Vulnerability Management, Taking a Wide View

VM should be about so much more than just CVEs

Andrew Scott
Ochrona Security


What is Vulnerability Management?

We’ll start at the beginning. According to ISO 27002, a vulnerability is

A weakness of an asset or group of assets that can be exploited by one or more threats.

The SANS Institute goes on to summarize Vulnerability Management as

… the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization.

In security, our primary measure is “risk”, and our mandate is to understand, lessen, and control that risk. If you remember back to your ISC2 studies, risk is the outcome of combining threats and vulnerabilities, where a threat is anything that can exploit a vulnerability to cause damage to an asset.

Risk = Threat * Vulnerability

So with some of the tomes of the industry weighing in with such broad strokes, why does it often feel like modern implementations of vulnerability management tools are so narrowly focused on vulnerability scanners, IP addresses…
