Jul 3, 2022

Risk Based Vulnerability Management. What is it? And why does my organisation need it?

Last year, the National Institute of Standards and Technology (NIST) reported that the number of vulnerabilities logged was a new record. Furthermore, over 50% of these vulnerabilities were classified as either 'critical' or 'high' severity. Vulnerability exploitation now happens indiscriminately across the modern attack surface, from local and remote endpoints to on-prem and cloud infrastructure to web applications and containers.

Given the above, a check-the-box, compliance-driven vulnerability management program will no longer cut it. As a result, there is a very good reason why the likes of Gartner have Risk-Based Vulnerability Management as item number 2 of their 'Top 10 Security Projects' for 2022.


What is Risk-Based Vulnerability Management?

First, let's define what Risk-Based Vulnerability Management is.

Risk-based vulnerability management (RBVM) is a process that reduces vulnerabilities across your attack surface by prioritising remediation based on the risks they pose to your organisation.


Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. Instead, it helps organisations understand vulnerability risks with threat context and insight into potential business impact. It helps you cut through vulnerability overload to focus on the relatively. 


For example, your vulnerability scanner may report that you have a Critical vulnerability. However, with a Risk-Based approach, you quickly learn that this vulnerability isn't likely to affect your organisation (e.g., a vulnerability in the payment gateway of your ERP system when you don't use that functionality).


The above may seem obvious; however, remember this isn't an isolated event: organisations are working through hundreds and even thousands of these vulnerabilities. In fact, at the last count NIST reported there were over 10,000. Unfortunately, most Australian cyber security teams are small and stretched thin.


How Can My Organisation Benefit?


Your organisation will undoubtedly have an extensive list of vulnerabilities to remediate. Think of it as a funnel: all of those vulnerabilities go into the top, and you sift through them by applying contributing factors.


Let's look at the contributing factors we should consider when prioritising vulnerabilities:

  1. Business Risk: Everything in your enterprise has an associated business risk, ranging from a low-risk asset (the desktop PC that only accesses email and a browser) to a very high-risk asset (the server containing all the personal information of your customers). As a result, organisations can focus remediation activities on the inherent risk (i.e., what would have the most significant impact if hacked, such as revenue or brand name).
  2. Exposure: Is this asset exposed on the internet? When organisations expose assets to the world outside their network perimeter, the risk of a vulnerability being exploited increases; this is low-hanging fruit for a hacker.
  3. Exploit Available: Is there a known exploit for the vulnerability? Remember, between 85% and 95% of all vulnerabilities released ARE NOT EXPLOITED. Let's put that into context: if we take an average of 90%, this means that of the 22,000 vulnerabilities released in 2021, only 2,200 (approx.) had exploits created for them, which narrows down the pool once more.
  4. Threat Context: Has it been exploited? Finally, if an organisation can determine that a vulnerability has both had an exploit released and been exploited in the wild (directly, through malware, or some other means), we can focus our efforts on these, as they pose the most significant danger, and we arrive at the small number of vulnerabilities to prioritise for our remediation efforts.

These contributing factors help your organisation answer the question 'what should I remediate first?' rather than basing your remediation approach on CVSS alone. As a result, the actual number of vulnerabilities for focused remediation is greatly reduced.
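To make the funnel concrete, here is an added example (not code from the original post or from any vendor) that folds the four contributing factors into a single ranking. The weights, the asset risk scale and the CVE identifiers are assumptions constructed for illustration, not a published formula; the point is that a CVSS-Critical finding on an unused component drops out while an exposed, actively exploited High on a crown-jewel server rises to the top.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str                 # placeholder identifier, constructed for this example
    cvss: float              # base severity as reported by the scanner
    asset_risk: int          # business risk of the asset, 1 (low) .. 5 (high); assumed scale
    exposed: bool            # reachable from the internet?
    exploit_available: bool  # is a public exploit known?
    exploited_in_wild: bool  # threat context: observed exploitation?
    in_use: bool = True      # is the vulnerable component actually used?


def risk_score(v: Vuln) -> float:
    """Combine the contributing factors into one number (weights are assumed)."""
    if not v.in_use:
        return 0.0                    # unused functionality: no reachable risk
    score = v.cvss * v.asset_risk     # severity scaled by business impact
    if v.exposed:
        score *= 1.5                  # internet-facing: low-hanging fruit
    if v.exploit_available:
        score *= 1.5                  # weaponised: far more likely to be used
    if v.exploited_in_wild:
        score *= 2.0                  # active threat context dominates
    return score


def prioritise(vulns, top_fraction=0.15):
    """Return the top slice of the funnel, highest contextual risk first."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    keep = max(1, round(len(ranked) * top_fraction))
    return ranked[:keep]


def sample_inventory():
    """Constructed sample data: four findings as a scanner might report them."""
    return [
        Vuln("CVE-0000-0001", 9.8, 1, False, False, False, in_use=False),  # unused ERP payment gateway
        Vuln("CVE-0000-0002", 7.5, 5, True, True, True),                   # exposed customer-data server
        Vuln("CVE-0000-0003", 9.1, 5, False, True, False),                 # internal, exploit public
        Vuln("CVE-0000-0004", 5.3, 3, True, False, False),                 # exposed, no known exploit
    ]


if __name__ == "__main__":
    for v in prioritise(sample_inventory(), top_fraction=1.0):
        print(f"{v.cve}: CVSS {v.cvss} -> contextual risk {risk_score(v):.1f}")
```

Sorting the same inventory by CVSS alone would put the unused ERP finding first; the contextual ranking puts it last.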


Using these RBVM optics provides your organisation with a contextualised remediation plan. In addition, it saves a great deal of time, effort, and money, as you go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to build a better view of real organisational risk.

How Can Service Quality Help?

Don't try to remediate everything, as this is a battle no organisation will win. Instead, focus on the top 10-15% of exploitable vulnerabilities that pose the most significant risk to your organisation. This risk-based process is made easy by leveraging one of Service Quality's solutions, Ivanti's Neurons for Risk-Based Vulnerability Management (RBVM).


Think of Ivanti Neurons for RBVM as organised chaos. It continuously correlates vulnerability and threat intelligence data from best-of-breed solutions, such as Rapid7, Tenable, Qualys, Snyk, and more, to measure risk, provide early warning of weaponisation, predict attacks, and prioritise remediation activities relevant to your organisation.


As a result, Ivanti's Neurons for RBVM will allow your organisation to improve its cyber security posture while decreasing the time and effort required with features designed to increase operational efficiency through automation and real-time intelligence. No longer will your Cyber Security analysts be treading water; instead, they will have the correct information to answer that dreaded 'can we be hacked' question often asked by senior management.

About Service Quality


Founded in 2007, Service Quality survives on a simple but powerful idea: empower you to do more with your Service Management and Security solutions. With cutting-edge support and award-winning security and service management practices, you can be sure that Service Quality will help maximise your Service Management investment. Today, hundreds of thousands of users rely daily on Service Management and Security solutions designed and implemented by Service Quality to make their work flow.

Written By: Angus Kenny - Director, Enterprise Solutions


References:

  1. https://www.gartner.com/smarterwithgartner/gartner-top-security-projects-for-2020-2021
  2. https://www.netspi.com/blog/executive/vulnerability-management/4-risk-based-vulnerability-management-realities/
  3. https://nucleussec.com/blog/risk-based-vulnerability-management
  4. https://outpost24.com/blog/Risk-Based-Vulnerability-Management-starting-with-the-why
  5. https://www.securitymagazine.com/articles/94602-record-number-of-critical-and-high-severity-vulnerabilities-were-logged-to-the-nist-nvd-in-2020