What is Risk Based Vulnerability Management?
August 13, 2020
To understand risk based vulnerability management, it’s first important to appreciate the history of vulnerability management, and how the concept of risk based vulnerability management evolved.
The major vulnerability assessment companies were all founded between 1999 and 2002, while the CVSS vulnerability scoring system was introduced in 2005. Thus, conventional vulnerability management, as defined by the historical players in this market, has been around for nearly two decades.
The initial emphasis in this space was the identification of vulnerabilities, so discovery and scanning drove innovation, and reports listing the vulnerabilities found by scanners were effectively the deliverables. The teams responsible for fixing or remediating those vulnerabilities were largely on their own to decide which ones should be remediated. Moreover, there were fewer vulnerabilities to worry about in the early days of vulnerability management: 4,932 vulnerabilities were published in the NVD in 2005, compared with 17,306 in 2019. And those figures count only newly published vulnerabilities; the cumulative backlog from prior years, far larger in 2019 than in 2005, comes on top of them.
During this time, there were no tools to assess the risk of individual vulnerabilities on a given network beyond the CVSS score. CVSS is a good first step, but it is a flawed metric when relied upon alone: the base score rates the technical severity of a vulnerability in the abstract, and says nothing about whether the affected asset matters, whether it is reachable, or whether anyone is actually exploiting the flaw. Only in the past few years have technologies and solutions become available that classify the risk of individual vulnerabilities on individual networks.
Risk based vulnerability management is a strategy for handling the myriad vulnerabilities on a typical enterprise network according to the risk each individual vulnerability poses to the organization. At first blush, the concept sounds relatively simple, but when most organizations are confronted with tens of thousands, hundreds of thousands, or even millions of vulnerabilities, determining which pose the most risk to the organization is a non-trivial undertaking. The key to risk based vulnerability management, and the primary departure from the static, one-size-fits-all CVSS score, is a comprehensive analysis of each vulnerability in its context on the network and in the current external threat environment. To build a context-based risk score, five categories are accounted for, with a number of subfactors in each that can collectively total more than 40 overall. The five basic categories are:
- Vulnerability - the individual characteristics of the vulnerability itself. Here, the CVSS score offers a sound starting point for the vulnerability risk analysis.
- Asset - the asset (machine, device, etc.) on which the vulnerability resides. For example, is the asset critical to the organization in some way, or does it house critical or sensitive information?
- Network - the unique characteristics of the network environment in which the asset is located. Is the asset connected to the internet, for example, and what policies or controls around the asset make it more or less susceptible to attack?
- Organization - how are the vulnerability and the asset on which it resides related to the business objectives of the organization?
- External Threat Environment - is the vulnerability associated with trending topics on chat boards, the dark web, and other social feeds? Is an exploit available for it now, or is one likely to be published in the future?
Considering all these factors when assessing the risk of an individual vulnerability provides a 360 degree view of its threat to the organization. Doing so for each vulnerability means the organization can risk rank all its vulnerabilities, no matter how numerous, and make intelligent decisions on where to deploy precious remediation resources. This is the essence of risk based vulnerability management.
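To make the five-category scoring concrete, here is an added example that is not part of the original page and is not Delve's engine or any vendor's model. It scores a handful of constructed findings with one illustrative sub-factor per category (the weights, the sub-factors, the reduction per compensating control and the sample findings are all assumptions made for this example) and ranks them. The point it demonstrates is the one the article makes: a CVSS 9.8 flaw on an isolated, unimportant host can rank below a CVSS 7.5 flaw on an internet-facing, business-critical system with a public exploit, and re-scoring the same finding after an exploit is published moves it up the list.

```python
"""Context-based vulnerability risk ranking over the five categories
(vulnerability, asset, network, organization, external threat).

Illustrative example: the sub-factors, weights and sample findings below
are assumptions, not any vendor's scoring model.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    finding_id: str             # placeholder label, not a real identifier
    asset: str
    cvss_base: float            # Vulnerability: CVSS base score, 0-10
    asset_critical: bool        # Asset: business-critical system?
    holds_sensitive_data: bool  # Asset: stores sensitive/regulated data?
    internet_exposed: bool      # Network: reachable from the internet?
    compensating_controls: int  # Network: WAF, EDR, segmentation, ... in place
    business_impact: float      # Organization: 0-1 impact if compromised
    exploit_public: bool        # External threat: working exploit available now?
    exploit_predicted: float    # External threat: 0-1 likelihood an exploit appears
    threat_chatter: bool        # External threat: trending on forums / dark web?


# Assumed category weights; they must sum to 1.0.
WEIGHTS = {"vulnerability": 0.25, "asset": 0.20, "network": 0.15,
           "organization": 0.15, "threat": 0.25}


def category_scores(f: Finding) -> dict[str, float]:
    """Normalise each category to 0-1 from its sub-factors (assumed formulas)."""
    vuln = f.cvss_base / 10.0
    asset = 0.6 * f.asset_critical + 0.4 * f.holds_sensitive_data
    # Internet exposure is the dominant network factor; each compensating
    # control (up to three) removes 25% of the exposure, with a floor of 0.2
    # because controls reduce, but never eliminate, reachability.
    exposure = 1.0 if f.internet_exposed else 0.4
    network = max(0.2, exposure * (1 - 0.25 * min(f.compensating_controls, 3)))
    org = f.business_impact
    # A public exploit saturates the threat score; otherwise use the predicted
    # likelihood, and add a bump for active chatter.
    threat = 1.0 if f.exploit_public else 0.6 * f.exploit_predicted
    threat = min(1.0, threat + (0.2 if f.threat_chatter else 0.0))
    return {"vulnerability": vuln, "asset": asset, "network": network,
            "organization": org, "threat": threat}


def contextual_risk(f: Finding) -> float:
    """Weighted 0-100 risk score for one finding in its context."""
    s = category_scores(f)
    return round(100 * sum(WEIGHTS[k] * s[k] for k in WEIGHTS), 1)


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest contextual risk first: this is the remediation order."""
    return sorted(findings, key=contextual_risk, reverse=True)


# Constructed sample findings (not real assets or vulnerabilities).
LAB_BOX = Finding("finding-A", "lab-build-01", cvss_base=9.8,
                  asset_critical=False, holds_sensitive_data=False,
                  internet_exposed=False, compensating_controls=2,
                  business_impact=0.1, exploit_public=False,
                  exploit_predicted=0.3, threat_chatter=False)
CUSTOMER_PORTAL = Finding("finding-B", "portal-web-01", cvss_base=7.5,
                          asset_critical=True, holds_sensitive_data=True,
                          internet_exposed=True, compensating_controls=0,
                          business_impact=0.9, exploit_public=True,
                          exploit_predicted=1.0, threat_chatter=True)
INTERNAL_APP = Finding("finding-C", "erp-app-02", cvss_base=5.3,
                       asset_critical=True, holds_sensitive_data=False,
                       internet_exposed=False, compensating_controls=1,
                       business_impact=0.5, exploit_public=False,
                       exploit_predicted=0.5, threat_chatter=False)
SAMPLE_FINDINGS = [LAB_BOX, CUSTOMER_PORTAL, INTERNAL_APP]


def remediation_order(findings: list[Finding] = SAMPLE_FINDINGS) -> list[str]:
    """Finding IDs in the order they should be remediated."""
    return [f.finding_id for f in rank(findings)]


def rescored_after_exploit(f: Finding) -> float:
    """Same finding re-scored once a public exploit appears (threat env changes)."""
    return contextual_risk(replace(f, exploit_public=True))


if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.finding_id} on {f.asset}: CVSS {f.cvss_base} -> risk {contextual_risk(f)}")
    print("finding-A if an exploit is published:", rescored_after_exploit(LAB_BOX))
```

Running the module prints the ranked list with finding-B first and the CVSS 9.8 finding-A last; the re-score shows finding-A jumping by roughly 20 points once an exploit exists, which is why the external-threat category has to be re-evaluated continuously rather than scored once at discovery.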
What is the strategy behind risk based vulnerability management?
Risk based vulnerability management is designed to address two key objectives:
- Genuinely reduce an organization’s risk of being breached as the result of an un-remediated vulnerability
- Effectively manage the overwhelming number of software vulnerabilities that are present on the typical enterprise network, and that are newly published every day
Confronted by an existing vulnerability count that can number in the millions on some enterprise networks, security and IT teams can become overwhelmed by the sheer volume of vulnerabilities. Couple that with seemingly endless pronouncements about the latest “critical” vulnerability that must be patched “ASAP,” and it’s difficult to overstate the confusion and challenge confronting organizations pursuing legitimate vulnerability risk reduction.
Thus, risk based vulnerability management brings a strategy to confront this vulnerability overload challenge that just about every organization encounters. By providing a means to identify the vulnerabilities that truly pose a risk to the organization out of the hundreds of thousands on the network, risk based vulnerability management provides a remediation roadmap for IT teams to follow, and that roadmap ultimately leads - if followed - to a legitimate reduction in enterprise vulnerability risk.
Is risk based vulnerability management easy?
With the advent of modern vulnerability management solutions, including advanced tools like contextual vulnerability prioritization, risk based vulnerability management is certainly easier than it ever has been. And, indeed, there is an argument to be made that practically accomplishing a risk based vulnerability management program has only been possible with the introduction of such technical capability. For example, if an organization were called upon to determine which vulnerabilities out of, say, 200,000 pose the highest risk to the organization, doing so manually is simply not feasible. Now, however, a solution like Delve Lab's ML-driven contextual prioritization engine can evaluate each vulnerability on a given enterprise network using over 40 factors, and determine the relative risk of each every five minutes, all without any human intervention. Such technology, without question, makes implementing a risk based vulnerability management program far easier than it would have been just a few short years ago.
Is prioritization important in risk based vulnerability management?
Not only is meaningful vulnerability and remediation prioritization important, it’s the essence of risk based vulnerability management. It’s simply impossible to have one without the other. And the operative word here is “meaningful.” There are a number of superficial ways to prioritize vulnerabilities, but only a comprehensive, contextualized view of the risk of each vulnerability provides the confidence that remediation teams need to trust the result. Risk based vulnerability management assumes that not all vulnerabilities are going to be remediated, so it’s very important that those identified as high risk and earmarked for timely remediation be the right ones.