# Vulnerability Management Lifecycle

The VM Lifecycle represents the process and series of critical stages to identify and remediate vulnerabilities/weakness to attacks and exploitation of discovered findings.

## Discovery

Detect and interrogate system assets

* Devices, platforms, applications

Identify all assets

* Identify assets that need to be monitored
* The intent is to ensure no vulnerable devices are overlooked

## Prioritize Assets

Determines the priority of discovered assets

* What assets are most business-critical?
* What assets require immediate attention?
* Helps focus resources

> Patching all assets at once is likely not feasible. Ensure to collaborate with asset owners and stakeholders to determine asset priorities

## Assess

Determines if a vulnerability exists in the system

* Compares assets to known vulnerabilities
* Determine Risk score (CVSS, VRT, etc)

## Reporting

Presents assets and vulnerabilities in a form to view findings

* Compile discovery with identified vulnerabilities
* Usually categorized by priority, location, etc
* Tailor reports for various audiences

## Remediate

Takes action on a vulnerability

* Apply patches
* Initiate compensating controls
* Accept the vulnerability/risk

## Verify

Verifies that a remediation was successful or effective

* Was vulnerability resolved?
* Is further action needed?

## VM Lifecycle Challenges

Incomplete asset information - Effective discovery requires both **asset identification** and the information about the **contents** of each asset

Incomplete asset lists - Out-of-date asset lists and mixed data sources can prevent discovery from providing complete asset accountability for a thorough risk evaluation

Overwhelming scan data - Prioritization helps target efforts for the most critical assets from the most serious threats

Organizational communication - Frequent communication, reports, system dashboards, and notifications help keep teams informed for required patching/updates

Vulnerability Identification - Vulnerability data must be up to data and relevant from authoritative sources

Timely Remediation - Efforts must be timely, organized, and effective with specific assignments and accountability

Process Tracking - Verification helps assure that remediation is successful with no new vulnerabilities exposed