Stephen Roostan, VP EMEA at Kenna Security, makes the case for risk-based vulnerability management as the future of cyber security.
Today’s security and IT teams are under relentless and constant pressure to monitor, track and fix vulnerabilities and protect the organisation from any potential cyber attack. This represents a Herculean task that can typically involve the close management of around 80,000 assets in large enterprises; assets such as laptops, servers, routers and internet-connected printers and other endpoint devices that potentially harbour around 40 million vulnerabilities. However, only around 2% to 5% of all these organisational vulnerabilities represent a legitimate threat to the IT environment.
Until now, organisations have typically had to utilise a ‘divide and conquer’ approach to prioritising which vulnerabilities to patch. Using a mix of gut feel and vulnerability scoring assessments to determine how best to deploy precious resources and address those vulnerabilities predicted as most likely to compromise enterprise security or put regulatory compliance at risk.
However, the rise of risk-based vulnerability management (RBVM) is changing the rules of the game. Making it much easier for organisations to dramatically improve their security stance by identifying – and remediating – the small subset of vulnerabilities that are most prone to exploitation by cyber attackers.
Risk-based vulnerability management: a revolutionary approach
As many organisations have discovered, basic free tools like the Common Vulnerability Scoring System (CVSS) have significant limitations that make it difficult to cope with the sheer volume of vulnerabilities that are now part and parcel of today’s cyber landscape.
According to 451 Research, organisations using CVSS v3 that have 2 million vulnerabilities could find that 660,000 of these are classified as critical. Without any understanding of the exact relative risk these vulnerabilities pose to an individual organisation, prioritising which to address first requires some significant heavy lifting by security analysts to determine where remediation needs to be focused first.
In other words, they need to apply some clever thinking to evaluate all 660,000 of the vulnerabilities identified by the CVSS scan to profile the specific risk each one poses to the organisation by determining how sensitive each vulnerable asset is; if the asset is exposed externally; and if there is a known exploit code associated with that vulnerability.
By contrast, today’s RBVM platforms make it much easier and faster for security and IT teams to assess and predict which vulnerabilities pose a real threat – based on actual risk to the organisation.
Going beyond CVSS
Today’s highly adaptive RBVM platforms make it possible for enterprises to apply meaningful metrics to evaluate their specific exposure to potential risk factors, sorting the ‘wheat from the chaff’ to rapidly prioritise remediation actions.
Utilising predictive data science modelling and real-time threat intelligence feeds, RBVM platforms enable security teams to gauge exactly how critical each threat is to the organisation’s real-world specific environment. Unlike CVSS tools that blanket-score high volumes of vulnerabilities as ‘high risk’, RBVM solutions provide the evidence-based guidance intelligence teams need to identify only those most critical vulnerabilities that represent a true risk to the enterprise stack.
As digital models and new ways of working proliferate, vulnerability and threat management are fast moving up the enterprise agenda. Because, as organisations have found, digital transformation spawns ever greater infrastructure complexity that makes keeping track of assets and prioritising remediation workloads an almost impossible task. RBVM provides an answer to effectively managing environments based on vulnerability risk management principles that allow IT and security teams to move away from an ‘everything at risk’ approach.
The benefits of moving to an RBVM platform
The benefits of moving to an RBVM platform for IT and security organisations are significant. The ability to identify with confidence what to fix first – and what patches can be applied over time – represents a win-win for both teams. Eliminating the traditional frictions that can often exist between IT and security teams, everyone now understands what represents a priority and what does not – and why.
Security teams no longer have to generate extended patch lists for IT teams to complete, confident that they are taking the right actions to protect the enterprise. Meanwhile, IT teams know that they are now focused on a clearly defined set of cyber security concerns that can be remediated without adversely impacting application or web services availability.
As a result, organisations are at last able to unify how security and IT teams can work hand-in-glove across multiple business units. Because these teams are able to spend less time chasing ‘headline’ vulnerabilities that actually don’t pose a particular threat to their organisation, everyone is able to prioritise remediating those vulnerabilities that actually represent the greatest risk. Once teams stop playing catch up, as far as cyber threats are concerned, they are able to leverage their new-found efficiencies to focus instead on other strategic projects.
Finally, alongside enabling improved collaboration between security and IT teams, today’s advanced RBVM solutions also enable these teams to clearly communicate to senior board members and governance exactly how they are lowering risk for the organisation as a whole – and supporting enhanced risk-intelligent decision-making going forward in the context of the enterprise and its IT infrastructure.