
What is vulnerability management?

1. What is vulnerability management?


Vulnerability management consists of technologies, tools, policies and procedures to identify, prioritize and fix security weaknesses across your organization. It’s a proactive process that helps your teams decrease the likelihood of a breach or cyberattack. With a risk-based approach, you can also align your cybersecurity risk management program with your organization’s operational goals and objectives.

Vulnerability management’s goal is to quickly and effectively decrease exposures and secure your attack surface — on-prem and in the cloud.

With the right vulnerability management solution, you can get comprehensive visibility into your constantly-changing attack surface to continuously monitor your environment and keep pace with evolving threats.

A mature program to manage security exposures like vulnerabilities is key to ensuring operational resilience by reducing the risk of a breach or cyberattack.

There are four key stages for vulnerability management:

  • Identify assets and vulnerabilities across all your environments, on-prem and in the cloud
  • Prioritize vulnerability remediation of critical exposures based on threat intelligence, your organization’s risk profile and which vulnerabilities attackers are most likely to exploit in the near term
  • Remediate security issues
  • Continuously monitor, report and improve the program

By developing a risk-focused vulnerability management program, you can proactively know, expose and close security weaknesses that traditional vulnerability management tools miss.

This applies not just to traditional IT systems, but also to:

  • Cloud systems and services
  • Mobile devices
  • Containers or serverless
  • Web applications
  • Operational technology (OT)

While every organization has a unique cyber threat environment, there are four main types of vulnerabilities:

  1. Operating systems and applications
  2. Network
  3. Misconfigurations and process-based
  4. Human-related

Examples of a vulnerability:

  • System, network or application misconfigurations
  • Outdated or unpatched operating systems and software
  • Open ports and unused services
  • Ineffective or broken authentication
  • SQL injection
  • Cross-site scripting (XSS)

What are the most common vulnerabilities?

The OWASP Foundation actively updates its OWASP Top 10 vulnerability list. The previous edition of the list includes:

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery

What does vulnerability management entail and what are the five steps of vulnerability management?

The vulnerability management lifecycle explained:

Step 1: Discover

Identify and map all assets across all computing environments, on-prem and in the cloud, and scan for vulnerabilities and other exposures.

Step 2: Assess

Understand asset criticality and risk, including vulnerabilities, misconfigurations and other security health indicators.

Step 3: Prioritize

Understand exposures in context to prioritize remediation efforts based on asset criticality, vulnerability severity, your environment and threat context.

Step 4: Remediate

Prioritize which exposures to address first based on business risk. Then apply appropriate industry best practices for remediation.

Step 5: Measure

Measure and benchmark exposure, internally and against peer organizations, so your teams can make better informed business and cyber risk decisions to drive risk reduction, compliance and program maturity.

What's the difference between vulnerability management and vulnerability assessment?

Vulnerability management and vulnerability assessment are different, but work together. The terms are often used interchangeably, but shouldn’t be.

Cybersecurity vulnerability management identifies assets and vulnerabilities across your attack surface. It helps teams plan strategies to mitigate security issues and prioritize and remediate vulnerabilities.

It’s not the same as a vulnerability assessment, which has a set beginning and end date. A vulnerability assessment is a point-in-time snapshot of your attack surface. It’s one part of your overall vulnerability management program, which helps teams continuously identify and address cyber risks.

What is risk-based vulnerability management?

Risk-based vulnerability management provides comprehensive visibility into your attack surface so you can see which security issues pose the greatest risk.

When you know which critical vulnerabilities attackers are most likely to exploit in the near term, and what their potential impact is, you can more effectively mitigate and remediate exposures to reduce risk.

AI and machine learning enhance risk-based vulnerability management practices, which should be about more than just finding vulnerabilities. The goal is to understand risk with threat context, including insight about business impact.

How is vulnerability management different from risk-based vulnerability management?

Traditional vulnerability management practices give you a high-level view of vulnerabilities and risks. They uncover threats a vulnerability could introduce. However, legacy processes don’t give you true insight into your threat landscape.

If your teams don't understand risk in context, they may waste time on vulnerabilities that aren't a threat and miss the risky vulnerabilities more likely to negatively impact your organization.

What are the benefits of vulnerability management?

  • Provides threat context for vulnerabilities
  • Empowers teams to reduce the greatest amount of risk with least amount of effort
  • Provides comprehensive visibility into all vulnerabilities across your entire attack surface
  • Aligns cyber risk with business risk so you can make more informed business and cybersecurity decisions
  • Facilitates benchmarking and reporting about program success
  • Helps communicate cyber risk to key stakeholders in business context
  • Reduces reactive security measures
  • Eliminates blind spots created by legacy vulnerability management processes
  • Enables teams to focus on the 3% of vulnerabilities that pose greatest organizational risk

What are common challenges for vulnerability management?

Too many vulnerabilities

  • As you adopt more technologies and more technology types — traditional IT, IoT, IIoT, web apps, cloud infrastructure and services, virtual machines, and more — the volume of vulnerabilities and other security issues skyrockets.
  • The risk-based solution: Prioritize vulnerabilities based on actual risk to your unique environment and business impact so you know which exposure to address first.

No threat context for prioritization

  • Many vulnerability management tools find vulnerabilities but don't give context or have threat intelligence about exploit likelihood. Many rank too many vulnerabilities high or critical, even though they may never impact your business.
  • The risk-based solution: Use AI, machine learning and other industry-trusted threat intelligence, like Tenable Research, to understand asset criticality ratings and threat context to prioritize exposure remediation.

Limited asset tracking and insight into all their risks

  • As attack surfaces expand and increase in complexity, most security teams, especially those using disparate cybersecurity management tools, can't get full visibility into all assets and security exposures.
  • The risk-based solution: Use automation and other risk-aware tools to see all assets — regardless of how quickly they spin up or how short-lived.

Patch management

  • Patching is challenging. Some patches negatively impact systems and cause unexpected downtime and disruptions.
  • The risk-based solution: With insight into exploit likelihood and business impact, you can make plans about which vulnerabilities to fix first and which to patch later.

Limited resources

  • There are millions of unfilled cybersecurity positions, a problem compounded by the growing need for cloud security practitioners.
  • The risk-based solution: Automation, AI and machine learning tools focused on risk and threat context can help you make actionable, impactful remediation decisions faster using fewer resources and expenses.

What are managed vulnerability management services?

Managed vulnerability management services are exposure management tasks organizations outsource to a third-party managed security services provider (MSSP). They may include:

  • Continuous vulnerability scanning
  • Risk identification, prioritization and mitigation
  • Remediation processes and guidance
  • Metrics, documentation and reporting

Your organization may need outsourced vulnerability management if:

  • You have limited internal resources and budgets
  • You operate in complex environments, for example, a mix of traditional IT, OT and multi- or hybrid clouds
  • You struggle to keep up with the rapidly evolving threat landscape

2. Assets and vulnerabilities


What is an asset?

An asset is any hardware or software within your attack surface. This includes traditional IT assets such as servers, networks and desktop computers, as well as other devices and services like:

  • Smartphones
  • Tablets
  • Laptops
  • Virtual machines
  • Software as a service (SaaS)
  • Cloud-hosted infrastructure
  • Cloud technologies and services
  • Web apps
  • IoT devices

What is asset discovery and how can it mature my vulnerability management program?

Asset discovery identifies and tracks hardware, software, network devices and cloud resources. It helps teams:

  • Identify critical assets and understand their role in mission-critical operations
  • Know which assets are most vulnerable to cyberattacks
  • Expose overlooked or missed vulnerabilities that create security gaps
  • Prioritize remediation
  • Find and assess shadow assets IT teams may not be aware of
  • Ensure compliance with legal, regulatory and contractual requirements

What is an attack surface?

An IT attack surface consists of all the exposure points (your assets) attackers could exploit to cause a breach.

Many organizations struggle with attack surface visibility. Mitigating and remediating the vast volume of vulnerabilities over a complex and expanding attack surface makes effective process management challenging.

Quick tips to assess your attack surface:

  1. Identify all assets, regardless of type
  2. Determine location of each asset
  3. Determine who manages each asset and who has access
  4. Define asset type (cloud, mobile, traditional IT, IoT, etc.)
  5. Determine if the asset is critical to business operations and prioritize accordingly
  6. Evaluate what could happen if a threat actor exploits a vulnerability
  7. Prioritize and remediate vulnerabilities based on business impact and likelihood of exploitation
  8. Continuously monitor and address security issues as needed

What is a security vulnerability?

A security vulnerability is a weakness in hardware or software, such as a bug, programming mistake or misconfiguration, that attackers can exploit.

Patching, which repairs issues within code, can address some security vulnerabilities.

System misconfigurations are also vulnerabilities and create additional attack vectors.

Common ways attackers target security weaknesses:

  • Exploit misconfigurations and unpatched systems
  • Send emails (phishing) that look like they're from real sources (or other social engineering tactics) to trick people into revealing sensitive information like credentials
  • Credential stealing to collect usernames and passwords and then use them for lateral movement across your attack surface
  • Malicious software or malware injection
  • Denial of service (DoS) and distributed denial of service (DDoS) flooding attacks to limit system response to real service requests
  • Cross-site scripting (XSS) (inserts malicious code on websites)
  • Man-in-the-middle (MitM) attacks to compromise users through unsecured networks like public WiFi
  • Malicious structured query language (SQL) injection for unauthorized access to sensitive information
  • Zero-day exploits before release of a patch or update

3. Vulnerability scanning


What is a vulnerability scanner?

A vulnerability scanner is an automated tool that discovers vulnerabilities across your attack surface.

Types of vulnerability scans:

  • Credentialed scans use login credentials to discover detailed information about security issues within an asset, system or network.
  • Non-credentialed scans do not need credentials and target open ports, protocols and exposed host services.
  • Internal vulnerability scans performed inside your organization discover how attackers can move through your network, including gaining an initial foothold in Active Directory to facilitate lateral movement through your environments.
  • External vulnerability scans performed outside your network discover security weaknesses.
  • Network-based scans are for devices such as firewalls, routers, servers and network applications.
  • Web app scans find security weaknesses in apps.
  • Cloud-based scans evaluate cloud environments like AWS, GCP and Azure for security issues.
  • Host-based scans check single devices or hosts for vulnerabilities.

How do vulnerability scanners work and what do they detect?

Vulnerability scanners work by automating processes to detect asset security weaknesses.

Common ways vulnerability scanners work:

  • Uses active and passive scanning methods to find assets in the target environment
  • Determines and lists asset type, operating systems, software and versions, services, applications and open ports
  • Identifies vulnerabilities such as misconfigurations, code issues, missing patches, outdated operating systems and software
  • Scores risk to prioritize which vulnerabilities to fix first
  • Reports findings

A vulnerability scanner may detect security issues such as:

  • Outdated operating systems and firmware
  • Missing patches
  • Misconfigurations
  • Missing or weak credentials like passwords
  • Open or unsecured ports
  • Known vulnerabilities
  • Outdated security certificates
  • Malware
  • Excessive or improper permissions
  • SQL injection or cross-site scripting

Active scanners

Active scanners create a detailed picture of your network and assets at a specific point in time.

Active scanning generates network traffic and interacts with devices on your network. It sends packets to a remote target, which creates a snapshot of your network at that moment.

You can then compare active services and applications to a plugin database to see if vulnerabilities exist.

Active scanning is ideal for IT devices in a converged IT/OT environment. It gives insight into:

  • Installed applications
  • Libraries and services
  • Vulnerabilities
  • Details about users, groups and installed software

Active scanning also helps with configuration assessments. It uncovers default usernames and passwords for critical systems and applications. These scans help detect malware and can uncover backdoors, open ports, bad file hashes and other problems.

Tenable Vulnerability Management has integrated active scanning, including:

  • On-demand scans launched by the user
  • Scheduled scans that launch daily, weekly or monthly on a set schedule
  • Dependent scans that launch when a scheduled parent scan completes. You can daisy-chain dependent scans to other dependent scans.

Active scanning doesn’t include devices like tablets, smartphones or laptops that may occasionally appear on your network.

It can also cause potential disruptions. You shouldn’t use it on assets that can experience an outage or downtime if scanned. That could include systems critical to your organizational infrastructure, medical devices and IoT or industrial control systems.

Credentialed scans

Credentialed scans allow users to remotely log into devices and examine them from the inside out. They gather information about configuration settings and whether malware has infected installed software.

You don’t have to install software on an asset to conduct a credentialed scan. However, the scan may still cause disruptions because it could use network bandwidth and processing power.

Credentialed scans may be better for IT security controls in upper layers of your OT environment. You can often use these scans with non-credentialed scans for more insight from inside-out and outside-in.

Agents

Agent scans look at each device from an inside-out approach. The agent is installed on the device or server it assesses, and these scans are generally used on control environment systems. Agent scans are suitable for devices not frequently connected (or never connected) to your network.

Agent scans can find malware and misconfigurations and uncover vulnerabilities.

Agents are generally easy to install and not intrusive. However, there are drawbacks, specifically for resources. Because they are on-device, they use power, bandwidth, disk and memory space. With on-device installation, carefully test the agent before installation, especially in OT environments.

Image registry

Image registry scanning is a security process for software in the build/development stage. Image registries hold and scan images for assets, including public cloud instances and containers. The benefit of image registry scanning is that it discovers potential security issues before new software is deployed. You can also use it for open-source software or components.

How often should I conduct vulnerability scans?

When determining how often to conduct vulnerability scans, consider:

  • Size of your organization
  • Industry
  • Security and compliance requirements
  • Risk profile
  • Specifics of your attack surface

Automated, continuous vulnerability scanning is optimal. If that's not possible, scan at least once a month, and more frequently based on your acceptable risk level. Also run scans when you have network changes such as expansion, new devices or significant system, infrastructure or software updates.

Benefits of automated vulnerability scanning

  • Ability to scan complex attack surfaces using fewer resources
  • Reduced IT security workloads
  • Real-time security exposure identification
  • Ability to track changes over time
  • Reduced chance of human error
  • Consistent processes and policy compliance
  • More comprehensive visibility across your attack surface
  • Proactive security posture to decrease chance of cyberattack

4. The role of vulnerability assessment in vulnerability management


Vulnerability assessments play a key role in vulnerability management. Security assessments find assets and vulnerabilities so your team can prioritize and remediate them.

In terms of program priorities, vulnerability assessments can help teams understand cyber risk as it relates to business risk to make more informed and strategic decisions.

What is vulnerability assessment?

A vulnerability assessment is a way to know, expose and close vulnerabilities across your enterprise. It uses a variety of scanning tools and techniques to find security weaknesses such as missing patches, misconfigurations and out-of-date operating systems, software and firmware.

These assessments go beyond identifying vulnerabilities. They provide context and threat intelligence to prioritize and develop remediation strategies. This is a proactive approach to decrease the likelihood of a cyberattack.

Vulnerability assessment challenges

  • Too many vulnerabilities to address
  • No threat context or reliable threat intelligence
  • Too many vulnerabilities rated critical or high that don’t pose actual risk
  • Not enough information to prioritize remediation
  • No established or best practice remediation processes
  • Too many false positives and false negatives
  • Threat alert fatigue
  • Too many diverse asset types and attack vectors
  • Lack of visibility into all assets
  • Too many reactive security controls

Vulnerability assessment benefits

  • Identification of security weaknesses across assets
  • Security evaluation of your networks, systems and applications
  • Risk reduction
  • Proactive cybersecurity management
  • Ensures compliance
  • Helps secure cyber insurance
  • Decreases the chance of a cyber breach and related fines, penalties and recovery costs

What’s the difference between vulnerability assessment and penetration testing?

Vulnerability assessments and penetration testing work together, but they are not the same. They have different scopes and priorities.

A vulnerability assessment is a point-in-time look at security weaknesses.

Penetration testing simulates a real-world cyberattack to demonstrate how threat actors could exploit a vulnerability. Pen tests can also find other security issues you may have overlooked.

A vulnerability assessment finds vulnerabilities. A penetration test demonstrates impact.

5. Vulnerability scoring and prioritization


Vulnerability prioritization and scoring work together to inform remediation. Scoring assesses each vulnerability based on its potential impact. Prioritization draws on scoring but goes further: it also considers whether an exploit exists in the wild, how likely an attacker is to exploit the vulnerability in the near term, and business impact. These prioritization factors help teams plan which security issues to focus on first, because those have the greatest chance of directly impacting your organization. Used together, vulnerability scoring and prioritization reduce risk.

Why is vulnerability prioritization important?

Vulnerability prioritization, or risk prioritization, is important because it helps teams get their arms around which vulnerabilities need attention immediately and which ones can be delayed until later. Without it, teams don’t have context to understand which of the thousands of potential vulnerabilities they should fix first.

Without prioritization, security teams spin their wheels in a constant loop of reactive security. Approaching vulnerability management without prioritization is inefficient, gobbles up resources and funds, and does little to reduce risk.

What are common challenges of vulnerability prioritization?

  • Too much vulnerability data with too little context
  • Too many alerts
  • Too many false positives and false negatives
  • Poor scoring makes it difficult to know which vulnerabilities are high-risk and which aren’t pressing
  • Lack of understanding how cyber risk relates to business risk
  • Issues identifying all assets and understanding which are critical to operational resilience
  • Challenges hiring skilled security professionals
  • Budget constraints
  • Disparate vulnerability management tools that silo data
  • Rapidly evolving threat landscape

What are the benefits of prioritizing vulnerabilities for remediation?

  • Targeted, more efficient remediation processes
  • Actionable risk reduction using fewer resources and expenses
  • Faster remediation of critical vulnerabilities
  • Decreased chance of cyberattacks
  • Increased operational effectiveness
  • Increased compliance confidence
  • Ability to align cyber risk with business risk tolerance and organizational goals
  • Improved cyber hygiene
  • Stronger security posture

What are common vulnerabilities and exposures (CVEs) and how are they used?

Common vulnerabilities and exposures (CVEs) are industry-recognized identifiers for known security vulnerabilities that MITRE has identified and listed in its CVE database. MITRE assigns each CVE an identifier made up of the year and a corresponding CVE number. Each CVE also includes other important information such as a name, description and potential exploit impact. There are more than 264,000 CVEs in the database.

A CVE standardizes how organizations track vulnerability data across multiple tools and technologies. Vulnerability scanners, for example, can use CVE data to elaborate on a vulnerability and guide remediation efforts.

What is VPR?

VPR, or vulnerability priority rating, is Tenable's vulnerability scoring system. Unlike the Common Vulnerability Scoring System (CVSS), VPR takes into consideration real-time threat intelligence, asset criticality, exploit activity in the wild and other factors to show which vulnerabilities pose the greatest threat based on your risk profile and attack surface. VPRs are not static. Tenable updates VPR scores as new threat intelligence emerges.

Compared to VPR, CVSS returns a mountain of vulnerabilities listed as critical or high. Yet, security teams don’t actually need to find and fix every one. Not every vulnerability poses an actual risk. The key to VPR is understanding which vulnerabilities attackers may most likely exploit based on your attack surface and other factors.
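Risk-based prioritization as this section describes it, shown as an added Python example that is not Tenable's code or the VPR algorithm: the weights, the score formula, the sample findings and the placeholder CVE ids are all constructed assumptions. It also checks the CVE-YYYY-NNNN identifier format from the CVE passage above, and contrasts the CVSS-only "critical or high" backlog with the risk-ranked order of the same findings.

```python
import re
from dataclasses import dataclass

# CVE identifiers look like CVE-<four-digit year>-<sequence of 4 or more digits>.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def valid_cve_id(cve_id: str) -> bool:
    """True when the string follows the CVE-YYYY-NNNN(+) identifier format."""
    return CVE_ID.match(cve_id) is not None


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    cvss: float                 # CVSS base score, 0.0 to 10.0
    asset_criticality: int      # constructed scale: 1 (lab box) .. 5 (revenue-critical)
    exploit_in_wild: bool       # a working exploit is publicly available
    active_exploitation: bool   # attackers are using it now or are likely to soon


def cvss_band(cvss: float) -> str:
    """Severity band as a CVSS-only view would label it."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def threat_factor(f: Finding) -> float:
    """Constructed weights for threat context: no exploit < exploit exists < actively used."""
    if f.active_exploitation:
        return 1.0
    if f.exploit_in_wild:
        return 0.6
    return 0.2


def risk_score(f: Finding) -> float:
    """Constructed 0-100 risk score: severity scaled by asset criticality and threat context.

    This combines the factors the text lists for illustration; it is not Tenable's VPR formula.
    """
    severity = f.cvss / 10.0
    criticality = f.asset_criticality / 5.0
    return round(100 * severity * criticality * threat_factor(f), 1)


def prioritize(findings):
    """Highest risk first; ties broken by CVE id so the order is stable and reviewable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve_id))


def compare_views(findings):
    """Contrast the CVSS-only backlog with the risk-ranked order of the same findings."""
    cvss_urgent = [f.cve_id for f in findings if cvss_band(f.cvss) in ("Critical", "High")]
    ranked = [(f.cve_id, cvss_band(f.cvss), risk_score(f)) for f in prioritize(findings)]
    return {"cvss_critical_or_high": cvss_urgent, "risk_ranked": ranked}


# Constructed sample findings; the CVE ids and asset names are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", "lab-vm-01", 9.8, 1, False, False),
    Finding("CVE-0000-0002", "payments-api", 7.5, 5, True, True),
    Finding("CVE-0000-0003", "hr-portal", 9.1, 3, True, False),
    Finding("CVE-0000-0004", "payments-db", 5.3, 5, True, True),
    Finding("CVE-0000-0005", "print-server", 8.8, 2, False, False),
]

if __name__ == "__main__":
    views = compare_views(SAMPLE)
    print("CVSS critical/high:", views["cvss_critical_or_high"])
    for cve_id, band, score in views["risk_ranked"]:
        print(f"{cve_id}  CVSS band={band:<8} risk={score}")
```

Four of the five sample findings are "critical or high" by CVSS alone, while the risk ranking puts a CVSS-medium finding on a critical asset under active exploitation second and the CVSS-critical lab box last.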

How can I use AI and machine learning for vulnerability prioritization?

You can use AI and machine learning to quickly and accurately assess vulnerability data, threat intelligence and asset information in real time, decreasing false positives, false negatives and unnecessary alerts. AI vulnerability management tools can draw on historical data to predict future exploit activity and other patterns.

Tenable Exposure AI uses generative AI to facilitate faster vulnerability analysis and decision-making, including remediation guidance to speed up risk reduction activities. The solution provides contextual threat data so your teams can make more effective, proactive security decisions and decrease the chance of a cyber breach.

6. Network Monitors


What is a network monitor and how does it help manage vulnerabilities?

A network vulnerability monitor discovers vulnerabilities and other security issues within your traditional IT infrastructure, including:

  • Networks
  • Servers
  • Operating systems
  • Applications

Web application scanners are similar, but work with third-party applications and test in-house apps.

Passive network monitoring

Passive network monitoring gives you continuous insight into applications and operating systems in your network. It helps you see:

  • Who is connected to your network
  • Data transfers
  • Current active hosts
  • When a new host is active
  • Which ports/services are active
  • Inter-asset connections

Passive network monitoring uses deep packet inspection to analyze network traffic. It’s ideal for IT and OT devices in a converged IT/OT environment to discover and identify active network assets and vulnerabilities and actively installed applications and services.

Active scanning isn’t always an option because it could disrupt operations. Instead, passive scanning keeps you informed of what’s happening across your attack surface, giving you more visibility.

Passive network monitoring also uses real-time asset discovery. That means you can eliminate blind spots created by periodic active scanning.

Passive network scanning is effective for discovering vulnerabilities in your industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA). Active scanning may disrupt these environments.
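What a passive monitor derives from observed traffic, shown as an added Python example that is not Nessus Network Monitor's code: the flow records, the banner patterns and the approved-version baseline are constructed assumptions. It builds the host, service and connection view the list above describes, flags hosts absent from an existing asset list, and compares observed service versions against an organizational minimum (a policy baseline, not a vulnerability database).

```python
import re
from collections import defaultdict

# Constructed flow records, as a passive sensor on a TAP or SPAN port might summarise them.
# Each record is one observed connection: "src" initiated it, "dst" is the server side.
FLOWS = [
    {"ts": 1000, "src": "10.0.1.10", "dst": "10.0.2.5", "proto": "tcp", "dport": 443,
     "banner": "HTTP/1.1 200 OK Server: nginx/1.18.0"},
    {"ts": 1005, "src": "10.0.1.11", "dst": "10.0.2.5", "proto": "tcp", "dport": 22,
     "banner": "SSH-2.0-OpenSSH_7.4"},
    {"ts": 1010, "src": "10.0.1.10", "dst": "10.0.2.9", "proto": "udp", "dport": 53,
     "banner": None},
    {"ts": 1200, "src": "10.0.3.77", "dst": "10.0.2.5", "proto": "tcp", "dport": 22,
     "banner": "SSH-2.0-OpenSSH_7.4"},
]

# Banner patterns for the two services in the sample; a real monitor carries far more.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
    "nginx": re.compile(r"nginx/(\d+(?:\.\d+)*)"),
}

# Constructed organisational baseline: minimum approved versions. These are policy
# thresholds for the example only, not statements about any version being vulnerable.
MIN_APPROVED = {"OpenSSH": (8, 0), "nginx": (1, 18, 0)}


def parse_version(text):
    """'1.18.0' -> (1, 18, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def identify_service(banner):
    """Return (software, version tuple) from a banner, or None when unrecognised."""
    if not banner:
        return None
    for name, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return name, parse_version(match.group(1))
    return None


def build_inventory(flows):
    """Aggregate flows into hosts (first/last seen), listening services and connections."""
    hosts = defaultdict(lambda: {"first_seen": None, "last_seen": None})
    services = defaultdict(dict)   # dst -> {(proto, port): (software, version) or None}
    connections = set()            # (src, dst, proto, dport)
    for rec in sorted(flows, key=lambda r: r["ts"]):
        for ip in (rec["src"], rec["dst"]):
            host = hosts[ip]
            if host["first_seen"] is None:
                host["first_seen"] = rec["ts"]
            host["last_seen"] = rec["ts"]
        key = (rec["proto"], rec["dport"])
        svc = identify_service(rec.get("banner"))
        # Keep the richest observation: a recognised banner overrides an unknown one.
        if svc or key not in services[rec["dst"]]:
            services[rec["dst"]][key] = svc
        connections.add((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return {"hosts": dict(hosts), "services": dict(services), "connections": connections}


def new_hosts(inventory, baseline):
    """Hosts seen on the wire that the existing asset list does not know about."""
    return sorted(set(inventory["hosts"]) - set(baseline))


def below_baseline(inventory):
    """Services whose observed version is older than the approved minimum."""
    out = []
    for host, svcs in inventory["services"].items():
        for (proto, port), svc in svcs.items():
            if svc and svc[1] < MIN_APPROVED.get(svc[0], ()):
                out.append((host, proto, port, svc[0], ".".join(map(str, svc[1]))))
    return sorted(out)


if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    known = ["10.0.1.10", "10.0.1.11", "10.0.2.5", "10.0.2.9"]   # constructed asset list
    print("active hosts:", sorted(inv["hosts"]))
    print("new hosts:", new_hosts(inv, known))
    print("below baseline:", below_baseline(inv))
```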

Nessus Network Monitor

Nessus Network Monitor (NNM) passively analyzes network traffic to eradicate blind spots. NNM is a safe and non-intrusive way to manage sensitive systems.

Tenable Vulnerability Management and Tenable Security Center include Nessus Network Monitor as a sensor.

Some benefits of using a network monitor:

  • Non-intrusive continuous monitoring and risk assessment of your network
  • Network traffic monitoring at the packet level for visibility into server and client-side vulnerabilities
  • Enables future asset discovery and vulnerability monitoring for all of your devices, including virtual systems and cloud services
  • Automatic infrastructure and vulnerability assessment
  • Vulnerability detection on communicating systems, including protocols and applications
  • Identification of application compromise
  • Comprehensive asset discovery of all devices

What should I look for in passive network monitoring tools?

  • Complete visibility into network traffic
  • Sensors to connect to a physical test access point (TAP) or SPAN port. For traffic in a cloud environment or virtual infrastructure, the monitor should operate on a properly configured virtual machine.
  • Support transmission control protocol (TCP) and user datagram protocol (UDP)
  • Support system protocols like SCTP, ICMP, IPIP and others
  • Recognize all assets across your attack surface that use your protocols
  • Identify all known vulnerabilities
  • Alert your security information and event management (SIEM) solution when it discovers new assets.

In Tenable Nessus, passive network monitors, which are monitoring sensors, enable continuous discovery of all active network assets and facilitate vulnerability assessments. Nessus Network Monitor integrates into Tenable Vulnerability Management.

What are network vulnerability assessments for enterprises?

A network vulnerability assessment for enterprises helps security teams identify and assess security weaknesses across your IT infrastructure. It works by scanning your network, databases, apps, and other assets to find security exposures.

Enterprise network vulnerability assessments can decrease exposures by providing visibility into your IT assets and vulnerabilities. They can also support adherence to many security frameworks and compliance standards.

7. Patch Management


What is patch management?

Patch management is a process to update systems and software to reduce cyber exposures.

Challenges for patch installation prioritization:

  • The volume of systems and applications within your attack surface
  • Vendors constantly releasing new patches

Patching priorities should align with a vulnerability risk rating. If your scoring system ranks a vulnerability high or critical, start there. Then, work your way through lower-ranking vulnerabilities.

Like asset discovery, getting a comprehensive view of patching is challenging without a vulnerability management platform.

The Tenable Vulnerability Management dashboard, for example, shows which patches your critical assets need. Tenable’s VPR shows where to focus your attention first to expedite remediation.

You can even filter the patch list for a closer look. For example, filter your view to patches published in the past 90 days to see which are most critical.

Some patches cause disruptions, so you may want to pre-test a patch before deploying it in an active environment. After deployment, consider conducting internal and external penetration tests to see if the patch works as intended.

Is your patch management system effective?

  • Does your team apply all security patches?
    • Develop a policy about whether or not your security professionals should cover all patches. If you do, Nessus and Tenable Security Center can determine if your patch system works. If you don't need 100% coverage, conduct an external audit to uncover security gaps patching processes don't fix.
  • How quickly do you apply patches?
    • Create a policy regarding the timeframe for patch installation. You can use Nessus and Tenable Security Center to test for discrepancies within your policy and report on progress.
  • Do you include new hosts in your patch management program?
    • As you add servers or desktops to your infrastructure, use Tenable Security Center to monitor your patch cycle.
  • What about embedded devices?
    • Security issues exist within embedded devices such as switches, firewalls, routers and printers. Use Nessus and Tenable Security Center to find patch issues in these embedded devices.

Join this on-demand vulnerability management webinar: "Let’s End the Confusion and Get Awesome at Patching." It explores:

  • What makes a vulnerability critical and its impact on effective patching
  • How to close the communication gap between your security and IT teams to improve patching efficiencies
  • How to streamline patching and remediation efforts

Why do some patches fail?

  • The target device, such as a UNIX or Windows server, may be locked down so tightly that its configuration prevents the remote user account or local agent used for patching from pushing the patch.
  • Limited network access. For example, the server has out-of-date network settings, such as a stale DNS server entry or a local router that appears to be up but no longer routes traffic correctly.
  • Firewall rules can block the connections a patch needs and cause the patch to fail.
  • There could be patch dependencies you haven’t considered.
  • The patch may fail if you have limited space on the drive or partition. This is also true for self-extracting patches.
  • You may have limited bandwidth that prevents the patch from being delivered and installed.

The role of patch management in vulnerability remediation

  • Ensures prompt vulnerability remediation
  • Reduces your attack surface
  • Proactively addresses security issues and misconfigurations
  • Reduces exploitation risk
  • Improves cyber hygiene

8. Cloud vulnerability management


What is vulnerability management in the cloud?

Vulnerability management in the cloud involves identifying, prioritizing and remediating security risks within cloud environments. The cloud is dynamic. Resources are constantly provisioned and deprovisioned so traditional security practices don’t always work.

To ensure the effectiveness of your cloud vulnerability management program, use cloud-native tools like a cloud-native application protection platform (CNAPP) to help security teams maintain visibility, detect misconfigurations and quickly respond to potential threats in public, private and hybrid cloud environments.

What are common vulnerabilities in cloud environments?

Common cloud vulnerabilities include misconfigurations, unpatched software and insecure APIs. Others include overly permissive storage access, exposed services and improper identity and access management (IAM) configurations.

Security teams may mistakenly leave cloud resources, like databases and virtual machines, accessible to the public. This happens when there isn’t an understanding of the shared responsibility model for cloud security and users assume that the cloud service provider (CSP) or another third party will take care of security and compliance.

When cloud security gaps exist, attackers may exploit them to compromise systems, steal data or disrupt services. Regular cloud security assessments and automated cloud security tools can find and fix cloud vulnerabilities to proactively prevent breaches.

How do cloud vulnerabilities differ from on-prem vulnerabilities?

Unlike static on-prem systems and software, the cloud often has frequent changes in configurations, instances and services. This makes traditional vulnerability management practices, like periodic manual scans, insufficient for the cloud.

How can I prevent cloud vulnerabilities?

To prevent cloud vulnerabilities, adopt a proactive, risk-based approach. Implement best practices, such as ensuring secure cloud resource configuration, regular patching and enforcing least privilege access.

Use automated cloud security tools that continuously monitor for misconfigurations and vulnerabilities. Implementing multi-factor authentication (MFA) and using cloud security posture management (CSPM) tools also help secure the cloud.
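As an added example (not Tenable's code or any provider's API), the following script runs CSPM-style rules over a constructed, vendor-neutral inventory and reports the exposure classes listed above: public storage, exposed services, unpatched software, insecure APIs and IAM policies that violate least privilege. The inventory shape, port list and remediation text are assumptions for this example.

```python
"""CSPM-style checks over a constructed cloud inventory (added example, not Tenable's code).
The inventory shape is an assumption for this example, not any provider's API."""

# Services that should not face the internet on a workload (assumption for this example).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample inventory: one clean bucket and four misconfigured resources.
INVENTORY = [
    {"type": "storage_bucket", "name": "customer-exports", "public_access": True, "encrypted": False},
    {"type": "vm", "name": "db-02", "public_ip": True, "open_ports": [22, 5432, 8443], "pending_patches": 14},
    {"type": "iam_policy", "name": "ci-deploy", "actions": ["*"], "resources": ["*"], "mfa_required": False},
    {"type": "api_endpoint", "name": "orders-api", "auth": "none"},
    {"type": "storage_bucket", "name": "app-logs", "public_access": False, "encrypted": True},
]


def check_resource(res):
    """Apply the rules for one resource; each finding carries a severity and a fix."""
    found = []

    def add(sev, issue, fix):
        found.append({"resource": res["name"], "severity": sev, "issue": issue, "remediation": fix})

    kind = res["type"]
    if kind == "storage_bucket":
        if res.get("public_access"):  # overly permissive storage access
            add("high", "bucket is publicly accessible", "block public access; grant access per principal")
        if not res.get("encrypted"):
            add("medium", "no encryption at rest", "enable encryption with managed keys")
    elif kind == "vm":
        if res.get("public_ip"):
            for port in res.get("open_ports", []):
                if port in SENSITIVE_PORTS:  # exposed service on an internet-facing host
                    add("high", f"{SENSITIVE_PORTS[port]} port {port} exposed to the internet",
                        "restrict the security group to trusted ranges or a bastion")
        if res.get("pending_patches", 0) > 0:  # unpatched software
            add("medium", f"{res['pending_patches']} patches pending", "patch within the severity SLA")
    elif kind == "iam_policy":
        if "*" in res.get("actions", []) or "*" in res.get("resources", []):  # least privilege
            add("high", "wildcard actions or resources", "scope the policy to what is actually used")
        if not res.get("mfa_required"):
            add("medium", "MFA not required", "enforce MFA for this principal")
    elif kind == "api_endpoint":
        if res.get("auth") == "none":  # insecure API
            add("high", "API endpoint has no authentication", "require token or IAM authentication")
    return found


def assess(inventory):
    """Run every rule over the inventory and return findings, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [f for res in inventory for f in check_resource(res)]
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["resource"]))


def summarize(findings):
    """Count findings per severity for a report or dashboard."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts
```

Running `assess(INVENTORY)` on the sample yields eight findings; the clean `app-logs` bucket produces none, which is the behaviour a continuous monitor should show once a misconfiguration is fixed.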

Which tools are best for cloud vulnerability management?

Your vulnerability management tools should offer visibility, continuous monitoring and automated remediation across all your cloud environments.

Tenable Vulnerability Management, for example, provides comprehensive vulnerability management for multi-cloud and hybrid environments. It scans assets in real time, detects misconfigurations and provides context to prioritize remediation efforts based on risk.

Features such as integration with cloud-native APIs, detailed reporting and compliance checks ensure early vulnerability detection. Guided remediation strategies reduce your attack surface and ensure compliance.

9. Vulnerability management in AI environments


AI applications and services introduce new and complex security risks, including adversarial attacks, where threat actors manipulate data to mislead AI models into producing incorrect outputs.

AI security attacks can distort machine learning models so they behave unpredictably.

Additionally, AI systems integrated into cloud infrastructures can introduce misconfigurations, insecure APIs and outdated software that create new exposures. These are critical attack vectors, so AI-driven applications need continuous scanning and real-time threat detection. Regular patching and updates are also crucial to mitigating these risks.

What are the main vulnerabilities in AI environments?

  • Data poisoning with malicious data to distort AI model predictions
  • Algorithmic manipulation
  • Misconfigurations
  • Insecure APIs

How do I manage vulnerabilities in AI systems?

To manage vulnerabilities in AI systems, use a vulnerability management tool that continuously monitors these environments. Conduct risk assessments to find AI security issues.

Generative AI environments involve complex infrastructures, which make traditional vulnerability management practices ineffective. Tenable’s solutions include monitoring AI development pipelines, infrastructure misconfigurations and data integrity for vulnerability identification and remediation to address AI security exposures.

How does AI affect vulnerability management?

AI systems can automate vulnerability scanning, prioritize risks and suggest remediation based on threat intelligence. However, they must be secure to prevent them from becoming attack vectors.

Leveraging AI to enhance security controls can improve program efficiency, but requires careful attention to secure AI models and infrastructure.

Challenges

  • AI system complexity (intricate architectures and algorithms) makes it difficult to identify and assess vulnerabilities
  • Data sensitivity
  • New and evolving AI threat landscape
  • Integration issues and blind spots

Opportunities

  • Enhanced and more efficient threat detection
  • Automated remediation for consistency, reducing human error and the time and resources consumed by manual intervention
  • More effective risk assessments with increased data analytic capabilities, like the ability to learn from historical data
  • Proactive security controls with learning capabilities to anticipate and mitigate threats

Which AI vulnerability management tools are available?

AI tools such as Tenable Vulnerability Management provide comprehensive solutions for vulnerability management in AI environments. They include features like API security assessments and machine learning risk analysis. Tenable can help manage vulnerabilities across the entire AI lifecycle, from development to deployment.

What is Tenable AI Aware?

Tenable AI Aware protects AI environments and large language models (LLMs).

AI Aware proactively identifies and mitigates vulnerabilities specific to AI models, addressing risks like model manipulation, data poisoning and insecure integrations. It integrates with AI development workflows, offering continuous monitoring, risk assessments and automated remediation, from training to deployment for comprehensive protection against traditional and AI-specific threats.

10. Vulnerability and risk management


Vulnerability management and risk management are closely related. Vulnerability management focuses on identifying, assessing, prioritizing and mitigating security weaknesses across your attack surface. Risk management assesses the impact of these vulnerabilities on operations.

By understanding how vulnerabilities affect business objectives and aligning security initiatives with organizational goals, you can allocate resources to address your most pressing security issues faster.

Effective risk management draws on vulnerability management insights. Understanding potential vulnerability consequences helps teams develop strategies to minimize threat exposure.

This enhances a proactive security posture and anticipates future vulnerabilities based on emerging threats.

What is benchmarking in vulnerability management?

Benchmarking in vulnerability management compares your security posture against industry standards, best practices or peer organizations. It helps establish measurable improvement goals.

Using a vulnerability management solution with data analytics, reporting and benchmarking capabilities gives you valuable insight into program effectiveness and return on investment (ROI).

Benchmarking can also help with setting key performance indicators (KPIs) to track progress over time. By analyzing metrics such as the number of vulnerabilities discovered, remediation time and mitigation strategy effectiveness, you can make data-driven decisions to refine risk management processes.
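The metrics named above, and the patching timeframe policy described in the patch management section, can be derived from the same finding records. The following is an added example, not Tenable's code or reporting API: it evaluates constructed findings against a hypothetical severity-based SLA, builds the patch queue in the order the text prescribes (highest rating first), applies the 90-day filter and computes remediation KPIs including mean time to remediate.

```python
"""Patch SLA compliance and remediation KPIs (added example, not Tenable's code).
The severity-to-days policy and the finding records are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy: days allowed from discovery to remediation per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TODAY = date(2024, 6, 30)  # reference date for the constructed data


@dataclass
class Finding:
    asset: str
    patch: str                         # constructed identifier for the missing patch
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None while the patch is still missing


# Constructed sample findings.
SAMPLE = [
    Finding("web-01", "KB-A", "critical", date(2024, 6, 1), date(2024, 6, 5)),
    Finding("db-02", "KB-B", "critical", date(2024, 6, 10)),
    Finding("fs-03", "KB-C", "high", date(2024, 5, 1), date(2024, 6, 20)),
    Finding("laptop-04", "KB-D", "medium", date(2024, 6, 15)),
    Finding("printer-05", "KB-E", "low", date(2024, 1, 1)),
    Finding("web-01", "KB-F", "high", date(2024, 6, 20), date(2024, 6, 25)),
]


def sla_status(f: Finding, today: date = TODAY) -> str:
    """'met'/'late' for remediated findings, 'open'/'overdue' for outstanding ones."""
    limit = SLA_DAYS[f.severity]
    if f.remediated is not None:
        return "met" if (f.remediated - f.discovered).days <= limit else "late"
    return "overdue" if (today - f.discovered).days > limit else "open"


def patch_queue(findings):
    """Outstanding patches ordered as the text prescribes: highest severity first, then oldest."""
    open_items = [f for f in findings if f.remediated is None]
    return sorted(open_items, key=lambda f: (SEVERITY_RANK[f.severity], f.discovered))


def recent(findings, today: date = TODAY, days: int = 90):
    """Findings discovered in the last `days` days (the 90-day filter from the text)."""
    cutoff = today - timedelta(days=days)
    return [f for f in findings if f.discovered >= cutoff]


def kpis(findings, today: date = TODAY) -> dict:
    """KPIs for benchmarking: volume, remediation counts, SLA status and mean time to remediate."""
    status = [sla_status(f, today) for f in findings]
    done = [f for f in findings if f.remediated is not None]
    mttr = sum((f.remediated - f.discovered).days for f in done) / len(done) if done else None
    return {
        "discovered": len(findings),
        "remediated": len(done),
        "sla_met": status.count("met"),
        "sla_late": status.count("late"),
        "overdue": status.count("overdue"),
        "open_within_sla": status.count("open"),
        "mttr_days": round(mttr, 1) if mttr is not None else None,
    }
```

Tracking `overdue` and `mttr_days` per scan cycle gives the trend line the benchmarking discussion calls for; a rising overdue count with a flat discovery count points at the remediation process rather than at new exposure.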

Vulnerability management analytics and reporting

Through analytics and reporting in vulnerability management, you get deeper insight into your vulnerability landscape. Vulnerability management reporting tools make it easier to communicate findings and strategies to stakeholders to build support for your program. Comprehensive reporting also supports compliance.

Using vulnerability management to align cyber risk with business risk

Aligning cyber risk with business risk is a fundamental part of vulnerability management. By understanding how vulnerabilities could impact critical operations, you can prioritize remediation based on potential financial and operational consequences.

This risk-based approach facilitates prioritization of vulnerabilities that pose the greatest threat to your mission, rather than simply addressing exposures based on severity score.

By framing vulnerability management in business risk context, you can enhance resilience and reduce risk.

Helping security practitioners earn stakeholder buy-in and support

Traditionally, security teams on one side and executives and key stakeholders, like the board, on the other spoke two different languages. Vulnerability management breaks down these communication barriers to help security professionals get buy-in from stakeholders.

By effectively demonstrating potential vulnerability impacts on operations and finances, you can articulate the importance of proactive security measures, without getting bogged down in technical terms that non-tech professionals don’t understand.

With data-driven security insights and metrics aligned to business goals, you can highlight risks associated with unaddressed vulnerabilities and present a compelling case for ongoing support and investment into cybersecurity initiatives.

Involving stakeholders in the vulnerability management process also fosters ownership and accountability. When stakeholders understand the critical nature of vulnerabilities, and they know about ongoing security efforts, they are more likely to provide support and resources.

11. Vulnerability management solutions


Why do I need vulnerability management?

Your attack surface has hundreds of potential attack vectors, countless assets and complex work environments. That makes it impossible for security teams to patch and fix every vulnerability. Yet, attackers are actively looking for ways to exploit these weaknesses.

Although the National Vulnerability Database (NVD) has more than 265,000 CVEs, attackers exploit only a small fraction of these vulnerabilities in the real world. However, they could target any security weakness at any time.

Organizations usually give vulnerabilities marked high/critical the most attention, but attackers aren't concerned about CVE scores. They're looking for the easiest way to exploit vulnerabilities, wherever they are.

How do I choose a vulnerability management solution?

While your organization will have unique needs when selecting a vulnerability management solution, some core considerations apply across industries:

1. Continuous asset discovery

Your enterprise vulnerability solution should offer comprehensive coverage, including continuous asset discovery and complete visibility into your attack surface.

Consider a solution with:

  • Network scanners
  • Agents for endpoints frequently off-network, for example, laptops or mobile devices
  • Passive network monitors to continuously discover assets and vulnerabilities
  • Cloud connectors and pre-authorized cloud scanners to monitor and assess cloud instances
  • Image scanners for static container images before deployment
  • Web app scanners
  • Integrations with cloud, CMDB, CI/CD, ticketing/SOAR and other technologies

2. Assessment beyond static scans

Asset assessment should be more than a scan. Your vulnerability management solution should facilitate data collection and assessment to identify security issues.

Consider a solution with:

  • Container assessment before deployment with integrations into developer workflows
  • Cloud workload assessment with API-based visibility
  • Passive detection for IT and OT devices that won’t impact system performance and availability

3. Advanced prioritization

A vulnerability management platform for enterprises should synthesize vulnerability data using machine learning and AI. These tools can help you uncover blind spots and hidden patterns to better understand organizational risks.

Consider a solution with:

  • Vulnerability prioritization
  • Data inputs for prioritization
  • Industry-leading research and data teams
  • Scalable automated asset scoring

4. Automated reports and benchmarking

Your vulnerability management solution should provide out-of-the-box reporting for your basic needs. Look for a solution with a strong API for integrations and to automate reports.

Customized reports can improve program communication by tailoring them to fit your team's needs, business objectives and compliance requirements.

Also, consider choosing a vulnerability management tool that includes benchmarking metrics. This will help your teams evaluate program success internally and against peer organizations.

5. Simple pricing and licensing

Your vulnerability management solution should have simple and straightforward pricing. Select a vendor with a licensing model that doesn't penalize you for utilizing an API or threat intelligence.

6. Scalability

Your vulnerability management solution should flex and scale as your organization grows and changes over time. Look for a solution that adapts with you.

Need help finding the right vulnerability management solution for your organization?

12. Vulnerability management best practices


Attackers can exploit weaknesses within your attack surface in many ways. A single security breach can have devastating impacts on your organization. Here are a few best practices for your vulnerability management program:

Asset identification and management

First, identify all assets across all your environments (on-prem and in the cloud).

Then determine:

  • Where is the asset located?
  • How do we use the asset?
  • Who is responsible for asset management?
  • How critical is it to operations?

Next, track and record asset relationships and dependencies with other assets in your attack surface. If an attacker compromises one, what path does it open for additional exploits? Even if an asset isn’t critical, check for interdependencies that could put you at risk.

Many organizations overlook Active Directory (AD) as an access point, so include this in your vulnerability management processes.

You should also evaluate when each device connects and disconnects from your network. You can get this insight through:

  • A network access control system
  • Reviewing DHCP logs and DNS server logs
  • Installing vulnerability scanning agents on devices
  • Routine scans
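Reviewing DHCP logs is the lowest-cost of the options above. The following added example (not Tenable's code) parses constructed log lines written in ISC dhcpd syslog style, reconstructs which devices currently hold a lease, records when each device connected and disconnected, and flags devices that obtained a lease but are missing from a hypothetical asset inventory.

```python
"""Track device connect/disconnect from DHCP server logs (added example, not Tenable's code).
The log lines are constructed in ISC dhcpd syslog style; the inventory is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: three leases, one release and one line the parser ignores.
SAMPLE_LOG = """\
Jun 30 08:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.25 to 3c:52:82:aa:bb:01 (laptop-04) via eth0
Jun 30 08:15:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.40 to 00:1b:21:cc:dd:02 (printer-05) via eth0
Jun 30 09:02:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.77 to b8:27:eb:ee:ff:03 via eth0
Jun 30 12:30:05 dhcp1 dhcpd[1234]: DHCPRELEASE of 10.0.1.25 from 3c:52:82:aa:bb:01 (laptop-04) via eth0
Jun 30 12:31:00 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:1b:21:cc:dd:02 via eth0
"""

# MAC addresses already in the asset inventory (assumption for this example).
KNOWN_MACS = {"3c:52:82:aa:bb:01": "laptop-04", "00:1b:21:cc:dd:02": "printer-05"}

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ dhcpd\[\d+\]: "
    r"(?P<action>DHCPACK on|DHCPRELEASE of) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class DhcpEvent:
    ts: str
    action: str            # "connect" (DHCPACK) or "disconnect" (DHCPRELEASE)
    ip: str
    mac: str
    hostname: Optional[str]
    iface: str


def parse_dhcp_events(text: str):
    """Turn ACK/RELEASE lines into events; other dhcpd messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        action = "connect" if m["action"].startswith("DHCPACK") else "disconnect"
        events.append(DhcpEvent(m["ts"], action, m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return events


def active_leases(events):
    """Replay events in order: MAC -> IP for devices that still hold a lease."""
    leases = {}
    for e in events:
        if e.action == "connect":
            leases[e.mac] = e.ip
        else:
            leases.pop(e.mac, None)
    return leases


def unknown_devices(events, known=KNOWN_MACS):
    """Devices that obtained a lease but are missing from the inventory: candidates for discovery."""
    return {e.mac: (e.ip, e.ts) for e in events if e.action == "connect" and e.mac not in known}


def device_timeline(events):
    """MAC -> list of (timestamp, action, ip): when each device connected and disconnected."""
    timeline = {}
    for e in events:
        timeline.setdefault(e.mac, []).append((e.ts, e.action, e.ip))
    return timeline
```

Feeding the output of `unknown_devices` into a scan queue closes the gap between a device joining the network and its first assessment.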

Vulnerability identification

Once you have insight into your assets, assess each for vulnerabilities, including the severity risk for each security issue.

Take a close look at how easy and likely it is for attackers to exploit each vulnerability. What is the potential related damage? Once you understand criticality, you can prioritize how to mitigate and remediate each security issue.

Continuous vulnerability management

Traditionally, vulnerability management relied on periodic point-in-time vulnerability discovery and assessment scans. To mature your security posture, continuously scan your attack surface to remediate risks and decrease the likelihood of an attack.

Continuous scanning illuminates blind spots between manual scans. It finds new security issues that can appear at any time. By scanning more often and remediating routinely, you should discover fewer new vulnerabilities during each scan.

Risk assessments

You likely have a large volume of diverse assets across your attack surface, each with a different security level. Determine the security level for each asset: knowing its value and its exposure will help you understand what you need to do to protect it.

Change management

Devices on your network change frequently. These changes create new security issues. Develop processes to discover and address changes whenever they happen. This could be when you update applications, add hardware, change infrastructure or upgrade software.

Effective change management ensures you address new security issues quickly and in line with business best practices.

Patch management

Because of the volume of vulnerabilities traditionally discovered during vulnerability scans, it is challenging to effectively deploy patches without significant downtime or disruptions. Your vulnerability management program should integrate patch and release management processes to facilitate timely patching for critical assets.

Integrate your patch management processes with your change management processes to ensure consistent updates and patch applications.

Mobile devices

Mobile devices may make up a significant part of your attack surface. These devices bring flexibility to your users. They also add more security risks.

Security issues compound if your organization supports bring your own device (BYOD) instead of using corporate-issued devices. Mobile device management (MDM) systems and agent deployment on mobile devices are good options to consider.

Mitigation management

Your organization may have vulnerabilities without available patches or fixes. Your vulnerability management program should include alternate ways to manage those vulnerabilities until you can address them. Some effective approaches could include increasing log monitoring, updating IDS attack signatures or changing firewall rules.

Incident response

Quick response to security incidents is a good measure of vulnerability management effectiveness. The faster you respond, the greater your chance of decreasing operational impact.

Incident response isn’t just a reaction to a breach. Adopt a proactive approach so you’re always prepared. Continuous security monitoring, process automation and alerts facilitate rapid response.

Automation

Automation helps you quickly and accurately discover, assess and remediate vulnerabilities across your attack surface. This is especially true for larger systems with a constant data flow across your attack surface. Automation helps you work through data in less time and with fewer errors.

13. How to implement vulnerability management systems


A mature vulnerability management program is the cornerstone of exposure management. It can help your security team more effectively identify, prioritize and remediate security weaknesses before attackers can exploit them.

Here are five steps to build a risk-based vulnerability management program:

Step 1: Inventory all assets, on-prem and in the cloud

Complete and accurate asset inventory is crucial for effective vulnerability management. This includes all devices, applications, operating systems and cloud infrastructure across your attack surface. Tenable offers robust asset discovery tools. These tools give you a holistic view of your attack surface and ensure you don't overlook critical systems.

Step 2: Continuously scan and assess vulnerabilities

Continuous vulnerability scans identify security weaknesses within your environment. Tenable provides a range of scanning options, including agent-based, agentless and cloud-native solutions. These scans go beyond basic detection. They offer detailed vulnerability information including exploit severity, patch availability and potential business impact so you can prioritize remediation efforts.

Step 3: Focus on risk-based prioritization

A holistic vulnerability management program leverages risk-based prioritization so your teams can focus on the most critical threats. Tenable integrates with industry-standard risk scoring frameworks so you can know the impact of each vulnerability. From there, you can prioritize remediation based on business risk. This ensures you address the most critical vulnerabilities first to optimize exposure management.

Step 4: Streamline patch management and reporting

Tenable simplifies patch management processes and streamlines vulnerability remediation to ensure timely patching of critical security issues. Tenable's comprehensive reporting capabilities track progress. You can also measure program effectiveness and demonstrate compliance to key stakeholders — in a business language they understand.

Step 5: Build a culture of security awareness

Vulnerability management is not a set-and-forget exercise. Maintaining a mature security posture requires continuous vulnerability monitoring, program adjustments and employee, vendor and stakeholder training and education. Tenable's advanced analytics tools help identify trends and continuously improve your vulnerability management strategy.

With Tenable, you can create a mature vulnerability management program that protects your data and assets from cyber threats.


Vulnerability management resources

  • A cyber pro's guide to cloud-native vulnerability management: start, scale, and secure with confidence
  • From frustration to efficiency: optimize your vuln management workflows and security with Tenable
  • Elevating security with risk-based vulnerability management
  • Vulnerability management solutions for NIS2 directive alignment
  • Frost & Sullivan: Frost Radar, vulnerability management, 2023