A Maturity Journey: Vulnerability Management

Cyber Risk

Cybersecurity vulnerabilities are one of the top threats facing organizations today. In 2020, more than 18,000 vulnerabilities were published in the NVD, roughly 1,000 more than in 2019. Note that the database only counts disclosed vulnerabilities: it says nothing about flaws that are still undiscovered or unpublished, some of which threat actors are already exploiting. This is one of the main reasons vulnerability scanning needs to be dynamic and continuous. Adapting to unpublished vulnerabilities is a challenge for any organization, and it means knowing every compensating control at your disposal (network segmentation, configuration hardening, virtual patching at a WAF or IPS) so that you can protect yourself from an exploit when a formal patch is not yet available. This shouldn't be a concern only for larger organizations, either; even small and medium-sized networks change constantly.

This is where a vulnerability management program comes in. Unfortunately, more organizations than we'd like to admit fail to establish, implement and maintain a mature one. The goal of such a program is to reduce security risk to a level the business can manage and accept. Using ServiceNow, we have the tools and expertise to bring your organization from Level 0 maturity all the way up to Level 5. The CMMI maturity levels are:

CMMI Maturity Levels

  1. Initial
  2. Managed
  3. Defined
  4. Quantitatively Managed
  5. Optimizing

To climb the maturity ladder, your organization must move through each level in turn; you cannot fast-track or skip steps, because each level has components that must be in place before you can progress. You don't need to stay long at any particular level, but you do need to pass through each one.

Vulnerability Management Lifecycle

In vulnerability management there are five recognized stages that make up the lifecycle of a finding, from discovery to confirmed fix, and these stages are the main focus of a program. Many organizations fail to close the loop: they never verify that a vulnerability was actually eliminated after remediation, which is a critical step if you want to level up your vulnerability management solution. The stages are:

  1. Discover: discover and identify all assets across the organization.
  2. Assess: determine a baseline risk profile and rank findings by asset criticality and vulnerability threat.
  3. Report: document a security plan, monitor suspicious activity, and describe known vulnerabilities.
  4. Remediate: prioritize and fix vulnerabilities according to business risk. Establish controls and demonstrate progress.
  5. Verify: confirm that the vulnerability has been eliminated through follow-up scans and audits.

Or more simply put: find it, fix it, confirm it. Organizations at Level 0 maturity aren't doing enough to follow through on these lifecycle stages effectively and efficiently. At Levels 1 and 2 we can start bringing ServiceNow components into the vulnerability management solution, and from Level 3 onward we can add threat intelligence and automation to keep the program on track and measurably shorten the time from discovery to verified fix.

Further, with the help of Recorded Future (RF), we can supply a re-prioritized risk score that goes deeper than a CVSS severity score alone. RF's risk scoring considers dozens of parameters and draws on observed threat activity in the real world, such as whether exploit code is public or a vulnerability is being actively exploited, rather than a static severity rating. Combine that with your organization's business context (asset criticality, exposure, data sensitivity) for high-confidence prioritization. Together these refocus vulnerability management teams and show them exactly where to look and what to do first.
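To make the "assess, remediate, verify" loop and the re-prioritization above concrete, here is an added example (not code from the original post, from ServiceNow or from Recorded Future). It scales each finding's CVSS score by exploit evidence from a threat-intelligence feed and by the asset's business context, then verifies remediation by diffing a follow-up scan against the baseline. The scanner output, the threat-intel entries, the asset inventory and the weights are all constructed for illustration; the CVE identifiers are placeholders, not real advisories, and the scoring formula is illustrative rather than any vendor's published model.

```python
"""Contextual re-prioritisation of scan findings plus remediation verification.
Added example; all data and weights below are constructed, not from any vendor."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # CVSS base score as reported by the scanner


# Constructed scanner output. CVE IDs are placeholders, not real advisories.
SCAN_BASELINE = [
    Finding("web01", "CVE-EXAMPLE-0001", 7.5),
    Finding("web01", "CVE-EXAMPLE-0003", 5.3),
    Finding("db01", "CVE-EXAMPLE-0002", 9.8),
    Finding("test03", "CVE-EXAMPLE-0002", 9.8),
]
SCAN_FOLLOWUP = [
    Finding("db01", "CVE-EXAMPLE-0002", 9.8),    # still open: patch not yet applied
    Finding("test03", "CVE-EXAMPLE-0002", 9.8),  # still open on the test box too
    Finding("db01", "CVE-EXAMPLE-0004", 6.1),    # newly published since the baseline
]

# Hypothetical threat-intelligence feed (stand-in for a vendor risk score).
# Absence from the feed means no known public exploit and no observed exploitation.
THREAT_INTEL = {
    "CVE-EXAMPLE-0001": {"public_exploit": True, "exploited_in_wild": True},
    "CVE-EXAMPLE-0003": {"public_exploit": True, "exploited_in_wild": False},
}

# Hypothetical business context pulled from the asset inventory (CMDB).
ASSET_CONTEXT = {
    "web01": {"criticality": 5, "internet_exposed": True},
    "db01": {"criticality": 4, "internet_exposed": False},
    "test03": {"criticality": 1, "internet_exposed": False},
}


def risk_score(f, intel=THREAT_INTEL, ctx=ASSET_CONTEXT):
    """CVSS scaled by exploit evidence and by the asset's business context.
    Weights are illustrative: public exploit code adds 50%, observed exploitation
    adds 100%, criticality scales 1/5..5/5, internet exposure doubles the result."""
    ti = intel.get(f.cve, {})
    threat = 1.0 + 0.5 * ti.get("public_exploit", False) + 1.0 * ti.get("exploited_in_wild", False)
    asset = ctx.get(f.asset, {"criticality": 3, "internet_exposed": False})  # unknown asset: assume mid-tier
    exposure = 2.0 if asset["internet_exposed"] else 1.0
    return round(f.cvss * threat * (asset["criticality"] / 5) * exposure, 2)


def prioritize(findings, intel=THREAT_INTEL, ctx=ASSET_CONTEXT):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=lambda f: risk_score(f, intel, ctx), reverse=True)


def verify_remediation(baseline, followup):
    """Close the loop: a finding counts as closed only when a later scan no longer
    reports the same asset/CVE pair. Also surfaces findings that are new since the baseline."""
    before, after = set(baseline), set(followup)
    return {"closed": before - after, "still_open": before & after, "new": after - before}


if __name__ == "__main__":
    print("Prioritised work queue:")
    for f in prioritize(SCAN_BASELINE):
        print(f"  {risk_score(f):6.2f}  {f.asset:7} {f.cve} (CVSS {f.cvss})")
    print("Verification against follow-up scan:")
    for state, items in verify_remediation(SCAN_BASELINE, SCAN_FOLLOWUP).items():
        print(f"  {state}: {sorted((f.asset, f.cve) for f in items)}")
```

Note how the CVSS 5.3 finding on the internet-facing web01 outranks the CVSS 9.8 finding on db01 once exploit availability and exposure are factored in, which is the point of re-prioritizing rather than sorting by CVSS alone; and how the two web01 findings are only marked closed because the follow-up scan no longer reports them, not because a ticket was marked resolved.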

For more discussion of vulnerability management and attack surface management, listen to Kirk Hogan, CIO (Iceberg) and Allan Liska, CSIRT (Recorded Future) break down the two programs in our Ask the Expert video.

Additionally, tune into our webinar on maturing vulnerability management, "Sweeten up your approach: Vulnerabilities and knowing exactly where to look," taking place on Wednesday, November 10th at 1:30 pm Eastern.

See all the ‘Ask the Expert’ videos in this series related to vulnerability management:

Ask the Expert Part 1: Why CVSS isn’t enough?
Ask the Expert Part 2: How can I make my vulnerability solution more responsive?
Ask the Expert Part 3: How do you level up your vulnerability management?
Ask the Expert Part 4: What is the difference between vulnerability management and attack surface management?

Start your GRC journey.
We’ll be your trusted partner.
