Vulnerability management has served as a foundational capability since the inception of information security. Some foundational components, such as antivirus software, have gone through multiple tangible evolutions with changes in moniker like antivirus, anti-malware and Endpoint Detection and Response.
On the surface, vulnerability management may not seem to have advanced much. Many professionals who log into network vulnerability scanners for the first time in over a decade will find familiar interfaces. And even the vulnerability findings will look familiar if the environment they’re targeting has enough legacy systems unpatched systems (which they often do). This may lead people to believe there is little by the way of innovation in the vulnerability management space.
This perspective is far from the truth. In fact, innovation within vulnerability management is rapid and continuous. So where is innovation happening within vulnerability management?
Automating vulnerability discovery
One of the most apparent areas of vulnerability management innovation is occurring within vulnerability discovery. Enterprises are amid rapid IT transformations along with their digital business transformations, accelerating adoption of containerization and cloud technology. The attentive enterprises see the need to raise their capabilities in finding vulnerabilities or misconfigurations that are emerging within these newly adopted environments. The result has been a flood of new technologies such as those capable of navigating containers and cloud environments in order to assess configurations and implementations for issues.
"The combination of innovations that assist businesses in discovering more vulnerabilities and advancements in technologies that assist businesses in addressing vulnerabilities offers hope in the attempt to manage vulnerability risk"
This highlights probably the most natural environment of innovation within vulnerability management. New technologies often require new methods for vulnerability discovery. This area of innovation is largely rapid because it is highly contested. Enterprises that fail to maintain pace with the required innovation to discover vulnerabilities in new technologies will often find that malicious attackers are eager to capitalize on their lack of understanding and adoption.
This is not the only arena where vulnerability discovery is occurring however. Rather, Innovation within vulnerability discovery can be seen in how vulnerabilities are found in addition to where they are found.
Innovations in vulnerability discovery throughout DevSecOps processes are assisting enterprises in finding vulnerabilities in ways. For example, offline application scanning, such as analyzing code within repositories for the determination of vulnerabilities has also seen significant innovation. New solutions analyze code within repositories to determine if application code is leveraging vulnerable libraries or methodologies. Automation makes the bug hunting quicker and at scale. This has allowed businesses to determine what code requires an update even if developers are not currently working on the code, or worse yet, when the code becomes legacy and is not being maintained.
Translating vulnerabilities into risks to help business execs prioritize
While these advancements have allowed businesses to rapidly discover new vulnerabilities within new technologies as well as to discover vulnerabilities in new ways, the increased number of vulnerabilities found can make prioritization difficult. As a result, making a determination of the risk individual vulnerabilities have can be a cumbersome and difficult process. When combined with the continuous influx of new vulnerabilities types found in the wild, achieving acceptable vulnerability risk levels can be a constantly moving target, if not a seemingly insurmountable task.
In order to address this challenge, most enterprises have adopted models where vulnerability management responsibilities and particularly remediation responsibilities are shared across multiple stakeholders. The vulnerability findings therefore are important to several stakeholders in the organization who have to make decisions or direct their teams to take action.
Advancements in IT Service Management (ITSM) have helped bring businesses closer to the goal of having automated vulnerability management processes. As a result, ITSM vendors have incorporated features specifically targeted at assisting in the resolution of challenges associated with communication of tasks, and tracking of activity.
The increased depth with which ITSM tools can support vulnerability management operations is evolving quickly. However, the ability to convert tasks into risk understanding is often still a difficult task for enterprises leveraging ITSM alone. As a result there have been several innovations that have increased the maturity of vulnerability prioritization tools which seek to unify risk understanding of individual vulnerabilities despite the method or technology layer with which vulnerabilities were found.
Vulnerability prioritization technologies have made large leaps forward in interoperability, and in the universal scoring of vulnerabilities in order to assist businesses in understanding vulnerabilities within their individual context. These innovations assist businesses in honing their processes to address vulnerabilities in a manner that is meaningful to risk.
Outlook on the Future
The combination of innovations that assist businesses in discovering more vulnerabilities and advancements in technologies that assist businesses in addressing vulnerabilities offers hope in the attempt to manage vulnerability risk. The value in these innovations lies within how they are adopted.
As news of the latest breaches push organizations to ask questions about whether they are vulnerable to similar attack vectors, these technologies could certainly assist in addressing their questions in an efficient manner. In tandem, however, businesses should determine how these technologies could be leveraged in a continuous manner.