The average enterprise is beset by millions of vulnerabilities—digital weaknesses that can make computer systems, networks, applications, and IoT devices susceptible to cyber attacks. And as companies grow and their assets and networks proliferate, their attack surface grows with it.
This should be a sobering thought for any Security or IT team responsible for patching those digital holes ahead of the next malicious attempt, malware infection, DDoS attack or ransomware infiltration. Since only 2% to 5% of all those vulnerabilities will probably emerge as legitimate threats to your IT environment, how can you know with confidence which are likely to be weaponized?
Well, you can’t. At least not without help. That’s why vulnerability management platforms are rapidly moving away from merely scanning and identifying vulns (an unhelpful “everything’s at risk” approach that led security and IT teams to try to patch all known vulnerabilities) toward predicting which vulnerabilities will pose a threat and then prioritizing those.
In other words, the industry has moved toward risk-based vulnerability management (RBVM). As a segment of vulnerability management overall, the RBVM market has been evolving for a decade, with breakthroughs in prioritization and predictive modeling assisted by machine learning and other advanced techniques. But only lately have multiple vendors begun to crowd the space. The reason is that in the past two years, virtually everyone has awakened to the realization that defending businesses from hackers and other cyber threats lies in their ability to predict and block the next knock-out punch.
That’s why it’s now clear the future of vulnerability management is risk-based.
A consensus around the “critical need” to focus on risk
Whether it goes by that specific acronym or not, RBVM has been identified by a growing number of industry analysts as a defining trend in how enterprises defend themselves against cyber threats. In its 2019 Market Guide for Vulnerability Assessment, I believe Gartner clearly spotlights risk-based methodologies as a growth area: “Gartner has called out the critical need to assess assets for configuration issues and vulnerabilities, and to be able to prioritize what you do with that assessment, based on the risk to your organization.” [Gartner, Inc.: Market Guide for Vulnerability Assessment, Craig Lawson, Mitchell Schneider, Prateek Bhajanka, Dale Gardner, Nov. 20, 2019.]
Gartner is in good company. The Forrester Wave™: Vulnerability Risk Management, Q4 2019 takes a close look at 13 providers of various vulnerability management solutions. While some providers naturally fare better than others, those who have long focused on risk tend to score well within Forrester’s assessment.
451 Research also recently weighed in, acknowledging in an April 2019 report that determining which vulnerabilities pose real threats is “a long-standing problem in security that has only become worse as enterprise IT environments have grown increasingly complex.” To combat this, the research firm also has observed “a renewed emphasis on vulnerability remediation and risk reduction.”
So it’s clear that leading analysts increasingly recognize that features like risk-based prioritization are critical to modern vulnerability management solutions today, and will likely become even more critical in the future.
Evolving from basic tools
One reason RBVM is the wave of the future is that vulnerabilities have simply become too overwhelming to manage with basic tools that don’t factor in risk. For example, many enterprises still rely on the free, open Common Vulnerability Scoring System (CVSS) as their primary way of determining which vulns to fix first. But CVSS has its limits. As 451 Research notes, under CVSS v3, you could scan 2 million vulnerabilities and 33% of them will be classified as critical. If your enterprise has 2 million vulnerabilities in total, then cheers! You’re now the proud parent of 660,000 critical vulnerabilities.
What’s missing from that picture is an understanding of the risk each of these vulns pose to your specific organization—a distinction Gartner makes in the report I cited earlier. The point is that the same vulnerability might present a much higher risk to your organization than it does to mine. Here’s 451 Research explaining the problem beautifully:
A vulnerability with a CVSS score of 9 that is found on a low-sensitivity asset that isn’t exposed externally and has no known exploit code will likely be a lower priority to a given enterprise than one with a CVSS score of 6 found on an exposed server that stores sensitive information with exploit code readily available…
Note the factors involved in determining the risk to your specific organization:
- How sensitive is the vulnerable asset?
- Is the asset exposed externally?
- Is there known exploit code associated with that vulnerability?
Though you’d need to address many other factors to get a full sense of the relative risk of a vulnerability, answering just these three questions manually would take considerable time for a handful of vulnerabilities. It would take forever to answer them for 660,000 vulnerabilities. That is why analysts are bullish on RBVM solutions: they do the heavy lifting of automating that analysis, and then prioritize the vulnerabilities so you’re always focused on remediating the vulns that pose the greatest risk.
Benefits to the business
With an RBVM platform, IT and Security organizations suddenly have a clear idea of what to fix first and what patches are acceptable to apply over time. They spend less time chasing vulnerabilities that attract alarming headlines but aren’t always a threat to many, even most, organizations. These newfound efficiencies give Security and IT teams more time to tick off those projects they’ve been meaning to get to, or to focus on more strategic, higher-value activities.
And by prioritizing vulns based on risk, the friction that often exists between Security and IT teams largely disappears. No longer does Security demand that IT complete a patch list so long it’s meaningless. Now everyone understands what’s a priority and what isn’t. Security gains the confidence that they’re protecting the enterprise, and IT ensures that it’s addressing cybersecurity concerns while ensuring that remediation efforts don’t adversely impact application or web services availability.
That’s been the case at HSBC, one of the world’s largest banking and financial services organizations, which deployed an RBVM platform last year to manage security practices across its numerous IT divisions. Grant Bourzikas, HSBC Group CISO, notes that remediating based on the risk to HSBC “enabled us to unify security and IT across multiple business units, improving efficiency.”
And since corporate boards spend a lot of time worrying about risk—a Deloitte study found that risk is the No. 2 priority for board members and corporate secretaries—IT and Security teams take the same intuitive indicators that help them work together and use them to communicate how they’re lowering risk for the organization overall.
More data and greater insight
If RBVM is the future of vulnerability management, then what’s the future of RBVM? What should you look for?
- Seek out modern platforms that incorporate more external threat sources into their prediction engines, so that evidence-based guidance and predictive data science do an even better job of anticipating which vulnerabilities are most likely to be exploited.
- Expect the most advanced solutions to continue to improve collaboration and communication among Security teams, IT teams, and beyond.
- Insist that your platform provides extensive integration with third-party scanners and other software to ensure a comprehensive, real-time view of your enterprise stack.
- Expect your RBVM solution to produce not just lists or scores, but actionable insights and plans that your teams can execute immediately.
It’s clear there are many good reasons to believe the future of vulnerability management is risk-based. In fact, there are millions of them.