Threat & Vulnerability Management Strategies


Threat & Vulnerability Management Strategies

Vulnerability Management is the active identification, assessment and resolution of vulnerabilities that exist within an enterprise’s infrastructure. Implementing an efficient and well-designed Vulnerability Management platform increases an organisations awareness of potential flaws that could be exploited by cyber criminals.

Recent cyber threat data from the Center for Strategic and International Studies (CSIS), reveals that Australia is the 6th most targeted country worldwide when it comes to cyber breaches.

Specops Software

In this article, we look at foundational Vulnerability Management strategies that organisations can implement to identify, assess, and resolve vulnerabilities more effectively.

Firstly, we must make a distinction, conducting vulnerability scans or vulnerability assessments is not equivalent to a well implemented Vulnerability Management program. Vulnerability Scanning simply refers to a scanning platform being run against one or more targets to determine the active vulnerabilities.

While important, scanning in isolation lacks the ability to appropriately identify the underlying risk, assign stakeholders to remediate the issue or catalogue and monitor the various active/resolved vulnerabilities. Vulnerability scanning is one important mechanism of Vulnerability Management but does not by itself represent a well implemented and efficient Vulnerability Management program.

The following strategies and implementation guidelines are a culmination of best practice recommendations we have devised at Aurian, which in our experience implementing various Vulnerability Management solutions, are most applicable to all businesses without direct knowledge of their unique operation and circumstances.

Vulnerability Scanning Infrastructure

There are various players in the competitive space of Vulnerability Scanning today, such as Qualys, Nessus and Rapid7. The unique benefits of each is not the topic of this article, however regardless of the platform chosen, the installation should abide by the following principles:

  • Organisations need to decide the nature of the scanning appliances (physical appliances or virtual).
  • Determine how many appliances may be needed. For instances where large organisations have several large intranets and Local Area Networks located at different points around the world, multiple scanning appliances may be required for adequate coverage and scalability.
  • For all scanning appliances implemented, appropriately provisioned network access should be provided so they can reach and audit their target networks appropriately.
  • Secure the Vulnerability Management platform and its associated data.
  • Implement Multi-Factor-Authentication for user sign-in.
  • Implement strict Role Based Access Control to platform user accounts, ensuring that access to both data and platform functionality is provided according to the principle of least privilege.
  • Ensure that all data exported from the Vulnerability Management platform is encrypted at rest.
  • If available, enable appropriate platform logging functionality.

Asset Management and Discovery

An integral part of Vulnerability Management is the somewhat lost art of Asset Management. A Vulnerability Management program is as only as good as the targets/infrastructure that it knows about. A business can implement world-class infrastructure with experts identifying, assessing, and remediating vulnerabilities.

However, if that process is only being applied to a fraction of an organisation’s infrastructure, inevitably a cyber security incident is not far behind. Most modern Vulnerability Management platforms recognise this important fact and include some form of asset management feature set. Commonly, vulnerability platforms allow administrators to ‘tag’ (annotate a recognisable name) network and application resources.

Additionally, vulnerability platforms can discover or map out active systems running in an environment by sending specifically crafted network packets to target systems.

Asset Management at its core should consist of the following:

  • A well-defined naming convention that is consistent and provides some context as to the function/role of the underlying assets. This convention should allow for the granular labelling of resources. For example, an organisation may have one or more LAN’s in Office X with a subnet containing database servers in each LAN. One example naming convention could be [Office Name – Subnet X – MSSQL-Servers].
  • A scheduled discovery/map scan which executes against the target network ranges at a short to medium time interval.
  • Vulnerability Platforms commonly allow for software agents which acts as a diagnostic and communication bridge between the Vulnerability Management platform and the asset itself. For more advanced installations, businesses could consider agent-based rollouts, which has several advantages for both asset management and vulnerability scanning. This feature is a topic worthy of a separate discussion and as such is beyond the scope for this article.

Assigning Risk

After completing the Asset Management and Vulnerability Scanning Infrastructure phases, an organisation should now understand the underlying role and level of importance particular asset(s) have for the business. Armed with that knowledge, implementing a risk-rating matrix is the logical next step and is an essential part of classifying the risk and impact a vulnerability can have on your business. It also helps administrators and managers to determine the priority of vulnerability remediation.

Currently there are many common risk matrices available which can be leveraged by an organisation; indeed, most Vulnerability platforms include their own risk rating for identified vulnerabilities. Platform risk ratings are generally a good source of truth for identifying technical risk, which more specifically relates to the specific requirements and result of compromise if an attacker successfully exploited a given flaw. This risk rating is based on the vulnerability scanning platforms understanding of the vulnerability at a technical level i.e. sensitive information disclosure, denial of service or code execution leading to complete system compromise.

A common strategy regarding risk classification is to combine the technical risk rating provided by the vulnerability platform with an additional business risk metric devised by an organisation. While an exact structure of that additional metric is beyond the scope of this article, the design of such a metric can often be aided by the following questions:

  • Do these asset(s) hold Personally Identifiable Information (PII)?
  • Do these asset(s) hold or transact credit card payments or financial information?
  • Do these asset(s) hold Intellectual Property which has underlying equity and value to the organisation?
  • Would the compromise of asset(s) and its associated data result in direct financial losses to the business?
  • Would the compromise of asset(s) and its associated data result in an immediate failure to comply with a regulatory body the business wishes to comply with?
  • If the availability of the asset(s) were affected such that it either was non-operational or was operating less efficiently impact the businesses productivity and profitability?
  • If the asset(s) were compromised to the extent the attacker has a high level of access, is there network connectivity to other potentially sensitive assets which attackers could conduct further attacks against?

Responsibility and Remediation Strategies — A Nametag to Necessity Approach

The level of diligence and efficiency an organisation can muster in order successfully remediate vulnerabilities is the cornerstone of a successful Vulnerability Management program. It is our opinion at Aurian that no one blanket remediation strategy can lay claim to be the most efficient, as every organisation has varying levels of qualified personnel, compute resources, and regulatory requirements.

However, organisations must ensure that it’s clear who is responsible for remediating specific compute resources. A responsibility matrix should be created which outlines the personnel in charge of fixing a particular set of compute resources and the associated business risk rating (as mentioned above). This simple system is what we at Aurian refer to as our ‘Nametag to Necessity Approach’.

One potential strategy organisations can use to determine both the order of remediation as well as remediation timeframes, is to leverage the responsibility matrix, technical risk and business risk metrics. This strategy shifts priority to remediate flaws that pose the highest technical and business risk to an organisation.

Once a responsibility matrix has been implemented, a well implemented Vulnerability Management platform will include the ability to adequately track the discovery, resolution, and re-discovery of vulnerabilities.


It may seem counter intuitive to leave the design and implementation of the vulnerability scanning procedures until the end. However, if the Vulnerability Management infrastructure has not been considered, strict asset management ignored, a risk matrix and assessment system neglected, and no responsibilities matrix and remediation strategies. The usefulness of multi-million-dollar industry leading Vulnerability Scanning technology will be of little use in making your business more secure.

Once the above important considerations have been designed and implemented, an organisation can now set up the various Vulnerability Scans to commence against in-scope infrastructure. During this stage, organisations should consider the following:

  • Organisations should consider what scans need to be executed, depending on the location of target infrastructure in question. More specifically, the following common scenario
  • Internet-facing: Scan(s) should be conducted as if originating from the Internet in order determine vulnerabilities which are discoverable by the broader Internet.
  • Internally-facing: Scan(s) should be conducted which originate from either a place of trust or semi-trust to determine vulnerabilities which are discoverable from within an organisations network.
  • Organisations should consider the frequency of a given scan; daily, monthly, quarterly, or continuously.
  • Does the scanning appliance(s) need to be whitelisted from your existing perimeter/internal firewalls ?
  • If the availability of the asset(s) were affected such that it either was non-operational or was operating less efficiently impact the businesses productivity and profitability?
  • Should a scan be authenticated or not? Authenticated scans are where the Vulnerability Scanning Platform will authenticate with previously configured credentials to you target assets. Authenticated scans often allow a more thorough assessment and visibility of a host’s security posture. For scans that are executed for compliance purposes, it is likely that Authenticated scanning is a requirement.

Documentation and Maintenance

Organisations commonly make detailed documentation pertaining to disaster recovery and incident response yet seem to overlook retaining and documenting the best practice configurations, design decisions and remediation strategies that have been painstakingly implemented in their Vulnerability Management program.

As a result, if key personnel leave, their expertise, and bespoke knowledge regarding the Vulnerability Management program goes with them. Aurian recommends that organisation create and continuously update detailed documentation that describes all stages and outcomes of the design and implementation decisions that have been made.

Additionally, it’s well known to most organisations that technology and business requirements are an ever-changing proposition. As such, a well implemented Vulnerability Management program must be flexible and adapt to the inclusion as well of removal of compute resources, subsequently adjusting the scanning and remediation practices appropriately.

Creating an efficient Vulnerability Management solution is not a simple task, we hope the above strategies will help organisation make more informed decision when it comes to Vulnerability Management. At Aurian Security, we deliver bespoke and tailored Vulnerability Management as part of our Security-as-a-Service offering. For more information, please refer to our Vulnerability Management page.

Social Share