[ABVM③] Systematic asset management and intelligent vulnerability analysis for ‘continuous security’
- 위드네트웍스 WITHNETWORKS
- 2 days ago
Improving efficiency through AI threat prediction and automated response
Regulatory compliance and governance: essential requirements for sustainable security
In modern IT environments, it is essential to secure asset visibility and to use intelligent risk assessment methods that prioritize actual threats among numerous vulnerabilities. The first priority is to establish a dynamic asset inventory; overcoming the limitations of CVSS scores then requires a multi-dimensional approach that combines the business context of assets with external threat intelligence.
Even with the introduction of sophisticated technologies and analytical methodologies, a continuous level of security cannot be maintained if they fail to integrate with organizational policies and processes and remain a one-time effort. True security maturity is achieved when it goes beyond technical controls to be internalized within the organization's governance framework, when repetitive tasks are streamlined through automation, and when the capability to preemptively respond to constantly evolving threats is established.
Based on the technical framework discussed in the previous article, this article presents methods for building a sustainable security system by integrating regulatory compliance and security governance. It also proposes specific strategies to enhance security operations using AI and automation technologies and to prepare effectively for the future threat landscape.
Integration of Compliance and Governance
Asset-based vulnerability management can secure enterprise-wide legitimacy and execution power only when operated within an organization's regulatory compliance obligations and governance framework. Linking technical activities with organizational policies and goals is the core of sustainable security.
✅ Systematic Management of Regulatory Requirements
Companies in strictly regulated industries—such as finance, healthcare, and the public sector—must simultaneously comply with various domestic and international regulations, including the Information and Communications Network Act, the Personal Information Protection Act, GDPR, and PCI-DSS. While these regulations commonly require regular vulnerability inspections and remediation, their specific requirements, inspection cycles, evidence management, and reporting formats vary. Addressing these individually leads to redundant work, undermines consistency, and wastes significant resources.
An integrated approach is essential for effective compliance management. By mapping all applicable regulatory requirements into a single control framework, common elements and differences can be identified. Subsequently, establishing an integrated internal management process based on the strictest requirements allows a single activity to satisfy multiple regulations simultaneously. For example, if Regulation A requires quarterly inspections and Regulation B requires semi-annual ones, setting quarterly inspections as the standard fulfills both. A centralized asset and vulnerability database then serves as the foundation for automatically generating audit reports in the formats required by each regulatory body, drastically streamlining compliance response tasks.
✅ Streamlining Audit Response
Regular internal and external audits impose a significant burden on many security professionals, often preventing them from focusing on core security tasks. However, a systematic asset and vulnerability management system and process can shift the audit response paradigm from "work for preparation" to "proof of daily operations."
The key is to build a system where all routine security activities serve as evidence for audits. All outputs—including vulnerability scan results, remediation history, exception approval forms, and related policy documents—must be managed systematically, and activity histories must be recorded in detail. Establishing a digital evidence management system allows for the automatic collection and storage of scan results, log files, and screen captures with timestamps, thereby enhancing the integrity and reliability of the evidence. Consequently, when an auditor requests the remediation history of a specific asset at a specific point in time, accurate data can be provided quickly with just a few clicks, significantly reducing the burden of audit response.
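One way to make the integrity of such an evidence store checkable, as an added example that is not part of the original article: each record carries a timestamp and the SHA-256 of the artifact and is chained to the previous record's hash. The hash chain, field names and sample records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record

def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so a record always hashes to the same value
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_evidence(chain: list, asset: str, kind: str, artifact: bytes, ts: str) -> dict:
    """Append one timestamped evidence record linked to the previous one."""
    record = {
        "asset": asset,
        "kind": kind,              # e.g. scan_result, remediation, exception
        "timestamp": ts,           # ISO 8601, UTC
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS,
    }
    record["record_hash"] = _digest(record)
    chain.append(record)
    return record

def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["record_hash"] != _digest(rec):
            return i
        prev = rec["record_hash"]
    return -1

def history(chain: list, asset: str, until: str) -> list:
    """Records for one asset up to a point in time (the auditor's question)."""
    # ISO 8601 UTC strings in the same format compare correctly as text
    return [r for r in chain if r["asset"] == asset and r["timestamp"] <= until]

def build_sample() -> list:
    # Constructed sample records, not real scan data
    chain = []
    append_evidence(chain, "db-01", "scan_result", b"constructed scan output", "2024-01-10T02:00:00Z")
    append_evidence(chain, "web-01", "scan_result", b"constructed scan output 2", "2024-01-10T02:05:00Z")
    append_evidence(chain, "db-01", "remediation", b"constructed patch log", "2024-01-12T09:30:00Z")
    return chain
```

Storing the latest record_hash outside the evidence system lets a reviewer also detect a rewrite of the whole chain, which the chain alone cannot reveal.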
✅ Security Governance and Organizational Culture
No matter how excellent the tools and processes are, effective security management is impossible without the awareness and participation of the organization's members. Asset and vulnerability management is not the sole responsibility of the IT department; it is an enterprise-wide activity that requires the participation of the business units that own and use assets, as well as of management, which makes the final decisions.
Management Support and Leadership: Management must recognize security as a core investment for business continuity rather than a mere cost. To this end, communication should shift from technology-centered reporting, such as "10 CVSS 9.0 vulnerabilities discovered," to business impact and performance-centered language, such as "This action has reduced the risk of customer service interruption by 80%."
Collaboration with Business Units: Procedures must be established so that business units always notify the security team and register assets in the management process when introducing or changing systems. Furthermore, roles and responsibilities must be clearly defined so that the business units, as system owners, take responsibility for managing their respective assets.
Establishing a Security Awareness Culture: Continuous education and communication are necessary for all employees regarding the risks of Shadow IT, the problems with using unauthorized software, and the importance of applying patches. Sharing real-world security incident cases is highly effective in raising employee vigilance.

Preparing for the Future - Utilizing AI and Automation
Once a sustainable governance system is established, the next step is to advance security operations using AI and automation technologies to preemptively respond to the constantly evolving threat landscape.
✅ AI-Based Threat Prediction
Traditional vulnerability management focused on responding after the fact to already known vulnerabilities. In contrast, artificial intelligence enables a paradigm shift toward predicting future threats and responding preemptively by learning from vast amounts of data, such as past attack patterns, vulnerability occurrence trends, and system configuration information.
The core of AI-based threat prediction is context-aware reasoning that surpasses human analysts, gained by learning multi-dimensional datasets that take the organization's internal environment into account. Future threat prediction models learn from the following datasets:
CVSS (Common Vulnerability Scoring System): Technical severity of the vulnerability itself
EPSS (Exploit Prediction Scoring System): Probabilistic prediction of the likelihood that a vulnerability will be exploited in the future
CISA KEV (Known Exploited Vulnerabilities): A verified list of threats confirmed to have been used in actual attacks
Environmental Factors: Unique organizational context information such as the business importance of assets, data sensitivity, network location, and applied compensating controls
AI models perform in-depth reasoning beyond simple score summation by comprehensively analyzing these four types of data. For example, if a specific vulnerability found on an externally exposed customer database server (environmental factor) has a code pattern similar to other vulnerabilities previously listed in CISA KEV and shows a pattern of rapidly rising EPSS scores, the AI can judge it as an "immediate and fatal threat to the organization" and assign the highest level of "Unified Threat Score."
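The following added example (not from the original article, and a hand-written baseline rather than an AI model) shows how the four inputs can change the ranking that CVSS alone would give. The weights, field names and sample findings are assumptions, and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                  # placeholder id, not a real CVE
    cvss: float               # technical severity, 0.0-10.0
    epss: float               # current exploitation probability, 0.0-1.0
    epss_prev: float          # EPSS one week earlier, to detect a rising trend
    in_kev: bool              # listed in CISA KEV
    criticality: int          # business importance of the asset, 1..5
    internet_exposed: bool    # network location
    compensating_control: bool

def unified_threat_score(f: Finding) -> float:
    """Return 0-100. All weights here are illustrative assumptions."""
    severity = f.cvss / 10.0
    # Confirmed exploitation (KEV) outranks any prediction; otherwise use
    # EPSS and add the recent increase so a fast-rising score counts more.
    rising = max(0.0, f.epss - f.epss_prev)
    likelihood = 1.0 if f.in_kev else min(1.0, f.epss + rising)
    # Environment: asset importance, raised by exposure, halved by a control
    env = f.criticality / 5.0
    if f.internet_exposed:
        env = min(1.0, env + 0.2)
    if f.compensating_control:
        env *= 0.5
    return round(100 * severity * likelihood * env, 1)

def rank_by_cvss(findings):
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_unified(findings):
    return [f.cve for f in sorted(findings, key=unified_threat_score, reverse=True)]

# Constructed sample findings
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.02, 0.02, False, 2, False, False),  # internal test box
    Finding("CVE-EXAMPLE-B", 7.5, 0.60, 0.55, True, 5, True, False),    # exposed customer DB
    Finding("CVE-EXAMPLE-C", 8.8, 0.40, 0.05, False, 5, True, False),   # EPSS rising fast
    Finding("CVE-EXAMPLE-D", 9.1, 0.70, 0.70, True, 4, True, True),     # KEV, but mitigated
]
```

On this sample the finding with the highest CVSS score ranks last once likelihood and environment are taken into account, while the KEV-listed finding on the exposed customer database ranks first.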
✅ Automated Response System
Automation plays a crucial role not only in discovery and analysis but also in the response phase. Utilizing a SOAR (Security Orchestration, Automation and Response) platform allows for the automation of the entire process, from vulnerability discovery to analysis, prioritization, ticket generation, patch application, and verification.
For instance, a workflow can be configured to automatically apply patches to the production environment when a vulnerability satisfying specific pre-defined conditions (e.g., CVSS 9.0 or higher, listed in CISA KEV, verified in a test environment) is discovered. Such automation drastically shortens response time and helps humans move away from repetitive tasks to focus on exception handling or critical decision-making.
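The pre-defined conditions above can be expressed as a gate that fails closed, shown here as an added example that is not part of the original article or of any SOAR product's API. Field names, action names and the exception flag are hypothetical; a missing value counts as a condition that is not met.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PatchCandidate:
    cve: str                            # placeholder id, not a real CVE
    cvss: Optional[float]               # None = score not yet available
    in_kev: Optional[bool]              # None = KEV lookup failed
    test_env_verified: Optional[bool]   # None = patch not yet tested
    approved_exception: bool = False    # hypothetical: asset has an approved exception

def patch_decision(c: PatchCandidate) -> dict:
    """Choose between automatic production patching and human handling."""
    unmet = []
    # Every condition must be positively confirmed; unknown is treated as unmet
    if c.cvss is None or c.cvss < 9.0:
        unmet.append("cvss>=9.0")
    if c.in_kev is not True:
        unmet.append("listed_in_kev")
    if c.test_env_verified is not True:
        unmet.append("verified_in_test")
    if c.approved_exception:
        # Exception handling stays with a person even if all conditions hold
        return {"cve": c.cve, "action": "manual_review", "unmet": unmet}
    action = "auto_patch" if not unmet else "open_ticket"
    # The unmet list goes into the ticket so the analyst sees why it was held
    return {"cve": c.cve, "action": action, "unmet": unmet}
```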
✅ Challenges and Opportunities in Cloud-Native Environments
Cloud-native environments—such as containers, serverless, and microservices—drastically shorten the lifecycle of assets, posing new challenges to traditional management methods while simultaneously providing new opportunities for security management.
Immutable Infrastructure: This refers to a method where, instead of directly patching a container where a vulnerability is found, it is replaced with a new image that has the security patch applied. This is a cleaner and more definitive solution that fundamentally prevents potential errors or configuration conflicts that may occur during the patching process.
Infrastructure as Code (IaC): By managing infrastructure configurations as code, security settings can be codified to force all infrastructure to follow consistent security standards. When a vulnerable configuration is found, the entire infrastructure can be updated quickly and consistently just by modifying and redeploying the code.
Building a Sustainable Security System
The core principles of asset-based vulnerability management discussed across the three parts can be summarized as follows:
1️⃣ First, securing complete visibility is the beginning of everything. You cannot protect what you cannot see, and you cannot manage what you do not know.
2️⃣ Second, a priority-based approach is the realistic solution. Since it is impossible to resolve all vulnerabilities at once, the most important ones must be handled first, considering business impact and actual threat levels.
3️⃣ Third, automation and integration are the keys to efficiency. Manual work should be minimized, and various tools and processes should be integrated to create a consistent and efficient management system.
4️⃣ Fourth, continuous improvement is necessary. As the security environment continues to change, processes and tools must also evolve continuously.
Security in the digital age is no longer a choice but a matter of survival. Invisible assets and unknown vulnerabilities can become fatal threats to an organization, but they can be managed effectively through systematic asset management and intelligent vulnerability analysis. The important thing is to pursue continuous improvement rather than perfection; technology alone is not enough, and true security can only be achieved when processes, people, and organizational culture harmonize.
New technologies and threats will continue to emerge in the future. However, organizations equipped with a system that can answer the fundamental questions of "What do we have?" and "What should we protect first?" will be able to respond effectively to any challenge. Asset-based vulnerability management is the core of such a system and a fundamental capability that every organization must possess.
DATANET



