Vulnerability management is more than patching

Tenable APAC

By Nathan Wenzler, Chief Security Officer, Tenable APAC
Monday, 08 August, 2022

Vulnerability management is more than patching

Just as technology has evolved over the last few decades, so have the tools and techniques for securing and protecting those systems. After all, for as long as there have been technologies that store, transmit or process data, there have been malicious actors who relentlessly attempt to break those systems and take advantage of them. It is because of this, organisations of every size across every industry have had to evolve their security practices to align better with how they conduct their operations.

Strongest defence

While new security tools are released on a nearly constant basis by vendors trying to reinvent the ways we secure our environments, staying focused on the best practices around good cyber hygiene and core security principles are still our strongest lines of defence. No matter how dramatic the evolution of tools and technologies is within our organisations, security teams must still execute one of the most important, longstanding and fundamental practices well: vulnerability management.

If you’ve read those last two words and thought to yourself, “What’s he talking about? Is that still a thing?”, it’s possible you still think of vulnerability management as that thing security professionals have been doing for the last two decades to scan their networks looking for missing patches on their Windows and Linux systems. And 20 years ago that might have been true, but with technology evolving rapidly, vulnerability management has advanced with the times.

Increased assets, tech and services

Organisations are no longer living in a world where they only manage a single data centre with dedicated server hardware that is racked and stacked in well-controlled environments. Nor are these servers running traditional, robust operating systems that can respond well to interrogation for their configurations, software inventory, network status and all the other things that can be used to detect vulnerabilities and misconfigurations that would make those systems targets.

Instead, today’s organisations operate on distributed, hybrid networks that stretch across many data centres in multiple geolocations, cloud-based infrastructures, applications, virtualised platforms and services and much more. Simply put, there are more types of technologies, assets and services in every organisation than ever before. And each and every one of them is vulnerable to some sort of attack or threat above and beyond a simple, exploitable vulnerability caused by a missing patch. For example:

  • Web applications can be vulnerable to manipulation attacks that leverage SQL Injection or Cross-site Scripting to cause the application to serve up data it shouldn’t or be staged for fraudulent browsing.
  • Operational technology (OT) devices in critical infrastructure networks don’t often suffer from missing patches, but misconfigurations can literally be the difference between the lights turning on or water flowing to residences.
  • Even the latest cloud technologies that are being leveraged to quickly scale and provide service to customers can be taken advantage of by attackers through misconfigurations, poor system policy enforcement or inappropriate access controls and rights being implemented across the cloud infrastructure, containers and other parts of the deployment architecture.

Ultimately, there are many, many different types of assets which represent many different types of potential vulnerabilities, giving attackers more options and techniques than ever before to gain access across an organisation’s attack surface.

This is why vulnerability management, as a critical security practice, has evolved to not only “scan for missing patches” but to put the right combinations of tools and sensors to safely and securely assess each type of asset for whatever type of vulnerability may pose some amount of risk to the organisation. Of course, this generates huge amounts of disparate findings that make it difficult to determine what is actually a real exposure that needs to be addressed and what isn’t something the organisation needs to worry about today.

Modern vulnerability management

Modern vulnerability management programs incorporate a great deal of threat intelligence about real-world attacks and exploits to provide organisations far more context about their state of risk and combine that information with what the business sees as critical to the organisation. It moves vulnerability management of the past from simply determining whether or not a vulnerability exists or not to a risk-based decision engine that allows security professionals to understand the true security posture of their entire environment, how those vulnerabilities relate to each other and create exposures to risk, and provides the right kind of context to help focus on the issues that pose the most risk to the business.

In this way, we begin to see the idea of traditional vulnerability management evolving to become ‘exposure management’, where exposures of any type across any asset can be identified, put into proper business context, prioritised for remediation and drive the engine that allows organisations to protect themselves from compromise, reduce overall risk and shrink the potential number of targets an attacker has anywhere on their attack surface.

Exposure management isn’t just a rebranding of the same discipline of vulnerability management that many of us performed at the start of our careers many years ago. This practice has evolved into a proper risk management and business-enabling function that keeps it firmly within the realm of being a mandatory, fundamental part of any security program. And what happens when technology evolves again? Exposure management will evolve right alongside it, ensuring that we have the tools and techniques to best understand risk within our organisations in order to make better decisions about how and where we implement security controls to protect the environment.

Image credit: ©

Related Articles

If you want to fix cyber, stop trying to fix people

We need to stop trying to fix people and start understanding and supporting them with the right...

Managing through uncertainty requires facing security unknowns head on

Understanding the attack surface in its entirety is not just a tactical advantage; it is a...

Why the success of modern cyber defence hinges on identity security

 A single compromised identity could easily provide the keys to the kingdom if it isn't...

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd