Three Mistakes Companies Make When it Comes to Vulnerability Management

CORE Security
+1 617.399-6980
info@coresecurity.com
www.coresecurity.com
blog.coresecurity.com
Vulnerability management has become a term that is thrown around in security circles as a quick
and easy path to threat remediation. The reality, however, is that most companies are not actually
managing vulnerabilities; they are running scans that produce thousands of findings. Identifying
possible security risks and actually managing them through to remediation are completely different
things.
In its common definition, vulnerability management sounds like security utopia: if you purchase
the right software, implement the proper solution or adopt tougher policies and procedures, you
will be safeguarded from the threats of the outside world. Sounds perfect, right? There's one
problem: it doesn't work this way. The term leads companies down a path towards a false sense of
security. Many companies have fallen victim to the illusion that they are secure, and that illusion
can have dire consequences down the road. It is simply a matter of time before the gap between
identification and remediation is exposed.
But perception has a way of becoming reality. If you mention vulnerability management to
prospects, they will almost certainly tell you, predictably and definitively, that they are already
doing it. To that I can only parrot Sacha Baron Cohen's alter ego, the Kazakh ultra-nationalist
Borat Sagdiyev, in his retort to an American humorist instructing him on the art of comic timing
for delivering the punch line of a joke: NOT!
Because separating the hype from the reality of vulnerability management can be confusing and
difficult, I've come up with a quick and simple self-assessment. I would recommend that every
person charged with IT security in an organization ask themselves these questions on a regular
basis. For executives responsible for signing off on company security, I would also recommend
that you ask these questions of your chief security officer and demand definitive answers.
Can we provide a definitive yes to the following three questions?
1. Do we understand the actual risk?
2. Has it been properly fixed?
3. Can we validate that the fix has worked?
If the reply to any of these questions was a no, or if you were unsure of the correct answer, then
you are doing something other than vulnerability management. Don't feel too bad, however: the
reality is that very few organizations currently practice true management of threats and
vulnerabilities; most practice a form of vulnerability identification. That is a step in the right
direction, but only the first step on the path to management.
It really boils down to three common, but dangerous, mistakes businesses make when it comes to
vulnerability management.

1. Most people believe that if the scanning software is capturing the vulnerability, collecting it
the way kids collect baseball cards, they are safe from the threat. They are not. A mid-sized
company may run a monthly scan that returns 10,000 findings, but there is little to no visibility
into how those findings affect the company: no insight into which of them an attacker could
actually reach, how they work together, or whether any of them really matter.
2. Just as frightening, threats are typically not being managed; they are simply being identified.
It becomes an exercise in moving all of the potential risks around while nothing is actually
resolved. Findings are identified and passed along to different groups without anyone owning the
issue and seeing it through to remediation. It becomes a game of vulnerability pass-the-buck.
3. All this information ends up going nowhere. CISOs don't fix the perceived threats, don't believe
them, and basically end up shifting information around. There is simply too much data to process
or act upon. It's like that classic trope recalled in the face of inevitable disaster: you can
rearrange the deck chairs on the Titanic, but however you move them, the ship is still going to
sink and nothing you do will change that outcome. The same is true in the security space. No
matter how much scan data you collect or how much analysis you apply to it, until something is
actually fixed and the fix is confirmed, your network remains exactly as exposed as it was before
the scan.
When it comes to security, you can scan for vulnerabilities all day long and even convince yourself
that you know where the threat is hiding, but until you are able to capture, correlate and
contextualize it, the scan result means nothing. Until context can be put around potential threats
and vulnerabilities, the term vulnerability management will remain something of a myth.
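The three-question self-assessment and the closing demand to capture, correlate and contextualize findings are easier to see in code than in prose. What follows is an added example, not code from this paper or from CORE Security. It is built on constructed hosts, vulnerability identifiers, CVSS values, owners and an assumed exploit-availability list: it weights raw scanner scores by asset criticality, exposure and exploit availability (question 1), binds every finding to an accountable owner (mistake 2), and marks a fix as verified only when a rescan no longer reports it (question 3).

```python
# Added example, not from the paper or from CORE Security: a minimal
# vulnerability-management loop that turns raw scan findings into
# contextualised risk, gives every finding an owner, and treats a fix as
# real only once a rescan confirms it. Hosts, vulnerability IDs, CVSS
# values, owners and exploit availability below are all constructed.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner plugin or CVE identifier (constructed values)
    cvss: float


@dataclass(frozen=True)
class Asset:
    criticality: int  # assumed 1..5 scale, 5 = revenue-critical
    internet_exposed: bool


@dataclass
class Ticket:
    finding: Finding
    risk: float
    owner: str
    state: str = "open"  # open -> claimed_fixed -> verified | reopened


# Constructed asset inventory, exploit-availability list and owner map (assumptions).
ASSETS: Dict[str, Asset] = {
    "web01": Asset(criticality=5, internet_exposed=True),
    "db01": Asset(criticality=5, internet_exposed=False),
    "lab07": Asset(criticality=1, internet_exposed=False),
}
EXPLOIT_AVAILABLE: Set[str] = {"VULN-0001", "VULN-0003"}
OWNERS: Dict[str, str] = {"web01": "web-team", "db01": "dba-team", "lab07": "lab-admin"}

# Constructed scan output. Note the duplicate report and the CVSS 9.8 on a lab box.
SCAN_1: List[Finding] = [
    Finding("web01", "VULN-0001", 7.5),
    Finding("web01", "VULN-0002", 9.8),
    Finding("db01", "VULN-0003", 8.1),
    Finding("lab07", "VULN-0002", 9.8),
    Finding("web01", "VULN-0001", 7.5),  # same issue reported twice
]
# Constructed rescan taken after the web team reported both web01 items fixed:
# VULN-0001 is gone, VULN-0002 is still there.
SCAN_2: List[Finding] = [
    Finding("web01", "VULN-0002", 9.8),
    Finding("db01", "VULN-0003", 8.1),
    Finding("lab07", "VULN-0002", 9.8),
]


def risk_score(f: Finding, assets: Dict[str, Asset], exploitable: Set[str]) -> float:
    """Question 1: CVSS alone is not the actual risk. Weight it by what the host
    is worth, whether an attacker can reach it, and whether a working exploit exists."""
    asset = assets.get(f.host, Asset(criticality=3, internet_exposed=False))  # unknown host: assume mid
    score = f.cvss * (asset.criticality / 5.0)
    if asset.internet_exposed:
        score *= 1.5
    if f.vuln_id in exploitable:
        score *= 2.0
    return round(score, 2)


def prioritize(findings, assets, exploitable) -> List[Tuple[float, Finding]]:
    """Collapse duplicate reports of the same host+vuln, then rank by contextual risk."""
    ranked = [(risk_score(f, assets, exploitable), f) for f in set(findings)]
    ranked.sort(key=lambda rf: (-rf[0], rf[1].host, rf[1].vuln_id))
    return ranked


def open_tickets(ranked, owners: Dict[str, str]) -> List[Ticket]:
    """Mistake 2: findings get passed around. Bind each one to an accountable owner."""
    return [Ticket(f, r, owners.get(f.host, "unassigned")) for r, f in ranked]


def reconcile(tickets: List[Ticket], rescan: List[Finding]) -> List[Ticket]:
    """Question 3: a claimed fix is verified only if the rescan no longer reports
    the finding; if it is still there, the ticket is reopened rather than closed."""
    still_present = set(rescan)
    for t in tickets:
        if t.state == "claimed_fixed":
            t.state = "verified" if t.finding not in still_present else "reopened"
    return tickets


def self_assessment(tickets: List[Ticket], assets: Dict[str, Asset]) -> Dict[str, bool]:
    """The paper's three questions, answered from ticket state rather than from hope."""
    return {
        # we know what every affected host is and what it is worth
        "understand_risk": all(t.finding.host in assets for t in tickets),
        # no fix that an owner claimed has come back on a rescan
        "properly_fixed": not any(t.state == "reopened" for t in tickets),
        # every claimed fix has been checked by a rescan, none is taken on trust
        "validated": not any(t.state == "claimed_fixed" for t in tickets),
    }


def run_cycle() -> List[Ticket]:
    """One scan -> prioritise -> assign -> owners claim fixes -> rescan -> reconcile."""
    tickets = open_tickets(prioritize(SCAN_1, ASSETS, EXPLOIT_AVAILABLE), OWNERS)
    for t in tickets:
        if t.finding.host == "web01":  # constructed: web team reports both items fixed
            t.state = "claimed_fixed"
    return reconcile(tickets, SCAN_2)


if __name__ == "__main__":
    cycle = run_cycle()
    for t in cycle:
        print(f"{t.risk:5.2f} {t.finding.host:6} {t.finding.vuln_id} {t.owner:10} {t.state}")
    print(self_assessment(cycle, ASSETS))
```

Running it makes mistake 1 concrete: the CVSS 9.8 on the isolated lab box ranks last, while the CVSS 7.5 that has a public exploit and sits on the internet-facing web server ranks first. The rescan then turns one of the two "fixed" web01 items back into an open ticket, which is exactly the gap between question 2 and question 3; the self-assessment reports the risk as understood and the fixes as validated, but not as properly fixed, until that reopened ticket is dealt with.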

About CORE Security

CORE Security is the leading provider of predictive security intelligence solutions. We help more than 1,400
customers worldwide preempt critical security threats and more effectively communicate business risk. Our award-
winning enterprise solutions are backed by over 15 years of expertise from the company's CORE Labs research
center. Learn more at www.coresecurity.com.

41 Farnsworth Street | Boston, MA 02210 | USA | Ph: +1 617.399.6980 | www.coresecurity.com
Blog: blog.coresecurity.com | Twitter: @coresecurity | Facebook: CORE Security | LinkedIn: CORE Security

© 2013 CORE Security. CORE Security and the CORE Security logo are trademarks or registered trademarks of CORE SDI, Inc.
All other brands & products are trademarks of their respective holders.
