How To Build An Effective Vulnerability Management Program

Learn about PurpleSec’s fully managed vulnerability management services.

Author: Eryk Waligora / Last Updated: 02/23/23

Reviewed by: Michael Swanagan, CISSP, CISA, CISM, Rich Selvidge, CISSP, & Josh Allen

View our: Editorial Process

There are 7 key steps when creating a winning vulnerability management program including making an inventory, categorizing vulnerabilities, creating packages, testing the package, providing change management, patching vulnerabilities, and reporting. With the introduction of automation, this process can be compressed and streamlined even further.

Threats emerge daily from threat actors, domestically and globally, with the motive of exploiting weaknesses in your network and software systems.

For instance, the operating systems that run your laptops, mobile devices, and computer workstations are usually purchased out of the box vulnerable (reset that default password!).

Advancements and new product models make technologies obsolete quicker than ever, and software program versions that run on the operating systems change constantly.

With all these vulnerabilities abound, threat actors today are specifically targeting unpatched systems and poor network designs.

As Verizon’s 2022 Data Breach Investigations Report finds, exploited vulnerabilities are up to 7% of breaches this year, double the amount from last year.

When organizations are unprepared to tackle this growing problem, this could ring disaster.

One of the biggest challenges facing organizations today is the lack of an effective vulnerability management program.

Without one, your network is susceptible to new threats and attacks.

Once a vulnerable system is exploited, there is increased risk of data loss, stolen credentials, or your data could be held for ransom for a hefty price.

This exploitation and loss can have dire consequences for the business as a whole, impacting the financial, legal, reputational, and other aspects of the business.

In this article, we provide a full view of the vulnerability challenges facing organizations today that align with their business model.

It will walk you through the steps of building a vulnerability management program.

We will define the program, explain why it is important to have a program, pitfalls to avoid, and opportunities to implement and automate features of the program.

Let’s begin by defining what is a vulnerability management program.

What Is A Vulnerability Management Program?

A Vulnerability Management Program is a management framework designed to proactively identify, classify, remediate, and mitigate vulnerabilities in applications or an IT infrastructure with the goal of reducing overall risk to an organization.

It’s an important feature of any cyber security strategy and helps to drive some of the first lines of defense.

Vulnerability Management Is More Than Scanning

An effective vulnerability management program is more than a service that scans the network. It should pinpoint specifically where and what to scan.

This includes scanning websites and applications, ports, applications, IoT and mobile devices, and other points of entry for vulnerabilities that are internal, external, and part of the organization’s IT environment.

This workflow should also be conducted by a certified defensive security expert.

Since the goal of the Vulnerability Management Program is to reduce risk, a formal security risk assessment should be referenced during the development stage of the program to help map out a strategy.

In addition to scans and assessments, the program should be holistic, encompassing input from various teams within the business to carefully identify and prioritize assets that are most critical from an exposure perspective.

What Teams Need To Be Included During Program Development?

A successful vulnerability management program starts with executive leadership support.

Executive leadership approves the policies that support the program, address budgetary concerns, and provides leadership for other areas within the business to support the program.

To properly deploy a Vulnerability Management Program, a multi-team initiative forms a coordinated effort, requiring diligence.

Although one team usually manages the tool or service, other IT and non-IT teams, such as legal, finance, and business partners may be involved.

Having the support of these other teams establishes diligence around how addressing vulnerabilities may impact other integrated technologies, compliance, budget, users, and more.

Without involving the entire organization, it’s always a good idea to include more than less when a program has potentially wide-ranging risk factors.

This is an essential function of any holistic cyber security strategy to be efficient and cost-effective.

Vulnerability Management VS Patch Management

Often the Vulnerability Management Program is also referred to as the Patch Management Program. Although related, they are different in purpose.

• Patch management enables the effort in actioning patches to a system, with the goal of eliminating known vulnerabilities. It’s the work done by a security team we most commonly associate with vulnerability management. A program around the task of patching helps to drive an accountable and systematic approach for the remediation of vulnerabilities.
• Vulnerability management is an ongoing process of discovering, investigating, and mitigating against vulnerabilities on an enterprise network. It leverages IT, threat intelligence, legal, finance teams, and others to support its goals of continuously managing vulnerabilities. This type of program typically engages in multiple projects and governs other programs at once, including a patch management program.

Learn More: Patch Management VS Vulnerability Management Explained

How To Budget A Vulnerability Management Program

To build an effective vulnerability management program, it must be properly funded to meet the risks impacting the business.

This sounds like a no-brainer, but it’s important to note that depending on the size of an organization and the tools used can determine a wide range in costs.

So, funding these features correctly will get a program up and running without wasteful spending.

Both enterprises and SMBs can expect to pay in the tens of thousands to hundreds of thousands on an annual basis to fund a program.

However, higher costs come down to the number of employees and assets an organization maintains.

With 500+ employees, an organization could spend millions on scanning and patching alone.

On average, vulnerability scans can cost between $2,000 – $2,500 depending on the number of IPs, servers, or applications within an organization.

This means an organization with about 500 IPs could possibly pay $10,000 on scans every year.

If the program is outsourced to a managed security service provider (MSSP), it is common for a business to agree to a monthly retainer model.

This model can vary in cost, but it can be less expensive than having full time in-house employees and purchasing tools and packages alone.

Now that we have defined what a vulnerability management program is, let’s next look at why it’s important for business.

Why Is a Vulnerability Management Program Important?

The ultimate goal of the vulnerability management program is to reduce exposure to risk that has the potential to disrupt and impact business systems.

With the rise in reported vulnerabilities in recent years, this goal is more important than ever.

The National Institute of Standards and Technology (NIST) released a graph showing 18,378 vulnerabilities reported in 2021.

While there were more “low” and “medium” vulnerabilities reported last year, the total number has continued its inclined trend, which should be a major concern for businesses.

Why?

Before the COVID-19 pandemic, cybercrime was already a fast-growing threat, impacting large enterprises, SMB, and individuals.

Since then, and due to the pandemic in part, cybercrime has become a pandemic of its own. Ransomware has risen 600%, causing an organization to fall victim to an attack every 11 seconds.

And according to MIT Technology Review’s 2021 Report, exploits to vulnerable systems carry a price tag of $1 million+ for hackers to sell to threat actors seeking to do harm to an organization.

This has put immense strain on organizations as they’re required to provide continuous reporting on vulnerabilities and deploy patches to manage them.

In addition to these outside threats, there are several other factors to consider when addressing this major threat.

Compliance And Regulatory Requirements

A formal patch management program will help to achieve regulatory requirements.

This can be done by reviewing and implementing compliances from various frameworks, such as the Payment Card Industry (PCI) and the Health Insurance Portability and Accountability Act (HIPPA).

PCI has a list of compliances that range from the more general, as in, “provide a patch audit report”, to the more specific, such as, “deploy patches on systems for both internal and external applications only after testing them in separate test environments”.

A robust set of patch management policies and procedures are required for a healthcare organization to meet HIPAA compliance.

This includes proper inventory management, testing, documentation and configurations around automatic software updates, unmanaged hosts, firmware, and more.

Burning Down Backlogs

Planning to burn down existing vulnerabilities is as important as patching new vulnerabilities.

Not every organization operates the same way or has the same type of assets or users.

Because of this, many vulnerabilities that may pose a greater risk to one organization don’t necessarily pose the same level of risk to another.

Instead of patching all new high level reported vulnerabilities, an organization should prioritize the vulnerabilities with the most impact to their operations.

This includes tackling a backlog of previously reported vulnerabilities that have yet to be remediated by the organization.

Creating a vulnerability scan policy can help address the backlog of existing vulnerabilities.

The policy should include how to prioritize vulnerabilities based on severity level, provide remediation time frames, how to reduce false positives, and how to handle exceptions.

A patching plan to reduce the backlog of vulnerable systems is then drafted based on prioritized recommendations.

Enterprise Vulnerability Management VS Small Businesses

Regardless of the size or type of business, exploited vulnerabilities can have a detrimental impact.

This is why vulnerability management goals for an enterprise and small business both seek to secure their organization against risk.

The best way to accomplish this goal is to establish a program to effectively plan and remediate vulnerabilities. However, organizations of different sizes often diverge on prioritization of this goal.

A small organization may be focused on rapid growth, having most of its resources allocated to its marketing or engineering teams, only focusing on basic vulnerability management and other security measures.

By comparison, a large enterprise may already be a market driver, with the need for greater security to protect its assets.

Both understand the value vulnerability management provides, but the means of properly attaining the level of security needed is a major factor why so many SMBs suffer cyber-attacks.

According to one cyber crime study, 43% of cyber  attacks are aimed at small businesses, but only 14% are prepared to defend themselves.

So, what can SMBs do to manage their vulnerabilities if they don’t have the personnel and tools to do so?

Many SMBs choose to outsource their vulnerability management program to a Managed Security Services Provider (MSSP). Some of the benefits include the following:

• Seeking direction from security experts to help build their cyber security program
• Lower cost compared to hiring in-house
• Lack of resources to fully manage and maintain the program

In the face of growing threats from cyber crime, requirements around compliance, complexities of triage, and managing different organizational structures, a Vulnerability Management Program helps to carefully address vulnerabilities and reduce risk, leading to lasting organizational benefits.

Benefits Of Implementing A
Vulnerability Management Program

There are many benefits to vulnerability management.

This includes maintaining compliance requirements and gaining operational efficiencies a in managing risk within the organization. This results in improved visibility and awareness of which systems are most at risk if exploited.

Other benefits of implementing an Enterprise Vulnerability Program include:

• Automated/Scheduled scans
• Robust reporting
• Business system prioritization
• Proactive risk management – measure risk
• Agile remediation

Disadvantages Of The Traditional Vulnerability Process 

As vulnerabilities become more expansive, there has been a shift away from the traditional vulnerability process.

This shift aims to develop a faster, streamlined, and secure management of potential risks to an organization compared ad-hoc scans.

The traditional process is heavily reliant on scanners, which has limitations. Scans can fail to catch threats external to a database or beyond that scanner’s capabilities.

They can also provide false positives, allowing the real threats to be undetected. Scanners alone do not provide a full understanding of risk.

To address this issue, the trend toward cloud-based environments has become more successful at providing risk-based vulnerability solutions.

Vulnerability And Patch Management
In Cloud Environments

Cloud environments help to integrate and accelerate businesses.

This ease of utilization can also apply to vulnerability and patch management, which offers a full view of cloud-enabled IT infrastructure that may be susceptible to vulnerabilities.

However, cloud environments have unique challenges for vulnerability and patch management including:

• Scanners are just one aspect of the entire vulnerability management process. They can allow enterprises to discover and report gaps in their IT network, but in a cloud environment Platform as a service (PaaS) and software as a service (SaaS) demonstrate different levels of control.
• When patching within a cloud environment, this does not include assets or technologies that may be disconnected from the cloud or located on-premises.
• Encryption and key management across a cloud network can become an extra step in accessing cloud tools and developing seamless integration.

Continue Reading: Best Practices For Cloud Vulnerability Management In 2023

7 Steps To Creating A Mature
Vulnerability Management Framework

Whether an organization chooses to outsource its vulnerability management to an MSSP or build its own in-house program, the management team will work very closely with the patch management team to help to define the process around applying the patches in a secure way.

To start building an effective program, there are seven key steps to consider when implementing a Vulnerability Management framework:

1. Make An Inventory
2. Categorize Vulnerabilities
3. Create The Package
4. Test The Package
5. Establish Change Management
6. Patch Vulnerabilities
7. Report On Results

Step 1: Make An Inventory

Knowing what devices and other technologies that impact your organization, and where they’re located, is crucial.

Ensure a repository exists for workstations, laptops, servers, and other assets on the network.

• Does the organization use Mac or personal computers, or both?
• How many mobile devices have VPN access?
• Where are the organization’s data centers located geographically?

These questions are examples of how to map and document potential vulnerabilities.

Step 2: Categorize Vulnerabilities

Having a landscape view of potential vulnerabilities through identification and categorization and be achieved through vulnerability scans of the network and applications.

Scan results are delivered on a basis determined by the client’s needs Daily, Weekly, or Monthly.

Risk can then be categorized based on asset and severity level of vulnerability (i.e., High/Medium/Low). Next, remediation items are prioritized as associated with the severity level.

This process is one of the most effective ways to address vulnerabilities because it not only helps to prioritize risk factors but provides metrics over time to for greater insights.

Step 3: Create The Packages

Having a collection and analysis of what needs to be remediated and how it is important for immediate patching, backlogs, and any future risks is necessary to determine a course of action responsibly and accurately.

Patch dependencies should be thoroughly researched, and all patches should be verified.

Afterward, an impact analysis showing the highest reward to the lowest risk to production should be produced.

Step 4: Test The Package

Using the results of the impact analysis and research created in the package, vulnerability remediation can be tested on lower environment, or non-production, systems.

Observe and report performance results post-patch.

Next, review the outcomes.

Step 5: Change Management

Once review of a successful test has been made, inform applicable teams of the patching requirements.

Make sure to document the risk and backout plan.

Then, obtain approval for production rollout by key stakeholders.

Step 6: Patch Vulnerabilities

Time to begin the remediation process with patching. First, schedule patching deployment with tools.

This is best done with a Waterfall rollout to avoid business impact.

Next, notify users of any disruption to service.

Step 7: Post Implementation Reporting

The final step is important for both learning and driving future action.

After completion of the initiative, assess the outcomes, recommend compensating controls, and deliver activity reports with meaningful metrics and hold people accountable.

Common Pitfalls To Avoid When Implementing A Vulnerability Management Program

There are a number of common pitfalls to avoid when implementing a vulnerability management program including:

• Lack Of Executive Leadership Support
• Failure To Perform A Risk Assessment
• Poorly Managed Asset Inventory
• Lack Of Security Expertise
• Lack Of An Approved Vulnerability Management Policy
• Failure To Perform A Proof Of Concept (POC)
• Setting Unrealistic Timelines
• Project Management Being An Afterthought
• Lack Of A Change Management Program
• Reactive Patching

Lack Of Executive Leadership Support

Without buy-in, a project will stop before it can even begin, which is why getting approval from decision makers is one of the first challenges of moving forward with a vulnerability management program.

It is important to streamline internal approval processes for each gateway, such as for product, legal, IT, and security teams.

When establishing ownership over a project, communication between teams is key. This is especially so when involving third party consultants.

Your vendors can provide a wealth of information to help guide you through this process, so be sure to get constant feedback from them and don’t be afraid to challenge them to help you get the best possible results.

Failure To Perform A Risk Assessment

You need to understand your attack surface and the threat landscape prior to implementing a new framework or program.

It is essential to identify threats to mitigate weaknesses in an IT environment and risk assessments help to do that.

This insight will help to determine the risk to the organization if a vulnerability is exploited.

A risk assessment is also important for gaining executive leadership support and stakeholder buy-in. It’s a resource that can help justify project approval, budget, and management of certain teams to accomplish the project goals.

Poorly Managed Asset Inventory

How can you protect what you don’t know you have?

It’s difficult to identify systems requiring patches if there isn’t an inventory asset repository.

Having a complete, up-to-date collection of all assets in a central location that can be easily accessible allows for a more efficient process when reporting, auditing, or even when responding to an incident.

Lack Of Security Expertise

Many organizations lack the funds to hire an in-house team and to develop a program, which is why managed security providers (MSP) are a convenient partner to streamline processes and lower costs.

However, security consultants vary in expertise and may not fill the gap that a dedicated sin house security team can provide.

Be selective in hiring a service provider if resources are constrained.

Getting the right people for the job may save time and money in the long term.

Lack Of A Vulnerability Management Policy

A vulnerability management policy is a framework used for carrying out the vulnerability management initiative.

A policy will describe governance and responsible teams as well as categorization, prioritization, scheduling, and remediation timelines.

Without an approved policy, a project can experience scope creep, responsibility issues, and potential compliance failures.

Related Content: Free Patch Management Security Policy Template 

Failure To Perform A Proof Of Concept

Having a thorough understanding of the tools and methods used for the vulnerability management program is important.

Performing a Proof of Concept (POC) can help to answer questions for the vulnerability management team and stakeholders. As an example, some questions may include the following about vulnerability scanners and patching tools:

• Will they integrate with our existing ecosystem?
• Does it make sense financially to purchase our own tools?
• Do we have the expertise and bandwidth to deploy and maintain these tools?
• Are we considering legacy systems that may be difficult to patch?

Setting Unrealistic Timelines

We all want to meet our compliance obligations, but it’s also important to be realistic.

There are multiple timelines, works in progress, bandwidth constraints, and other issues that can arise.

To avoid these problems, be sure to set high level milestones and define metrics for reporting on project performance.

Having a solid project plan ahead of time will alleviate these issues.

Project Management Being An Afterthought

A good project management plan will ensure milestones are on track to meet their intended goals.

To avoid confusion or roadblocks, use a centralized platform to communicate, assign tasks, and keep track of deadlines.

Lack Of A Change Management Plan

Implementing a fix to critical business system without seeking proper approval from the business owners is a critical mistake.

The remediation effort may degrade or stop the application from processing data.

Change management dictates testing and results, which provides a system for stakeholders to approve or deny application of patches.

Reactive Patching

Reactive patch management occurs as a response to a vulnerability currently impacting the system and needs immediate remediation.

While this is necessary for emergency situations, reactive patching should not be a consistent solution for the vulnerability management program.

Remediation teams should aim to communicate and simplify the processes and develop workflows based on their tools.

Automation Is The Future Of Vulnerability Management

A business may choose to outsource its vulnerability management capabilities to an automated tool or system for enhanced productivity.

As is the trend for many business operations today, automation helps to reduce risk by achieving overall improvements to the organizational structure and to prevent breaches of vulnerable networks.

There are several key benefits to using advanced technology, such as artificial intelligence (AI) and machine learning (ML), to automate vulnerability management including:

• Contextual analysis of assets makes it easier to provide enterprise level patch management.
• Lower costs to the budget or client.
• Reduces the number of staff required to maintain the program.
• Increases reporting time and efficiency.

Wrapping Up

As more technologies integrate into business networks, the attack surface widens and vulnerabilities become more prevalent.

This article has described what a Vulnerability Management Program is and the value it has in reducing and mitigating risk within your organization.

This article has also provided what an organization must do to implement a successful vulnerability management program.

Following this outline and utilizing the available resources will help bring long term benefits not only to the success of the Vulnerability Management Program but to the success of the business overall.