Enhancing Vulnerability Management: A Strategy for IT Directors to Dam the Flood of Vulnerabilities

With the high volume of vulnerabilities facing IT directors, it’s impossible to patch or remediate every single one. Yet, all it takes is one exploited vulnerability to open your organization up to a cyberattack or data breach.

A few statistics demonstrate the problem.

• About 76 new vulnerabilities are registered each day. (Source)
• Less than 1% of vulnerabilities account for the highest number of risks and exploits. (Source)
• Of those 1% of vulnerabilities, cyberattackers target 25% of them immediately once they are known. (Source)
• Vulnerabilities per year have spiked drastically since 2016—climbing from 6447 in 2016, between 15,000-20,000 from 2017-2021, and climbing above 25,000 in 2022 and 2023. (Source)

So, a high volume of vulnerabilities coupled with only a few that signify a great risk means you can easily get overwhelmed by noise and miss real threats to your organization.

Vulnerability Blind Spots

With the volume of vulnerabilities only going up over time, you must navigate the flood so as to not overlook or dismiss potentially critical vulnerabilities. However, IT directors often have so much happening at once that it’s easy to miss vulnerabilities through a variety of blind spots.

1. Shadow IT

Shadow IT encompasses assets you’re not tracking that could include cloud services, personal devices, and downloaded software. Each of these assets represents potential vulnerabilities, especially if an employee rather than an IT professional is overseeing its use.

2. End of Life and Legacy Systems

These assets are no longer supported by vendors, meaning they are riddled with vulnerabilities. This problem only gets worse the longer you keep using these assets.

3. Missing Assets

It’s quite possible that you have untracked assets such as servers and workstations no longer in use or spread across different locations. If you’re not tracking an asset and you don’t know where it’s located, then it’s a security vulnerability.

4. Insufficient Scanning

Whether through infrequent scans, superficial scans that introduce too many false positives and negatives, or an overreliance on automation without manual oversight, you might open yourself up to vulnerabilities.

5. Weak Configuration Management

As time goes on, configurations degrade without rigorous oversight. Improperly implemented configurations can lead to vulnerabilities that bypass traditional vulnerability scans due to not changing default settings, improper deployment, and misconfigurations of hardware and software.

6. Third Party Tools

Another overlooked area is the plethora of third-party software and services that any organization uses. These vendors can introduce vulnerabilities beyond your direct control that you must manage.

The Risks of Vulnerability Overwhelm

The volume of total vulnerabilities might cause you to throw up your hands. However, by maintaining your status quo, you increase the risk of several scenarios.

• Data breaches: Obviously, cyberattackers gain unauthorized access to sensitive and confidential data through exploiting vulnerabilities.
• Compliance violations: Not addressing vulnerabilities can lead to fines, lawsuits, and other legal consequences from not complying with regulatory requirements.
• Financial losses: Operational disruptions, downtime, permanent data loss, and incident response costs are expensive.
• Reputational damage: You’ve read headlines where the aftermath of an exploited vulnerability can seriously harm an organization’s reputation and customer trust for years.

Strategies to Deal with Vulnerability Overwhelm

To tackle such a high volume of vulnerabilities without overwhelming yourself in the process, you need a solid plan that involves a few strategic steps.

1. Asset Discovery and Inventory

To make sure you’re not missing any assets, including shadow IT, it’s important to inventory all network assets—servers, workstations, network devices, applications, and databases connected to your network. If it’s off your radar screen, you can’t secure it.

As part of your inventorying, assess each asset’s criticality. Which assets are vital for keeping your operations running smoothly? Which assets protect your most sensitive and confidential information? Which assets help secure your network? Later, this criticality assessment will help you prioritize vulnerabilities by knowing which assets are more at risk.

2. Vulnerability Scanning

Ideally, you’re scanning assets to look for outdated software, unpatched systems, misconfigurations, and known security weaknesses. We warned earlier about insufficient scanning, so you need to scan from a variety of angles:

• Comprehensiveness: Make sure you scan your network, devices (through host-based scans), and applications. Multiple scanning tools are essential to comprehensively assess your environment. To be even more comprehensive, connect your vulnerability management tools to your SIEM, endpoint protection solutions, ticketing systems, etc.
• Manual and automated: Use a blend of automated scanning and manual assessment. Automation can help you pull in volumes of information about your environment, but having a human review the information can put these scans into context.
• Internal and external: Scan internal assets (such as servers, workstations, network devices, etc.) more often, as vulnerabilities can arise frequently on these devices. External scans can be less frequent and focus on internet-facing assets (such as firewalls, email servers, web servers, etc.).
• Signature-based and heuristic detection methods: Obviously, you want to scan for known threat signatures or patterns through signature-based scanning. This kind of scanning is fast, accurate, and reliable. However, zero-day vulnerabilities and any new, unknown threats do not have signatures. Heuristic detection analyzes files, applications, and network traffic to look for anomalous behavior that may constitute a threat.
• Threat intelligence and machine learning: Consider integrating threat intelligence and machine learning into your vulnerability scanning to provide contextual information about vulnerabilities, assess real world risk, and make more informed decisions about remediation.

3. Risk Assessment

Once you complete your scans, it’s time to identify and categorize the vulnerabilities. There are several lenses through which to analyze the vulnerabilities you find.

• CVSS scoring: CVSS is a good starting point for assessing vulnerability severity, but not your only lens. A CVSS score is based on intrinsic characteristics of the vulnerability, time-sensitive characteristics (such as the availability of exploit code), and risks specific to your environment.
• Exploitability: The attack vector, skillset needed to exploit the vulnerability, required privileges, and need for user interaction all impact exploitability. The Exploit Prediction Scoring System (EPSS) can help you identify vulnerabilities most likely to be exploited. CISA also provides the Stakeholder-Specific Vulnerability Categorization (SSVC) and Known Exploited Vulnerabilities (KEV) Catalog.
• Business impact: If the vulnerability is exploited, will it compromise sensitive or confidential data, affect the integrity of your data, or cause data to not be available?
• Asset criticality: How important are the systems or data affected by the vulnerability? A process and toolset from MITRE called the Crown Jewels Analysis (CJA) can help you identify your most critical assets.
• Existing security controls: Your existing security measures—or lack thereof—will also impact your risk. Consider conducting a cybersecurity gap assessment against a framework (such as the NIST Cybersecurity Framework). This will allow you to see where you have vulnerabilities in these standard controls—both from a technology and process/procedure standpoint.
• Exposure: Consider whether the vulnerability lies in a public-facing system or is just internally accessible.

4. Vulnerability Prioritization

Using the information from your risk assessment, you can prioritize vulnerabilities to address your most critical risks first—especially those with known exploits. Assign a risk score to each vulnerability. This doesn’t mean you will ignore lower risk vulnerabilities—just that you can decide how to prioritize based on their impact to your organization. If impact is low, you may just want to monitor them and reassess if something changes. (We recommend using automation tools that can accelerate this process.)

When prioritizing, remember the goal is to remediate vulnerabilities with the greatest risk. You’re not trying to remediate every single vulnerability or treat them all equally. Also consider ease of remediation and, more precisely, mean time to remediation (MTTR), as this may also factor into your prioritization.

5. Remediation

To ensure that you focus your remediation efforts wisely, it’s best to create a plan that defines scope, timeline, and resources based on your prioritization efforts. Tactically, you will need to plan for the following:

• Patching: You likely already patch, but your patching strategy may become more proactive, automated, and selective.
• Configuration changes: Your assessment likely uncovered configuration vulnerabilities, so it’s time to disable unnecessary services, change default passwords, tighten access controls, etc.
• Network segmentation: You may need to isolate or segment vulnerable systems from your network until remediation efforts are complete.
• Next-generation firewalls (NGFW): NGFWs can analyze your network behavior and traffic patterns to detect suspicious activity associated with zero-day exploits, providing an extra layer of protection against unknown threats.
• Plan for end-of-life and legacy system replacements: Some of the most glaring vulnerabilities exist or will emerge in end-of-life hardware, software, and applications. Replace these systems as soon as possible—every day you use them, you’re risking a cyberattack or data breach.
• Application whitelisting: For especially severe or critical vulnerabilities, you can allow or prohibit access to specific applications.

It’s a good idea to scan after your remediation efforts to make sure you are successful and that no new vulnerabilities were introduced. From there, it’s all about continuous monitoring, reassessing, and optimizing.

---

If you need help with your vulnerability management, reach out to us today.