Why Vulnerability Management Starts with Knowing Your Assets
In the broadest sense, “Asset Management” means managing the complete life-cycle of every corporate asset, from procurement to safe disposal. Effective Asset Management ensures that every expense fits both corporate goals and security standards, including guidelines and policies related to Vulnerability Management, such as how vulnerabilities are prioritized and resolved.
Both theory and practice show that a complete inventory of hardware and software, one that includes information about how assets interact with each other, is essential to managing both assets and vulnerabilities. As APMG International puts it, “you can’t defend what you don’t know you have.”
Why Asset Management is a Crucial Part of Vulnerability Management
To see how Asset Management, or more precisely, complete knowledge of assets and their connections to other entities, can make a difference to Vulnerability Management, consider the opposite scenario: Imagine an enterprise-sized company whose Asset Management program consists solely of knowing how many licenses and parts it has. Imagine that their security team then discovers a software vulnerability and patches it using Chef.
This would be just fine, except that Chef is not installed on all of the affected assets — and this is not noted in the company’s Asset Management data. As a result, IT reports that it patched “everything” using Chef, but in reality, an unknown number of assets are still vulnerable because the patch was never installed on them. Without this kind of information about how elements of its network interact, a company cannot create an effective vulnerability management program.
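The gap in the scenario above can be found by reconciling three lists: the asset inventory, the nodes the deployment tool actually manages, and the hosts a scanner reports as affected. The following is an added example, not code from the original article or from Chef; the function names, data layout and hostnames are assumptions, and the sample data is constructed.

```python
"""Added example: reconcile inventory, patch-tool coverage and scanner findings."""

def norm(host: str) -> str:
    """Lower-cased short name, so 'WEB01.corp.example' matches 'web01'.
    Assumption: short names are unique across the estate."""
    return host.strip().lower().split(".")[0]

def coverage_gaps(inventory, managed_nodes, vulnerable_hosts):
    """Classify each affected host by whether the patch run could reach it.

    inventory        -- dicts with 'host' and 'owner' (asset-management records)
    managed_nodes    -- node names registered with the deployment tool
    vulnerable_hosts -- hosts a scanner reported as affected
    """
    known = {norm(a["host"]): a for a in inventory}
    managed = {norm(n) for n in managed_nodes}
    result = {"patchable": [], "unmanaged": [], "not_in_inventory": []}
    for host in sorted({norm(h) for h in vulnerable_hosts}):
        if host not in known:
            result["not_in_inventory"].append(host)   # scanner saw it, inventory did not
        elif host in managed:
            result["patchable"].append(host)          # the patch run reaches it
        else:
            # In the inventory but not managed: "patched everything" misses it.
            result["unmanaged"].append((host, known[host]["owner"]))
    return result

# Constructed sample data (hostnames, owners and node names are made up).
INVENTORY = [
    {"host": "web01.corp.example", "owner": "ecommerce"},
    {"host": "web02.corp.example", "owner": "ecommerce"},
    {"host": "db01.corp.example", "owner": "data"},
    {"host": "legacy-erp.corp.example", "owner": "finance"},
]
MANAGED_NODES = ["web01", "WEB02.corp.example", "db01"]  # exported from the deployment tool
VULNERABLE = ["web01.corp.example", "db01", "LEGACY-ERP", "build-agent-7"]

if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, MANAGED_NODES, VULNERABLE)
    total = sum(len(v) for v in gaps.values())
    print(f"patch run reaches {len(gaps['patchable'])} of {total} affected hosts")
    for host, owner in gaps["unmanaged"]:
        print(f"  unmanaged: {host} (owner: {owner})")
    for host in gaps["not_in_inventory"]:
        print(f"  not in inventory: {host}")
```

With this sample data the patch run reaches two of four affected hosts: one is inventoried but unmanaged, and one is missing from the inventory altogether.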
On the positive side, when correctly implemented, Asset Management gives companies information about the configuration of each asset and what’s protecting it. This has several benefits. First, it can help a company reduce risk from known vulnerabilities. For example, consider a vulnerability that has a high CVSS score, but can only be exploited via USB.
A company that operates via the cloud is not susceptible to this sort of attack, so this vulnerability doesn’t pose a real threat. However, without a solid Asset Management program, the company would not realize that it was safe and might waste valuable time and effort trying to fix a problem that had no impact on it. Given time and manpower limitations, in addition to the dangers that go along with patching, reducing any unnecessary remediation efforts is a must.
When remediation is needed, good Asset Management can help reduce any risks associated with it. Consider a case in which a threatening vulnerability can only be exploited using a certain port. A company with a proper Asset Management plan would be able to block the port in its firewall in order to neutralize the vulnerability — and would not implement an unnecessary patch or take other unneeded actions.
Given the importance of detailed knowledge about assets and vulnerabilities, it will come as no surprise that the best Vulnerability Management solutions include both:
- Thorough asset scanners, such as OWASP ZAP, Bandit, Archery, Hawkeye, and Clair
- Information on how each remediation measure affects assets besides the one being fixed
These Asset Management tools must be used in combination. No single scanner can identify all of a network’s assets, and not all solutions for a vulnerability work equally well for all networks.
Find. Remediate. Repeat.
This is ultimately what the future of Vulnerability Management is going to look like. Complete scanning, asset identification, and mapping all under one roof. By integrating scanning, deployment and asset management tools, Vulcan Cyber helps you discover deployment gaps that must be fixed for proper asset management. Furthermore, these integrations provide the context you need to better execute your TVM program.