially important to understand what assets and applications are most important to your organization, so you can focus efforts. The adage, “any road looks good if you don’t know where you’re going” certainly holds true when it comes to an IT security strategy.

Vulnerability Identification

Most of our customers have a process in place to deal with identifying vulnerabilities. You can read more about this in a prior post, Mistakes Companies Make When it Comes to Vulnerability Management. Mr. Turner states, “We hire penetration testers to test our systems and pray that we get a useful report at the end of the engagement that can help us through this process.”

Classification of Vulnerabilities

In most cases classification of the discovered vulnerabilities is pretty straightforward. The database of Common Vulnerabilities and Exposures (CVEs) makes it easier to share data across separate vulnerability tools. However, we find that where most vulnerability scanners fall short is in tailoring information to the specific organization. Mr. Turner laments, “This can be difficult and time consuming if you are doing this across your enterprise.” In our solution, Unified VRM, we deliver a prioritized list of vulnerabilities based on your company’s unique business environment without you having to do the work.

Remediation of Vulnerabilities

“If your vulnerability management teams are independent from operational groups it can be really tough to pull this stuff off.” Indeed. Vulnerability management is as much a people process as a technology process. In Unified VRM, we try to help by fostering collaboration among internal teams on security projects. Provide a consistent view of vulnerabilities and help disparate teams track progress toward resolution. Mr. Turner’s suggestions on “How do we fix this?” are addressed here.

So is vulnerability management a lie?  Only if you let it. Please view our approach to vulnerability management and discover the truth —  get started by reading our Best Practices Guide: Vulnerability Management

Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.