Fix Less, Secure More: Why You Should Put Vulnerability Prioritization First
- Mar 06, 2023
- Lisa Xu
NopSec has been in the risk-based vulnerability management (RBVM) game for 10 years now. Over the course of this decade we’ve seen a lot: the number of documented vulnerabilities has grown exponentially year over year, the complexity of cyber attacks has continued to intensify, and vulnerability management solution providers have come and gone. Through all of this, one fact has remained constant: when it comes to remediating vulnerabilities and minimizing risk exposure, organizations that put prioritization first win out in the long run. To celebrate our ten-year anniversary and call this fact to attention, we are changing our company’s slogan to “Fix Less, Secure More.”
Fix less, secure more should be the goal of every Vulnerability Management team. Cyberdefenders will never have all of the resources necessary to secure and remediate EVERY vulnerability in their organization’s environment. It’s just not possible. As such, they’ll have to keep making the most of what they have. But how should you go about doing this? What are the critical resources and capabilities that let a handful of people accomplish the job of 20?
Automation is probably the first word that will come to mind. Every vulnerability management and prioritization tool on the market today puts massive emphasis on using automation to improve process efficiency (escalations, automated patching, auto-creating ITSM tickets, communication, etc). At first glance, automation might seem like the miracle solution. Accomplish more with less manual effort. It’s hard to argue with.
Many vulnerability management solutions heavily emphasize automation capabilities above all else. While leveraging automation is unquestionably valuable to resource-constrained teams, it unfortunately isn’t the be-all and end-all. The reality is that the benefits you’d hope to achieve from implementing an automation-centric solution will always be fundamentally diminished if the prioritization components of that tool are weak or nonexistent. It’s a cart-before-the-horse scenario. Vulnerability management starts with prioritization. Everything else is downstream. If you feed the wrong vulnerabilities through these hyper-optimized and automated workflows, you are still playing a zero-sum game with minimal impact on risk reduction.
For example, we proudly boast about having some of the best reports and metrics on the market to visually display the state of the union for Vulnerability Management teams. However, we will never emphasize the importance of these reporting features above our prioritization capabilities. Why? Simply put, these charts and dashboards are only as valuable as the data we feed them. All of that information stems from our machine-learning algorithm’s assessment of which vulnerabilities matter most.
Don’t get us wrong. We aren’t telling you to ignore automation as a means of solving the resource constraint problem. Automation features should absolutely be part of your evaluation criteria. What we are emphasizing is that you shouldn’t put these automation functionalities at the top of your most-important-criteria list. That pole position should be reserved for prioritization.
Unsurprisingly, there is a reason why prioritization occurs as one of the first steps in the vulnerability management lifecycle. This step in the process ultimately decides where a Vulnerability Management team spends its time and how those efforts trickle down into impact. This is the stage where confidence in decision making is most critical. Once decisions are made and plans are put into action, that time is spent. There is no room for mistakes.
In serving our clients, we have seen massive billion-dollar organizations rely on a menagerie of spreadsheets to try to define a list of what risks need immediate attention. We’ve also seen companies consider the prioritization box checked by accepting basic CVSS scores as the law of the land. While something is better than nothing in this department, efforts like these will never make any real difference. How prioritization is performed matters greatly when looking to fix less and secure more.
For organizations leveraging risk scores from their vulnerability assessment scanners or those who have already invested in vulnerability prioritization tools, it’s important to understand exactly how those scores are being generated. All vendors in this space accomplish prioritization with their own proprietary approaches and not all methods are created equal.
The answers to questions like these will separate solutions with a check-the-box feature from those that put prioritization at the core of their platform’s capabilities. That difference is important. It can be the deciding factor between security and a breach.
When we started NopSec 10 years ago, our vision was to enable cyberdefenders to have the upper hand in protecting their organizations. To achieve this, we’ve striven to provide cyberdefenders with the best attacker- and data-driven insights to enable them to better prioritize their exposures. We invite you to put our prioritization to the test and allow us to show you why you too should put it first. These principles are the core of our business and that’s why, with NopSec, you’ll be able to Fix Less, Secure More.