

In 2017 the Equifax data breach impacted 143 million US consumers. Attackers were able to exploit a vulnerability in the Apache Struts web application framework (CVE-2017-5638), even though a patch for it had been available two months before they compromised Equifax's site. More recently, on March 2, 2021, Microsoft released patches for a series of critical vulnerabilities in the Microsoft Exchange email server. Two weeks later, it was estimated that between 30,000 and 60,000 organizations had been hacked, and the frequency of exploitation attacks was increasing as tens of thousands of servers remained unpatched.

What Is Vulnerability Management?

Vulnerability management is the process by which an organization identifies, evaluates, treats, and reports security vulnerabilities in its software and systems. It’s crucial to understand the vulnerabilities your organization may be exposed to and to be ready to manage them in order to protect your data and information. Good vulnerability management means staying actively engaged with your software and systems to ensure everything is protected.

Why Does Vulnerability Management Matter?

Hackers are always looking for new opportunities to break into systems and software and exploit your data. A vulnerability management framework is critical to ensuring your organization is protected against these hackers. Regularly checking for breaches, updating to new patches, and establishing processes will help your organization avoid problems.

3 Keys to Vulnerability Management

  1. Patch management. One of the foundations of good vulnerability management is proactive patch management, and a good patch management program is built upon a strong operational change management process. Several factors lead to good patch management:

     - On the second Tuesday of each month, Microsoft, Oracle, and Adobe release patches. Every organization utilizing Microsoft products should have standard operating procedures for the timely deployment of Microsoft patches.

     - Utilize technology such as Microsoft SCCM or Intune to automate the deployment of patches to servers and endpoints. Third-party software such as IBM BigFix is also very good.

     - Minimize operational risk by deploying patches first to a well-defined “pilot group” of workstations and servers, to ensure there are no unexpected impacts from the patches. The object is to quickly identify and resolve any software compatibility problems before deploying to the rest of the organization. Ideally, patches can be deployed to the “pilot” groups within 3 days of their availability, and rollout to the rest of the organization can then begin within 7-14 days of patch availability.

     - Pay attention to “out of band” patch announcements. If Microsoft sends out a patch outside of the normal “Patch Tuesday” schedule, this is an indication that the associated risk is very high, and patching should generally be accelerated if there are no significant mitigating controls in place.

     - OS patching is the critical first step, but in many cases non-OS application software can also be vulnerable to targeted attacks. In some organizations, the responsibility for OS patches is well-defined within the IT infrastructure organization. However, responsibility for non-OS patching will often not be as well defined, which can lead to serious vulnerabilities.

  2. Proactively scan your environment. In addition to good patch management, organizations need to proactively scan their environments for the existence of software vulnerabilities. Vulnerability scanning tools such as Tenable Nessus, Rapid7 InsightVM, or Qualys are very good options for vulnerability scanning platforms. Vulnerability scanning should be conducted at least monthly, but weekly scanning is preferred.

     - Externally facing applications and services are at the highest potential risk, but fortunately these are also the easiest to assess and monitor with cloud-based vulnerability assessment tools and services.

     - Scanning of on-prem, internal assets can be done with either on-premise scanning infrastructure or cloud-based tools and services.

     - In addition to scanning the IT infrastructure, it may also be necessary to scan web-based applications for vulnerabilities. IBM AppScan or Rapid7 InsightAppSec are excellent options. Web-based applications should be scanned for vulnerabilities any time there is an update to the application code.

  3. Prioritize problems. After identifying vulnerabilities through scanning, you will need to prioritize the remediation of identified vulnerabilities based on 4 factors:

     - Vulnerability severity rating (based on the Common Vulnerability Scoring System, CVSS). Start by targeting CVSS level 9 and 10 vulnerabilities.

     - Threat intelligence, which can highlight vulnerabilities that are actively targeted by current attack campaigns.

     - Asset criticality to business operations. This includes systems that support critical business processes or store highly confidential information. Note that scheduling a maintenance outage of critical business systems will often require negotiation with business leadership.

     - Availability of other mitigating controls, which can reduce the risk of the vulnerability being exploited. For example, legacy systems that are not patchable because the OS or application is aged beyond vendor support can sometimes be isolated on protected network segments to reduce the likelihood of their vulnerabilities being exploited.
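As an added illustration (not code from the original article), here is a small Python triage routine that ranks constructed scan findings by the four prioritization factors just listed; the scoring weights, field names and sample hosts are assumptions chosen for demonstration, not a published standard.

```python
from dataclasses import dataclass, field
from typing import List

# Illustrative weights (assumed for this example); tune to your own risk appetite.
CRITICALITY_WEIGHT = {"critical": 1.5, "high": 1.2, "standard": 1.0}
EXPLOITED_BONUS = 3.0       # threat intel says the CVE is used in active campaigns
MITIGATION_DISCOUNT = 2.0   # per compensating control (e.g. isolated network segment)


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float                          # severity score reported by the scanner
    asset_criticality: str = "standard"  # business importance of the host
    actively_exploited: bool = False     # flag derived from a threat intel feed
    mitigations: List[str] = field(default_factory=list)


def priority_score(f: Finding) -> float:
    """Combine severity, threat intel, asset criticality and mitigating controls
    into one ranking score; higher means remediate sooner."""
    if f.asset_criticality not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown asset criticality: {f.asset_criticality!r}")
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.actively_exploited:
        score += EXPLOITED_BONUS
    score -= MITIGATION_DISCOUNT * len(f.mitigations)
    return max(score, 0.0)  # controls reduce risk, but never below zero


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return findings in remediation order (ties broken by host name)."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.host))


# Constructed sample scanner output; hosts and the CVE-EXAMPLE ids are placeholders.
SAMPLE = [
    Finding("web-01", "CVE-2017-5638", 10.0, "critical", actively_exploited=True),
    Finding("legacy-erp", "CVE-EXAMPLE-0001", 9.8, "critical",
            mitigations=["isolated network segment", "no internet egress"]),
    Finding("hr-app", "CVE-EXAMPLE-0002", 7.5, "high", actively_exploited=True),
    Finding("kiosk-07", "CVE-EXAMPLE-0003", 8.1, "standard"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):5.1f}  {f.host:<12} {f.cve}")
```

Note how the isolated legacy system drops below an actively exploited CVSS 7.5 finding: raw severity alone would have ordered them the other way.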

Vulnerability Management is a fundamental security control that requires proactive operational discipline, and it is easy to let this slip in favor of other pressing priorities of the day. Even though it may seem tedious or may usually result in no action being needed, missing a vulnerability could result in a huge problem for your organization. Vulnerability management is like brushing your teeth—it is key to preventing a larger problem down the line.

For more information, or to request a security program assessment or services, contact