Jul 3, 2022
Last year, the National Institute of Standards and Technology (NIST) reported that the number of vulnerabilities logged was a new record. Furthermore, over 50% of these vulnerabilities were classified as either 'critical' or 'high' severity. Vulnerability exploitation now happens indiscriminately across the modern attack surface: from local and remote endpoints, to on-prem and cloud infrastructure, to web applications and containers.
Given the above, a check-the-box, compliance-driven vulnerability management program will no longer cut it. There is a very good reason why the likes of Gartner have Risk-Based Vulnerability Management as item number 2 of their 'Top 10 Security Projects' for 2022.
First, let's define what Risk-Based Vulnerability Management is.
Risk-based vulnerability management (RBVM) is a process that reduces vulnerabilities across your attack surface by prioritising remediation based on the risks they pose to your organisation.
Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. Instead, it helps organisations understand vulnerability risks with threat context and insight into potential business impact. It helps you cut through vulnerability overload to focus on the relatively.
For example, your vulnerability scanner may flag a Critical vulnerability. However, with a risk-based approach, you quickly learn this vulnerability isn't likely to affect your organisation (e.g., a vulnerability in the payment gateway module of your ERP system when you don't use that functionality).
The above may seem obvious; however, remember this isn't an isolated decision: organisations are working through hundreds or even thousands of these vulnerabilities. In fact, at the last count the National Institute of Standards and Technology (NIST) reported there were over 10,000. Unfortunately, most Australian cyber security teams are small and stretched thin.
Your organisation will undoubtedly have an extensive list of vulnerabilities to remediate, but think of it as a funnel: all those vulnerabilities go in at the top, and you narrow them down by applying contributing factors.
Let’s look at what contributing factors we should consider when prioritising vulnerabilities:
These contributing factors help your organisation answer the question 'what should I remediate first?' rather than basing your remediation approach on CVSS alone. As a result, the number of vulnerabilities needing focused remediation is greatly reduced.
Looking through this RBVM lens provides your organisation with a contextualised remediation plan. In addition, it saves a great deal of time, effort, and money, as you go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organisational risk.
Don't try to remediate everything, as this is a battle no organisation will win. Instead, focus on the top 10-15% of exploitable vulnerabilities that pose the most significant risk to your organisation. This risk-based process is made easy by leveraging one of Service Quality's solutions, Ivanti's Neurons for Risk-Based Vulnerability Management (RBVM).
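The funnel described above, shown as an added example that is not from this post or from any vendor product. It scores a constructed set of scanner findings by combining the scanner's CVSS base score with the contributing factors named here (threat intelligence on public exploits and observed attacker activity, internal asset criticality, and whether the vulnerable functionality is actually in use, as in the ERP payment-gateway case), then keeps only the top 15%. The finding IDs, asset names and weighting factors are assumptions chosen for illustration; the point is the contrast between the CVSS-only ranking and the risk-based one, not the exact weights.

```python
"""Toy risk-based vulnerability prioritisation (illustrative, constructed data)."""
import math
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Finding:
    finding_id: str           # placeholder ID, not a real CVE number
    asset: str                # constructed asset name
    cvss: float               # scanner's CVSS base score, 0.0 - 10.0
    asset_criticality: int    # 1 (low) .. 5 (crown jewels), from the internal asset inventory
    exploit_public: bool      # threat intel: a weaponised public exploit exists
    exploited_in_wild: bool   # threat intel: attacker activity observed against this issue
    internet_facing: bool     # exposure: reachable from the Internet
    component_in_use: bool    # the vulnerable functionality is actually deployed/used


# Weights below are assumptions for the example, not an industry standard.
RESIDUAL_IF_UNUSED = 0.1     # unused component: keep in the funnel, but near the bottom
EXPOSURE_INTERNET = 1.5


def threat_multiplier(f: Finding) -> float:
    """Scale by what attackers can and do actually use."""
    m = 1.0
    if f.exploit_public:
        m += 1.0
    if f.exploited_in_wild:
        m += 2.0
    return m


def risk_score(f: Finding) -> float:
    """CVSS x threat context x exposure x business impact (x residual if not in use)."""
    exposure = EXPOSURE_INTERNET if f.internet_facing else 1.0
    impact = f.asset_criticality / 5
    score = f.cvss * threat_multiplier(f) * exposure * impact
    if not f.component_in_use:
        score *= RESIDUAL_IF_UNUSED
    return round(score, 2)


def cvss_only(f: Finding) -> float:
    """The legacy 'just sort by CVSS' approach, for comparison."""
    return f.cvss


def prioritise(findings: Iterable[Finding], fraction: float = 0.15,
               by: Callable[[Finding], float] = risk_score) -> List[str]:
    """Return the IDs in the top `fraction` of the funnel, highest score first."""
    items = list(findings)
    ranked = sorted(items, key=by, reverse=True)   # stable: ties keep input order
    keep = max(1, math.ceil(len(items) * fraction))
    return [f.finding_id for f in ranked[:keep]]


# Constructed sample scanner output (all values invented for the example).
SAMPLE_FINDINGS = [
    Finding("F-01", "ERP payment gateway", 9.8, 4, True,  False, False, False),
    Finding("F-02", "customer web app",    7.5, 5, True,  True,  True,  True),
    Finding("F-03", "internal file server", 9.1, 2, False, False, False, True),
    Finding("F-04", "VPN appliance",       8.8, 5, True,  True,  True,  True),
    Finding("F-05", "developer laptop",    8.8, 1, True,  True,  False, True),
    Finding("F-06", "container base image", 5.5, 3, False, False, False, True),
    Finding("F-07", "legacy printer",      9.8, 1, False, False, False, True),
    Finding("F-08", "HR portal",           6.5, 4, True,  False, True,  True),
    Finding("F-09", "test database",       9.0, 1, False, False, False, True),
    Finding("F-10", "CI runner",           7.2, 3, True,  False, False, True),
]


if __name__ == "__main__":
    print("CVSS-only top 15%:  ", prioritise(SAMPLE_FINDINGS, by=cvss_only))
    print("Risk-based top 15%: ", prioritise(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.finding_id} {f.asset:<22} cvss={f.cvss:<4} risk={risk_score(f)}")
```

Run on the constructed data, the CVSS-only view puts the unused ERP payment gateway and a standalone printer at the top, while the risk-based view surfaces the two internet-facing, actively exploited issues on critical assets; the ERP finding drops near the bottom of the funnel without being lost from it.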
Think of Ivanti Neurons for RBVM as organised chaos. It continuously correlates vulnerability and threat intelligence data from best-of-breed solutions, such as Rapid7, Tenable, Qualys, Snyk, and more, to measure risk, provide early warning of weaponisation, predict attacks, and prioritise the remediation activities relevant to your organisation.
As a result, Ivanti's Neurons for RBVM will allow your organisation to improve its cyber security posture while decreasing the time and effort required, with features designed to increase operational efficiency through automation and real-time intelligence. No longer will your cyber security analysts be treading water; instead, they will have the correct information to answer that dreaded 'can we be hacked?' question so often asked by senior management.
Founded in 2007, Service Quality survives on a simple but powerful idea: empower you to do more with your Service Management and Security solutions. With cutting-edge support and award-winning security and service management practices, you can be sure that Service Quality will help maximise your Service Management investment. Today, hundreds of thousands of users rely daily on Service Management and Security solutions designed and implemented by Service Quality to make their work flow.
Written By: Angus Kenny - Director, Enterprise Solutions