Let’s talk a little about the importance of vulnerability management. As I’ve mentioned in other posts, data has value. For some organizations, their data and intellectual property are the only things of value (that and their people). So it makes sense to do everything conceivable to keep that data as safe as possible.
Bad guys make a living accessing your data and selling it or ransoming it back to you or using it to impersonate you for nefarious purposes. Aside from social engineering (we’ll discuss that in another post), exploiting software or network vulnerabilities is the chief way they get unauthorized access to your data.
Think for a second about all the programs running on your device. You’ve got email programs, word processing and spreadsheet programs, productivity apps, social media apps, web browsers and on and on. All of those sit on top of the operating system that powers your laptop, desktop, phone, tablet, etc. The operating system is usually the largest, most complex set of programs running on your device, and it handles an enormous number of operations under the hood that you never see.
Each of those software packages is tested extensively (we hope) by its developers, looking for bugs that could expose the data it handles. However, even the most exhaustive testing can’t simulate all the different ways people can and will work with the software once it’s released into the world. It is these bugs, or vulnerabilities, that bad actors exploit to get to your data. Some vulnerabilities allow bad actors to copy and transmit data somewhere only the bad guys can get it, some allow data to be encrypted and “locked” so it can be sold back for ransom, and some allow the bad guys to take remote control of a device in order to search the network for other data or do their nefarious bidding.
Some organizations think that keeping Windows up to date by applying the monthly patches, annoying as they are, is all that’s needed. These are the people that bad guys love. The operating system is important to be sure, but it’s not the only software that gets exploited or has vulnerabilities: browsers, office suites, PDF readers, remote-access tools and the firmware on your network gear all have vulnerabilities of their own. Plus, certain configuration settings can make the difference between secure and wide open.
Vulnerability management is the process of continuously identifying, categorizing, and remediating security vulnerabilities in technology systems. It starts with inventorying each device on your network (phone, laptop, tablet, desktop, router, switch, printer, IoT devices, etc.) and all the software running on it.
Once you have that inventory, you need to know not only the most up-to-date version of each piece of software, but also which installed versions aren’t safe anymore and which configuration settings make a device susceptible to attack. Plus, you need a way of knowing how dangerous those vulnerabilities are. There are several products in the marketplace that do this, generally called vulnerability scanners or vulnerability management platforms. They are often confused with Security Information and Event Management (SIEM) products, but a SIEM collects and correlates logs and alerts; it can consume a scanner’s findings, but it does not find vulnerabilities itself.
To be clear, some vulnerabilities are easy to take advantage of, and the bad guys already have working code to exploit them. For others, no one has found a way to misuse them yet. This is why you need a ranking system, a way to determine which are more dangerous if left unaddressed. A vulnerability is a weakness in your defenses. An exploit is the code or technique that actually takes advantage of that weakness. This is an important difference: a vulnerability with a public, working exploit is far more urgent than one that is only theoretical.
The last step in managing vulnerabilities is how to fix or remediate them. A good vulnerability management product will not only identify vulnerabilities, but also categorize them based on a severity algorithm and then provide resources to remediate them.
The Vulnerability Management Cycle in Practice
Vulnerability management isn’t a project with a start and end date. It’s a continuous operational process — and understanding each phase helps you build a program that actually works rather than one that generates reports nobody acts on.
Phase 1: Discovery and Inventory
You cannot manage what you don’t know exists. The first phase is building and maintaining an accurate inventory of every asset on your network — every device, every piece of software, every configuration. This is harder than it sounds in most organizations because networks grow organically. Shadow IT — software and devices that employees deploy without IT approval — is everywhere. A vulnerability scanner can only find what it can see. If a device isn’t on your network map, it isn’t being scanned.
Phase 2: Scanning and Detection
Vulnerability scanners (tools like Nessus, Qualys, or Rapid7 InsightVM) probe your environment continuously, comparing your installed software versions and configurations against known vulnerability databases. The most widely used reference is the Common Vulnerabilities and Exposures (CVE) list, a publicly maintained catalog of known security flaws. Most CVEs carry a CVSS score, a Common Vulnerability Scoring System rating from 0.0 to 10.0 that reflects the intrinsic severity of the flaw: how reachable it is, how easy it is to trigger, and how much damage a successful attack can do. It does not tell you whether anyone is actually exploiting it, or whether it matters on your systems.
Understanding CVE and CVSS scores is essential for anyone working in security. A critical CVE with a CVSS score of 9.8 demands immediate attention. A low-severity finding with a score of 2.1 can be scheduled for the next maintenance window. But remember that CVSS measures severity, not risk to your organization; the next phase is where your own context gets applied.
Phase 3: Prioritization
Here is where most vulnerability management programs fail. A typical enterprise environment generates thousands of vulnerability findings per scan. Trying to remediate everything immediately is neither practical nor necessary. The goal is to prioritize based on risk: which vulnerabilities are most likely to be exploited, which have known active exploits in the wild (the CISA Known Exploited Vulnerabilities catalog is the usual reference for this), which sit on systems exposed to the internet, and which affect your most critical systems.
This is the difference between a compliance-driven program and a risk-driven one. A compliance program patches everything on a schedule. A risk-driven program patches the dangerous things first, fast, regardless of schedule.
Phase 4: Remediation
Remediation takes several forms. Patching — applying software updates released by the vendor — is the most common. But not every vulnerability has a patch available, and not every patch can be applied immediately without disrupting operations. In those cases, organizations implement compensating controls — configuration changes, network segmentation, or enhanced monitoring that reduce the risk of exploitation while a permanent fix is developed or tested.
Documentation matters here. Every vulnerability finding, prioritization decision, and remediation action should be recorded. This creates an audit trail, supports compliance reporting, and helps you demonstrate due diligence if a breach ever occurs.
Phase 5: Verification and Reassessment
After remediation, you scan again to confirm the vulnerability is actually resolved. It sounds obvious. It gets skipped constantly. Patches fail to apply. Configurations revert. New software gets installed that introduces the same vulnerability on a different system. Verification closes the loop and ensures you’re not just marking things done on a spreadsheet while the vulnerability persists in the environment.
Then the cycle starts again.
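To make phases 1, 3 and 5 concrete, here is an added example (mine, not the original post’s code or any vendor’s) that works through a constructed mini-environment: an asset inventory, a first scan export, and a rescan after a remediation sprint. The field names, the four-level priority rules, the asset-tier scheme and the sample hosts are all assumptions, and the CVE identifiers are placeholders, not real CVE entries. It shows the coverage check from Phase 1 (what the scanner never saw, and what is on the wire but not in the inventory), the difference between a CVSS-only ranking and a risk-based one from Phase 3, and the rescan comparison from Phase 5 that catches a patch that did not take and the same flaw appearing on a newly scanned host.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                # placeholder IDs below, not real CVE entries
    cvss: float             # CVSS base score, 0.0 to 10.0
    known_exploited: bool   # assumed flag: exploitation observed in the wild (e.g. a KEV listing)
    internet_facing: bool   # assumed: reachable from the internet
    asset_tier: int         # assumed scheme: 1 = business-critical, 3 = low value


# Constructed sample data: an asset inventory and the hosts/findings from a first scan.
INVENTORY = {"web-01", "web-02", "db-01", "kiosk-07", "hr-pc-12"}

SCAN_1_HOSTS = {"web-01", "db-01", "kiosk-07", "hr-pc-12", "printer-3f"}
SCAN_1 = [
    Finding("web-01",   "CVE-0000-0001", 9.8, True,  True,  1),
    Finding("web-01",   "CVE-0000-0002", 5.3, False, True,  1),
    Finding("db-01",    "CVE-0000-0003", 7.5, False, False, 1),
    Finding("kiosk-07", "CVE-0000-0004", 9.8, False, False, 3),
    Finding("hr-pc-12", "CVE-0000-0005", 2.1, False, False, 3),
]

# Constructed rescan after the remediation sprint: web-02 is finally being scanned,
# the db-01 patch did not take, and web-02 carries the flaw that was fixed on web-01.
SCAN_2_HOSTS = SCAN_1_HOSTS | {"web-02"}
SCAN_2 = [
    Finding("web-01",   "CVE-0000-0002", 5.3, False, True,  1),
    Finding("db-01",    "CVE-0000-0003", 7.5, False, False, 1),
    Finding("hr-pc-12", "CVE-0000-0005", 2.1, False, False, 3),
    Finding("web-02",   "CVE-0000-0001", 9.8, True,  True,  1),
]


def coverage_gaps(inventory, scanned_hosts):
    """Phase 1: assets the scanner never saw, and scanned hosts nobody put in the inventory."""
    unscanned = inventory - scanned_hosts      # not on the scan target list
    unknown = scanned_hosts - inventory        # shadow IT candidates
    return unscanned, unknown


def priority(f):
    """Phase 3, assumed rule set: exploitation evidence and exposure outrank raw CVSS."""
    if f.known_exploited or (f.cvss >= 9.0 and f.internet_facing):
        return "P1"   # fix now, regardless of the maintenance calendar
    if f.cvss >= 7.0 and (f.asset_tier == 1 or f.internet_facing):
        return "P2"
    if f.cvss >= 7.0 or (f.asset_tier == 1 and f.cvss >= 4.0):
        return "P3"
    return "P4"       # next maintenance window


def rank_by_risk(findings):
    """Risk-driven order: priority band first, CVSS as the tie-breaker inside a band."""
    return sorted(findings, key=lambda f: (priority(f), -f.cvss))


def rank_by_cvss(findings):
    """Compliance-style order: the severity number alone, no context."""
    return sorted(findings, key=lambda f: -f.cvss)


def verify(before, after, marked_fixed):
    """Phase 5: compare the rescan against what the ticket queue says was closed."""
    before_keys = {(f.host, f.cve) for f in before}
    after_keys = {(f.host, f.cve) for f in after}
    return {
        "resolved": marked_fixed - after_keys,   # closed and confirmed gone
        "failed": marked_fixed & after_keys,     # closed on paper, still present on the wire
        "new": after_keys - before_keys,         # new findings, including old flaws on new hosts
    }


if __name__ == "__main__":
    unscanned, unknown = coverage_gaps(INVENTORY, SCAN_1_HOSTS)
    print("never scanned:", sorted(unscanned), "| not in inventory:", sorted(unknown))
    print("CVSS-only order:", [(f.host, f.cvss) for f in rank_by_cvss(SCAN_1)])
    for f in rank_by_risk(SCAN_1):
        print(priority(f), f.host, f.cve, f.cvss)
    fixed = {("web-01", "CVE-0000-0001"), ("db-01", "CVE-0000-0003"), ("kiosk-07", "CVE-0000-0004")}
    for state, items in verify(SCAN_1, SCAN_2, fixed).items():
        print(state, sorted(items))
```

Two things to notice in the output. The kiosk with a 9.8 ties for first place in the CVSS-only list but lands in P3 under the risk rules, because it is isolated and low value, while the 7.5 on the business-critical database outranks it. And the rescan reports the database patch as failed and the web-01 flaw as new on web-02, which is exactly what a ticket marked “done” would have hidden.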
As you can see, this is a never-ending cycle: inventory, scan, prioritize, remediate, verify, then do it all over again. But in the overall scheme, plugging all the potential holes in the wall is an important step in keeping the bad guys away from your valuable data.