Buyer’s Guide for Evaluating Vulnerability Prioritization Tools (VPT)
- Jan 31, 2023
- Michael Tucker
If you’re reading this post, chances are you’re looking to take the next step in improving your Vulnerability Management program. At this stage, you’ve probably realized that your vulnerability assessment scanner isn’t cutting it in terms of helping reduce security workload or making a meaningful impact in reducing your risk exposure. In all reality, you probably feel like it is doing the exact opposite. Fear not, all Security teams make this realization on the journey toward cybersecurity maturity. To help with this problem, we’ve put together this buyer’s guide to aid your evaluation of a vulnerability prioritization tool so you can make the impact and efficiency gains you’re trying to achieve.
Let’s start with a fact of life – vulnerability assessment scanners, regardless of the type of scanner (infrastructure, endpoint, SAST/DAST, cloud/container) are not the end-all-be-all solution to achieve vulnerability management success. At their core, scanners do one thing – identify vulnerabilities. That’s it. This is just the first step in the vulnerability management lifecycle.
This is where vulnerability prioritization tools (VPTs) come into play.
Now most VA scanner providers will claim they provide vulnerability prioritization capabilities, but in reality many of these prioritization scores are solely based on CVSS scores. No asset context, no threat intelligence context, no mitigating controls validation, no machine-learning algorithm support. What this leaves you with, probably what you’re experiencing right now, is a long list of CRITICAL vulnerabilities that aren’t really critical after you apply the context of your organization. This is the reason why you aren’t making a meaningful impact on your risk exposure and why your workload isn’t improving. You’re remediating vulnerabilities, but you aren’t remediating those that actually matter.
Vulnerability prioritization tools are designed to supplement the work that VA scanners do in identifying vulnerabilities. A good VPT should add four major values to your Vulnerability Management program:
If the VPT you’re evaluating accomplishes these four responsibilities then you can expect to reap the benefits you may have hoped a vulnerability assessment scanner would provide. Applying a risk-based approach to prioritization will decrease your security workload and risk exposure by helping your team focus on the vulnerabilities that are most likely to be exploited. A single pane of glass for your VM team will increase your team’s efficiency and maximize the ROI of your other security tool investments. Improved remediation workflows will better bridge the gap between the VM team and ITOps netting a reduced mean time to remediation. Enhanced reporting will ensure that every role from Security Analyst to CISO will get the information they need for their role’s responsibilities.
As you evaluate VPTs, know that the devil is in the details and not all solutions are created equal. Below are the evaluation details you’ll want to be on the lookout for to ensure the VPT you’re looking at accomplishes the four value-adds detailed above.
A risk-based approach to vulnerability prioritization means including the context of your environment when risk ranking vulnerabilities. VPTs apply this context to identified vulnerabilities in order to make risk-based ranking determinations. For example, a scanner might rate a vulnerability as “critical,” but after that vulnerability is run through a VPT that takes a validated mitigating control into account, the rating might be adjusted to a “low.”
This function is the meat and potatoes of a VPT solution. When evaluating options ask the following questions:
Aside from the first question in this list, you want a resounding “YES!” response to all of these questions. If the answer to the first question is “our risk ranking scores are based on CVSS scores,” end the conversation. The tool you’re looking at will do you no better than the scores your scanner(s) are already providing you. The rest of these questions are focused on vulnerability classification, context, and exploitability. You want a tool that has the ability to assess and stack rank a wide range of different vulnerabilities. You need the ability to overlay unique threat intel and organizational context onto your identified vulnerabilities. You need to gut check the real-world likelihood that each vulnerability will actually be exploited. With these components factored in, you’ll know you have a data-backed and prioritized list of vulnerabilities to tackle. No more endless void.
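To make the re-ranking described above concrete, here is an added illustrative example (not code from this article or from any vendor’s product) of overlaying asset context, threat intelligence, and a validated mitigating control on top of a scanner’s CVSS score. The weights, field names, and sample findings are all hypothetical and constructed for the demonstration.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative severity bands, used for both the scanner view and the re-ranked view.
def band(score: float) -> str:
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

@dataclass
class Finding:
    finding_id: str          # placeholder identifier, not a real CVE
    host: str
    cvss: float              # what the scanner reports (base score only)
    exploited_in_wild: bool  # threat-intel context: known active exploitation
    internet_facing: bool    # asset context: reachable from the Internet
    crown_jewel: bool        # asset context: business-critical system
    mitigated: bool          # a compensating control was validated (e.g. vulnerable feature disabled)

def risk_score(f: Finding) -> float:
    """Hypothetical weighting: raise the score for exploitability and exposure,
    cut it sharply when a mitigating control has been verified. Capped at 10.0."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 1.5
    if f.internet_facing:
        score *= 1.3
    if f.crown_jewel:
        score *= 1.2
    if f.mitigated:
        score *= 0.2
    return round(min(score, 10.0), 1)

def prioritize(findings):
    """Return (id, scanner band, risk score, re-ranked band), highest risk first."""
    ranked = [(f.finding_id, band(f.cvss), risk_score(f), band(risk_score(f))) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed sample findings.
SAMPLE = [
    Finding("FINDING-A", "internal-db-01", 9.8, False, False, False, True),   # "critical" but mitigated
    Finding("FINDING-B", "web-portal-02", 7.5, True, True, True, False),      # "high" but exploited and exposed
    Finding("FINDING-C", "lab-vm-07", 6.5, False, False, False, False),       # no extra context
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Running the block shows FINDING-B promoted to critical and FINDING-A dropped to low, which is exactly the kind of reordering a CVSS-only list cannot produce.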
Cybersecurity teams are almost always plagued by having a disparate menagerie of tools to complete the various functions they are responsible for. Hopping from one tool to another to compile information or consume data from different sources is not an efficient or effective way to remediate critical vulnerabilities. Security teams can be far more scalable and impactful when they only need to work out of one single-source console that compiles all of this information under one roof.
When comparing vulnerability prioritization tools ask providers about the following integrations:
The list of questions above covers the majority of integration types you’ll want to ask about with respect to an enterprise-level cybersecurity tech stack. What is equally important to inquire about is how these integrations bring together the data from these different sources and make it accessible to your team. Just to have it in one place is not enough. Look carefully at how tools enable you to drill into information. Raise an eyebrow if data is siloed in different unconnected areas of a tool. Some providers claim to have certain integrations, but they do this by leveraging a modular approach. One module will contain one set of information, but it won’t be shared or accessible from other aspects of the platform.
In terms of workflow, vulnerability prioritization tools are designed to bridge the process gap between identifying vulnerabilities and remediating them. A lot of time and energy is burned by Security teams walking across the aisle to discuss with ITOps what needs to be remediated and why. Many organizations rely on endless spreadsheets to handle this communication and track progress of efforts. Does that sound familiar?
Here are the questions you need to ask your potential VPT vendor about their remediation capabilities:
The points we covered in the risk-based prioritization section of this article factor into this discussion. With prioritized lists of vulnerabilities, backed by environmental context and machine-learning algorithms, the debate of WHY something needs to be patched should decrease greatly. To achieve additional efficiency, focus should then shift to aligning workflows that speak the same language. The ITSM system is that common language. Pushing tickets directly into ITSMs means slotting requests seamlessly into the system that ITOps spends every day in. No more spreadsheets.
While the above is a big gain, it doesn’t address the necessary feedback loop in this process. Security teams need to be kept in the loop on what’s happening with remediation efforts. Bi-directional syncing between the ITSM and VPT is critical for this. Without it, those meetings for discussing the state of remediations will start to creep back onto your team’s calendars.
Similarly, when Vulnerability Management teams are marking risks as accepted or mitigated they normally would do so in the individual scanners. This deviates from the single pane of glass approach you should be striving for. Good VPT tools will enable your team to manage risk acceptance from the platform and confidently know that the next time they run a scan those same risks won’t come up.
Side note – Automated patching might be on your radar when it comes to the topic of remediation automation. We recommend treading lightly here. Some VPT vendors will have backgrounds in these orchestration functions and offer this solution, but we don’t recommend them for enterprise size companies. At least not in a broad-stroke application. There is too much that needs to be considered and verified to apply patches automatically in environments of that level of complexity. The human element is definitely still needed here to make sure something doesn’t accidentally get broken by an update.
Reporting usually ranks high on the list of time sucks for most security teams. This stems from needing to collect, clean, and present data from various tools to various roles. Again, spreadsheets are usually the answer that many companies turn to. Just like trying to track remediation efforts in spreadsheets, this doesn’t scale. Providing reports and answers should be near effortless. Your ability to do so is what ultimately tells the story of your program’s ROI.
While reporting requirements can differ heavily organization to organization, the following questions will help you shape what you can expect to get from a provider:
The first five questions on this list are fairly standard to ask when evaluating any technology’s reporting suite. Organizational needs will determine what are acceptable answers to these questions. We recommend reflecting on where you’ve had blind spots or difficulties with your historical reporting efforts to find enhancements.
The last four questions are the gold standard of great VPT solutions. Having the ability to integrate security data with a tool like Tableau or Power BI is a big plus to enterprises. This helps put security front and center, rather than leave it in the dark corner of a basement. Full-stack reporting takes the value of integrations to the next level. It’s one thing to be able to ingest data from multiple sources and leverage it from a prioritization perspective. However, being able to report on that information as well completes the single pane of glass goal. Executive level security reporting and business line reporting speak to the tool’s ability to communicate data at a business level. Security tool reports are notoriously technical and jargon heavy, making them difficult to interpret by non-technical executives. Your C-Suites will thank you for being able to communicate the state of security in a common language. It will go a long way in helping secure additional resources for the team.
The fact of the matter is that evaluating a vulnerability prioritization tool takes time. This is not a purchase to rush. As we’ve hopefully articulated here, the devil is in the details. However, the end result of those efforts will be a night and day difference for your Security team. With a successful implementation of a VPT, you’ll achieve a far more accurate assessment of your risk, be able to expedite your remediation efforts, and communicate vulnerability management in a way you’ve never been able to do before. If you’re not making the impact you want on your risk exposure with your scanners alone, adding a VPT is the next step in maturing your program.
If you have any additional questions, don’t hesitate to contact us. Our team of security experts will gladly help in any way we can. If you’re interested in seeing how our vulnerability prioritization tool stacks up to competitors, schedule a demo with us today.
Although every company’s pricing model will vary to some extent, vulnerability prioritization tools are usually priced based on the number and type of assets in the customer’s environment.
On average, large enterprises with asset counts in the tens of thousands to hundreds of thousands can expect to spend in the ballpark of $1,000,000 a year on a vulnerability prioritization tool. This cost can vary greatly depending on the specific packages and add-ons that are selected.
Common signs of needing a VPT solution include having an asset count in the tens of thousands to hundreds of thousands, having a variety of asset types (infrastructure, cloud, app, etc.), trying to manage remediation efforts and prioritization with spreadsheets, long mean times to remediation, and low trust in the accuracy of the scores being provided by scanners.