The Secret of Successful Vulnerability Management Programs

October 20, 2016


In the complex world of cybersecurity, a formal vulnerability management program is increasingly used to identify, communicate, and remediate key vulnerabilities across a wide range of facilities, from office complexes to manufacturing plants. Vulnerability management is an old concept that is well understood at a high level, but executing a full program is not as easy as it looks. A fully functioning vulnerability management program is never easy to implement and maintain, but it is necessary to protect networks proactively.

While a vulnerability management program is important for all businesses, those in spaces such as financial services (including institutions connected to the SWIFT network), critical infrastructure, and industrial control systems (SCADA) face a much larger risk of significant and damaging business loss. A vulnerability management program involves understanding your networks, the threats to those networks, and a regular evaluation process that continually re-checks how your networks are functioning. A vulnerability management program on its own does not eliminate risk, but combined with a larger cybersecurity program it greatly reduces the risk to your networks.

Security personnel from manufacturing, energy, water and other industries are often unaware of their own control system assets, not to mention the vulnerabilities that affect them. As a result, organizations operating these systems are missing the warnings and leaving their industrial environments exposed to potential threats. - FireEye

Know Who You Are and What You Want

I have said this before and I will keep saying it until everyone truly understands what I’m saying: you have to know your network. There is no middle ground here, especially when building an effective vulnerability management program. You can only understand your vulnerabilities when you know all of your assets and the software running on each of them.

You also have to protect your critical assets. Critical assets can be summed up as those systems, devices, or assets whose loss or compromise would greatly impact your operations. This does not mean a computer in HR is a critical asset if it is an ordinary everyday computer used by one person for basic administrative functions. But if that computer in HR is the only computer running your payroll system, it is an asset that needs to be assessed for criticality. That assessment does not automatically make it a critical asset, but it is worthy of consideration. No device or asset should become a critical asset without a review of its processes and functions and its impact on the business.

Another aspect of knowing who you are is understanding the firmware or software running on each asset. In an Operational Technology (OT) environment, cybersecurity has more to do with the firmware installed on the OT systems and with understanding how often the manufacturer updates that firmware. Tracking firmware on such devices is not as difficult as tracking and maintaining a personal computer (PC) system. A PC is made up of an operating system and multiple programs, and because a PC is easily customizable and supports thousands of programs, understanding the software deployed on your network can be a daunting task. Luckily, technology exists that can perform software audits on your network, help create a baseline of installed programs, and re-audit regularly so that new programs are detected when they are added. Technology alone will not solve the problem: processes need to be introduced to act on the automated audits, and people need to be trained in the proper way to introduce new programs into the network.
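As an added example (not code from the original post or from any product it mentions), here is how that baseline-and-re-audit process can be expressed in Python: build a baseline from one software scan, compare a later scan against it and against an allow-list of approved software, and report new or missing hosts (Critical Security Control 1) as well as added, removed, re-versioned, or unauthorized software on each host (Critical Security Control 2). The hostnames, program names, versions, and the allow-list below are constructed sample data standing in for the output of a software audit tool.

```python
"""Software baseline audit for Critical Security Controls 1 and 2.

Added example for this post; not code from the original article or from
any product it mentions. Host names, program names, versions and the
allow-list are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed baseline scan: hostname -> set of (program, version) pairs.
BASELINE_SCAN = {
    "hr-ws-01": {("Windows 10", "1607"), ("Office", "16.0"), ("PayrollApp", "4.2")},
    "plc-gw-01": {("GatewayFirmware", "2.3.1")},
    "fileserver-02": {("Windows Server 2012 R2", "6.3"), ("BackupAgent", "7.1")},
}

# Constructed follow-up scan taken some time after the baseline.
CURRENT_SCAN = {
    "hr-ws-01": {("Windows 10", "1607"), ("Office", "16.0"),
                 ("PayrollApp", "4.3"), ("TorrentClient", "1.0")},
    "plc-gw-01": {("GatewayFirmware", "2.3.1")},
    "eng-ws-07": {("Windows 10", "1607"), ("CadTool", "9.0")},
}

# Constructed allow-list of software the business has approved (Control 2).
AUTHORIZED_SOFTWARE = {"Windows 10", "Windows Server 2012 R2", "Office",
                       "PayrollApp", "GatewayFirmware", "BackupAgent"}


@dataclass
class AuditResult:
    new_hosts: list = field(default_factory=list)       # seen now, absent from baseline (Control 1)
    missing_hosts: list = field(default_factory=list)   # in baseline, not seen now (Control 1)
    added: dict = field(default_factory=dict)           # host -> programs not in its baseline
    removed: dict = field(default_factory=dict)         # host -> programs gone since baseline
    version_changed: dict = field(default_factory=dict) # host -> [(program, old versions, new versions)]
    unauthorized: dict = field(default_factory=dict)    # host -> programs not on the allow-list (Control 2)

    def has_findings(self) -> bool:
        return any([self.new_hosts, self.missing_hosts, self.added,
                    self.removed, self.version_changed, self.unauthorized])


def _by_program(entries):
    """Group (program, version) pairs into program -> set of versions.
    A host can legitimately carry two versions of the same program."""
    grouped = {}
    for program, version in entries:
        grouped.setdefault(program, set()).add(version)
    return grouped


def audit(baseline, current, authorized):
    """Compare a current software scan against the baseline and the allow-list."""
    result = AuditResult()
    result.new_hosts = sorted(set(current) - set(baseline))
    result.missing_hosts = sorted(set(baseline) - set(current))

    for host, entries in current.items():
        now = _by_program(entries)
        unauthorized = {program for program in now if program not in authorized}
        if unauthorized:
            result.unauthorized[host] = unauthorized
        if host not in baseline:
            # Everything on a host the baseline never saw counts as added.
            result.added[host] = set(now)
            continue
        before = _by_program(baseline[host])
        added = set(now) - set(before)
        removed = set(before) - set(now)
        changed = [(program, before[program], now[program])
                   for program in sorted(set(now) & set(before))
                   if before[program] != now[program]]
        if added:
            result.added[host] = added
        if removed:
            result.removed[host] = removed
        if changed:
            result.version_changed[host] = changed
    return result


def run_example():
    """Audit the constructed current scan against the constructed baseline."""
    return audit(BASELINE_SCAN, CURRENT_SCAN, AUTHORIZED_SOFTWARE)


if __name__ == "__main__":
    r = run_example()
    for host in r.new_hosts:
        print(f"[Control 1] host not in baseline: {host}")
    for host in r.missing_hosts:
        print(f"[Control 1] baseline host not seen in this scan: {host}")
    for host, programs in r.unauthorized.items():
        print(f"[Control 2] {host}: unauthorized software {sorted(programs)}")
    for host, changes in r.version_changed.items():
        for program, old, new in changes:
            print(f"[Control 2] {host}: {program} changed {sorted(old)} -> {sorted(new)}")
```

Each finding is a prompt for a process, not just a log line: a host missing from the scan needs someone to confirm whether it was decommissioned or is simply unreachable, an unauthorized program needs the introduction procedure the paragraph above calls for, and a version change is the record you need when a vendor patch later has to be verified.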

Vulnerability management plans need to account for the necessary processes to maintain the program. There needs to be an understanding of how to train and educate both the IT staff and the rest of the business. Every business needs to identify what the purpose of their vulnerability management program is and implement standards and policies to support those goals. Vulnerability management is more than identifying vulnerabilities and patching. It is the totality of understanding where weaknesses in your business may be and implementing controls, both procedurally and technologically, to reduce the risk to your business’ bottom line.

Critical Security Control number one is to have an inventory of all authorized and unauthorized devices on the network. Critical Security Control number two is to have an inventory of authorized and unauthorized software installed on the assets on the organization’s network. - Tripwire

Understanding the Threat

A major flaw in many vulnerability management programs is the lack of prioritization of events. In this context, an event is the identification of a vulnerability and the release of the corresponding patch. A common pitfall is to treat every identified vulnerability with equal urgency, which creates more work than is necessary.

In large networks, it can be a daunting task to properly understand your network assets and the associated software. Technology has made this easier, but larger businesses can have tens of thousands of assets with 30 or more software programs on each. A network of that size requires rock-solid processes and procedures to identify vulnerabilities and apply vulnerability management techniques properly. This is why it is essential to understand your assets and what each asset means to the overall function of the business, and to complete an inventory of the software and firmware on each asset.

Critical assets should, by definition, be at the top of the priority list for vulnerability patches. Unfortunately, it is not always as simple as identifying a vulnerability and patching those critical assets. You must identify the specific function each critical asset performs as well as when it can be updated. For most IT systems this is determined by the redundancy of the assets (multiple servers linked together, so one can be patched while the others carry the load) or by an off-hours approach to applying patches. In an OT environment it becomes more difficult to find a time for updates, since most OT assets operate around the clock. To lessen the burden, each business must fully understand each asset’s function and work with the owners of those critical assets to identify the best possible time for an update.
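The prioritization this section describes, as an added example that is not part of the original post: join a vulnerability feed against the asset inventory so that only vulnerabilities whose affected program and version are actually installed become events, weight each event’s severity by the asset’s reviewed criticality, and attach the patching approach the text calls for (rolling patches for redundant IT systems, off-hours windows for single IT systems, an owner-agreed maintenance window for OT). All hosts, software, the VULN-* identifiers, and the criticality weights are constructed assumptions for illustration.

```python
"""Prioritizing vulnerability events against the asset inventory.

Added example for this post; not code from the original article. All hosts,
programs, versions, criticality ratings and VULN-* identifiers are
constructed sample data, and the scoring weights are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: frozenset           # (program, version) pairs from the inventory
    criticality: str              # "critical", "high" or "normal", from the asset review
    environment: str              # "IT" or "OT"
    redundant: bool = False       # a clustered peer can carry the load during patching
    maintenance_window: str = ""  # OT only: window agreed with the asset owner


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str                  # placeholder identifier, not a real advisory
    program: str
    affected_versions: frozenset
    base_score: float             # CVSS-style severity, 0.0 to 10.0
    fixed_version: str


# Constructed inventory: the output of the asset and software review.
WEB_STACK = frozenset({("Linux", "4.4"), ("WebServer", "2.4.20")})
ASSETS = [
    Asset("hr-ws-01", frozenset({("Windows 10", "1607"), ("PayrollApp", "4.2")}), "high", "IT"),
    Asset("web-01", WEB_STACK, "critical", "IT", redundant=True),
    Asset("web-02", WEB_STACK, "critical", "IT", redundant=True),
    Asset("plc-gw-01", frozenset({("GatewayFirmware", "2.3.1")}), "critical", "OT",
          maintenance_window="second Sunday 02:00-06:00"),
    Asset("kiosk-03", frozenset({("Windows 10", "1607"), ("KioskShell", "1.0")}), "normal", "IT"),
]

# Constructed vulnerability feed. VULN-D affects software that nothing here runs.
FEED = [
    Vulnerability("VULN-A", "WebServer", frozenset({"2.4.20"}), 9.8, "2.4.21"),
    Vulnerability("VULN-B", "Windows 10", frozenset({"1607"}), 7.8, "1607 with latest cumulative update"),
    Vulnerability("VULN-C", "GatewayFirmware", frozenset({"2.3.0", "2.3.1"}), 8.6, "2.3.2"),
    Vulnerability("VULN-D", "Office", frozenset({"16.0"}), 9.0, "16.1"),
]

# Assumed weights: a finding on a critical asset counts three times a normal one.
CRITICALITY_WEIGHT = {"critical": 3.0, "high": 2.0, "normal": 1.0}


def applicable_findings(assets, feed):
    """Join the feed to the inventory. Only a vulnerability whose affected
    (program, version) is actually installed on an asset becomes an event."""
    findings = []
    for asset in assets:
        for program, version in asset.software:
            for vuln in feed:
                if vuln.program == program and version in vuln.affected_versions:
                    findings.append((asset, vuln))
    return findings


def not_applicable(assets, feed):
    """Feed entries that match nothing in the inventory: work you can skip."""
    hit = {vuln.vuln_id for _, vuln in applicable_findings(assets, feed)}
    return [vuln.vuln_id for vuln in feed if vuln.vuln_id not in hit]


def patch_approach(asset):
    """The update approach the text describes for each kind of asset."""
    if asset.environment == "OT":
        if asset.maintenance_window:
            return f"OT: patch in the agreed window ({asset.maintenance_window})"
        return "OT: no window agreed; schedule with the asset owner first"
    if asset.redundant:
        return "IT: rolling patch, one cluster member at a time"
    return "IT: off-hours patch with a rollback plan"


def prioritize(assets, feed):
    """Rank applicable findings by severity weighted by asset criticality."""
    queue = []
    for asset, vuln in applicable_findings(assets, feed):
        priority = round(vuln.base_score * CRITICALITY_WEIGHT[asset.criticality], 1)
        queue.append({"host": asset.host, "vuln": vuln.vuln_id, "priority": priority,
                      "fix": vuln.fixed_version, "action": patch_approach(asset)})
    # Highest priority first; hostname breaks ties so the order is stable.
    queue.sort(key=lambda event: (-event["priority"], event["host"]))
    return queue


if __name__ == "__main__":
    for event in prioritize(ASSETS, FEED):
        print(f"{event['priority']:5.1f}  {event['host']:<10} {event['vuln']}  "
              f"-> {event['fix']}  [{event['action']}]")
    print("not applicable to this inventory:", not_applicable(ASSETS, FEED))
```

With the constructed data, the two redundant web servers land at the top of the queue and can be patched one at a time without an outage, the OT gateway comes next but is pinned to its agreed window, and the kiosk carrying the same Windows vulnerability as the HR workstation ranks lowest because the asset review rated it normal. VULN-D never enters the queue at all, which is the point of joining the feed to the inventory before anyone starts worrying about it.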

Understanding the Weakest Link

The weakest link in any cybersecurity program is the people. While people are not the only thing that can go wrong with a vulnerability management program, they are usually the biggest factor.

The human element touches all aspects of the vulnerability management program: the selection and implementation of technology, the development of processes and procedures, and the training and education of the workforce. A basic concept of cybersecurity is that the attacker only needs to be right once, while the defender has to be right every time. The contest is asymmetric: defenders can only mitigate so many actions before something slips through. Because of this, it is more important than ever to understand the different ways to handle the human factor.

Processes, procedures, training, and education are the key elements in mitigating the human factor. But if people are the ones creating these processes, procedures, training, and education, how do you remove the human element? The best way is to develop routine reviews of every human-dependent action. While this may seem cumbersome, it is vital for vulnerability management processes. Reviews are designed to identify and eliminate wasteful actions and to streamline complicated processes. The secret to helpful and effective reviews is fresh eyes: identify a group of individuals who do not work inside the processes day in and day out, and then collect input from all parties involved.


While technology can identify risk, a successful vulnerability management program is built on a foundation of people and process. When implementing a vulnerability management program, you must first identify the assets and programs on your network before you can understand the threat landscape. Most importantly, you must recognize that the human factor is the weakest link and ensure processes are in place to mitigate the risk of human error.

