What is Risk-Based Vulnerability Management?
Conventional vulnerability management has been in the market for nearly two decades, with an initial emphasis on identifying vulnerabilities. Discovery and scanning drove innovation, and the only deliverables were reports that detailed the vulnerabilities identified by scanners. The teams responsible for fixing or remediating those vulnerabilities worked largely on their own to decide which ones should be remediated. Moreover, there were fewer vulnerabilities to worry about in the early days of vulnerability management: 4,932 vulnerabilities were published in the National Vulnerability Database (NVD) in 2005, compared with 17,306 in 2019. Those figures account for just new vulnerabilities published, and don’t include the cumulative totals of the years prior, a much larger number in 2019 than 2005, when the CVSS vulnerability scoring system was introduced.
During this time, there were no tools to assess the risk of individual vulnerabilities on networks beyond the CVSS score: a good first step, but a flawed metric when relied solely upon. Only in the past few years have we seen an emergence of technologies and solutions that work to classify the risk of individual vulnerabilities on individual networks.
What are the Basics of Risk-Based Vulnerability Management?
Risk-based vulnerability management is a strategy for handling the myriad vulnerabilities on a typical enterprise network, according to the risk each individual vulnerability poses to an organization. At first blush, the concept of risk-based vulnerability management sounds relatively simple. But when most organizations are confronted with tens of thousands (or hundreds of thousands, or millions) of vulnerabilities, determining which pose the most risk to the organization is a significant undertaking. The key to risk-based vulnerability management – and the primary departure from the static, one-size-fits-all CVSS score – is a comprehensive analysis of each vulnerability in its context on the network and in the current external threat environment.
Five basic vulnerability management categories are used to construct a context-based risk score. Each category contains multiple subfactors, totaling more than 40. The categories are:
- Vulnerability: The individual characteristics of the vulnerability itself. Here, the CVSS score offers a sound starting point for vulnerability risk analysis.
- Asset: The asset (machine, device, etc.) on which the vulnerability resides. Is the asset critical to the organization in some way, or does it house critical or sensitive information?
- Network: The unique characteristics of the network environment in which the asset is located. Is the asset connected to the Internet, for example, and which policies surrounding the asset make it more or less susceptible to attack?
- Organization: How are the vulnerability and the asset on which it resides related to the organization’s business objectives?
- External Threat Environment: Is the vulnerability associated with trending topics on chat boards, the dark web, and other social feeds? Is the vulnerability likely to have an exploit published for it in the future, or is there one available now?
By considering these factors when assessing the risk of an individual vulnerability, security operations teams can receive a 360-degree view of potential threats to the organization. Doing so for each vulnerability means the organization can risk rank all its vulnerabilities, no matter how numerous, and make intelligent decisions on where to deploy precious remediation resources. This is the essence of risk-based vulnerability management.
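To make the contrast with a CVSS-only ranking concrete, here is an added example (not from the original article and not the scoring model of any vendor product) that folds the five categories above into one contextual score. The weights, the factor encodings and the three findings are constructed for illustration; a real engine would draw on many more subfactors.

```python
from dataclasses import dataclass

# Assumed weights for the five categories from the article; illustrative only.
WEIGHTS = {"vulnerability": 0.30, "asset": 0.20, "network": 0.20,
           "organization": 0.10, "threat": 0.20}


@dataclass
class Finding:
    ident: str               # placeholder label for a constructed finding
    cvss_base: float         # Vulnerability: CVSS base score, 0.0-10.0
    asset_critical: bool     # Asset: hosts a critical function or sensitive data
    internet_facing: bool    # Network: reachable from the Internet
    business_impact: float   # Organization: 0.0-1.0 relevance to business goals
    exploit_public: bool     # External threat: working exploit available now
    trending: bool           # External threat: discussed in threat chatter


def context_risk(f: Finding) -> float:
    """Return a 0-100 contextual risk score combining the five categories."""
    parts = {
        "vulnerability": f.cvss_base / 10.0,
        "asset": 1.0 if f.asset_critical else 0.3,
        "network": 1.0 if f.internet_facing else 0.4,
        "organization": f.business_impact,
        # A public exploit dominates; trending chatter raises likelihood less.
        "threat": 1.0 if f.exploit_public else (0.6 if f.trending else 0.2),
    }
    return round(100 * sum(WEIGHTS[k] * parts[k] for k in WEIGHTS), 1)


def rank_by_context(findings):
    """Order findings by contextual risk, highest first."""
    return [f.ident for f in sorted(findings, key=context_risk, reverse=True)]


def rank_by_cvss(findings):
    """Order findings by CVSS base score alone, highest first."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed sample: a critical-rated flaw on an isolated lab box versus a
# medium-rated flaw on an Internet-facing, exploited, business-critical system.
SAMPLE = [
    Finding("FINDING-A", 9.8, False, False, 0.1, False, False),
    Finding("FINDING-B", 6.5, True, True, 0.9, True, False),
    Finding("FINDING-C", 7.5, True, False, 0.5, False, True),
]

if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss(SAMPLE))
    print("Contextual:", rank_by_context(SAMPLE), [context_risk(f) for f in SAMPLE])
```

With these inputs the CVSS-only order is A, C, B, while the contextual order is B, C, A, which is the reordering the article argues for.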
What is the Strategy Behind Risk-Based Vulnerability Management?
Risk-based vulnerability management is designed to address two key objectives:
- Genuinely reduce an organization’s risk of being breached as the result of an un-remediated vulnerability
- Effectively manage the overwhelming number of software vulnerabilities that are present on the typical enterprise network and the new vulnerabilities that are published every day
Confronted by an existing vulnerability count that can number in the millions on some enterprise networks, security and IT teams are often overwhelmed by the sheer volume of vulnerabilities. Couple that with seemingly endless pronouncements about the latest “critical” vulnerability that must be patched “ASAP,” and it’s difficult to overstate the confusion and challenge confronting organizations pursuing legitimate vulnerability risk reduction.
Risk-based vulnerability management helps to confront the vulnerability overload challenge that just about every organization encounters. With the means to identify the vulnerabilities that truly pose a risk to the organization out of the hundreds of thousands on the network, risk-based vulnerability management suggests a remediation roadmap for IT teams to follow. If followed, that roadmap ultimately leads to a legitimate reduction in enterprise vulnerability risk.
Is Risk-Based Vulnerability Management Easy?
With the advent of modern vulnerability management solutions, including advanced tools like contextual vulnerability prioritization, risk-based vulnerability management is certainly easier than ever. There is an argument that practically accomplishing a risk-based vulnerability management program has only been possible with the introduction of such technical capabilities. For example, manually determining which of 200,000 vulnerabilities pose the highest risk to the organization simply isn’t feasible.
A solution like Secureworks® Taegis™ VDR can evaluate each vulnerability on a given network. VDR is driven by machine learning and features a software-driven contextual prioritization engine that uses more than 40 factors to determine the relative risk of each vulnerability, all without any human intervention. Such technology makes implementing a risk-based vulnerability management program infinitely easier than it would have been just a few years ago.
Is Prioritization Important in Risk-Based Vulnerability Management?
Meaningful vulnerability and remediation prioritization is not only important, it is the essence of risk-based vulnerability management. It’s simply impossible to have one without the other. The operative word is “meaningful.” There are many superficial ways to prioritize vulnerabilities, but only a comprehensive, contextualized view of the risk of each vulnerability provides the confidence remediation teams need to trust the result. Risk-based vulnerability management assumes that not all vulnerabilities are going to be remediated, so it’s very important those identified as high risk and earmarked for timely remediation be the right ones.