What is vulnerability management?
Matthew de Klerk
on 12 December 2024
Today, computers are more sophisticated, interconnected and complex than ever. This means they’re more capable than ever – but it also comes with a downside: that their attack surface is larger than ever, leading to an elevated risk of cyber incidents. Therefore, your approach to managing vulnerabilities needs to be holistic and prepare for all the ways in which vulnerabilities could cause damage to users, systems or your organization’s operations and reputation. In short, you need a vulnerability management plan.
The first step in any good plan is good intel. In this blog, we’ll define vulnerability management and explore the approaches, considerations and functions a good vulnerability management program must have to effectively secure and maintain open source software. We’ll also give an overview of industry-standard frameworks and best practices you can draw from to optimize your vulnerability management processes, before demonstrating how Canonical’s solutions, like Ubuntu Pro and our secure container offering, offer a powerful toolkit for effective vulnerability management .
What is vulnerability management?
Vulnerability management is the holistic process of identifying and handling security risks in an organization’s networks, systems and devices. Vulnerability management serves an overarching strategy that describes and outlines the many individual efforts and steps taken to reduce cyber incident risk to acceptable levels and improve overall organizational cybersecurity posture (for example, asset inventory, vulnerability intelligence, patch management, bug fixes, vulnerability monitoring, mitigation through hardening, and so forth).
Considerations and challenges for vulnerability management
Designing a good vulnerability management plan isn’t easy, as it often involves complex systems and trying to create a set of uniform principles across very different teams and departments. Then there’s your software, which can contain hundreds of packages, each with their own dependencies and vendor sources. Here’s a few challenges and considerations that you need to think about in order to get your vulnerability management right.
A lack of staffing and other resources
The first and most important barrier to good vulnerability management has nothing to do with software or systems, but about the people who do it and the resources they have access to.
Security operations teams are often understaffed and under-resourced, with hiring demand currently greatly exceeding the supply and frequent training required to keep knowledge up-to-date. In fact, 41% of companies have zero skills to maintain open source deployments. The technology stack in an organization often comprises a wide range of technologies and languages, which makes it even harder to find employees with expertise that covers all its essential elements.
The complexity of your software stack
You don’t get secure software stacks by just securing its constituent parts. As more technologies, tools, systems and applications connect, interact and communicate, your overall attack surface and likelihood of vulnerabilities increase. Therefore your chosen path for vulnerability management needs to think holistically, and secure the larger synthesized whole and the bridges or connections between parts, as well as the discrete pieces.
Dependencies and nested dependencies
Dependencies are difficult to keep track of, especially when system complexity introduces dependencies within dependencies. This is important to vulnerability management, because developers might not even be aware that these buried dependencies exist, let alone that they’re outdated and in need of patching. In such cases, every dependency increases your overall attack surface, and presents potential vectors for exploitable flaws. In 2023, an OSSRA report found that of 1,500 codebases analyzed, 91% contained outdated open source components, and 88% contained at least one vulnerability, of which 48% were high-risk vulnerabilities.
The varied origins of security failures
A common flaw in approaches to vulnerability management is considering only the CVEs or patching process. However, the failure points of software and systems go beyond just CVEs. These include things like insecure configuration, bad setup and deployment of systems, and plain old human error.
Successful vulnerability management should look beyond CVE discovery and patching to consider other factors in the failure chain of software. For example, vulnerability management should:
- Involve all relevant stakeholders in the development of a vulnerability management policy, and share the knowledge of vulnerability management practices with all involved parties
- Integrate regulatory and industry compliance requirements
- Reduce the potential for human error with sufficient training, checks and validation
- Reduce human error by automating manual, repetitive, labor- or time-intensive tasks, and work that has a history of vulnerability to human error
- Reduce slow remediation times by creating clear and robust channels for communication
- Respond in a timely manner to any vulnerabilities that surface, proportionately to the risks they introduce
- Ensure consistency with other relevant security policies, standards or procedures, such as the patch management policy, configuration management policy, security assessment policy, etc.
The only secure approach to vulnerability management is a holistic approach that follows an established, comprehensive security framework to cover all aspects of security and compliance.
What does vulnerability management involve?
Vulnerability management usually encompasses numerous steps, phases, tools and programs under its wide umbrella. These can include:
Discovery and inventory of IT assets
In order to address vulnerabilities, you need to know what you’re working with and what devices, system, networks, hardware and software you need to secure against vulnerabilities. Discovering and inventorying all of your IT assets is a fundamental part in defining your vulnerability management plans, policies and scope. Equally important is ensuring that these devices are properly configured, and monitored continuously so that you can detect unknown devices or shadow IT systems.
Security configuration management
Ensuring that all of your IT assets are configured properly with adequate security protocols and parameters is vital. Your vulnerability management plan must work in synergy with your configuration management processes, allowing you to easily configure, monitor and report on the security settings of all the devices or users in your organization.
Asset classification
Different systems require special handling, depending on regulatory requirements or the criticality of data they process. For example, PCI DSS only considers systems that process cardholder data in scope, while privacy regulations, like GDPR, define special for the handling of sensitive data.
Risk management and triage of vulnerabilities
It is very important that your vulnerability management plan helps you to categorize and triage vulnerabilities. You should adopt a framework that allows you to group and label vulnerabilities by factors like likelihood, potential fallout or disruption. One example of such a framework might be the Common Vulnerability Scoring System (CVSS), which categorizes vulnerabilities by their seriousness and characteristics. Adopting a framework and having a process for vulnerability triage is very important, as it allows you to have a protocol in place for balancing your available resources with your risk appetite, and address risks on a timely basis that fits your operations and system needs.
Discovery and detection of CVEs
Discovering what vulnerabilities your IT assets have is the next step. A good vulnerability management plan includes tools and processes that continuously assess systems for CVEs, outdated packages, misconfigurations or other risks.
Vulnerability intelligence, CVE database access and awareness of known vulnerabilities
New threats, risks and vulnerabilities are being discovered every second. In order to respond proactively to these vulnerabilities, you need to be aware of them and prioritize them according to their seriousness. It is therefore vital that your vulnerability management tools and procedures subscribe to or track exploit databases, security notices, threat advisories and other vulnerability tracking knowledge repositories, so that you can plan and react accordingly to mitigate the risks of cyber incidents.
Prioritization and remediation of vulnerabilities
Not all vulnerabilities are created equal, and not all need to be patched (or are feasible to patch). Knowing how to prioritize threats and risk probabilities within your available resources is a fundamental part of vulnerability management. Remediation must prioritize the most serious cyber incident risks, and outline steps to address them.
The Known Exploited Vulnerabilities Catalog (KEV), for instance, is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a reference to help organizations better manage and prioritize vulnerabilities and keep pace with threat activity. Read more about how the Ubuntu Security Team prioritizes vulnerabilities in the KEV.
Security updates, bug fixes, and patch management
When vulnerabilities are discovered in the software, hardware or systems you use, patches are typically issued by the vendors or companies who make and maintain that product. Good vulnerability management relies on being able to check for these updates and patches regularly, and distribute fixes to all devices or systems across your organization.
Assessment and continuous improvement
A vulnerability management plan isn’t just about the plan itself: it’s also about its feedback loop and continuous improvement. You should take steps to ensure that your vulnerability plan undergoes regular assessment and evaluation, to gauge how well it is working and to incorporate successes, failures and lessons learned into its core design. A good vulnerability plan deals with vulnerabilities; a great learns and adapts to the changing threats landscape over time.
Best practices for vulnerability management
Great vulnerability management comes down to risk management and strong, practical decision making. Let’s examine the best practices that you should consider adopting in your vulnerability management plan.
Reduce human error through automation
Human error was involved in 74% of all data breaches last year, either via error, privilege misuse, use of stolen credentials or social engineering (2023 Data Breach Investigations Report by Verizon). Automation is key to preventing human error. It can help increase security through automating and scaling configuration, patching and hardening processes, and it also reduces the number of tedious and repetitive tasks that are susceptible to error.
Secure the full stack, not isolated blocks
All new infrastructure needs to coexist and integrate with a lot of other systems, some of which may be outdated. Cybersecurity posture is improved when the infrastructure architecture is designed to isolate elements in your technology stack through segmentation and confinement. Strict confinement ensures that the application is isolated and cannot access or modify critical system resources without explicit permission. Often, companies’ security operations tend to focus only on the applications at the top of the stack. But the best practice is always to include the effects of dependency chains into your security considerations when testing and implementing new software.
Prevention through secure configuration
System configurations are sometimes a trade-off between usability, performance and security. Industry recommendations like the CIS Benchmarks or DISA STIG provide hundreds of configuration recommendations to increase the security posture of software deployments and lock systems down. However, the sheer number of configuration steps makes manually hardening and auditing a Linux system a tedious and error-prone process. Therefore, to run regulated and high-security workloads and allow easy audits, it is advisable to use trusted automation tools that can conform to the chosen cybersecurity and compliance frameworks. A good example is the Ubuntu Security Guide, which streamlines the configuration process and satisfies requirements for hardening and compliance profiles.
Supporting your plan with the right tools
To implement a vulnerability management plan , you’ll need a powerful stack of tools, software and technologies to deliver it. As a minimum, your vulnerability management plan should include patch testing, automated patch deployment, vulnerability monitoring and discovery, automated rollbacks and failovers, certified and authenticated packages, detailed event monitoring, and the ability to manage device and system security at scale.
Canonical’s approach to system cybersecurity and vulnerability management is to provide a stack of tools with high interoperability that deliver security patches and vulnerability metadata offering a robust foundation for open source development.
How an Ubuntu Pro subscription complements your vulnerability management processes
Ubuntu Pro is Canonical’s enterprise support subscription for security, support and compliance. Simply put, it’s an extra layer of services on top of every Ubuntu LTS (Desktop and Server) that ensures the open source you use is maintained, secured and tested, wherever it’s deployed. Let’s break down how Ubuntu Pro can help you simplify vulnerability management.
Simplified vulnerability management
Ubuntu Pro provides security coverage for Ubuntu and the open source packages in Ubuntu’s Main and Universe repositories for up to 10 years, providing a trusted source for your developers to pull software from. This includes vulnerability management for up to 36,000 packages, including popular open source toolchains like Python, Go, PHP and others.
Compliance and hardening
Ubuntu Pro also provides FIPS-validated packages and support for many security profiles, including CIS Benchmarks, and DISA STIG. This subscription comes with the Ubuntu Security Guide, which applies your CIS Benchmarks and DISA STIG baselines and generates audit reports. It is available on-premise or ready-built on public clouds.
Read more about our compliance automation solutions.
Systems management and patching automation
Landscape (included in an Ubuntu Pro subscription) is a systems management tool that allows you to manage and monitor all critical security and compliance requirements on your Ubuntu-based systems. Landscape features a high degree of customizability and custom scripting, allowing you to create your own software repositories for updates that have additional requirements or restrictions, make fine-tuned adjustments for specific needs, or even extend and customize Landscape itself via its API.
Landscape is a one-portal platform that lets you simplify package management, system auditing, access management and compliance. Through Landscape, you can gain insights about your entire Ubuntu estate, anywhere, through a single pane of glass, and remotely update and customize systems as needed.
Explore how Landscape makes it easy to deploy, configure and manage systems and updates at scale by visiting our Landscape page.
Livepatch is another tool included in Ubuntu Pro which allows you to patch and fix high and critical CVEs in the kernel automatically, without requiring a system reboot. Livepatch further reduces downtime and disruption to operations by eliminating or significantly reducing the need for planned reboots. Livepatch also takes the manual efforts out of critical security by periodically applying available patches without the need for user input.
Find out more about how Livepatch enables restartless protection right at the core of your systems by visiting our Livepatch page.
Get security maintenance for any package, even outside of Ubuntu
Of course, many of the vulnerabilities enterprises encounter these days are found in containers and the dependencies within them. Canonical also builds distroless Docker images to customer spec that include upstream components not packaged in Ubuntu, and fix critical CVEs within 24 hours, supported on RHEL, Ubuntu, VMware or public cloud Kubernetes for 12 years.
As part of the container design and build service, Canonical will analyze your app dependency tree, identify open source components not yet covered in Ubuntu Pro, bring those under CVE maintenance, and create a container image which may at your option be minimal, containing the smallest possible attack surface for added security benefits (or chiseled as we like to call it).
Conclusion
In short, vulnerability management is a vital foundation for any cybersecurity program and critical to an organization’s overall security posture. It looks beyond simple case-by-case and need-by-need security tooling to serve as a wider umbrella for all parts of your cybersecurity, from building the systems and keeping them robust against new exploits, to defining processes, policy and communications for cyber incidents as well as the how-to for remediation and restoring systems after an incident.
Find out how you can secure your open source supply chain with Canonical
White papers and more security resources
Talk to us today
Interested in running Ubuntu in your organisation?
Newsletter signup
Related posts
How Ubuntu keeps you secure with KEV prioritisation
The Known Exploited Vulnerabilities Catalog (KEV) is a database published by the US Cybersecurity and Infrastructure Security Agency (CISA) that serves as a...
Meet Cyber Essentials requirements with Ubuntu Pro
Cyber Essentials is an increasingly important security standard within the UK that allows organisations to demonstrate to their customers that they operate...
What is patching automation?
In software, patches are updates that are designed to overcome problems, flaws or vulnerabilities in the programming. Patch management is the process of...