
Vulnerability Management Trends & Predictions For 2023

Author: Jason Firch, MBA / Last Updated: 04/07/2023

Featuring: Joshua Copeland

Reviewed By: Josh Allen & Michael Swanagan, CISSP, CISA, CISM


What You’ll Learn

  • The benefits of automating vulnerability management.
  • The importance of asset lists, gap analysis, and risk-based approaches.
  • The need for continuous monitoring and enhanced cloud security.
  • The role of network segmentation, threat intelligence, and DevSecOps in security.
  • The future direction of vulnerability assessment tools.

Automation Is Key To Vulnerability Management

Automation of vulnerability management processes has been gaining popularity in recent years as it allows organizations to identify and prioritize vulnerabilities more efficiently.

Despite the hype around automation, its true potential lies somewhere between overblown claims and genuine value.

Leveraging automation for scanning and discovery, and then moving straight into proactive patch deployment, offers tangible benefits.

For instance, having an automated process for testing patches in a controlled environment and rapidly rolling them out to production once verified can minimize the attack surface.

Automation’s true value extends beyond just the initial detection phase.

By incorporating artificial intelligence and machine learning, organizations can drastically reduce the time it takes to respond to and remediate vulnerabilities.

In many cases, exploits have been known for months, but a lack of established processes and automation leaves organizations exposed.

The Role Of Asset Lists & Gap Analysis

An important aspect of effective vulnerability management is maintaining a comprehensive list of assets, which includes:

  • Hardware
  • Software
  • Critical applications

Organizations often struggle with this task, leading to gaps in their security posture.

Conducting thorough IP discovery scans and accounting for shadow IT can help minimize these gaps.

Automation aims to close the gap in the mean time to remediation, which is the time between vulnerability detection and resolution.

In today’s rapidly evolving threat landscape, vulnerabilities are often weaponized within a day of discovery.

Organizations must shift their focus from monthly patching schedules to addressing vulnerabilities within days or even hours.

Detection & Response Times

The average time to detect a vulnerability currently stands at an alarming seven months.

Organizations that lack robust patching schedules or the necessary tools for identifying vulnerabilities may remain compromised for extended periods.

As threat actors become increasingly stealthy, organizations must employ a proactive approach to vulnerability management, taking into account the criticality and exploitability of vulnerabilities and then prioritizing those that pose the most significant risks.

Developing a matrix that incorporates the location and business impact of each vulnerability is key to a successful vulnerability management strategy.

Adoption Of Risk-Based Approaches

Instead of focusing solely on the critical rating of a vulnerability, it’s important to consider the cumulative impact of multiple vulnerabilities when exploited together.

A single low-level vulnerability can lead to a significant breach when combined with other vulnerabilities.

In one example from a recent penetration test, a low-level vulnerability (SMB message signing disabled) was combined with a medium-level vulnerability (an SMB endpoint with no validation) and the absence of endpoint protection (no EPP or EDR).

This combination allowed attackers to hook malware into the organization’s Active Directory and potentially deploy ransomware.

Traditional patch management methodologies, like those used in the Department of Defense (DoD), prioritize patching critical vulnerabilities within a specific timeframe.

However, these methodologies might not be adequate for commercial organizations that lack the compensating controls and robust security measures present in the DoD.

Understanding and prioritizing risks based on their potential impact on business-critical systems and processes is crucial.

Focusing on medium and low-level vulnerabilities in crucial systems can be more effective than patching critical vulnerabilities in less important systems or networks.

To enhance vulnerability management, organizations need to:

  • Understand their risk landscape.
  • Implement appropriate controls.
  • Prioritize patching based on the potential impact of vulnerabilities on their operations.
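
A small prioritizer that applies the matrix idea above (scanner severity weighted by asset criticality, exploitability and compensating controls) and escalates the SMB chain described earlier when it appears on a host without EDR. This is an added example, not PurpleSec’s code; the scales, inventory, chain rule and scan findings are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple
# Scanner severity and defender-assessed asset criticality (constructed scales).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_CRITICALITY = {"domain-controller": 5, "dev-vm": 1}
# Constructed inventory: asset type plus whether an EPP/EDR agent is present.
ASSETS = {
    "dc01": {"type": "domain-controller", "edr": False},
    "dev01": {"type": "dev-vm", "edr": True},
}
# Chain rules (constructed): findings that together on one unprotected host act
# like a single finding of the stated severity; this is the article's SMB chain.
CHAIN_RULES = [
    ({"SMB signing disabled", "SMB endpoint without validation"}, "critical"),
]

@dataclass
class Finding:
    host: str
    title: str
    severity: str         # scanner rating
    exploit_public: bool  # a working exploit is publicly known

def score(host: str, severity: str, exploit_public: bool) -> float:
    """Severity x asset criticality, up-weighted when an exploit is public and
    halved when EDR on the host provides a compensating control."""
    asset = ASSETS[host]
    s = float(SEVERITY[severity] * ASSET_CRITICALITY[asset["type"]])
    if exploit_public:
        s *= 1.5
    if asset["edr"]:
        s *= 0.5
    return s

def host_scores(findings: List[Finding]) -> Dict[str, float]:
    """Per-host risk: the worst single finding, escalated when a chain rule
    matches on a host without EDR."""
    by_host: Dict[str, List[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    result: Dict[str, float] = {}
    for host, fs in by_host.items():
        worst = max(score(host, f.severity, f.exploit_public) for f in fs)
        titles = {f.title for f in fs}
        for needed, chain_severity in CHAIN_RULES:
            if needed <= titles and not ASSETS[host]["edr"]:
                worst = max(worst, score(host, chain_severity, True))
        result[host] = worst
    return result

def prioritize(findings: List[Finding]) -> List[Tuple[str, float]]:
    return sorted(host_scores(findings).items(), key=lambda kv: -kv[1])

# Constructed scan output: a low + medium pair on the DC vs. a critical on a dev VM.
SAMPLE = [
    Finding("dc01", "SMB signing disabled", "low", True),
    Finding("dc01", "SMB endpoint without validation", "medium", True),
    Finding("dev01", "Outdated web framework", "critical", True),
]
```

With this data the domain controller’s two sub-critical findings outrank the critical on the dev VM, which is the ordering the section argues for.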

Continuous Monitoring

A common struggle when engaging with clients is encouraging the adoption of continuous monitoring.

Some organizations claim to perform quarterly vulnerability assessments, but this practice is insufficient and a waste of resources.

The ideal goal is to have daily or weekly scanning and patching cycles in place.

One main reason organizations haven’t adopted continuous monitoring is budgetary constraints.

Many are hesitant to pay for continuous services, and often ask when the vulnerability management process will be “done.”

This question reflects a fundamental misunderstanding, as vulnerability management is an ongoing process.

Mature organizations that take cyber security seriously are gradually moving towards continuous monitoring; however, security still lags behind desired levels.

In certain sectors, like the federal DoD and some state governments, continuous monitoring is not just a good idea but a requirement.

Monitoring is gaining traction with the help of Managed Detection and Response (MDR) services and Security Operations Centers (SOCs) that actively monitor systems.

Visibility is another important aspect of continuous monitoring because, without proper visibility, organizations can’t take the necessary steps to protect their systems.

One important thing to note is that the end goal of continuous monitoring is to generate actionable items for remediation, rather than simply producing reports to be filed away.

Organizations should prioritize risks based on their risk acceptance and tolerance levels, documenting and implementing appropriate mitigating controls.

However, not all organizations follow this best practice, leading to potential security gaps in their environment.


Increased Focus On Cloud Security

As more organizations adopt cloud-based solutions, there’s a growing need for effective vulnerability management for cloud systems.

The use of containerization technologies like Docker is only going to increase, making cloud security even more essential.

One of the biggest issues in cloud security is the rapid provisioning of devices that are not documented in the system.

This can lead to devices not being scanned or protected by defensive measures like firewalls and intrusion detection systems.

To help address this issue, organizations can:

  • Rapidly provision secure systems: Instead of provisioning devices with vulnerabilities, use pre-built hardened images and templates with necessary security configurations and software already installed.
  • Integrate security from the start: Focus on building secure systems from the beginning, rather than treating security as an afterthought. This helps reduce technical debt and avoids the need for costly fixes down the road.
  • Perform regular updates and maintenance: Keep all devices and systems updated, including firmware on IoT devices like TVs and doorbell cameras. This helps ensure that vulnerabilities are patched as soon as possible.
  • Consolidate security tools: Avoid chasing new and shiny security tools, and instead focus on using and configuring the tools you already have effectively. This helps reduce complexity and costs in your security stack.
  • Target key assets for protection: Prioritize protecting scanning servers, domain controllers, and other critical assets that, if compromised, could provide an attacker with the “keys to the kingdom.”

Increased Use Of Threat Intelligence

Threat intelligence is essential for organizations to stay up to date with the latest vulnerabilities and trends.

Having specific threat intelligence related to your sector allows you to better understand what’s going on and to develop more effective security measures.

By focusing on the threats targeting their specific industry, organizations can set up alerts, develop SOC capabilities, and establish triggers for IDS and IPS.

One way to obtain industry-specific information is by joining Information Sharing and Analysis Centers (ISACs) targeted towards your sector.

Sharing information with industry peers can help improve security for everyone involved as well as detect emerging schemes more quickly.

When one organization experiences an attack, others in the sector can learn from the incident and take preventive measures.

This proactive approach to vulnerability management is also important in the context of cyber security insurance.

Cyber security insurance is becoming more difficult to obtain, with insurers requiring evidence of due diligence and proper security measures before providing coverage.

This trend underscores the importance of actively managing vulnerabilities and maintaining a strong security posture.


The Role Of Network Segmentation In Vulnerability Management

Network segmentation helps limit the scope of a vulnerability and reduce the potential impact of an exploit.

By dividing networks into separate subnets or even entirely separate physical networks, organizations can prevent cross-network travel and protect sensitive data from unauthorized access.

However, many organizations have not readily adopted this best practice due to:

  • Complexity
  • Cost
  • Lack of regulatory requirements

Compliance, often mistaken for security, is merely a minimum requirement that organizations must meet.

While regulatory standards like PCI, HIPAA, and FedRAMP may require some degree of network segmentation, they do not guarantee complete security.

For this reason, cyber security professionals need to make a compelling business case for investing in network segmentation and other security measures.

One way to effectively communicate the importance of network segmentation is to emphasize the potential financial losses an organization could suffer if sensitive data or critical systems are compromised.

By tying security measures to a clear return on security investment (ROSI), cyber security professionals can better communicate the value of network segmentation to business decision-makers.

In addition, a shift in mindset is needed, whereby organizations treat cyber security with the same level of importance as other aspects of their operations.

DevSecOps: Building Security From The Ground Up

The DevSecOps movement has gained traction in recent years, with the global market size expected to grow to $23.16 billion by 2029.

The primary goal is to improve an organization’s security posture by incorporating security into the software development process from the very beginning.

Previously, products were built, shipped, and patched for security vulnerabilities as they were discovered.

DevSecOps aims to create secure products from the start, reducing the need for patches and hotfixes.

Incorporating a security-first mindset means understanding the need for proper data separation, implementing functions to prevent privilege escalation, and ensuring security is considered at every stage of development.

By adopting a DevSecOps process, organizations can instill confidence in buyers that their products are secure from the outset.

However, implementing DevSecOps is not without challenges.

It requires a cultural shift in the organization, where everyone involved in development or operations thinks about security first.

This can be difficult, as there is often resistance from developers who feel they should focus on building software rather than security.

Security should be practiced so well that it becomes second nature, just like securing one’s home or car.

To successfully adopt DevSecOps, organizations must:

  • Invest in better training to educate employees on security best practices.
  • Create a culture where security is prioritized and valued.
  • Ensure that all team members understand the importance of securing their applications from common attack vectors, such as those found in the OWASP Top Ten.

DevSecOps is not necessarily more expensive; it is about using existing resources differently.

By making the necessary cultural changes, organizations can improve their security posture and create more robust, secure products for their customers.

The Future Of Vulnerability Assessment Tools

Agent-based tools with continuous scanning capabilities stand out as particularly promising.

These tools periodically scan systems, whether every hour or every six hours, based on preset criteria.

What makes them so effective is that they reside on the box, kicking off automated patching products to remediate issues immediately.

One significant advantage of agent-based tools is that they eliminate the reliance on patching windows.

This means less time spent ensuring all systems are online during a specific scanning window, ultimately reducing the number of missed opportunities.

However, you should always consider the potential trade-off in terms of resource consumption.

Some vendors’ agents can be quite greedy, which may lead to a suboptimal user experience.

Before engaging with a new tool, you should ask about resource usage; a maximum of 10% resource usage at peak performance is considered reasonable.

An exciting prospect for the future of vulnerability assessment tools is the potential development of agentless processes or integrating the agent directly into the platform.

This would mean that, rather than installing additional software, the built-in agent would report back to the monitoring system during the platform’s regular functioning.

It would be similar to having antivirus software built directly into a device’s CPU, streamlining the entire process and making vulnerability management even more efficient.

Integration Of Incident Response Into The Vulnerability Management Process

Integrating incident response into the vulnerability management process has become table stakes.

When vulnerabilities are identified, this information should automatically be shared with your SOC or incident response team.

This ensures that they can pay extra attention to exploitable vulnerabilities that haven’t been remediated yet.

By integrating these processes, teams can create rules and alerts that help shorten the mean time to detection, allowing for quicker response times.

There are security companies, particularly MDR providers, that offer integrated solutions for monitoring and scanning.

This allows organizations to turn vulnerability scan findings into signatures that can be used by both the scanner and the incident analysis tools.

This dual approach ensures that analysts in the SOC are looking for indicators of compromise (IOCs) related to the vulnerabilities.

This visibility allows them to monitor both sides of the process:

  1. The presence of the vulnerability; and
  2. Potential exploitation attempts.

In some cases, IOCs might be identified even if the vulnerability scanner doesn’t show the vulnerability, which could indicate that the scanner is misconfigured.

Without proper visibility, it would be challenging to identify and address such issues.
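
The two-sided view described above, as an added example that is not part of the original article: scanner findings are correlated with SOC alert lines whose signatures carry the finding id they were generated from, and alerts on a host the scanner never flagged are surfaced separately as a possible scanner gap. Host names, finding ids, addresses and log lines are all constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed scanner export: host -> ids of findings not yet remediated.
SCAN_FINDINGS: Dict[str, Set[str]] = {
    "web01": {"VULN-001", "VULN-002"},
    "db01": {"VULN-003"},
}

# Constructed IDS/SOC alert lines. The sig= field carries the finding id the
# detection signature was built from; that shared id is what makes the
# correlation possible. The last line is deliberately malformed.
ALERT_LOG = """\
2023-04-01T10:02:11Z host=web01 sig=VULN-001 src=203.0.113.7 msg=exploit attempt
2023-04-01T10:05:40Z host=web01 sig=VULN-001 src=203.0.113.7 msg=exploit attempt
2023-04-01T11:17:03Z host=app02 sig=VULN-002 src=198.51.100.9 msg=exploit attempt
garbage line the parser must skip
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) sig=(?P<sig>\S+) src=(?P<src>\S+)")

def parse_alerts(log: str) -> List[Tuple[str, str, str]]:
    """Return (host, finding_id, source) for each well-formed alert line."""
    out = []
    for line in log.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((m["host"], m["sig"], m["src"]))
    return out

def correlate(findings: Dict[str, Set[str]], alerts: List[Tuple[str, str, str]]) -> Dict[str, object]:
    """Split (host, finding) pairs into the two sides the article describes:
    'targeted' = vulnerable and seeing exploitation attempts (top priority),
    'quiet' = vulnerable with no attempts yet,
    'unexpected' = attempts against a host the scanner never reported, which
    points at a scanner coverage or configuration problem to investigate."""
    attempts: Dict[Tuple[str, str], int] = {}
    for host, sig, _src in alerts:
        attempts[(host, sig)] = attempts.get((host, sig), 0) + 1
    vulnerable = {(h, s) for h, sigs in findings.items() for s in sigs}
    return {
        "targeted": {k: n for k, n in attempts.items() if k in vulnerable},
        "quiet": sorted(vulnerable - set(attempts)),
        "unexpected": {k: n for k, n in attempts.items() if k not in vulnerable},
    }

def triage() -> Dict[str, object]:
    return correlate(SCAN_FINDINGS, parse_alerts(ALERT_LOG))
```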

Software Bill Of Materials (SBOM) & Its Impact On Vulnerability Management

A Software Bill of Materials (SBOM) is essential for understanding what components are embedded within your software and hardware.

It helps you identify potential vulnerabilities and manage them more effectively.

The Log4j vulnerability, for example, highlighted the importance of knowing what software components are present in your network.

Lacking awareness of the software and components within your systems makes it impossible to actively monitor and track potential vulnerabilities.

Having a clear understanding of not only what you have but also what’s inside your software is crucial for effective vulnerability management.

One way to improve SBOM management is by understanding your supply chain and being aware of all the components and tools used in your organization.

In addition, maintaining an accurate inventory of your software is essential for managing vulnerabilities.

Unfortunately, many organizations struggle with this aspect of vulnerability management, highlighting the importance of investing time and resources into proper inventory management.
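
An added example (not the article’s or PurpleSec’s code) of what the “what’s inside your software” check looks like in practice: a constructed CycloneDX-style SBOM is walked recursively so that a logging library nested as a transitive dependency is found, and each component is matched against a constructed advisory entry whose id and fixed version are placeholders.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX 1.4-style SBOM for an imaginary application. The old
# logging library sits under the application component as a transitive
# dependency, which a flat "installed software" inventory would not show.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-api", "version": "3.2.0",
     "purl": "pkg:maven/com.example/billing-api@3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.20.0", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.20.0"}
  ]
}"""

# Constructed advisory feed keyed by purl without its version. The advisory id
# and fixed version are placeholders; take them from your real advisory source.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": {"id": "ADV-PLACEHOLDER-1", "fixed_in": "2.17.1"},
}

def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); non-numeric parts count as 0 so comparison never raises
    and a pre-release such as '2.17.1-rc1' sorts below the fixed release."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def walk(components: List[dict], path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], dict]]:
    """Yield every component, including nested (transitive) ones, with its path."""
    for c in components:
        here = path + (c.get("name", "?"),)
        yield here, c
        yield from walk(c.get("components", []), here)

def vulnerable_components(sbom: dict) -> List[dict]:
    """Components whose purl matches an advisory and whose version is below the fix."""
    hits = []
    for path, c in walk(sbom.get("components", [])):
        purl = c.get("purl", "").split("@")[0]
        adv = ADVISORIES.get(purl)
        if adv and version_tuple(c.get("version", "0")) < version_tuple(adv["fixed_in"]):
            hits.append({"path": "/".join(path), "version": c["version"],
                         "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return hits

def check_sbom(text: str) -> List[dict]:
    return vulnerable_components(json.loads(text))
```

Only the nested 2.14.1 copy is reported; the top-level 2.20.0 copy is at or above the placeholder fix version and is ignored.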

Wrapping Up

Automation, continuous monitoring, and adopting a risk-based approach can significantly enhance the vulnerability management process.

Incorporating artificial intelligence and machine learning can further reduce the time taken to respond to and remediate vulnerabilities.

Maintaining comprehensive asset lists, prioritizing patching based on potential impact, and focusing on cloud security and network segmentation are essential steps toward mitigating risks.

DevSecOps and the future of vulnerability assessment tools, such as agent-based scanning, can also help organizations streamline their processes and create more secure products.

Organizations must invest in proper training, create a culture prioritizing security, and understand that vulnerability management is an ongoing process to effectively combat the ever-evolving cyber threat landscape.

Jason Firch, MBA

Jason is a proven marketing leader, veteran IT operations manager, and cyber security enthusiast with 10 years of experience. He is the co-founder and CEO/CMO of PurpleSec.
