Key Takeaways
- Continuous scanning is essential
- Risk-based prioritization over CVSS alone
- Mean time to remediate is key metric
- Asset inventory is the foundation
1. Vulnerability Management Fundamentals
Vulnerability management is the ongoing process of identifying, classifying, remediating, and mitigating security vulnerabilities. It's proactive defense—finding and fixing weaknesses before attackers do.
2. VM Lifecycle
Continuous Cycle
- Asset Discovery: Know what you have
- Vulnerability Scanning: Identify weaknesses
- Prioritization: Risk-based ranking
- Remediation: Patch, mitigate, accept
- Verification: Confirm fixes
- Reporting: Track progress, communicate
3. Scanning Tools & Techniques
```bash
# Network vulnerability scanners
# - Nessus (industry standard)
# - OpenVAS/Greenbone (open-source)
# - Qualys (cloud-based)
# - Rapid7 InsightVM

# Web application scanners
# - OWASP ZAP
# - Burp Suite Pro
# - Acunetix
# - Nuclei (template-based)

# Authenticated vs unauthenticated scans
# Authenticated:   more accurate, sees local vulns (missing patches, weak configs)
# Unauthenticated: sees only what an outside attacker sees

# Nuclei example
nuclei -u https://target.com -t cves/
nuclei -l targets.txt -t technologies/
```
4. Risk-Based Prioritization
```bash
# Don't rely on CVSS alone!
# Factors for prioritization:

# 1. Exploitability
# - Is there public exploit code?
# - Is it being exploited in the wild?
# - Is it listed in the CISA KEV catalog?

# 2. Asset criticality
# - Crown jewels > workstations
# - Internet-facing > internal
# - Production > dev

# 3. Business context
# - Compliance requirements
# - Do compensating controls exist?
# - Downtime impact of the fix

# Risk = Likelihood × Impact
```
CVSS Score Interpretation
| Score | Severity | SLA |
|---|---|---|
| 9.0-10.0 | Critical | 24-72 hours |
| 7.0-8.9 | High | 7-14 days |
| 4.0-6.9 | Medium | 30-60 days |
| 0.1-3.9 | Low | 90+ days |
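The scoring below is an added example, not part of the original page: it turns the three prioritization factors above (exploitability, asset criticality, business context) into a `Risk = Likelihood × Impact` number and derives the remediation due date from the CVSS/SLA table. The weights, the placeholder vulnerability IDs, the sample findings and the rule that a KEV-listed finding always gets the Critical window are assumptions for illustration. The point it makes is the one the section makes: the finding with the highest CVSS score (9.8, on a dev box) ends up last in the queue.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the CVSS table above; the upper bound of each
# window is used as the due date.
SLA_DAYS = {"Critical": 3, "High": 14, "Medium": 60, "Low": 90}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the severity band used in the SLA table."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    vuln_id: str                        # placeholder IDs, not real CVEs
    asset: str
    cvss: float
    in_kev: bool = False                # listed in CISA KEV (exploited in the wild)
    public_exploit: bool = False        # public exploit code exists
    internet_facing: bool = False
    criticality: int = 1                # 1 = workstation ... 3 = crown jewel
    production: bool = True
    compensating_control: bool = False  # e.g. WAF rule or firewall block already in place


def likelihood(f: Finding) -> float:
    """Exploit likelihood in [0, 1]: CVSS as the baseline, adjusted by exploit
    evidence, exposure and compensating controls. Weights are assumptions."""
    value = f.cvss / 10.0
    if f.in_kev:
        value += 0.4          # confirmed in-the-wild exploitation outweighs PoC code
    elif f.public_exploit:
        value += 0.2
    if f.internet_facing:
        value += 0.2
    if f.compensating_control:
        value -= 0.3
    return max(0.0, min(value, 1.0))


def impact(f: Finding) -> float:
    """Impact in [0, 1] from asset criticality; non-production counts half."""
    value = f.criticality / 3.0
    if not f.production:
        value *= 0.5
    return value


def risk_score(f: Finding) -> float:
    """Risk = Likelihood × Impact, scaled to a 0-10 range for readability."""
    return round(likelihood(f) * impact(f) * 10, 1)


def effective_severity(f: Finding) -> str:
    # Assumption: anything in KEV is treated as Critical regardless of CVSS.
    return "Critical" if f.in_kev else cvss_severity(f.cvss)


def due_date(f: Finding, discovered: date) -> date:
    return discovered + timedelta(days=SLA_DAYS[effective_severity(f)])


def prioritize(findings):
    """Return findings ordered by risk score, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (not real scan output).
FINDINGS = [
    Finding("VULN-A", "payments-api", 7.5, in_kev=True, public_exploit=True,
            internet_facing=True, criticality=3),
    Finding("VULN-B", "dev-wiki", 9.8, criticality=1, production=False),
    Finding("VULN-C", "hr-db", 6.5, public_exploit=True, criticality=3,
            compensating_control=True),
]
DISCOVERED = date(2024, 1, 10)  # constructed discovery date

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.vuln_id:8} {f.asset:14} cvss={f.cvss:<4} risk={risk_score(f):<5} "
              f"{effective_severity(f):8} due={due_date(f, DISCOVERED)}")
```

Run it and VULN-A (CVSS 7.5, in KEV, internet-facing crown jewel) scores 10.0 and is due in three days, VULN-C (CVSS 6.5, public exploit, but behind a compensating control) scores 5.5, and VULN-B (CVSS 9.8 on a non-production wiki) scores 1.6. Tune the weights to your environment; the structure (evidence of exploitation and exposure driving likelihood, asset context driving impact) is what matters.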
5. Remediation Strategies
- Patch: Apply vendor fix (preferred)
- Mitigate: Compensating control (firewall, WAF)
- Accept: Document risk acceptance
- Transfer: Insurance, contractual
6. Patch Management
```bash
# Patch management process:
# 1. Identify patches released
# 2. Assess relevance and risk
# 3. Test in staging environment
# 4. Deploy to production (phased)
# 5. Verify successful installation
# 6. Document

# Windows patching
# - WSUS/SCCM/Intune
# - Patch Tuesday (2nd Tuesday of the month)

# Linux patching
apt update && apt upgrade   # Debian/Ubuntu
yum update                  # RHEL/CentOS

# Automate where possible,
# but test critical patches first
```
7. Key Metrics & KPIs
- MTTR: Mean Time to Remediate
- Coverage: % assets scanned
- Scan frequency: How often scanned
- Vulnerability density: Vulns per asset
- Age of vulnerabilities: How long open
- SLA compliance: % fixed within target
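To show how the metrics above are actually computed from tracking data, here is an added example (not from the original page) that derives MTTR per severity, SLA compliance, open findings past their SLA, scan coverage, open-vulnerability density and oldest open age from a small set of constructed records. The SLA windows reuse the upper bounds from the CVSS table in section 4; the record format, asset names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Upper bound of each SLA window from the CVSS table in section 4.
SLA_DAYS = {"Critical": 3, "High": 14, "Medium": 60, "Low": 90}


@dataclass
class VulnRecord:
    asset: str
    severity: str
    opened: date
    closed: Optional[date] = None   # None while the finding is still open

    def days_open(self, today: date) -> int:
        """Days from discovery to remediation, or to today if still open."""
        return ((self.closed or today) - self.opened).days

    def within_sla(self, today: date) -> bool:
        return self.days_open(today) <= SLA_DAYS[self.severity]


def vm_metrics(records, inventory, scanned, today):
    """Compute the program KPIs from the list above.

    records:   VulnRecord list (ticketing/scanner export)
    inventory: set of all asset names from the asset inventory
    scanned:   set of asset names covered by the last scan cycle
    """
    closed = [r for r in records if r.closed]
    still_open = [r for r in records if not r.closed]

    # MTTR: mean days to remediate, per severity, over closed findings only.
    mttr = {}
    for sev in SLA_DAYS:
        days = [r.days_open(today) for r in closed if r.severity == sev]
        if days:
            mttr[sev] = round(mean(days), 1)

    fixed_in_sla = sum(1 for r in closed if r.within_sla(today))
    return {
        "mttr_days": mttr,
        # % fixed within target, over findings that have been closed
        "sla_compliance_pct": round(100 * fixed_in_sla / len(closed), 1) if closed else None,
        # open findings that have already blown their window: the escalation list
        "open_past_sla": [r.asset for r in still_open if not r.within_sla(today)],
        "coverage_pct": round(100 * len(scanned & inventory) / len(inventory), 1),
        # vulnerability density: open findings per scanned asset
        "open_vuln_density": round(len(still_open) / len(scanned), 2) if scanned else None,
        "oldest_open_days": max((r.days_open(today) for r in still_open), default=0),
    }


# Constructed sample data (not real tracking records).
TODAY = date(2024, 3, 1)
RECORDS = [
    VulnRecord("web-01", "Critical", date(2024, 2, 1), date(2024, 2, 3)),   # 2 days, in SLA
    VulnRecord("web-02", "Critical", date(2024, 2, 1), date(2024, 2, 10)),  # 9 days, breached
    VulnRecord("db-01", "High", date(2024, 2, 5), date(2024, 2, 15)),       # 10 days, in SLA
    VulnRecord("db-01", "Medium", date(2024, 1, 15)),                       # open 46 days, in window
    VulnRecord("ws-07", "Low", date(2023, 11, 1)),                          # open 121 days, breached
]
INVENTORY = {"web-01", "web-02", "db-01", "ws-07", "ws-08", "ws-09"}
SCANNED = {"web-01", "web-02", "db-01", "ws-07"}

if __name__ == "__main__":
    for name, value in vm_metrics(RECORDS, INVENTORY, SCANNED, TODAY).items():
        print(f"{name:20} {value}")
```

With this data MTTR is 5.5 days for Critical and 10 for High, SLA compliance is 66.7% (two of three closed findings fixed in time), `ws-07` is flagged as open past its 90-day window, coverage is 66.7% because two inventoried workstations were never scanned, and the oldest open finding is 121 days old. The coverage number is the one to watch first: findings on unscanned assets never appear in any of the other metrics.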
8. Building a VM Program
- ✅ Complete asset inventory
- ✅ Regular scanning schedule (weekly minimum)
- ✅ Defined SLAs by severity
- ✅ Clear ownership and accountability
- ✅ Integration with ticketing/ITSM
- ✅ Executive reporting and dashboards
- ✅ Exception and risk acceptance process
FAQ
How often should we scan?
Internet-facing assets: weekly or continuous. Internal systems: weekly to monthly. New assets: immediately on deployment.