Implementing a Risk-Based Approach to Vulnerability Management

The modern cyber ecosystem is anything but static; it is a constantly shifting entity that keeps expanding to take in new technologies, systems, and people. That makes security a daunting task. New vulnerabilities are disclosed almost daily, adding thousands of potential attack vectors every year and causing problems for organizations in essentially every industry. According to the Ponemon Institute, the average cost of a data breach in the United States is $8.64 million [1]. Responding to attacks only after they occur is therefore not an effective defense. At the same time, systems and services are growing more complex and more integral to modern society. Mistakes will happen as people configure, maintain, and add technology and devices to the environment, and each mistake is an opportunity for an attacker.

“Known vulnerabilities are the most likely flaws to be exploited. Risk from known vulnerabilities is reduced by implementing the software vulnerability management (VUL) capability. The VUL capability focuses on managing known vulnerabilities and common sources of software flaws known to produce vulnerabilities.”


Risk = Threat x Vulnerability x Consequence



Vulnerability management describes the processes, tools, and strategies for identifying, evaluating, treating, and reporting on security vulnerabilities and misconfigurations in an organization's software and systems. In other words, it lets you monitor your digital environment for potential risks and maintain an up-to-date picture of your security posture.

Software vulnerability management recognizes that even authorized software (software the organization has assessed and approved to run on a system) can have known vulnerabilities and, presumably, undiscovered coding weaknesses that will become vulnerabilities. It gives you a way to identify, prioritize, and respond to the software flaws and misconfigurations that attackers could exploit, that could lead to inadvertent release of sensitive data, or that could disrupt business operations.

Risk-based vulnerability management (RBVM) reduces vulnerabilities across your attack surface by prioritizing remediation according to the risk each one poses to your organization. Unlike legacy vulnerability management, it goes beyond discovering and counting vulnerabilities: it extends coverage beyond traditional IT assets to cloud infrastructure, IoT devices, web applications, and more, and it enriches each finding with threat intelligence and business context (often with the help of machine learning) to estimate how likely exploitation is and how much it would matter. This gives the business relevant insight across its entire attack surface.


To establish a successful risk-based vulnerability management program, the organization must be able to identify, prioritize, and remediate vulnerabilities on the information technology assets used to conduct business operations.

Risk-Based Vulnerability Assessment Matrix


A mature risk-based vulnerability management program is a foundational element of any functioning cybersecurity program.

A workable program strategy is organized around four high-level functions: identify, protect, detect, and respond. Each is described below.

Identify

The first pillar of a risk-based vulnerability management program is identifying your assets: developing an understanding of the information assets used to meet business needs and of the risk to business operations if they are compromised. You cannot secure IT assets you cannot see or do not know exist. Discover all known and unknown assets across the hybrid IT estate (on premises, endpoints, clouds, containers, mobile, OT, and IoT) and build a complete, categorized inventory, enriched with details such as vendor lifecycle information. The inventory should also cover items hosted outside your network or exposed to the internet. Maintaining a current inventory of hardware and software is core to any successful cybersecurity program.

Protect

The second pillar is protecting your assets: implementing safeguards that limit the impact of a malicious event, and documenting a vulnerability management plan that covers policies, processes, procedures, and controls. In my view, we should use business context to assign criticality to assets (for example, production systems hosting critical information versus development systems), and use threat intelligence to enrich our understanding of each vulnerability: whether it is exploited in the wild, whether an exploit is publicly available, and how easy it is to exploit. Vulnerabilities with these attributes are the ones most likely to be exploited.

Detect

The third pillar is detection: implementing solutions that identify vulnerabilities early and often. For example, run vulnerability scans continuously and regularly assess their coverage and effectiveness; continuous assessment gives the most current picture of risk. In my view, a successful risk-based program also performs secure configuration assessments to validate that system hardening is consistent with the adopted security controls, based on industry-standard guides such as the Center for Internet Security (CIS) Benchmarks or DISA STIGs.
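As an added example (not from the original article), the following Python script shows what a secure configuration assessment of this kind looks like in code. It parses a constructed sshd_config the way sshd does (keywords are case-insensitive and the first value set for a keyword wins), fills in OpenSSH's documented defaults for settings that are not set, and compares the effective configuration with a small hardening baseline. The baseline items are illustrative, written in the spirit of CIS Benchmark and STIG guidance rather than quoted from either, and the sample configuration is constructed.

```python
"""Secure-configuration assessment of an OpenSSH server config.

Added illustrative example, not from the original article. Parses an
sshd_config the way sshd does (keywords are case-insensitive and the FIRST
value set for a keyword wins), falls back to OpenSSH's documented defaults
for unset settings, and compares the effective values with a hardening
baseline written in the spirit of CIS/STIG guidance (not quoted from it).
"""

# Constructed sample: the duplicated PasswordAuthentication line and the
# Match block are two things a naive "grep the file" check gets wrong.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication yes
# the next line is ignored by sshd: the first value wins
PasswordAuthentication no
MaxAuthTries 6
X11Forwarding no
LogLevel VERBOSE
Match User deploy
    PasswordAuthentication yes
"""

# OpenSSH defaults (sshd_config(5)) for the settings assessed below.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
    "clientaliveinterval": "0",
}

# Illustrative hardening baseline: keyword -> (requirement, predicate).
BASELINE = {
    "permitrootlogin": ("must be 'no'", lambda v: v.lower() == "no"),
    "passwordauthentication": ("must be 'no' (key-based auth only)", lambda v: v.lower() == "no"),
    "permitemptypasswords": ("must be 'no'", lambda v: v.lower() == "no"),
    "x11forwarding": ("must be 'no'", lambda v: v.lower() == "no"),
    "maxauthtries": ("must be 4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    "loglevel": ("must be INFO or VERBOSE", lambda v: v.upper() in ("INFO", "VERBOSE")),
    "clientaliveinterval": ("must be 1..300 seconds",
                            lambda v: v.isdigit() and 1 <= int(v) <= 300),
}

def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of an sshd_config.

    Parsing stops at the first Match block: settings inside it apply only to
    matching connections and have to be assessed per Match criteria.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        if "=" in line.split(None, 1)[0]:
            keyword, _, value = line.partition("=")
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            keyword, value = parts
        keyword, value = keyword.strip().lower(), value.strip()
        if keyword == "match":
            break
        effective.setdefault(keyword, value)  # first occurrence wins
    return effective

def assess(text, baseline=BASELINE, defaults=DEFAULTS):
    """Compare the effective configuration with the baseline, one result per check."""
    configured = parse_sshd_config(text)
    results = []
    for keyword, (requirement, ok) in baseline.items():
        if keyword in configured:
            value, source = configured[keyword], "config"
        else:
            value, source = defaults[keyword], "default"
        results.append({"setting": keyword, "effective": value, "source": source,
                        "requirement": requirement, "compliant": bool(ok(value))})
    return results

def failures(results):
    """Settings that drift from the baseline; these feed the remediation ticket."""
    return [r["setting"] for r in results if not r["compliant"]]

def compliance_ratio(results):
    """Share of baseline checks that pass, a simple program metric."""
    return sum(r["compliant"] for r in results) / len(results) if results else 0.0

if __name__ == "__main__":
    res = assess(SAMPLE_SSHD_CONFIG)
    for r in res:
        print("PASS" if r["compliant"] else "FAIL",
              f"{r['setting']}={r['effective']} ({r['source']}): {r['requirement']}")
    print("compliance:", round(compliance_ratio(res), 2), "drift:", failures(res))
```

On the sample, the effective PasswordAuthentication is "yes" even though a later line says "no", MaxAuthTries fails at 6, and ClientAliveInterval fails on its default of 0 because the file never sets it. Reporting the source of each value (config versus default) matters in practice: a missing line is a different remediation task from a wrong one.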


Respond

Lastly, the fourth pillar is response: combining asset criticality and threat intelligence to prioritize remediation of the vulnerabilities that pose the most significant risk to the business and to mission-critical applications.

Risk-based vulnerability management implements automation where possible: proactively patching and configuring systems to reduce the load on remediation teams, and automatically creating tickets that assign vulnerability triage tasks to those teams for action. It also defines actionable metrics that convey risk to operational and executive teams; these metrics inform decisions on allocating resources to risk items and measure program effectiveness.
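The pillars above come together in prioritization. The following Python example, added here and not part of the original article, scores constructed scanner findings with the formula used earlier on this page (Risk = Threat x Vulnerability x Consequence): the threat factor comes from a constructed threat-intelligence feed, the vulnerability factor from a CVSS-like severity score, and the consequence factor from a constructed asset inventory carrying business criticality. It then maps each score to a remediation deadline and a ticket payload, counts findings per SLA tier, and contrasts the result with a severity-only ordering. The asset names, vulnerability ids (VULN-A and so on), intel flags, weights, and SLA tiers are all assumptions chosen for illustration.

```python
"""Risk-based prioritization of vulnerability findings.

Added illustrative example, not from the original article. Scores each
finding as  risk = threat x vulnerability x consequence  and turns the
ranking into remediation deadlines and ticket payloads. All inputs are
constructed: asset names, vulnerability ids (VULN-A ...), threat-intel
flags and CVSS-like scores are placeholders, not real data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str   # constructed placeholder id, not a real CVE
    cvss: float    # scanner severity, 0.0-10.0

# Constructed asset inventory: business criticality is the consequence factor.
ASSET_CRITICALITY = {
    "prod-db-01":   1.0,  # production database holding regulated data
    "prod-web-01":  0.8,  # internet-facing production web tier
    "dev-build-07": 0.2,  # internal developer build box
}

# Constructed threat intelligence keyed by vulnerability id.
THREAT_INTEL = {
    "VULN-A": {"exploited_in_wild": True,  "public_exploit": True},
    "VULN-B": {"exploited_in_wild": False, "public_exploit": False},
    "VULN-C": {"exploited_in_wild": False, "public_exploit": True},
    "VULN-D": {"exploited_in_wild": False, "public_exploit": False},
}

def threat_factor(vuln_id):
    """Likelihood that an attacker actually uses this flaw (0..1, assumed weights)."""
    intel = THREAT_INTEL.get(vuln_id, {})
    if intel.get("exploited_in_wild"):
        return 1.0
    if intel.get("public_exploit"):
        return 0.6
    return 0.2  # known flaw with no exploitation evidence yet

def risk_score(f):
    """risk = threat x vulnerability x consequence, each normalised to 0..1."""
    vulnerability = f.cvss / 10.0
    consequence = ASSET_CRITICALITY.get(f.asset, 0.5)  # unknown asset: assume medium
    return round(threat_factor(f.vuln_id) * vulnerability * consequence, 4)

def remediation_sla_days(risk):
    """Map a risk score to a remediation deadline (tiers are assumptions)."""
    if risk >= 0.7:
        return 7
    if risk >= 0.3:
        return 30
    if risk >= 0.1:
        return 90
    return 180

def prioritize(findings):
    """Findings sorted by risk, highest first; ties broken by severity."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)

def by_cvss(findings):
    """The legacy 'everything is a risk' ordering, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def ticket_payload(f):
    """What a hypothetical ticketing integration would receive per finding."""
    r = risk_score(f)
    return {"asset": f.asset, "vuln_id": f.vuln_id, "cvss": f.cvss,
            "risk": r, "sla_days": remediation_sla_days(r)}

def tier_counts(findings):
    """Program metric: number of findings in each SLA tier."""
    counts = {}
    for f in findings:
        days = remediation_sla_days(risk_score(f))
        counts[days] = counts.get(days, 0) + 1
    return counts

# Constructed scan results.
FINDINGS = [
    Finding("dev-build-07", "VULN-A", 9.8),
    Finding("prod-db-01",   "VULN-B", 7.5),
    Finding("prod-web-01",  "VULN-C", 8.1),
    Finding("prod-db-01",   "VULN-A", 9.8),
    Finding("dev-build-07", "VULN-D", 9.1),
]

if __name__ == "__main__":
    print("severity-only order:", [(f.asset, f.vuln_id, f.cvss) for f in by_cvss(FINDINGS)])
    for f in prioritize(FINDINGS):
        print(ticket_payload(f))
    print("SLA tiers:", tier_counts(FINDINGS))
```

Run on the constructed findings, the severity-only ordering puts the 9.1 on the developer build box in third place; the risk ordering drops it to last (no exploitation evidence, low-value asset, risk 0.0364) and moves the 8.1 on the internet-facing web tier, which has a public exploit, up to second. Only one finding lands in the 7-day tier, which is the point: the remediation team works a short list that reflects business impact rather than a scanner's severity column.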


When known software vulnerabilities are unmanaged, uncorrected, or undetected, software is left open to exploitation. As a result, vulnerable software is a key target that attackers use to initiate an attack on an organization’s network and expand control to attack other components on that network. A well-designed vulnerability management capability helps prevent software with vulnerabilities from being installed on a network, detect software with vulnerabilities already installed on a network, and respond to the vulnerabilities detected (e.g., by patching the vulnerabilities or through other mitigations). Automated assessment of known software vulnerabilities and weaknesses helps verify that the software vulnerability management capability is working. When known vulnerabilities are managed, the level of effort needed to initiate an attack and expand control to other components on the network is increased since the attacker must identify another method of attack.

Thus we can view risk as the product of three factors, matching the formula above: assets whose compromise has a consequence, exploitable vulnerabilities in those assets, and threats capable of exploiting them.


The scale of vulnerabilities found in large organizations has made managing them a seemingly endless challenge. Traditional vulnerability management programs tend to adopt an "everything is a risk" approach, which leaves IT remediation teams chasing an ever-growing pool of findings, many of which pose no real risk to the organization. Instead of prioritizing remediation by arbitrary methods, organizations should enrich vulnerability data with business context, threat intelligence, data science, and machine learning to prioritize the vulnerabilities most likely to be exploited and most likely to cause harm. This requires more accurate methods of assessing risk that keep pace with evolving threats. A risk-based approach therefore addresses the most significant flaws first, reducing risk to critical systems and making efficient use of limited resources.


[1] IBM, Cost of a Data Breach Report 2023.
