What is Risk-Based Vulnerability Management?

In: #patching

Risk-based vulnerability management is the process of reducing vulnerabilities across the attack surface of an organization’s assets by prioritizing remediation based on the risks they pose. 

Unlike other vulnerability management techniques, risk-based vulnerability management goes beyond just discovering vulnerabilities. It assists the IT experts to know vulnerability risks with threat context and knowledge about the impact on business. 

Risk-based vulnerability management involves machine learning to link asset criticality, threat actor activity and vulnerability severity. It reduces vulnerability overload. This will help IT professionals focus on the vulnerabilities that pose the most risk. 

Nowadays, defenders are overwhelmed with the job of managing security vulnerabilities. In 2017, 17,000 new vulnerabilities were reported, a rate equaling one new vulnerability every 6 minutes. 

Nevertheless, the total number of vulnerabilities poses a problem for teams responsible for patching. Even if you have a competent security team, patching and testing can take a long time. This is based on the number of applications or systems and the types of resources involved.  

The constant stream of new vulnerabilities and the extended process of fixing them make it hard to manage them effectively without a strategy to determine priority. If vulnerability management teams focus on fixing the wrong vulnerabilities at the initial stage, they may waste lots of time and effort while exposing their organizations to unnecessary risk.

Vulnerability Management vs Risk Management

Generally, this situation happens to IT security teams with alarming frequency. For many years, defenders depend on CVSS scores to guide their patching prioritization. However, many high-scoring vulnerabilities present little or no possibility of getting exploited. Therefore, it poses minimal risk. 

More than 1000 vulnerabilities that are listed in the common vulnerabilities and exposures (CVE) list that was published by Microsoft in 2010 have a severity score of seven and above. Nevertheless, only a few of these vulnerabilities were used in exploits. 

How Enterprise Risk-Based Vulnerability Management Works

Risk-based vulnerability management (RBVM) is a technique that is designed to ensure that vulnerabilities are ranked for remediation in a way that reflects the level of risk those vulnerabilities pose to an organization’s most valuable assets.

This process often starts with ensuring full visibility exists within a secure environment, which includes data, applications, users and devices. It’s not possible to secure what cannot be seen, so organizations need to have visibility into traffic, endpoints and cloud environments. Without this visibility, defenders are flying blind.

The next step in the process is scanning and monitoring attack vectors to detect any security gaps that exist. Given the wide range of vulnerabilities that continue to arise, this process should be continuous and include the fullest possible range of attack vectors.

Once those vulnerabilities are known, the risk context then becomes vital. This means knowing the severity of vulnerabilities, the criticality of each asset, the impact of successful exploits, the likelihood of exploits and the existing security controls in place.

Once risk is known and scored, remediation work can start in a way that prioritizes addressing the relatively small number of exposures that present the highest risk to critical assets.

Generally, this risk-based vulnerability management process limits risk through the continuous assessment of vulnerabilities for key risk factors and the ranking of vulnerabilities that are more likely to be exploited while having the most hostile impact.

For most of today’s IT organizations, the best way to ensure that risk-based vulnerability management or threat-based vulnerability management is executed properly is through the integration of an advanced risk-based vulnerability management tool that is designed to do the following:

  • Identify vulnerabilities in a continuous manner. Visibility into evolving vulnerabilities is critical and you cannot defend what you cannot see. A continuous view is vital.
  • In addition to continuous identification, such tools must provide the critical risk context by providing risk-based patch management. If you do not understand risk, you cannot prioritize effectively.
  • Finally, such tools should also provide least-effort remediation to ensure that the most dangerous vulnerabilities are addressed quickly.

By following an up-to-date risk-based vulnerability management technique and using the right supporting software, organizations can save time and money and better protect their most valuable assets.

Five basic vulnerability management categories are used to construct a context-based risk score. Each category contains multiple sub-factors. The categories include the following:

  • Vulnerability: The individual characteristics of the vulnerability. In this case, the CVSS score offers a sound starting point for vulnerability risk analysis.
  • Asset: The asset on which the vulnerability resides. Is the asset critical to the organization? Does it house sensitive or critical information?
  • Network: The distinctive characteristics of the environment in which the asset is located. Is the asset connected to the Internet? What policies surrounding the asset make it more or less susceptible to attack?
  • Organization: How is the vulnerability and the asset on which it resides related to the organization’s business goals?
  • External Threat Environment: Is the vulnerability associated with trending topics on the dark web, chat boards and other social feeds? Is the vulnerability likely to have an exploit published for it in the future or is there one available now?

By considering these factors when evaluating the risk of an individual vulnerability, security operations teams can get a 360-degree view of potential threats to the organization. 

Doing so for each vulnerability means the organization can rank all its vulnerabilities regardless of how many there are, and they will be able to make intelligent decisions on where to deploy valuable remediation resources. This is the essence of risk-based vulnerability management.

Is Prioritization Essential in Risk-Based Vulnerability Management? 

Meaningful vulnerability and remediation prioritization is not only essential, but it’s also the main component of risk-based vulnerability management. It’s not possible to have one without the other. 

There are many ways to prioritize vulnerabilities, but only a comprehensive and contextualized view of the risk of each vulnerability provides the confidence remediation teams need to trust the result. Risk-based vulnerability management assumes that not all vulnerabilities are going to be remediated. Therefore, it’s essential that those identified as high risk and assigned for timely remediation be the right ones.


Photo by Felix Mittermeier on Unsplash

Written by Kent Weigle

Leave a Reply


    See all

    Related Post

    Strong Cyber Hygiene is only One Click Away

    Want to take TOPIA for a free ride? Schedule A Meeting with our 🐺team!

    Let us know what would like to see 😀