Vulnerability Management

When people hear vulnerability management, they usually think patching. While it is a big part of it, it’s not the whole story anymore.

Back in the Windows XP days, you might get a patch once a month, maybe. Sometimes not at all. Things were a lot simpler then.

Microsoft still does Patch Tuesday, but everything else has moved on. Your browsers, your applications, even smaller tools you barely think about, are getting patched constantly. Some things update several times a month, sometimes multiple times a week.

And that’s not even getting into developer environments where there’s a rapid release cycle for features and fixes before anything goes live. So, back to what I said in the beginning, it’s not Patch Tuesday anymore. Patches are happening more regularly, and that’s changed how we think about vulnerability management completely.

It’s More Than Just Patching

Vulnerability management is a lot of patching, because most of us don’t control the software we use. You can’t make code changes to Microsoft Word or Chrome yourself; you have to wait for the vendor.

But it extends way beyond patching.

There’s a lot that has to do with configuration, which is the way systems are set up. A lot of things, like Windows or macOS, aren’t inherently secure out of the box. They come with default settings that don’t always meet modern security baselines.

A recent example I like to use is NetBIOS. You don’t technically need NetBIOS anymore, but it’s still enabled by default in Windows. That can leave you a little more exposed than you’d expect.

And sometimes a fix doesn’t come from a patch at all; it comes from changing how something’s configured. Maybe you disable a protocol, maybe you adjust a registry entry, or maybe you secure an app that’s using HTTP instead of HTTPS for its admin interface.
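To make the NetBIOS example concrete, here is an added PowerShell script (it is not EMBER’s tooling and does not come from the original post) that audits NetBIOS over TCP/IP on every IP-enabled adapter and disables it only when run with -Apply. It uses the Win32_NetworkAdapterConfiguration class, whose TcpipNetbiosOptions property and SetTcpipNetbios method are standard Windows WMI/CIM; the -Apply switch and the label table are this script’s own conventions.

```powershell
# Added example: report (and optionally disable) NetBIOS over TCP/IP per adapter.
# TcpipNetbiosOptions values on Win32_NetworkAdapterConfiguration:
#   0 = take the setting from the DHCP server (the Windows default)
#   1 = enabled
#   2 = disabled
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

$labels = @{ 0 = 'Default (via DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($nic in $adapters) {
    # the property is a uint32; cast so it matches the hashtable's int keys
    $state = $labels[[int]$nic.TcpipNetbiosOptions]
    Write-Host ("{0,-45} NetBIOS: {1}" -f $nic.Description, $state)

    if ($nic.TcpipNetbiosOptions -eq 2) { continue }   # already hardened

    if ($Apply -and $PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
        # SetTcpipNetbios returns 0 on success and 1 when a reboot is required
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                    -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        switch ($result.ReturnValue) {
            0       { Write-Host '  -> disabled' }
            1       { Write-Host '  -> disabled, reboot required' }
            default { Write-Warning ("  -> failed with return code {0}" -f $result.ReturnValue) }
        }
    }
}
```

Run it without -Apply first to see which adapters are still on the DHCP default, then with -Apply -WhatIf to preview, and finally with -Apply. The same setting lives in the registry as the NetbiosOptions value under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_<adapter GUID>, which is what you would push through a configuration standard instead of running this per host. Anything that still depends on NetBIOS name resolution or network browsing will stop working, so confirm nothing in the environment needs it before rolling the change out broadly.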

So, when we talk about vulnerability management, we’re talking about more than updates. We’re talking about identifying where you’re vulnerable, deciding if it can be patched, or if it needs to be fixed through hardening or configuration changes instead.

The Cloud and Remote Work Changed Everything

The fundamentals of vulnerability management haven’t really changed, but the expectations and speed have.

Everything’s interconnected now: cloud environments, remote users, multiple platforms all talking to each other. That interconnectedness is great for productivity, but it also means there are more moving parts and more things to keep an eye on.

The pace has picked up too. You’ve got to be paying attention almost daily if you want to stay on top of things. Vulnerabilities are discovered faster, fixes come out faster, and attackers move faster too.

A lot of people think vulnerability management is only running a scanner, like Tenable or something similar, and getting a report. But that’s only one small piece of it. You can run the scan and get a 100-page report, but unless you’re actually reviewing it, prioritizing what matters, and understanding what it means, you’re not really managing anything.

And those tools don’t catch everything. There are vulnerabilities related to compliance or configuration that won’t even show up in a scan. If you’re doing PCI or HIPAA, you’ve got to go beyond the tool and make sure your systems meet those extra security requirements too.

How We Handle It at EMBER

At EMBER, vulnerability management starts with visibility. We collect a lot of data from client environments and do a deep review of it.

When we scan, we do a full breadth sweep. Everything we can possibly look at, we do. That means we pick up a lot, not just critical items, but medium, low, and even informational findings.

Some of those might seem minor, but they’re still good to keep track of. They tell us what’s running and how it’s behaving.

From there, we triage. We look at the critical findings first (what’s most likely to cause a real issue) and work our way down.

We also spend a lot of time figuring out why something is there. Is it an actual issue, or just the way a tool reports it?

For example, Office 365 always shows up in scans as “vulnerable” between releases. That doesn’t mean something’s broken; it just means the product updates so quickly that the scanner can’t always keep up.

So we review it, document it, and decide: is this something we fix now, or something that’ll be addressed in the next patch cycle?

That’s a big part of it: reviewing, validating, and understanding. Not just reacting. We want to know why something is flagged, what we can do to mitigate it, and how to keep it from coming back.

We also look at policies and procedures during those reviews. If something keeps showing up across multiple clients, maybe it’s time to change a configuration standard or update how we handle it globally.

Communicating Risk

Communicating risk is one of the harder parts, because not everyone has the same technical background.

We’ve got clients who are very technical and others who just want to know, “Are we secure?”

So we try to keep it simple. Instead of saying, “You’re vulnerable to a privilege escalation in a subsystem of Office,” we’ll say, “There’s a vulnerability that could let someone get access they shouldn’t, but we’ve already pushed a fix.”

We break it down into plain language:

  • What’s affected.
  • What could happen.
  • What we’re doing about it.

They don’t need to know registry keys or CVE numbers. They just need to know what the risk is and that we’ve got it under control.

The key is to communicate clearly and give confidence, not fear. We want clients to understand what’s happening without overwhelming them with technical jargon.

The Importance of Process

If there’s one thing I’d tell anyone trying to improve their vulnerability management, it’s this: have a process.

You can’t just patch whenever you remember. You need a plan.
When do you scan? When do you patch? What’s the schedule? Who reviews the findings?

Having a defined process helps you stay organized and calm when new vulnerabilities pop up, because they will pop up.

Say your scan runs Wednesday and finds 17 missing patches, but your patch cycle is Friday. That’s fine, since you already know why. There’s no need to panic.

Having policies and procedures in place makes everything smoother. It also helps you spot patterns over time. Maybe the same issue keeps coming back. That’s a sign something in the process needs to change.
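The triage described above (criticals first, transient Office 365 findings documented rather than escalated, configuration issues handled as hardening) and the Wednesday-scan, Friday-patch schedule from this section fit together as one small review step. The PowerShell below is an added illustration, not EMBER’s process or any scanner’s export format: the findings are constructed sample records, the status wording and the list of products treated as transient between releases are assumptions you would replace with your own standards.

```powershell
# Added example: triage a scan export against a defined patch cycle.
# The findings below are constructed sample data, not real scanner output.
$findings = @(
    [pscustomobject]@{ Host = 'WS-01';  Severity = 'Critical'; Category = 'Patch';  Product = 'Chrome';     Title = 'Chrome < current release' }
    [pscustomobject]@{ Host = 'WS-01';  Severity = 'High';     Category = 'Patch';  Product = 'Office 365'; Title = 'Office 365 < current build' }
    [pscustomobject]@{ Host = 'SRV-02'; Severity = 'Medium';   Category = 'Config'; Product = 'Windows';    Title = 'NetBIOS over TCP/IP enabled' }
    [pscustomobject]@{ Host = 'SRV-02'; Severity = 'Low';      Category = 'Patch';  Product = 'Windows';    Title = 'Missing cumulative update' }
    [pscustomobject]@{ Host = 'SRV-03'; Severity = 'Info';     Category = 'Info';   Product = 'Windows';    Title = 'OS version detected' }
)

# Products whose rapid release cycle makes them show as "vulnerable" between
# vendor releases; documented and re-checked, not escalated (assumption: your list will differ).
$transientProducts = @('Office 365')

function Get-SeverityRank {
    # lower rank sorts first, so criticals are reviewed before everything else
    param([string]$Severity)
    switch ($Severity) { 'Critical' { 0 } 'High' { 1 } 'Medium' { 2 } 'Low' { 3 } default { 4 } }
}

function Get-NextPatchWindow {
    # next occurrence of the patch day on or after $From (a Friday cycle by default)
    param([datetime]$From, [DayOfWeek]$PatchDay = [DayOfWeek]::Friday)
    $days = ([int]$PatchDay - [int]$From.DayOfWeek + 7) % 7
    return $From.Date.AddDays($days)
}

function Get-TriageStatus {
    param($Finding, [datetime]$PatchWindow)
    if ($Finding.Category -eq 'Info')   { return 'Track: informational, keep for inventory' }
    if ($Finding.Category -eq 'Config') { return 'Harden: configuration change, no patch involved' }
    if ($transientProducts -contains $Finding.Product) {
        return 'Monitor: transient between vendor releases, document and re-check next scan'
    }
    if ($Finding.Severity -eq 'Critical') { return 'Fix now: out-of-band patch' }
    return "Scheduled: patch cycle on $($PatchWindow.ToString('yyyy-MM-dd'))"
}

$scanDate    = Get-Date '2024-01-17'                 # a Wednesday (constructed date)
$patchWindow = Get-NextPatchWindow -From $scanDate   # resolves to Friday 2024-01-19

$triaged = $findings |
    Sort-Object { Get-SeverityRank $_.Severity }, Host |
    Select-Object Host, Severity, Category, Title,
        @{ Name = 'Status'; Expression = { Get-TriageStatus -Finding $_ -PatchWindow $patchWindow } }

# the review sheet, criticals at the top
$triaged | Format-Table -AutoSize
# and the one-line-per-status summary that goes into the client update
$triaged | Group-Object Status | Select-Object Count, Name | Format-Table -AutoSize
```

With this sample, the Chrome critical is the only item marked for immediate action, the Office 365 finding is carried as a documented monitor item, the NetBIOS finding is routed to hardening rather than patching, and the missing cumulative update is simply scheduled for Friday. That is the “you already know why” state the schedule is meant to produce; anything that lands in an unexpected bucket is what the reviewer spends time on.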

The goal is to mature over time and to make each cycle better than the last.

Wrapping It Up

Vulnerability management today is about visibility, review, and constant improvement.

Some fixes are easy, some take more work, and some might break something else if you’re not careful. That’s why process and planning matter so much.

You can’t just rely on “Patch Tuesday” anymore. That world’s gone.

Now it’s about staying aware, understanding your environment, and making smart, deliberate changes every day.

Because at this point, vulnerability management isn’t a once-a-month job.
It’s every day.
