Prioritizing Vulnerability Remediation

Given that more than half of all breaches can be traced to, or involve in some way, an unpatched vulnerability, the process of prioritizing vulnerability remediation is key to ultimately reducing the vulnerability risk of an enterprise meaningfully.  In the post below, we answer some of the most common questions about vulnerability remediation.

What is Vulnerability Remediation?


The process of neutralizing the exposure of a software vulnerability to an attack is called vulnerability remediation.  There are a few general vulnerability remediation solutions:

- “Patch” the vulnerability by replacing the older version of the software with a newer version that includes a fix for the vulnerability

- Isolate the asset with the vulnerability or otherwise re-configure network settings to make it difficult or impossible for unauthorized users to access the asset

- Remove the asset from the network or the vulnerable software from the asset

Each of these options can often be either extraordinarily difficult to accomplish, or even flat out impossible, as networks are complex, and taking assets offline to patch and test can mean that critical business systems are unavailable for a period of time.  Thus, the remediation of vulnerabilities can appear, at first glance, to be straightforward, but in practice, presents significant problems for most organizations.


What is remediation in security?


The term remediation in the field of cyber security typically refers to addressing, often by patching, security holes in software that can expose the organization to a successful cyber attack. Remediation can take different forms, for example, network isolation or configuration changes, but remediation in security usually involves replacing the software with the flaw with an updated version in which the flaw has been fixed. Remediation in security is often the responsibility of an IT or infrastructure team, although the information security team is closely involved in the process, and responsible for the initial identification of the vulnerabilities using tools called vulnerability assessment or vulnerability management tools.

Remediation in security can be challenging since it often involves “patching” software with flaws - another way to say “vulnerabilities” - a process that requires installing new software that has fixed the flaw. Although that may sound relatively straightforward, installing new software can incur risk, as the newer version could break existing functionality. Patches need to be tested, and the process of installation and testing can require critical business systems to be brought off-line, a potential challenge to the continuity of business operations. All in all, remediation in security is critical to an effective cyber security program, but it can be expensive and intrusive when done correctly.

What is the importance of vulnerability assessment and risk remediation?


One of the key pillars of enterprise cyber security is vulnerability management. Information security experts estimate that more than half of all successful cyber breaches can be connected to an unpatched vulnerability. Thus, a major element of risk mitigation can be attributed to the identification, and most importantly, the remediation of vulnerabilities. The first step in any vulnerability remediation solution, however, is a vulnerability assessment: the process of discovering assets on the network and then identifying vulnerabilities on those assets. The challenge for most organizations is to move beyond the vulnerability assessment stage and on to prioritizing vulnerability remediation. A vulnerability assessment can sometimes be mistaken for a vulnerability management program, but if the assessment and the accompanying reports are not followed up with vulnerability remediation, then there will be no risk reduction benefit from the assessment. If risk remediation is the objective, then a vulnerability assessment alone will not provide the results one may expect.

Who is Responsible for Vulnerability Remediation?


Remediation of vulnerabilities is typically handled by the IT or infrastructure team. However, the identification of vulnerabilities on the network is often the purview of the cyber security team, and this separation of responsibilities can result in political conflict given the number of vulnerabilities on the typical enterprise network. The information security team, using network scanning technology that is very good at finding vulnerabilities, may identify thousands or even millions of vulnerabilities, a number that is simply impractical for an IT team to remediate in total. This is why modern vulnerability remediation solutions need a reliable, meaningful means of prioritizing vulnerability remediation efforts, for example, Delve Labs’ leading edge Contextual Vulnerability Prioritization. With a robust and intelligent prioritization solution, the IT team is not left holding the bag (full of hundreds of thousands of vulnerabilities), but rather has a vulnerability remediation solution that can guide their remediation efforts and maximize the efficiency of their remediation resources, and so maximize the reduction of vulnerability risk across the enterprise.


What is the difference between mitigation and remediation?


In the context of vulnerability management, the difference between mitigation and remediation is subtle, and they’re closely related.  Most organizations attempt to mitigate their vulnerability risk by deploying a vulnerability management program. And the key to any vulnerability management program is the remediation of vulnerabilities. So, in the simplest terms, mitigation requires remediation, and the most effective vulnerability remediation solutions are very good and efficient at prioritizing vulnerability remediation. Prioritization is critical because most enterprise networks have hundreds of thousands of vulnerabilities, and it’s simply not feasible to patch them all.

Note that there are those who may define vulnerability mitigation as the process of addressing a vulnerability without patching it, for example by re-configuring the network or building in policies that isolate the asset with the vulnerability. In this definitional approach, remediation is reserved for traditional patching. However, most practitioners would define remediation as eliminating the risk from the vulnerability, which could take the form of patching or another tactic like isolation or access policy modification.

The remediation process in vulnerability management starts with asset discovery and scanning, or the process of identifying the vulnerabilities on the enterprise network.  Scanning technology can use agents and can also be agent-less.  After the network is scanned and, presumably, all vulnerabilities are identified, the list of vulnerabilities can be overwhelmingly large, perhaps tens or even hundreds of thousands. Thus, the next step is the most crucial:  prioritizing vulnerability remediation. Most prioritization methods are outdated, many relying on the flawed CVSS score (which excludes the vulnerability’s context on the network as a factor in its prioritization) or highly manual efforts to determine which vulnerabilities need to be addressed first, and which can be deprioritized. Delve Labs, for example, offers a state-of-the-art, machine learning-based solution called contextual prioritization that accounts for over 40 factors in determining remediation priorities.

Once the remediation priorities are in place, the highest risk vulnerabilities are then remediated, a process that most typically involves installing updated versions of the software with the vulnerability. The process may involve bringing the system housing the software off-line temporarily, and is also likely to include testing after the patch has been applied, as updating software can break existing systems or those they’re connected to.

Typically, vulnerability remediation solutions are integrated with ITSM (information technology service management) systems like ServiceNow, or other task tracking systems like Jira. So, after a patch has been installed and tested, the team responsible can track their progress and record work that has been accomplished.


What are the normal steps to take to remediate a vulnerable system?


Remediating a vulnerability or a vulnerable system can be done in multiple ways, but the most common is to apply a software patch, or, in other words, to replace the vulnerable software with an updated version in which the vulnerability or flaw has been fixed. Other vulnerability remediation solutions include isolating the asset with the vulnerability on the network or limiting its access to specific credentialed users. Adjusting network access policies can also be used as a method to remediate a vulnerable system. No matter which technique is used, the remediation of vulnerabilities is key to reducing the overall cyber risk of an organization, and prioritizing vulnerability remediation among the myriad other tasks on the plates of IT and security professionals is where that vulnerability risk reduction starts.


What are the Challenges of Vulnerability Remediation?


Remediation of vulnerabilities is a challenge for two primary reasons that are closely related:

- Most enterprise networks house hundreds of thousands of vulnerabilities, and new ones are released every day

- Patching vulnerabilities is not only time-consuming and resource-intensive, but is also risky, as installing updated software can break the system on which the software resides, or those it’s connected to

It’s because of these factors that effective vulnerability remediation solutions emphasize meaningful, automated prioritization, maximizing risk reduction for a given amount of patching activity. With robust prioritization, IT or other remediation teams can be confident that the effort and risk associated with patching and the remediation of vulnerabilities will be focused on the highest risk vulnerabilities to the organization, and not squandered patching vulnerabilities that are low priority.

There’s no magic bullet that can eliminate the challenges of vulnerability remediation, but modern remediation prioritization can go a long way toward mitigating the pain of those challenges.


How do you prioritize vulnerability remediation?


The short answer: in context. Until recently, IT and security teams relied on the CVSS score to bucket vulnerabilities on their networks into high, medium, and low categories, a method that provided a good first pass at understanding which vulnerabilities needed to be addressed immediately, and which could wait. The CVSS score aided the triage process in vulnerability management, which mirrors the same process in a typical hospital emergency room: all patients (or vulnerabilities) are important, but some are much more important than others. Knowing the difference reliably and meaningfully is the key to prioritizing vulnerability remediation. Currently, the conventional “state-of-the-art” in vulnerability remediation prioritization is predictive exploitation, or the attempt to predict whether or not a vulnerability will have an exploit published for it at some point in the future. This is a reasonable step beyond CVSS, but it still ignores the vulnerability’s context in the network on which it resides, which has by far the most to do with its criticality. An even more advanced vulnerability remediation solution is Contextual Prioritization, a technique pioneered by Delve Labs that accounts for over 40 factors when prioritizing vulnerability remediation, only one of which is predictive exploitation. Contextual prioritization uses machine learning and “the wisdom of the crowd” to calculate the relative priority of each vulnerability on an enterprise network every 5 minutes. To take a deep dive into the philosophy behind Contextual Prioritization, we recommend one of our latest blog posts written by our lead AI researcher.
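As an added illustration of the point made in this section and in the remediation process description above (this is example code, not part of the original post and not Delve Labs’ 40-factor Contextual Prioritization model), the script below ranks a constructed set of findings two ways: by CVSS severity bucket alone, and by a small hypothetical context score that folds in internet exposure, asset criticality and predicted exploit likelihood. The weights, field names and sample findings are all assumptions chosen to show how context can reorder a CVSS-only list.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding enriched with asset context (fields are assumptions)."""
    host: str
    cve: str                 # placeholder identifiers only
    cvss: float              # CVSS v3 base score, 0.0 to 10.0
    internet_facing: bool    # exposure: reachable from outside the perimeter
    asset_criticality: int   # 1 (lab box) to 5 (crown jewel), set by asset owner
    exploit_likely: float    # 0.0 to 1.0, predicted probability of a public exploit


def cvss_bucket(f: Finding) -> str:
    """Context-free triage using the standard CVSS v3 severity bands."""
    if f.cvss >= 9.0:
        return "critical"
    if f.cvss >= 7.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"


def context_score(f: Finding) -> float:
    """Hypothetical contextual score: CVSS scaled by exposure, criticality and exploit outlook."""
    exposure = 1.0 if f.internet_facing else 0.4          # assumed weight
    criticality = f.asset_criticality / 5                 # normalise 1..5 to 0.2..1.0
    exploit = 0.5 + 0.5 * f.exploit_likely                # never fully discount a finding
    return f.cvss * exposure * criticality * exploit


def cvss_order(findings: list[Finding]) -> list[str]:
    """Hosts ordered by CVSS alone, highest first."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def context_order(findings: list[Finding]) -> list[str]:
    """Hosts ordered by the contextual score, highest first."""
    return [f.host for f in sorted(findings, key=context_score, reverse=True)]


# Constructed sample findings (hosts and CVE ids are placeholders, not real data).
SAMPLE = [
    Finding("dmz-web-01", "CVE-0000-0001", 7.5, True, 5, 0.8),
    Finding("lab-test-07", "CVE-0000-0002", 9.8, False, 1, 0.2),
    Finding("erp-db-02", "CVE-0000-0003", 8.8, False, 5, 0.5),
    Finding("vpn-gw-01", "CVE-0000-0004", 6.5, True, 4, 0.6),
]
```

Sorting the sample by CVSS alone puts the isolated lab box first, while the contextual ranking moves the internet-facing crown jewel and the VPN gateway ahead of it; that reordering is exactly what a remediation queue handed to the IT team should reflect.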


Can Vulnerability Remediation be Automated?


Elements of vulnerability remediation can be automated, but it’s unlikely that patching vulnerabilities can ever be completely handed off to even the most advanced automated system.  As discussed above, perhaps the most critical element of vulnerability management - prioritizing vulnerability remediation - is being automated today using machine learning technology to take the human effort out of the remediation prioritization process.  There have been attempts to automate patching, and there are certain systems that can be patched and updated without human intervention, but most vulnerabilities require human-based remediation and the subsequent testing required to validate patches.

Given the reality and risk of updating complex enterprise software and systems, the most effective technologies work to automate all the vulnerability management functions leading up to the actual remediation, including discovery, scanning, prioritization, and remediation planning. Doing so doesn’t completely automate the entire vulnerability management process, but it can remove a great deal of manual effort from VM operations.


What is a vulnerability assessment tool?


A vulnerability assessment tool is typically a tool that discovers assets on an enterprise network and scans those assets for vulnerabilities, often delivering voluminous reports that list hundreds of thousands or even millions of vulnerabilities on large corporate networks. A vulnerability assessment tool may include custom reports that aid in regulatory compliance (for example ISO, NIST, or PCI), and they often include the ability to customize scans and manually identify business-critical assets.

A vulnerability assessment tool differs from a vulnerability management tool in that the latter includes all elements of an assessment tool, but also includes mechanisms for prioritization and intelligent remediation planning.  Delve Labs is one company offering a comprehensive vulnerability management solution, part of which includes a vulnerability assessment element. Typically, an organization driven by compliance adherence and reporting requirements will opt for a vulnerability assessment tool, while an organization working to genuinely reduce its vulnerability-related information security risk will deploy a more action-oriented vulnerability management solution.
