Blog
April 11, 2024

What is the Vulnerability Management Process & its 5 Main Stages?

This guide explains what vulnerability management is and the 5-step process to identify and fix weaknesses in your systems before attackers exploit them.


Key Points:

  • The Vulnerability Management Process is an ongoing cybersecurity approach to finding and mitigating vulnerabilities, focusing on the weaknesses an attacker could exploit.
  • Vulnerabilities are scored with the Common Vulnerability Scoring System (CVSS), which rates each one from 0.0 to 10.0 based on how exploitable it is and what impact a successful exploit would have.
  • The process involves identifying vulnerabilities, evaluating them with CVSS scores and business context, remediating, verifying the fixes by rescanning and retesting, and reporting for compliance and future prevention.
  • Metomic can help you identify where sensitive data and company secrets are stored, and remediate them effectively with automatic redaction.

In the cybersecurity world, new threats are emerging all the time, and with them plenty of vulnerabilities that could be exploited.

In 2022, 25,227 vulnerabilities were reported, roughly 20% more than in 2021.

What is meant by vulnerability management in terms of cyber security?

In cybersecurity terms, vulnerability management is the continuous process of finding, assessing, fixing and reporting on the weaknesses in your systems that could be used against your business. Rather than being a one-off event, it is an ongoing, proactive approach to keeping the risk from those weaknesses as low as possible.

What are the differences between a vulnerability, a risk, and a threat?

You'll hear these three terms a lot when it comes to cybersecurity, and while they are related, they are distinctly different.

  • A vulnerability is a weakness in a system, network or application that a bad actor could exploit.
  • A risk is the combination of how likely it is that a threat will exploit the vulnerability and how much damage it would do if it did. The same vulnerability can be a high risk on one system and a low risk on another.
  • A threat is an actor or event, external or internal, that could exploit that vulnerability, for example a hacker, malware, or a malicious insider.

How are vulnerabilities ranked and categorised?

Vulnerability managers use the Common Vulnerability Scoring System (CVSS), an open standard maintained by FIRST, to rank and categorise vulnerabilities.

The base score for each vulnerability is calculated from two groups of metrics: exploitability (attack vector, attack complexity, privileges required, user interaction) and impact (loss of confidentiality, integrity and availability), together with whether a successful exploit reaches beyond the vulnerable component (scope). Because the formula and scale are public, a score means the same thing to every security team. It runs from 0.0 to 10.0 and maps onto the severity bands in the table below. Note that the base score measures the intrinsic severity of the flaw, not the risk to your business; that also depends on where the vulnerable asset sits and what data it holds.

CVSS Scores Table (CVSS v3.x qualitative severity ratings)

  Score         Severity
  0.0           None
  0.1 - 3.9     Low
  4.0 - 6.9     Medium
  7.0 - 8.9     High
  9.0 - 10.0    Critical

Are there differences between vulnerability management and a vulnerability assessment?

Yes. A vulnerability assessment is a point-in-time exercise that establishes the current state of the vulnerabilities in your business, whereas vulnerability management is a continuous cycle that includes remediation to mitigate the risks they pose.

An assessment outlines and classifies the risks, but by itself it does not take the next step of deciding which risks to accept and which to reduce; that is the job of the management process that wraps around it.

What are the 5 main stages of the Vulnerability Management Process?

The Vulnerability Management Process involves 5 main stages that ensure all vulnerabilities are accounted for and managed effectively.

1. Identify vulnerabilities

Your first step is to find out where your vulnerabilities lie. Authenticated vulnerability scans are the usual source, and findings from penetration tests feed into the same list.

You cannot scan what you do not know you have, so start with an inventory of your IT assets, compiled manually or with a discovery scanner: firewalls, servers, operating systems, endpoints, and the third-party and SaaS applications your teams use. Each of these is somewhere a vulnerability could be hiding.

The inventory defines your attack surface and tells you what you're dealing with. Schedule scans outside peak hours to minimise disruption to your employees, and re-run discovery regularly, since the assets nobody recorded are the ones nobody patches.

2. Evaluate your vulnerabilities

This is where CVSS comes in handy.

Use the base scores to rank your findings from 0.0 to 10.0. Evaluating your vulnerabilities in this way helps you communicate the risks to your wider team and helps everyone understand the most urgent issues your business faces.

One caveat a practitioner will want: a CVSS score describes the severity of the flaw in isolation, not the risk to you. Two findings with the same score are not equally urgent if one sits on an internet-facing server holding customer data and the other on an isolated build box, and a Medium that is being actively exploited in the wild (for example, one listed in CISA's Known Exploited Vulnerabilities catalogue) usually deserves attention before an unexploited High. Combine the score with asset exposure, data sensitivity and evidence of exploitation when you set priorities.

“When you’re evaluating your vulnerabilities, you’ll need to focus on factors like how easy it would be for a hacker to exploit,” says CEO of Metomic, Rich Vibert. “You should also be paying attention to your current data security posture and whether that would be able to minimise the risk of a vulnerability being exploited.” 

Bear in mind that if you choose to automate this process, you’ll still need a security professional to question whether the risks are false positives or genuine concerns. 

3. Remediation 

Once you've evaluated your vulnerabilities and identified which ones need to be addressed urgently, you can start remediation.

Make sure your patching systems are up to date and running on a regular schedule. Where a patch is not yet available or cannot be applied immediately, put compensating protections in place to keep systems safe, such as restricting which users and networks can reach the affected system until the situation is resolved.

Vulnerabilities that aren't critical and don't need to be dealt with straight away can be accepted as low risk. Record that decision, including who accepted it, why, and when it will be reviewed, so that an accepted risk is a deliberate choice rather than a finding that was simply forgotten.

4. Assess 

Now is the time to check whether remediation has actually worked. Rescan the affected assets, and for the most serious findings retest by hand or through penetration testing, since a patch can fail to apply, be reverted by a redeploy, or leave a second vulnerable instance untouched. Step back and decide whether each vulnerability is fully fixed or needs to go back on the list.

Ask yourself:

  • What percentage of vulnerabilities have been resolved, and how many still need to be resolved?
  • Have you completely resolved the issue without creating any new problems along the way?
  • What can you report to the senior leadership team to give them a picture of your current security posture?

5. Report

It's tempting to skip reflection when you have so much to get done, but looking back at what happened, which vulnerabilities appeared, how quickly they were fixed and which ones slipped past their deadlines, helps you prevent incidents in future.

You'll also need to report on your vulnerabilities for your compliance records, so document how each one was addressed, what the outcome was, and any risks you chose to accept.
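The five stages above, run as one small tracking loop. This is an added illustration, not Metomic's code or any scanner's output: the findings, asset names, EX- identifiers, SLA days, and the ordering rule in `priority_key` are all assumptions constructed for the demo. Stage 1 is represented by the constructed scan results; stages 2 to 5 are the functions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation deadlines per severity band, in days from first detection.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
BAND_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity(score: float) -> str:
    """CVSS v3.x qualitative severity band for a 0.0-10.0 base score."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    internet_facing: bool
    holds_sensitive_data: bool
    known_exploited: bool      # e.g. listed in CISA's Known Exploited Vulnerabilities catalogue
    first_seen: date
    status: str = "open"       # open | fixed | accepted
    note: str = ""


def priority_key(f: Finding):
    """Stage 2 ordering (assumed policy): exploited-in-the-wild first, then severity
    band, then internet exposure and data sensitivity as tie-breakers, then raw score."""
    return (f.known_exploited, BAND_RANK[severity(f.cvss)],
            f.internet_facing, f.holds_sensitive_data, f.cvss)


def prioritise(findings):
    return sorted((f for f in findings if f.status == "open"), key=priority_key, reverse=True)


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[severity(f.cvss)])


def accept_risk(f: Finding, justification: str) -> None:
    """Stage 3: accepting a risk is a recorded decision, never a silent default,
    and Critical findings are not eligible for it."""
    if severity(f.cvss) == "Critical":
        raise ValueError(f"{f.vuln_id} on {f.asset} is Critical and must be remediated")
    if not justification.strip():
        raise ValueError("risk acceptance requires a written justification")
    f.status, f.note = "accepted", justification


def verify(findings, rescan):
    """Stage 4: reconcile the tracker with a fresh scan. `rescan` is the set of
    (asset, vuln_id) pairs the scanner still reports."""
    for f in findings:
        still_present = (f.asset, f.vuln_id) in rescan
        if f.status == "fixed" and still_present:
            f.status, f.note = "open", "reopened: still detected after remediation"
        elif f.status == "open" and not still_present:
            f.status = "fixed"
    return findings


def report(findings, today: date) -> dict:
    """Stage 5: the figures leadership and auditors ask for."""
    total = len(findings)
    fixed = sum(f.status == "fixed" for f in findings)
    accepted = sum(f.status == "accepted" for f in findings)
    overdue = sorted(f"{f.vuln_id}@{f.asset}" for f in findings
                     if f.status == "open" and due_date(f) < today)
    return {"total": total, "fixed": fixed, "accepted": accepted,
            "pct_resolved": round(100 * (fixed + accepted) / total, 1) if total else 0.0,
            "overdue": overdue}


def sample_findings():
    """Constructed scan output for the demo: assets and EX- identifiers are made up."""
    seen = date(2024, 3, 1)
    return [
        Finding("web-01", "EX-1001", 9.8, True, True, True, seen),
        Finding("web-01", "EX-1002", 6.1, True, False, False, seen),
        Finding("db-01", "EX-1003", 7.5, False, True, False, seen),
        Finding("hr-laptop-7", "EX-1004", 3.1, False, True, False, seen),
        Finding("build-02", "EX-1005", 5.3, False, False, False, seen),
    ]


def run_cycle(today: date = date(2024, 4, 11)):
    """One pass through stages 2-5 on the sample data."""
    findings = sample_findings()
    order = [f.vuln_id for f in prioritise(findings)]
    # Stage 3: the team patches the top two and accepts the low-severity laptop finding.
    for f in findings:
        if f.vuln_id in ("EX-1001", "EX-1003"):
            f.status = "fixed"
    accept_risk(findings[3], "Offline-only laptop with full-disk encryption; review in Q3")
    # Stage 4: the rescan no longer sees EX-1005 but still sees EX-1003 (patch did not take).
    rescan = {("web-01", "EX-1002"), ("db-01", "EX-1003"), ("hr-laptop-7", "EX-1004")}
    verify(findings, rescan)
    return order, report(findings, today)


if __name__ == "__main__":
    order, summary = run_cycle()
    print("priority order:", order, "\nreport:", summary)
```

The point of `verify` is that a finding marked fixed is only trusted once the rescan stops reporting it; in the sample run the High on the database server comes back as reopened and shows up as overdue in the report, which is exactly the kind of figure the "Ask yourself" questions in stage 4 are meant to surface.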

How can Metomic help?

Understanding your risks when it comes to sensitive data can be tricky when you have a lot of SaaS apps to monitor. 

Metomic can help you identify where sensitive data like PII, PHI, and company secrets are stored, and remediate them effectively with automatic redaction. 

To get a glimpse into what we do, book a personalised demo of our data security platform to understand where your sensitive data lives and who has access to it.  