Vulnerability Management Best Practices

Author: Jason Firch, MBA / Last Updated: 02/17/23

Reviewed By: Josh Allen & Michael Swanagan, CISSP, CISA

View Our: Editorial Process

There are 8 vulnerability management best practices including Conduct Asset Discovery And Inventory, Classify Assets And Assign Tasks, Run Frequent Automated Vulnerability Scanning, Prioritize Vulnerabilities And Take Corrective Actions, Establish A Comprehensive Vulnerability Management Strategy, Use Automated Tools And Leverage Automation, Review Vulnerabilities And Generate Detailed Reports, and Integrate Vulnerability Management With Other Security Solutions And Processes.

Understanding Vulnerability Management Best Practices

In a world where hackers are lurking around every corner, we need to remain vigilant if we want to avoid becoming the next headline.

That’s where vulnerability management best practices come into play.

So, let’s start with the big question:

What are common methods for managing vulnerabilities?

To truly mitigate vulnerabilities, you need to have a multi-faceted approach that includes vulnerability scanning, penetration testing, and patch management.

Vulnerability Scanning 

When it comes to vulnerability scanning, frequency, and visibility are key.

You should aim to scan your systems on a regular basis – we recommend at least weekly, if not more often.

In addition, you should prioritize vulnerabilities based on severity and remediate them in a timely manner.

Related Article: How To Reduce Your Mean Time To Remediate

Penetration Testing 

Penetration testing is another crucial aspect of vulnerability management.

By simulating a real-world attack, you can identify vulnerabilities that may not have been caught by scanning alone.

We recommend conducting penetration tests on a regular basis, and always after major changes to your systems or software.

Patch Management 

Enterprise patch management has been a contentious issue for decades, with conflicting opinions on how to balance earlier deployment and testing.

Patch management is tougher now due to dynamic and dispersed computing assets, as well as the sheer number of installed software components to patch.

Many organizations are unable to keep up with patching, making it primarily reactive instead of proactive. Being proactive means doing more work now to reduce the likelihood of incidents in the future.

However, the disruptions from patching are largely controllable and necessary to avoid larger disruptions from incidents. 

The recommendations in the NIST SP 800-40r4 supports principles of:

• Be prepared for problems: Organizations should change their culture so that personnel are prepared to address problems when they occur. Everyone in the organization needs to understand that problems caused by patching are a necessary inconvenience that helps prevent major compromises. 
• Simplify decision making: Planning needs to be done in advance so that when a new vulnerability becomes known, a decision can quickly be made about how to respond to it. Conducting a risk assessment of each new vulnerability is not feasible. 
• Rely on automation: Organizations cannot keep up with patching without automation because of the sheer number of assets, software installations, vulnerabilities, and patches. Automation is also needed for emergency situations, like patching a severe vulnerability that attackers are actively exploiting. 
• Start improvements now: Some changes might take years to put in place, but that does not mean that other practices cannot be improved in the meantime.  

Vulnerability Management Best Practices

1. Conduct Asset Discovery And Inventory

The most important step in vulnerability management is to conduct a comprehensive inventory of all authorized and unauthorized devices on the network, including all software installed on the assets.

This inventory should include devices and software owned and managed by the organization, as well as those owned by third-party vendors.

By having a complete inventory of all assets, organizations can determine which assets pose the most significant risk and prioritize vulnerability scanning accordingly.

Note: Asset based scans do not show the full picture. Instead, you should conduct a full IP discovery scan to ensure you have complete visibility of vulnerabilities.

2. Classify Assets And Assign Tasks

After conducting an inventory of assets, it is essential to classify and rank them based on their true and inherent risk to the organization.

This risk classification will help determine the frequency of vulnerability scanning and the priority of remediation efforts.

It is also important to assign ownership of assets to system owners who are ultimately responsible for the asset’s associated risks and liability if those assets become compromised.

3. Run Frequent Automated Vulnerability Scanning

As part of continuous vulnerability management, organizations should run automated vulnerability scanning tools against all systems on the network on a frequent basis.

Vulnerability scanning tools should be:

• Reliable
• Scalable
• Accurate

Depending on the framework you follow the frequency of scanning should be at least every month or quarterly.

However, new vulnerabilities are found daily with many being weaponized by threat actors within days or hours after they’re discovered.

This means if you’re scanning monthly that your organization could be exposed to risk for the remaining 29 days in the month.

At PurpleSec, we recommend taking a continuous approach to your scanning. Depending on your organization weekly and perhaps daily scans may be appropriate.

4. Prioritize Vulnerabilities And Take Corrective Actions

After the scan is complete, organizations must prioritize vulnerabilities based on their impact on the organization and take corrective actions accordingly.

It is important to have a well-established process for remediating vulnerabilities, starting with high-risk vulnerabilities first.

When we say high risk we mean risk to the business and not CVSS scores.

5. Establish A Comprehensive Vulnerability Management Strategy

To effectively manage vulnerabilities, organizations need to establish a vulnerability management strategy that includes people, processes, and technology (PPT).

The strategy should address the information needs of all stakeholders and reduce the organization’s risk.

It is important to plan ahead and establish KPIs to guide the security team and assess ROI.

When creating your KPIs we highly recommend focusing on these top ten to measure the success of you program:

1. Average Time To Action
2. Mean Time To Remediation
3. Risk Score
4. Accepted Risk Score
5. Average Vulnerability Age
6. Internal Vs External Exposure
7. Rate Of Recurrence
8. Total Risk Remediated
9. Asset Inventory/Coverage
10. Service Level Agreement (SLA)

Organizations should also understand and prepare for their elastic attack surface, which includes:

• Web applications
• Cloud instances
• Containers
• Mobile devices
• IoT devices.

6. Use Automated Tools And Leverage Automation

Organizations should leverage automation to enhance the vulnerability management process.

Automated tools can help with:

• Asset discovery
• Vulnerability scanning
• Prioritizing vulnerabilities
• Remediation efforts

By introducing automation into the vulnerability management process, organizations can reduce human error, cut costs, and save time.

7. Review Vulnerabilities And Generate Detailed Reports

After conducting vulnerability scanning and remediation efforts, organizations should review vulnerabilities identified in reports and prioritize remediation based on the risk rating.

It is also important to generate detailed reports for stakeholders to track progress and identify areas for improvement.

For example, by having visibility into vulnerabilities at a business unit level organization’s can quickly identify where bottlenecks exisit in remediating vulnerabilities.

They can then create a plan of action to address the issue or, in the case of legacy systems, accept the risk that patching those systems will take longer than others.

At PurpleSec, we believe that the argument of legacy systems “breaking” from installing patches is no longer valid in 2023.

Organizations need to look to reinvest in their infrastructure which may be posing a greater risk to reputation and financial loss.

8. Integrate Vulnerability Management With Other Security Solutions And Processes

Vulnerability management should be integrated with other security solutions and processes as part of a comprehensive solution.

Organizations should consider integrating vulnerability management with:

• Network security
• Access management
• Threat intelligence
• Incident response

Integrating vulnerability management with other security solutions and processes provides a holistic approach to security, ultimately improving the organization’s security posture.

Likewise, results from penetration tests can be integrated into your vulnerability management process to quickly prioritize and remediate vulnerabilities identified.