Vulnerability Management: Is Remediation so Difficult?

Vulnerability management is the ongoing practice of detecting, classifying, prioritizing, and remediating security vulnerabilities in IT infrastructure and applications. For many companies, the remediation stage is where disappointment and frustration can set in. Prioritizing vulnerability remediation is the only surefire way to significantly reduce the risk of a cyber-attack. And if vulnerabilities are not tracked to remediation, the entire exercise is futile.

The challenges associated with remediation are universal. Knowing what to remediate, finding the correct people within the organization, holding individuals accountable, and reporting are just a few of the issues. In a previous post, “Mistakes Companies Make When it Comes to Vulnerability Management”, I discussed some of the organizational barriers that limit successful remediation. Below are some additional considerations on how to tackle remediation challenges.

Rank your assets and applications

The sheer number of systems and applications that need to be protected, even in small companies, can make vulnerability management a formidable task. With our customers, we consistently suggest that they rank assets and applications according to importance. That means knowing exactly where your business-critical information is located and which systems and applications connect to it, which in turn requires an in-depth understanding of how users interact with that information.

Get off the patching treadmill

I’ve heard it time and time again: patching is an endless treadmill, and how much any company invests in it depends on the organization’s overall risk tolerance. I still find it shocking to read that it is often not the newer vulnerabilities that catch companies off-guard. Bugs in Java, Adobe products, browsers and other popular applications are commonly targeted by cyber-attackers and should receive more attention when it comes to remediation. The cost of not patching can be significant if attackers are able to use a common and widely exploited vulnerability to infiltrate the network and escalate privileges.

Overcome organizational obstacles

Even if you have addressed vulnerability prioritization, the internal process of finding and convincing the correct people in the company to get fixes applied can be a major roadblock. Accountability can be tricky to institute and vulnerabilities can become a game of “hot potato”. Below are some best practices to deploy in your organization.

  • Focus on the highest risk vulnerabilities.
  • Have a mechanism to notify the appropriate people that they have vulnerabilities to be fixed.
  • Gain management support on remediation time-frames and consequences of not remediating vulnerabilities.
  • Employ a consistent and visible scorecard and/or reports.
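
As an added example (not from the original post or the Unified VRM product), here is how the ideas above, ranked assets, highest-risk-first ordering, agreed time-frames and a visible per-owner scorecard, can be combined into one remediation queue. The weights, time-frames, owners and findings are all constructed sample values, not a recommended policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Sample policy values: remediation time-frames (days) per priority tier and
# weights from the asset ranking exercise (1 = business-critical, 4 = minor).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
ASSET_WEIGHT = {1: 1.0, 2: 0.75, 3: 0.5, 4: 0.25}

@dataclass
class Finding:
    asset: str              # host or application name
    owner: str              # team accountable for the fix
    asset_rank: int         # 1 (critical) to 4 (minor)
    severity: float         # scanner severity, 0.0 to 10.0
    widely_exploited: bool  # commonly targeted bug (old Java/browser flaws)
    found: date

def risk_score(f: Finding) -> float:
    """Severity weighted by asset importance; widely exploited bugs get a fixed
    boost so a well-known flaw on a minor host still surfaces in the queue."""
    score = f.severity * ASSET_WEIGHT[f.asset_rank]
    if f.widely_exploited:
        score = min(10.0, score + 3.0)
    return round(score, 2)

def tier(score: float) -> str:
    return ("critical" if score >= 8.0 else "high" if score >= 6.0
            else "medium" if score >= 3.0 else "low")

def deadline(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[tier(risk_score(f))])

def prioritize(findings):
    """Highest risk first: this is the order the remediation queue is worked."""
    return sorted(findings, key=risk_score, reverse=True)

def scorecard(findings, today):
    """Per-owner open/overdue counts: the visible report that fixes ownership."""
    card = {}
    for f in findings:
        row = card.setdefault(f.owner, {"open": 0, "overdue": 0})
        row["open"] += 1
        row["overdue"] += int(deadline(f) < today)
    return card

# Constructed sample findings, not real systems.
SAMPLE = [
    Finding("payroll-db", "dba-team", 1, 9.8, False, date(2024, 1, 1)),
    Finding("kiosk-pc", "desktop-team", 4, 7.2, True, date(2024, 1, 1)),
    Finding("web-portal", "app-team", 2, 6.0, True, date(2024, 1, 1)),
    Finding("dev-wiki", "app-team", 3, 4.0, False, date(2024, 1, 1)),
]
```

Note how the kiosk finding, on a low-value asset, still ranks above the dev-wiki bug only because it is flagged as widely exploited; the scorecard for a given date then shows each team how many of its findings have passed their agreed deadline.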

Unified VRM is vulnerability management software-as-a-service that helps companies to overcome many of the challenges that stand in the way of successful remediation of IT vulnerabilities. To learn more about how to develop a successful vulnerability management approach, download the Best Practices Guide: Vulnerability Management.