Risk-based Vulnerability Management (RBVM) is a cybersecurity strategy designed to help organizations limit risk through the strategic prioritization of vulnerability remediation. To accomplish this, organizations use tools to assess existing cybersecurity vulnerabilities and determine the amount of risk each vulnerability poses to business-critical assets.
Today’s defenders are overwhelmed with the job of managing cyber vulnerabilities. In 2020, 17,000 new vulnerabilities were reported — a rate that equals one new vulnerability every six minutes. Attackers waste no time seeking to develop exploits, which means that defenders must be equally nimble and fast to respond.
Yet the sheer number of such vulnerabilities poses huge problems — as does the process of patching. Even if you have an amply provisioned security team, patching and testing can take an extended period of time, depending on the number of systems or applications and the types of resources involved.
The continual avalanche of new vulnerabilities and the sometimes protracted process of repairing them makes it impossible to do IT vulnerability management effectively without an overarching strategy that helps determine precedence. If vulnerability management teams focus on fixing the wrong vulnerabilities first, they may find themselves wasting precious time and effort while exposing their organizations to unnecessary risk.
Vulnerability Management vs Risk Management
Historically, this scenario played out for security teams with alarming frequency. For many years, defenders relied on CVSS scores to help guide their patching prioritization. However, many high-scoring vulnerabilities present little or no possibility of ever being exploited, and therefore pose minimal risk. Nearly all the more than 1,000 vulnerabilities listed in the Common Vulnerabilities and Exposures list published by Microsoft in 2020 had a severity score of seven or higher. Yet only a handful of these vulnerabilities were actually used in exploits.
For a fuller picture to be present — and for effective prioritization to occur — the critical risk context must be included.
How Enterprise Risk-Based Vulnerability Management Works
Risk-based Vulnerability Management (RBVM) is a strategy designed to help ensure that vulnerabilities are prioritized for remediation in a way that reflects the level of risk those vulnerabilities pose to an organization’s most valuable assets.
This process often begins with ensuring visibility exists into everything within a security environment, including applications, data, devices and users. It is impossible to secure what cannot be seen, so organizations need to have visibility into traffic, endpoints and cloud/hybrid environments. Without this visibility, defenders are flying blind.
The next step in the process is scanning and monitoring across attack vectors for assets to help identify any security gaps that exist. Given the vast number of vulnerabilities that continue to emerge, this process should be continuous and include the fullest possible range of attack vectors.
Once those vulnerabilities are identified, the risk context then becomes important. This means understanding the criticality of each asset, the severity of vulnerabilities, the likelihood of exploits, the impact of successful exploits and the existing security controls in place.
Once risk is understood and scored, remediation work can begin in a way that prioritizes addressing the relatively small number of exposures that typically present the gravest risk to critical assets.
When looked at holistically, this managed RBVM process reduces risk through the constant assessment of vulnerabilities for key risk factors and the prioritization of vulnerabilities that are most likely to be exploited while having the most adverse impact.
For most of today’s organizations, the best way to ensure that RBVM or threat-based vulnerability management is executed correctly is through the integration of an advanced risk-based vulnerability management tool that is specifically designed to do the following:
- Identify vulnerabilities in a continuous manner. As mentioned above, visibility into evolving vulnerabilities is critical; you cannot defend against what you cannot see. A continuous view is imperative.
- In addition to continuous identification, such tools must provide the critical risk context by providing risk-based patch management. If you do not understand risk, you cannot prioritize effectively.
- Finally, such tools should also provide the least-effort remediation to ensure that the most dangerous vulnerabilities are addressed quickly.
By following a smart and up-to-date RBVM strategy — and using the right supporting software — organizations can save time and money and better protect their most valuable assets.