Vulnerabilities in a network are an unfortunate certainty. With technology and software continually being updated and developed, this creates a continuous cycle of new vulnerabilities and weaknesses arising in cyber infrastructures. This, however, doesn’t need to be a cause for panic. Instead, organisations need to manage their vulnerabilities as effectively as possible and prepare for potential attacks by increasing their cyber resilience.
What is cyber resilience?
Cyber resilience refers to an organisation’s ability to prepare for, respond to, and recover from cyber attacks and threats. Building resilience is important because attacks are inevitable – so the best defence is to minimise the potential impact and time it takes to recover from successful attacks.
With a robust cyber resilience stance, organisations can more easily adapt to threats and maintain business continuity.
What is vulnerability management?
Vulnerability management is a key process in cyber security and business continuity strategies. Vulnerability management involves understanding the vulnerabilities present across your IT infrastructure. The aim is to identify and evaluate these vulnerabilities, in order to inform actions taken to reduce your attack surface and mitigate the business risk of cyber attacks.
A key element of vulnerability management is prioritisation, informed by threat intelligence and situational awareness. When ranking vulnerabilities by their contextual risk, two factors matter most: how exploitation of a vulnerability could lead to the compromise of critical assets, and the potential business impact of a successful attack.
Vulnerability management and cyber resilience
Proactive vulnerability management is a core part of preparing for a cyber attack. By considering which network assets are business critical, a targeted Vulnerability Management Programme (VMP) provides a way to reduce the network attack surface, the exploitability of critical assets and the risk of business impact.
The challenges of implementing an effective vulnerability management programme
When implementing a VMP, organisations face some common challenges when it comes to addressing the network attack surface:
A vulnerability scan can be performed to assess potential points of exploitation and detect system weaknesses. The volume of vulnerabilities that a scan will find can be overwhelming. There is often no feasible way IT teams can address every vulnerability, especially considering that some patches won’t be available and new vulnerabilities will arise during the patching process. The reality of course is that not all of these vulnerabilities will pose a risk to business critical assets or systems, so trying to find key vulnerabilities without the relevant tools is almost impossible.
Major updates take time and, for that reason, will often be delayed. However, these delays only make the problem worse and the solution more intimidating.
Resource and cost
Upgrades and patching can be a time-consuming endeavour. A scan may identify hundreds of vulnerabilities which, without clear prioritisation, would require significant resource from your IT team to address. Patching to this extent may also cause organisational disruption while systems go offline, which could have a knock-on impact on business performance.
Some legacy systems might not be able to be patched, and replacing them wholesale wouldn’t be a viable expense.
How does vulnerability management help?
Every organisation that uses digital technology will be subject to vulnerabilities and therefore could benefit from a VMP. Situational awareness is extremely important when running a business: from finance to operations, executives need an overarching view of company performance and potential threats. Executives should therefore place the same importance on awareness of their cyber security posture.
An effective VMP will enable organisations to understand the vulnerabilities that are present within their cyber landscape. When Vulnerability Assessments (VA) are performed regularly, organisations can maintain that awareness consistently over time.
A guide to vulnerability management
The NCSC has outlined a three-step methodology for implementing and performing vulnerability management.
New vulnerabilities arise all the time, so this is a step which needs to be repeated frequently. Assessing your vulnerabilities involves scanning your systems, networks, and accounts to detect existing vulnerabilities. This stage gives you awareness of the present risks associated with your entire digital landscape and can be run automatically, without training, using a Vulnerability Assessment System (VAS).
This stage involves evaluating the outputs of vulnerability assessments to determine the contextual severity of a vulnerability. While most solutions will provide a severity rating, they don’t consider the business impact and therefore contextual risk associated with that vulnerability. For example, a vulnerability that could lead to the loss of availability of an asset which is fundamental to your sales performance should be prioritised above a more severe vulnerability that would actually have a low business impact.
Prioritise vulnerability fixes
Next is prioritising all your vulnerabilities based on their overall risk. Assessing the technical and downstream business impacts of any given vulnerability can help organisations prioritise their patching activities. However, these impacts, and therefore priorities, can be challenging to accurately determine without considering attack paths across the network attack surface.
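The three steps above (assess, evaluate contextual risk, prioritise) can be made concrete with a small scoring routine. The following is an added example, not code from the original article or from any vendor product it describes. It assumes a constructed set of scan findings, a constructed business-criticality weighting per asset, and a constructed adjacency list standing in for the attack paths a more capable solution would calculate. The point it demonstrates is the one the text makes: a high-severity vulnerability on an isolated, low-value asset can rank below a moderate one on a sales-critical system, and a mid-severity vulnerability on a low-value host that can reach a critical database ranks highest of all.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    business_criticality: float          # 0.0-1.0, constructed business weighting
    internet_facing: bool
    reaches: list = field(default_factory=list)  # assumed network adjacency (hypothetical)


@dataclass
class Finding:
    vuln_id: str                         # constructed identifier, not a real CVE
    asset: str
    cvss: float                          # scanner severity as reported, 0.0-10.0
    exploit_available: bool


# Constructed inventory: a public sales site, an internal sales database that the
# site and a low-value jump host can both reach, and an isolated kiosk.
ASSETS = {
    "sales-web":   Asset("sales-web",   0.9, True,  reaches=["sales-db"]),
    "sales-db":    Asset("sales-db",    1.0, False),
    "dev-jumpbox": Asset("dev-jumpbox", 0.2, True,  reaches=["sales-db"]),
    "kiosk":       Asset("kiosk",       0.1, False),
}

# Constructed scan output: severity alone would rank V-1 (9.8) first.
FINDINGS = [
    Finding("V-1", "kiosk",       9.8, True),
    Finding("V-2", "sales-web",   6.5, False),   # availability impact on the sales site
    Finding("V-3", "dev-jumpbox", 7.5, True),
    Finding("V-4", "sales-db",    5.0, False),
]


def reachable_assets(assets, start):
    """Breadth-first walk over the assumed adjacency; returns asset names
    reachable from `start` (excluding `start` itself)."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in assets[current].reaches:
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def contextual_score(finding, assets):
    """Combine scanner severity with business impact, exposure and exploit
    maturity. Weights (0.8 pivot discount, 0.6 internal exposure, 0.7 for no
    public exploit) are illustrative assumptions, not an industry standard."""
    asset = assets[finding.asset]
    severity = finding.cvss / 10.0
    # Direct impact is the asset's own criticality; downstream impact is the most
    # critical asset reachable from it, discounted because a pivot is still needed.
    downstream = max(
        (assets[a].business_criticality for a in reachable_assets(assets, asset.name)),
        default=0.0,
    )
    impact = max(asset.business_criticality, downstream * 0.8)
    exposure = 1.0 if asset.internet_facing else 0.6
    exploit = 1.0 if finding.exploit_available else 0.7
    return severity * impact * exposure * exploit * 10.0


def prioritise_by_severity(findings):
    """The naive ordering a raw scan report gives you."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritise_by_context(findings, assets):
    """Ordering after evaluating contextual risk and attack paths."""
    ranked = sorted(findings, key=lambda f: contextual_score(f, assets), reverse=True)
    return [f.vuln_id for f in ranked]


if __name__ == "__main__":
    print("severity only :", prioritise_by_severity(FINDINGS))
    print("contextual    :", prioritise_by_context(FINDINGS, ASSETS))
    for f in FINDINGS:
        print(f"{f.vuln_id} on {f.asset:<12} cvss={f.cvss:<4} "
              f"contextual={contextual_score(f, ASSETS):.2f}")
```

Running it shows the reordering the article argues for: the 9.8 on the isolated kiosk drops to the bottom, while the 7.5 on the jump host rises to the top because the adjacency list says that host can reach the sales database. In practice the adjacency data would come from network scanners or asset management systems rather than being hand-written, and the weights would be agreed with the business owners of each asset.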
Our cyber resilience solution goes far beyond traditional vulnerability scanning solutions. It can be layered on top of existing asset management systems and network scanners to provide additional intelligence about vulnerabilities. It calculates cyber attack paths to business-critical network assets, in order to determine the potential business impact of any breaches and provide recommendations for prioritising and optimising patching activity.
Featuring easy-to-understand visualisations and interactive user interfaces, the solution helps users communicate threats and the need for mitigations in a way that both cyber security professionals and senior management can understand.