Why Adopt Risk-Based Vulnerability Management Approaches
Adam Palmer, Chief Cybersecurity Strategist, Tenable, highlights key reasons why it is necessary for organisations to embrace risk-based vulnerability management approaches
Organisations have embraced cloud-based technologies to support a distributed workforce, particularly during the current health crisis. These new technologies are mixed with traditional IT systems rife with data silos and outdated operational processes. The challenge is that legacy security approaches weren’t designed to handle an attack surface of this size and complexity. And the results are evident as, according to a recent study conducted by Forrester Consulting on behalf of Tenable, 94 percent of global organisations suffered at least one business-impacting cyberattack in the last 12 months.
While it might feel insurmountable, the majority of cyberattacks can be traced back to unfixed, yet known vulnerabilities. To put things into perspective, there were 17,313 new vulnerabilities disclosed in 2019 — yet attackers leveraged only a small subset of these for attacks.
Security teams need to focus on the vulnerabilities that affect critical assets first, instead of being distracted by those that are unlikely to be exploited or to pose a significant threat to the business’ ability to function.
Here are five reasons organisations should adopt a risk-based approach to vulnerability management (RBVM):
Context-Based Decisions
Correlate and analyse essential vulnerability characteristics along with other key contextual elements, including the criticality of the assets affected, threat and exploit intelligence. Organisations can also conduct an assessment with a view of current and likely future attacker activity. This helps organisations understand the actual business risk posed by each vulnerability.
Don’t Get Distracted
Prioritising remediation efforts using the Common Vulnerability Scoring System (CVSS) alone isn’t enough. This is because CVSS is limited to a theoretical view of the risk a vulnerability could potentially introduce, rather than the actual risk it poses to the organisation. CVSS doesn’t take into account whether the vulnerability is being exploited in the wild, or whether it impacts a business-critical service or system.
Risk-based vulnerability management helps organisations understand all vulnerabilities in the context of business risk so that data can be used to prioritise remediation efforts. The ability to do so empowers security teams to move beyond the inherent problems of using CVSS in isolation. Instead, they can address true business risk as opposed to wasting valuable time chasing vulnerabilities that have a low likelihood of being exploited.
Organisations need to be able to assess modern assets, as well as traditional on-premises IT environments, to eliminate the blind spots that plague legacy tools. By having visibility into the entire attack surface, security teams can determine which vulnerabilities to prioritise for remediation based on risk – regardless of where they reside in the network.
Strategic and Purposeful
Limiting assessments to assets that fall within the audit scope can cause critical systems to be ignored. Instead, continuously discover and assess the risk associated with all business-critical assets across the attack surface. Security teams should also employ analytics that dynamically assess changes in vulnerability, threat and asset criticality data to determine risks in real time.
Keep Disruption To a Minimum
By leveraging machine learning and artificial intelligence to instantaneously digest feeds from various sources, security teams can build a picture of the enterprise that focuses on the business’ critical assets and the actual threat they face. These insights empower security teams to adjust their remediation strategy in near real time. This proactively addresses the vulnerabilities that pose the most risk to the organisation, while minimising disruptions from new vulnerabilities and zero-day exploits that gain media attention.