What Is Vulnerability Management


Vulnerability Management
What is Vulnerability Management?
Why Vulnerability Management is Important
The Stages of the Vulnerability Management Lifecycle
Vulnerabilities vs. Threats vs. Risks
Components of a VM Program
Vulnerability Management Benefits
Vulnerability Management vs. Risk-Based Vulnerability Management
What to look for in a VM Solution
Featured Resources
What is Vulnerability Management?

Vulnerability management (VM) is the continual process of identifying, evaluating, reporting, managing, and then remediating IT infrastructure vulnerabilities. An efficient vulnerability management program (https://www.digitaldefense.com/blog/vulnerability-management-program-basics/) combines a team of trained IT experts and security solutions. VM helps minimize attack surface areas by proactively scanning, detecting, and prioritizing vulnerabilities, which then allows the security team to step in and help guide remediation efforts.

Why Vulnerability Management is Important

Cyberattacks aren’t going away. As organizations adopt digital flexibility into their business strategy, cybersecurity gaps can persist. As attack methods evolve and newer opportunities to exploit weaknesses are found, vulnerability management becomes even more important for proactive security.

The average cost of a data breach has risen to $9.44M in the United States and, globally, $4.35M (https://www.ibm.com/reports/data-breach#3135690). Compliance and regulation penalties, downtime to fix cybersecurity weaknesses, and customer loss are the largest portions of these costs.

On average it takes 9 months to discover that a data breach has occurred. In that timeframe, the cost of recovering from data theft becomes more than money. An organization’s reputation and customer trust plummet, and executive liability and accountability are now being taken into account during the penalty phase of a data breach. The initial damage is monetary; the long-lasting impact is the difficulty of regaining consumer trust in your business.

Designing and implementing vulnerability management into a proactive, layered cybersecurity stack (/products/offensive-security-bundles/) costs a fraction of the penalties and reputation damage that can be levied after a breach.

The Stages of the Vulnerability Management Lifecycle

1. Identify Vulnerabilities – Vulnerability management solutions (https://www.digitaldefense.com/products/fortra-vulnerability-management/) take inventory of all assets across an environment, identifying details such as operating systems, applications, services, and configurations when searching for vulnerabilities. Scans include network scans and authentication-based scans, and are usually performed regularly on automated schedules.
2. Prioritize Remediation Tasks – Identified vulnerabilities need to be categorized and assigned risk-based prioritization (/blog/security-gpa-grade-with-risk-based-prioritization/) based on company-specific risk context.
3. Assess Improvement – Establish a risk baseline as a point of reference as vulnerabilities are remediated. Repeated assessments track that baseline over time and support proof-of-value conversations with intuitive reporting and understandable metrics.
4. Remediate Vulnerabilities and Threats – Vulnerabilities need to be fixed. Controls should be in place so that remediation is completed successfully and progress is documented.
5. Verify Remediation – Remediation effectiveness can be validated through post-remediation scanning, scoring, and reporting.
6. Secure Posture Reporting – Executives and teams need to understand the risks associated with every vulnerability. IT needs to report on vulnerabilities identified and remediated, so executives can provide a summary of the vulnerability state.
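As an added illustration of stages 3 to 6 (baseline, remediate, verify, report), and not code from Digital Defense or from any scanner product: the Python script below diffs a baseline scan against a post-remediation rescan, cross-checks the "fixed" claims from a ticket queue against what the rescan still reports, and produces the figures a posture report would carry. Every finding id, host, severity and weight is constructed for the example; the check ids are placeholders, not real plugin or CVE identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample data for this example: ids, hosts, severities and weights
# are made up and do not come from any scanner or from the page.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str       # asset from the inventory step (stage 1)
    check_id: str   # scanner check id (constructed placeholder)
    severity: str   # critical / high / medium / low

    def key(self) -> Tuple[str, str]:
        # The same host/check pair across two scans is treated as the same finding.
        return (self.host, self.check_id)


BASELINE_SCAN: List[Finding] = [
    Finding("web-01", "CHECK-TLS-WEAK-CIPHERS", "medium"),
    Finding("web-01", "CHECK-OUTDATED-WEBSERVER", "critical"),
    Finding("db-01", "CHECK-DEFAULT-CREDENTIALS", "critical"),
    Finding("db-01", "CHECK-UNPATCHED-OS", "high"),
    Finding("ws-17", "CHECK-SMBV1-ENABLED", "high"),
]

# Rescan after the remediation sprint: two items gone, one new item on a new
# host, and one item the team believed was fixed is still being reported.
POST_REMEDIATION_SCAN: List[Finding] = [
    Finding("web-01", "CHECK-TLS-WEAK-CIPHERS", "medium"),
    Finding("db-01", "CHECK-DEFAULT-CREDENTIALS", "critical"),
    Finding("ws-17", "CHECK-SMBV1-ENABLED", "high"),
    Finding("ws-22", "CHECK-UNPATCHED-BROWSER", "high"),
]

# What the ticket queue says was remediated (constructed).
CLAIMED_FIXED: Set[Tuple[str, str]] = {
    ("web-01", "CHECK-OUTDATED-WEBSERVER"),
    ("db-01", "CHECK-DEFAULT-CREDENTIALS"),
    ("db-01", "CHECK-UNPATCHED-OS"),
}


def risk_score(findings: List[Finding]) -> int:
    """Baseline metric (stage 3): sum of severity weights, tracked scan over scan."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def compare_scans(baseline: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into remediated (gone), persistent (still there) and new."""
    base = {f.key(): f for f in baseline}
    cur = {f.key(): f for f in current}
    return {
        "remediated": sorted((f for k, f in base.items() if k not in cur), key=Finding.key),
        "persistent": sorted((f for k, f in cur.items() if k in base), key=Finding.key),
        "new": sorted((f for k, f in cur.items() if k not in base), key=Finding.key),
    }


def verify_remediation(current: List[Finding],
                       claimed_fixed: Set[Tuple[str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Stage 5: a 'fixed' claim is confirmed only if the rescan no longer reports it."""
    still_present = {f.key() for f in current}
    return {
        "confirmed": claimed_fixed - still_present,
        "failed": claimed_fixed & still_present,
    }


def posture_report(baseline: List[Finding], current: List[Finding],
                   claimed_fixed: Set[Tuple[str, str]]) -> Dict[str, object]:
    """Stage 6: the figures an executive summary would carry."""
    diff = compare_scans(baseline, current)
    verification = verify_remediation(current, claimed_fixed)
    return {
        "baseline_score": risk_score(baseline),
        "current_score": risk_score(current),
        "remediated": len(diff["remediated"]),
        "persistent": len(diff["persistent"]),
        "new": len(diff["new"]),
        "verification_failed": sorted(verification["failed"]),
    }


if __name__ == "__main__":
    for field, value in posture_report(BASELINE_SCAN, POST_REMEDIATION_SCAN, CLAIMED_FIXED).items():
        print(f"{field}: {value}")
```

The point of `verify_remediation` is that a closed ticket is not evidence: in the constructed data the default-credentials item on db-01 was marked fixed but the rescan still reports it, so it is returned under `failed` and stays on the report rather than silently disappearing from the metrics.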

Vulnerabilities vs. Threats vs. Risks

Network security is all about identifying and remediating security vulnerabilities, and success depends greatly on risk assessment and threat identification. Many discussions about security use the terms vulnerability, risk, and threat interchangeably, but in the cybersecurity world they have very different meanings.

A vulnerability, simply put, is a gap in a company’s network security. These security holes can be anywhere across the network, from servers to workstations, smartphones to IoT devices. It’s a known weakness that could be exploited, the door through which the attacker can enter. Common vulnerabilities include data that isn’t backed up, an unsecure cloud configuration, lax standards around data access, and weak or non-existent data recovery plans. Vulnerability scans (/blog/what-is-vulnerability-scanning-and-how-does-it-work/) identify system vulnerabilities, making a security gap easier to address.

A threat is something that can exploit a vulnerability. It is what an organization is defending itself against. A threat can be deliberate, like viruses and malware, or unintended, like lost credentials. Some of the top threats according to Verizon’s Data Breach Investigations Report (DBIR) in 2020 included:

denial of service
phishing (/blog/phishing-attacks-what-is-phishing/)
mis-delivery of documents and email
use of stolen credentials

Broadly, threats can be broken down into four buckets: structured, unstructured, internal, and external. The threat landscape is always in flux so it can be difficult
to know what’s coming. But a strong IT security team can take steps like staying aware of existing and evolving threats, employing good vulnerability
management software, and performing penetration testing based on known threats.

Risk is the possible damage that could happen when a threat exploits a vulnerability. A risk might include:

possible financial loss
data loss or corruption
reputational damage
legal and compliance problems.

Every company should know its risk context, which forms the basis of how to tackle known security vulnerabilities. All organizations face cyber security risks but
understanding the specific risks a company or enterprise is likely to encounter can help prioritize remediation.

A good VM program must understand a specific customer’s risks to find and remediate vulnerabilities, which reduces the possibility of harm from new and
existing threats.

Components of a Vulnerability Management Program

Vulnerability management contains different components. Legacy VM may contain only scanning and detection; risk-based vulnerability management also includes reporting and prioritization, and applies threat context analysis.
Vulnerability Assessment

Vulnerability assessment is a single point-in-time activity, compared to the ongoing nature of VM, that discovers security weaknesses within the operating systems, software and/or hardware elements being assessed. Vulnerability assessments are usually an automated process that may span days or even weeks. Essentially, a given assessment is an engagement that occurs once. An organization that receives the information gleaned from a vulnerability assessment will likely act based on the findings. For example, the organization may correlate the identified vulnerabilities with knowledge of exploit availability, security architecture, and real-world threats. An organization will also likely attempt to remediate some of the identified vulnerabilities and will assign those deemed critical to its IT security staff. Although performing a one-time assessment followed by taking the aforementioned actions are critical activities and are elements of VM, if an organization stops at a one-time assessment and does not perform recurring vulnerability assessments, it’s not really vulnerability management. VM is continuous, repeated instances of vulnerability assessment (https://www.digitaldefense.com/blog/what-is-vulnerability-assessment-2/).
Vulnerability Scanning

Vulnerability scanning scans all internal and external assets, whether on-premise, cloud-based, or hybrid. Scanning provides the information needed to assess the security posture of the devices connected to an organization’s networks across the globe, on an individual IP or enterprise-wide basis. Scans need to include hardware, networks, and applications to be effective. Vulnerability scan types include:

external
internal
authorized
unauthorized
comprehensive
limited

Vulnerability scans are different from penetration tests. Penetration tests (https://www.digitaldefense.com/blog/vulnerability-scanning-vs-penetration-testing/) are designed to actively exploit weaknesses to prove they are exploitable. Vulnerability scanning (https://www.digitaldefense.com/blog/what-is-vulnerability-scanning-and-how-does-it-work/) serves to identify vulnerabilities and create awareness of them so they can be mitigated.
Penetration Testing

Penetration testing, also known as ethical hacking, is another part of comprehensive VM. It’s sometimes confused with vulnerability scanning but differs in a few ways. Scanning is usually automated and broad and detects a wide variety of vulnerabilities. A penetration test, or pen test, is typically a manual test done by a security professional to find and exploit a specific system vulnerability. Together, a vulnerability scan may find vulnerabilities and a pen test determines if a potential vulnerability is truly exploitable and if it could lead to data compromise. Learn more about vulnerability scanning vs. pen testing > (/blog/vulnerability-scanning-vs-penetration-testing/)

Organizations can use pen testing services (https://www.digitaldefense.com/professional-services/penetration-testing) or pen testing software (https://www.coresecurity.com/products/core-impact). Pen testing software suits companies that already have an IT security team in place and need the tools to conduct their own testing. Pen testing services bring in an outside security team to conduct the tests.

Based on these results, companies can examine the financial, resource, and
reputational cost of a potential breach and then plan remediation.
Vulnerability Management Benefits

A thorough and well-executed VM program delivers risk reduction and damage mitigation to organizations of all sizes across the industry spectrum. Additional benefits of vulnerability management include:

Real-time security visibility across all assets
Compliance with security protocols
Speedy remediation
Availability of security program reports
Discovery of priorities for developer education to mitigate future vulnerabilities
Efficient use of personnel resources

Vulnerability Management vs. Risk-Based Vulnerability Management

There’s a big difference between vulnerability management and risk-based vulnerability management (RBVM). Legacy vulnerability management scans and discovers vulnerabilities without adding any risk context or threat prioritization. RBVM scans, discovers, and then applies insight into the severity and threat context of found vulnerabilities and the potential damage they can cause.

Risk-based vulnerability management (/vulnerability-management/risk-based-vulnerability-management/) uses intelligent automation to prioritize an organization’s asset management. It can find critical, exploitable vulnerabilities that are located near sensitive company data and prioritize those weaknesses based on the likelihood of exploitation as well as the company data that can be compromised.

RBVM scans, prioritizes, and generates reports based on each company’s individual network and assets. This customization helps enterprises focus on the vulnerabilities that are an actual threat to them and doesn’t overload IT teams with every potential vulnerability, whether it’s dangerous to them or not.

Read more about risk-based vulnerability management > (https://www.digitaldefense.com/vulnerability-management/risk-based-vulnerability-management/)
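An added worked example of the prioritization difference described above, not code from Digital Defense or from any RBVM product: the same four constructed findings are ranked once by CVSS base score alone (the legacy ordering) and once by a risk score that folds in exploit availability, observed exploitation, internet exposure and whether the asset holds sensitive data. The weights, thresholds, asset names and check ids are assumptions made for the illustration; the check ids are placeholders, not real CVE or plugin identifiers.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    holds_sensitive_data: bool   # customer, payment or other regulated data


@dataclass(frozen=True)
class Finding:
    check_id: str             # constructed placeholder, not a real CVE/plugin id
    asset: Asset
    cvss_base: float          # technical severity only, 0.0-10.0
    exploit_public: bool      # working exploit code is publicly available
    actively_exploited: bool  # threat intel reports in-the-wild exploitation


# Constructed sample findings (assets, ids and scores are made up for the example).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CHECK-DEV-RCE", Asset("dev-test-07", False, False), 9.8, False, False),
    Finding("CHECK-PORTAL-AUTH-BYPASS", Asset("customer-portal", True, True), 7.5, True, True),
    Finding("CHECK-FILESRV-PRIVESC", Asset("hr-fileserver", False, True), 8.8, True, False),
    Finding("CHECK-WWW-XSS", Asset("marketing-site", True, False), 5.3, True, False),
]


def legacy_priority(f: Finding) -> float:
    """Legacy VM: severity alone decides the queue order."""
    return f.cvss_base


def exploit_likelihood(f: Finding) -> float:
    """Assumed weights: a base rate plus bumps for exploit availability,
    observed exploitation and reachability from the internet, capped at 1.0."""
    score = 0.2
    if f.exploit_public:
        score += 0.4
    if f.actively_exploited:
        score += 0.4
    if f.asset.internet_exposed:
        score += 0.2
    return min(score, 1.0)


def business_impact(f: Finding) -> float:
    """Assumed multiplier: findings on assets holding sensitive data count double."""
    return 2.0 if f.asset.holds_sensitive_data else 1.0


def risk_based_priority(f: Finding) -> float:
    """RBVM: severity x likelihood of exploitation x what could be compromised."""
    return round(f.cvss_base * exploit_likelihood(f) * business_impact(f), 2)


def rank(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[Finding]:
    """Highest score first, under whichever scoring model is passed in."""
    return sorted(findings, key=scorer, reverse=True)


def triage_bucket(f: Finding) -> str:
    """Assumed thresholds that keep the 'fix now' queue short."""
    score = risk_based_priority(f)
    if score >= 10.0:
        return "fix now"
    if score >= 4.0:
        return "schedule"
    return "monitor"


if __name__ == "__main__":
    print("legacy order    :", [f.check_id for f in rank(SAMPLE_FINDINGS, legacy_priority)])
    print("risk-based order:", [f.check_id for f in rank(SAMPLE_FINDINGS, risk_based_priority)])
    for f in rank(SAMPLE_FINDINGS, risk_based_priority):
        print(f"{f.check_id:26s} cvss={f.cvss_base:4.1f} "
              f"risk={risk_based_priority(f):5.2f} -> {triage_bucket(f)}")
```

With these inputs the legacy queue puts the CVSS 9.8 item on an isolated test box first, while the risk-based queue moves the CVSS 7.5 item on the internet-facing portal that holds customer data to the top, because it is both being exploited in the wild and sits next to sensitive data. The bucket thresholds are the part a real program tunes to its own risk context; the structure (severity, likelihood, impact) is what the text describes.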

What to Look for in a VM Solution

Each organization has its own unique cybersecurity concerns that need to be taken into consideration when selecting the right vulnerability management solution. Below are a few things you may want to consider during your search.

Deployment

Fast and easy deployment is critical. Look for a solution with a flexible SaaS platform that can be stood up in hours vs. days and scale up or down with your business needs.

Ease of Use

A vulnerability management solution isn’t effective if it’s too complicated to use. The faster and easier a VM solution is implemented and understood (https://www.digitaldefense.com/platform/fortra-vm/), the faster you can begin protecting your business with scanning, monitoring, and reporting on security weaknesses.

Security Gap Coverage

Quality of Support

Regulations and Compliance Standards

Vulnerability Management Solutions from Digital Defense

Fortra Vulnerability Management – The industry’s most comprehensive, accurate, and easy-to-use SaaS vulnerability management solution. Learn More > (https://www.digitaldefense.com/products/fortra-vulnerability-management)
Web Application Scanning – Easy to conduct dynamic testing with accurate assessment results, no matter how often your web apps change. Learn More > (https://www.digitaldefense.com/products/web-application-scanning)
Active Threat Sweep – Quickly and reliably assesses active threats in your network using powerful, patented technology. Learn More > (https://www.digitaldefense.com/products/active-threat-sweep)
Penetration Testing – Proven and exhaustive penetration testing that identifies cyber security weaknesses before they're attacked. Learn More > (https://www.digitaldefense.com/professional-services/penetration-testing)

Browse vulnerability management subscriptions > (https://www.digitaldefense.com/products/subscriptions/)

Featured Resources

Blog – The First Step in Building a Comprehensive Security Program: Vulnerability Management (https://www.digitaldefense.com/blog/vulnerability-management-comprehensive-security/)
Video – Total Vulnerability Management - Securing Both Networks & Applications (https://www.digitaldefense.com/resources/videos/total-vulnerability-management-securing-both-networks-and-applications/)
Guide – The Expanding Role of Vulnerability Management (https://www.digitaldefense.com/resources/guides/expanding-role-of-vulnerability-management/)
Guide – The Comprehensive Vulnerability Management Buyer's Guide (https://www.digitaldefense.com/resources/guides/comprehensive-vulnerability-management-purchasing-guide/)
Copyright © Fortra, LLC and its group of companies. Fortra™, the Fortra™ logos, and other identified marks are proprietary trademarks of Fortra, LLC.