Vulnerability Management Needed for Security, Study Says

Companies can avoid attacks and minimize security cost overruns by practicing IT vulnerability management, according to a July study published by the Aberdeen Group.

Companies can avoid attacks and minimize security cost overruns by practicing IT vulnerability management, according to a July study published by the Aberdeen Group. The study presents solutions for IT pros, helping them prioritize their patch management strategies for operating systems, applications and network security frameworks.

Ignoring the issues won't work, according to Derek Brink, author of the study and vice president and research fellow for IT security at the Boston-based Aberdeen Group.

"Unfortunately, each week brings a new wave of threats and vulnerabilities to be managed," Brink said. "Ignoring or deferring patches for known vulnerabilities is not a responsible strategy, nor is it reasonable for most companies to disconnect their business from the Internet. So managing vulnerabilities simply has to be done."

Aberdeen's study -- titled "Vulnerability Management: Assess, Prioritize, Remediate, Repeat" -- describes what some respondents are doing to foster an effective vulnerability management program.

The "best-in-class" firms described in the study shared several common characteristics. For example, 70 percent of respondents in this category have consistent policies for managing patches and vulnerabilities. Moreover, 67 percent say they monitor external sources for vulnerabilities, threats and remediation tactics. Lastly, 93 percent of those polled maintained an inventory of all IT assets, along with conducting regular patch scans.

For every dollar invested in vulnerability management programs, companies can avoid $1.91 in vulnerability fix-related costs, for a marginal return on investment of 91 percent, according to the report.

The report suggests four essential steps to implementing a vulnerability management program that pays off.

The first step is to understand the computer processing environment -- how it works, what IT assets are essential and what threats pose the greatest risk to the organization.

Second, prioritization is important. IT pros should maintain a constant inventory of all IT assets, along with a database of known vulnerabilities and fixes. Run an initial risk assessment. As with Patch Tuesday hotfixes, know what requires the greatest attention and what's critical versus important.

Third, the report recommends that a good way to preemptively fix problems as well as plug holes is to test fixes, patches and repairs after installing software upgrades. This process is called remediation. IT pros suggest remediation should be automated, wherever possible, with manual oversight of test results conducted by trained employees.

The last step is to repeat steps one through three and then monitor the results. Companies should review the success of the remediation and create a report for auditing and compliance reasons.

When asked about Microsoft's recent appeal to its tech peers, channel partners, security vendors and academia to collaborate on security initiatives, Brink said the move underscores the need to increase the efficiency and effectiveness of an important, never-ending task: security.

"It's a task which is consuming far too high a percentage of limited IT resources," Brink said. "The fact that leading vendors are calling for collaborative, industry-wide frameworks to address threats and vulnerabilities is strong evidence of the level of pain being expressed by their top customers in this area."

Brink added that security pros can expect that their vendors will work to address the pain in the near term through individual point solutions. In the longer term, vendors will work through broader, standards-based approaches that reach across the technology communities.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

  • Kaspersky Lab Nabs Another Windows Zero-Day

    Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.