Risk-Based Vulnerability Management: Efficient + Effective
- May 11, 2022
- Brad LaPorte
In the previous blog post we described the difference between vulnerability management and risk management. A quick reminder: vulnerabilities are the weaknesses an organization has internally, while risk is the potential for an external threat to exploit one of those weaknesses and harm the organization. Risk-based vulnerability management (RBVM) combines what is learned by looking closely at each side to focus a security team's effort where it matters.
In short, there's no point in guarding against an identified threat if it has no weakness to exploit in your organization, and little urgency in fixing a weakness that no attacker is reaching for. It's the intersection of vulnerabilities and risks that matters. Let's dig in to see how that works.
Security vulnerabilities are weaknesses that can be exploited by threat actors. One of the most common types are those that appear in software. Writing software is complex and, unavoidably, introduces coding flaws: a small percentage of the code, but still notable. With billions of lines of code in use across the world and more written every day, that small percentage yields a significant number of flaws and resulting vulnerabilities. Many are nothing more than a bug, but some let an attacker execute code, escalate privileges, or plant malware inside a network.
Vulnerabilities appear in hardware as well, letting attackers bypass whatever security features are in place and reach valuable data or resources on devices such as laptops or smartphones. Networks have vulnerabilities, too: protocols that attackers can circumvent to intercept or extract valuable data. For example, an earlier generation of IoT devices was designed for on-premises communication only. The shift to the cloud means that these devices are now sometimes reachable by outside threat actors, and they lack the up-to-date security protocols needed to keep them secure in that position.
To initiate an RBVM process, a security team needs to use threat intelligence to shine a light on the vulnerabilities that attackers are actually favoring. This means separating vulnerabilities that exist, but show no evidence of exploitation by cybercriminals, from those that are being used in real attacks. Of the thousands of common vulnerabilities and exposures (CVEs) identified each year, only a fraction show any evidence of being exploited by attackers seeking to profit from them.
As threats are being analyzed, the security team also needs to know which of the business's assets could be targets. This is a separate, asset-focused prioritization exercise: which systems and data are the most critical to protect? Vulnerabilities on those assets are the ones that should be patched soonest.
The steps involved in achieving these goals begin with a tool that gives the security team visibility into all the environments the organization is working in – the on-premises assets as well as mobile, web apps, cloud, and OT/IoT systems. That tool needs to be able to dynamically add assets as they come into the network, as well as give all pertinent information about the asset’s security status, usage, and the like.
Once that inventory is accurate and complete, and the assets are scanned and monitored, the organization can identify its vulnerabilities, such as misconfigurations and out-of-date operating systems. Again, this is not a one-and-done process. It's essential to keep tabs on all the potential entry points for cybercriminals continually, because new assets appear and new flaws are disclosed every week.
With the knowledge in hand of both the risks posed by external threats and the vulnerabilities of your organization’s assets (and ideally, those of anyone you’re doing business with), you’re able to start taking action.
One other important factor that is part of understanding all your assets: how much disruption would it cause your organization to remediate a given vulnerability? Of course, anything that threatens essential data or could expose protected customer information needs to be halted immediately. But having as much context as possible about the fix, not just the flaw, is highly valuable.
With the likelihood of exploitation and the business impact understood for each finding, the prioritization becomes evident. You'll want to patch first the vulnerabilities that are being exploited and could cause serious harm to your organization. Vulnerabilities that exist but are of minor consequence need not get much attention, and certainly not if fixing them would cause significant disruption of business operations.
Even so, it's important to recognize that cybercriminals increasingly take advantage of vulnerabilities rated low or medium severity precisely because those may not get the attention of security teams. Good threat intelligence and detection tools can help security teams learn about such exploitation so that a scanner's severity label is not the only thing driving the queue.
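The prioritization described above, written out as working code. This is an added example, not NopSec's product logic: it assumes a scanner export that gives a vulnerability identifier, a CVSS base score and the affected asset; a threat-intelligence feed that lists identifiers with evidence of in-the-wild exploitation; and a business-assigned asset criticality on a 1 to 5 scale. The identifiers (VULN-A and so on), the assets and the weights are all constructed for illustration; they are not real CVEs or real systems. The sample deliberately includes a "medium" finding that is being exploited on a business-critical, internet-facing asset and a "critical" finding that is not exploited on a low-value internal host, so the output shows why exploitation evidence plus asset context, not CVSS alone, should drive the queue.

```python
"""Risk-based prioritization of scan findings (added example, not the post's or NopSec's code).

Assumed inputs (hypothetical, not from the post): a scanner export with
vuln_id / cvss / asset, a threat-intel feed of exploited ids, and a
business-owned asset criticality rating. All identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 = low value .. 5 = business-critical (set by the business)
    internet_facing: bool   # reachable by outside threat actors


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # hypothetical identifier, not a real CVE
    asset: Asset
    cvss: float             # scanner severity, 0.0 .. 10.0
    patch_disruption: int   # 1 = restart a service .. 5 = outage / regression testing needed


# Constructed threat-intel feed: ids with evidence of in-the-wild exploitation.
KNOWN_EXPLOITED = frozenset({"VULN-A", "VULN-C"})


def exploited(f: Finding) -> bool:
    """Join the finding against the threat-intel feed (the step the post calls 'shining a light')."""
    return f.vuln_id in KNOWN_EXPLOITED


def likelihood(f: Finding) -> float:
    """Weight in 0..1 for how likely this finding is to actually be attacked."""
    if exploited(f):
        base = 1.0                            # active exploitation trumps any scanner score
    else:
        base = 0.05 + 0.30 * f.cvss / 10.0    # severity alone is weak evidence of attack
    if f.asset.internet_facing:
        base *= 1.5                           # exposed assets are attacked more often
    return min(base, 1.0)


def impact(f: Finding) -> float:
    """Weight in 0..1 for how much the business would be hurt if the asset were compromised."""
    return f.asset.criticality / 5.0


def risk_score(f: Finding) -> float:
    """0..100: how much this finding matters to the business right now."""
    return 100.0 * likelihood(f) * impact(f)


def remediation_plan(f: Finding) -> str:
    """Turn the score into an SLA; low-consequence fixes do not justify an outage."""
    s = risk_score(f)
    if s >= 70:
        return "emergency change: patch or mitigate within 72h"
    if s >= 40:
        return "next patch cycle (<= 14 days)"
    if s >= 15:
        return "scheduled (<= 45 days)"
    if f.patch_disruption >= 4:
        # Minor consequence and a disruptive fix: wait for a window, but keep
        # re-checking the feed, because exploitation status changes over time.
        return "defer to maintenance window; re-check threat intel monthly"
    return "routine (<= 90 days)"


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Highest risk first; this is the queue the team works from."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample assets and findings.
PAYMENTS = Asset("payments-api", criticality=5, internet_facing=True)
JUMPBOX = Asset("dev-jumpbox", criticality=2, internet_facing=False)
HR_PORTAL = Asset("hr-portal", criticality=3, internet_facing=False)

FINDINGS = [
    Finding("VULN-A", PAYMENTS, cvss=5.5, patch_disruption=2),   # "medium" by CVSS, but exploited
    Finding("VULN-B", JUMPBOX, cvss=9.8, patch_disruption=5),    # "critical" by CVSS, no exploitation
    Finding("VULN-C", HR_PORTAL, cvss=7.5, patch_disruption=3),  # exploited, internal, mid-value asset
    Finding("VULN-D", PAYMENTS, cvss=9.8, patch_disruption=4),   # "critical", exposed, not yet exploited
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.vuln_id} on {f.asset.name:<13} cvss={f.cvss:<4} "
              f"exploited={str(exploited(f)):<5} score={risk_score(f):5.1f} -> {remediation_plan(f)}")
```

Run as a script, the exploited medium-severity finding on the payments API lands at the top of the queue and the unexploited critical on the developer jump box lands at the bottom, deferred rather than dropped because its fix would require an outage. The weights are the part a real program would tune and, more importantly, re-run as the threat-intelligence feed changes: a finding that was "not exploited" last month can be at the top of the queue this month.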
Answer: Risk-based vulnerability management is the combination of vulnerability assessments and risk assessments. Using both criteria results in more efficient and effective cybersecurity activities.
Answer: Risk-based vulnerability management requires performing both a vulnerability assessment and a risk assessment. With the results in hand, an organization can properly prioritize its remediations.
Answer: Vulnerability management is assessing the overall areas in which an organization has vulnerabilities, which can include software, hardware, and network vulnerabilities. Patch management is determining the vulnerabilities that need to be patched, when those patches should be installed, and how to install them without disrupting other functionalities or operations.
Answer: Patch management is a subset of vulnerability management.
Answer: Patch management must be driven by the risk the organization faces if the patch is not applied. Often a patch can be deprioritized because the vulnerability has not been exploited and is unlikely to be, though that status must be re-checked as threat intelligence changes. Once prioritized, the patching must be done in a thoughtful, deliberate manner.
Effectively prioritizing your vulnerabilities and orchestrating their remediation requires technology capable of centralizing your siloed and fragmented systems, so your team gets the full view of what's really a threat to your organization. NopSec maximizes the impact of your security team. With 67% of NopSec customers improving their RBVM Maturity Score in six months and 45% less time spent in annual data triage, NopSec helps you achieve your security program's goals and improve team effectiveness in a rapid and measurable way.
From customized context on the threats your organization faces based on your unique environments, to managed penetration testing and more, NopSec has the technology and expertise to give your security team more bandwidth and peace of mind.
See how NopSec helped Urban One’s new CISO drive efficiency and risk reduction and paid for itself 2.5 times in the first year alone.