What is risk-based vulnerability management?

Risk-based vulnerability management (VM) is the identification, prioritization and remediation of cyber-based vulnerabilities based on the relative risk they pose to a specific organization. 

Vulnerability management has been something of a moving target within the complex world of cybersecurity. It began with organizations scanning their systems against a database of known vulnerabilities, misconfigurations and code flaws that posed risks of vulnerability to attack.

Among the limits to this initial approach, however, were several factors:

• One-off or intermittent scans were incomplete and slow to catch rapidly evolving threats.
• In practicality, not all software patches, for example, could be applied without posing intolerable disruption and cost to an enterprise.
• Not all vulnerabilities are equally exploited in the actual world.
• A one-size-fits-all identification of vulnerability does not fit with the unique business profile, asset mix, nexus of brand value, risk tolerance, regulatory and compliance requirements and systems configurations of any particular organization.
• Adequate remediation approaches vary widely depending upon both an organization’s distinct IT and cyber systems and its asset and risk profile.

In response, cybersecurity providers have developed an array of approaches that provide more continuous, customized, specifically risk-based vulnerability management products. 

These risk-based tools are typically provided either as modules within a major security vendor’s larger platform or as a more narrowly focused suite of capabilities from a more specialized provider. Gartner has forecast that the rapidly growing market for risk-based vulnerability management tools will reach $639 million by 2023.

To fully understand the key steps your organization needs to take to manage vulnerabilities, you should understand the difference between a vulnerability, a threat and a risk. 

A vulnerability is defined by the International Organization for Standardization (ISO 27002) as “a weakness of an asset or group of assets that can be exploited by one or more threats.”  

As the vendor Splunk notes: “First, a vulnerability exposes your organization to threats. A threat is a malicious or negative event that takes advantage of a vulnerability. Finally, the risk is the potential for loss and damage when the threat does occur.”

The 7 most common types of vulnerabilities

Cybersecurity vendor Crowdstrike has identified the 7 most common types of vulnerabilities:

1. Misconfigurations: With many applications requiring manual configuration, and the proliferation of cloud-based processes, misconfiguration is the most commonly found vulnerability in both areas.
2. Unsecured APIs: By connecting outside information and complementary application sources via public IP addresses, poorly secured APIs present a frequent point of unauthorized access.
3. Outdated or unpatched software: This common vulnerability is especially problematic given the impracticality of potential updates and patches in many configurations.
4. Zero-day vulnerabilities: By definition, a vulnerability that’s unknown is a challenge to counter.
5. Weak or stolen user credentials: This pedestrian vulnerability presents a nearly open door to unauthorized entry and is all too commonly exploited.
6. Access control or unauthorized access: Poor management practices give too many users more access than needed, longer than needed: The “principle of least privilege (PoLP)” should prevail.
7. Misunderstanding the “shared responsibility model” (i.e., runtime threats): Many organizations miss the cracks between their cloud providers’ responsibility for infrastructure and their own responsibility for the rest.

Vulnerabilities not included in one scanner’s database may get overlooked. That has led organizations to use multiple vulnerability scanners. 

Modern, risk-based VM must be highly automated not only to manage the incorporation of data from multiple, continuous scans, but also to assess and prioritize recommended steps and priorities in responding to an organization’s risk-based prioritization of vulnerabilities and levels of remediation.

“Vulnerabilities are the tip of the spear; the problem is that there can be thousands of spears and you need to know which are the ones that are going to provide the deadly blow,” said Eric Kedrosky, CISO of Sonrai Security. “That is why risk in context is so critical.” 

The scope and scale of this processing has led to the use of machine learning (ML) in many steps of the process, from information intake and risk scoring, to recommended priorities and approaches for remediation, to ongoing reporting.

“Vulnerability management is the process of identifying, prioritizing and remediating vulnerabilities in software,” said Jeremy Linden, Senior Director of Product Management at Asimily. “These vulnerabilities can be found in various parts of a system, from low-level device firmware to the operating system, all the way through to software applications running on the device.”

Vulnerability management, then, is more than being able to run vulnerability scans against your environment. It also includes patch management and IT asset management. The goal of VM is to rapidly address vulnerabilities in the environment through remediation, mitigation or removal. VM also addresses misconfiguration or code issues which could allow an attacker to exploit an environment, as well as flaws or holes in device firmware, operating systems and applications running on a wide range of devices.

When infrastructure was all on-premises, it might have been acceptable to institute daily scans. But in the era of the cloud, a whole new level of depth and breadth is needed. Vulnerability management is now a continuous process of identifying, assessing, reporting on and managing vulnerabilities across cloud identities, workloads, platform configurations and infrastructure. Typically, a security team will use a cloud security platform to detect vulnerabilities, misconfigurations and other cloud risks. A strong cloud security vulnerability management program analyzes risk in context to address the vulnerabilities that matter the most as quickly as possible. 

The vulnerability management process lifecycle

VM can be broken into a series of steps, most of which are automated within modern risk-based tools.

1. Conduct an asset inventory

Begin by understanding the scope of your systems and software. Asset and software inventories are acquired through discovery efforts. They enable the organization to set configuration baselines and to know the extent of what they are supposed to be protecting. Note that some scans only deal with on-premises resources. Make sure all cloud assets are included — the ever-growing web of identities and their permissions allows for infinite potential pathways to danger in the cloud. 

“Companies need complete visibility into each and every identity, human and non-human, and the permissions each has to access data, applications, servers and systems,” said Brendan Hannigan, CEO of Sonrai Security. “Recent industry research indicates that 80 percent of U.S. companies have suffered at least one cloud security breach over the past 18 months.”

2. Scan for vulnerabilities

This includes scanning for specific new high-priority threats as well as remedial baseline scanning. It should be a frequently deployed or continuous process.

3. Report on found vulnerabilities

Deliver a report showing the currently exploitable vulnerabilities affecting the environment.

4. Prioritize remediation and identify workarounds

If there are a great many vulnerabilities to address, use a combination of threat severity and criticality to establish priorities. In some cases, patches may not be available or feasible to apply. In those situations, the vulnerability may be mitigated through workarounds such as network or configuration changes that reduce or eliminate an attacker’s ability to exploit the vulnerability.

5. Deploy remediations

The process of remediating can address service configurations, patches, port blacklisting and other operational tasks. Remediating vulnerabilities should be automated, but with oversight to ensure all actions are appropriate. As with all changes in environment, remediations can cause unforeseen system behaviors. Therefore, this process should be done only after a peer-review and change-control meeting. 

“Develop a patch planning process that assesses the risk of vulnerabilities to prioritize, and focus on those that pose the greatest risk to your environment,” said Brad Wolf, senior vice president, IT operations at NeoSystems. “Implement the patches or configuration changes in accordance with change control, and then perform a follow-up scan to ensure the vulnerability has been resolved. There may be times when vulnerabilities cannot be resolved, in which case a mitigation and risk acceptance process should be defined and include a periodic review of accepted risks.” 

6. Validate remediations

Many forget that they need to rescan environments after remediation. Sometimes remediation actions might not effectively resolve the issue as intended. A new scan will tell the tale.

7. Report on resolved vulnerabilities

Deliver an after-action report on the vulnerabilities which have been removed (and validated) within the environment.

The above steps should not be limited to a once-per-month basis, as is currently common among traditional on-prem vulnerability management tools. They should be done on an ongoing basis with automated, risk-based tools.

10 best practices for risk-based vulnerability management in 2023

This list of best practices includes cited recommendations from Gartner and several vendors:

1. Align vulnerability management to risk appetite. Every organization has an upper limit on the speed with which it can patch or compensate for vulnerabilities. This is determined by the business’s appetite for operational risk, its IT operational capacity/capabilities and its ability to absorb disruption when attempting to remediate vulnerable technology platforms. Security leaders can align vulnerability management practices to their organization’s needs and requirements by assessing specific use cases, assessing the organization’s operational risk appetite for particular risks or on a risk-by-risk basis, and determining remediation abilities and limitations. (Gartner)
2. Prioritize vulnerabilities based on risk. Organizations need to implement multifaceted, risk-based vulnerability prioritization, based on factors such as the severity of the vulnerability, current exploitation activity, business criticality and exposure of the affected system. (Gartner)
3. Combine compensating controls and remediation solutions. By combining compensating controls that can do virtual patching — like intrusion detection and prevention systems and web application firewalls with remediation solutions like patch management tools — you can reduce your attack surface more effectively with less operational impact on the organization. Newer technologies like breach and attack simulation (BAS) tools also provide insight into how your existing security technologies are configured and whether they are capable of defending against a range of threats like ransomware. Often, it’s simply not possible to patch a system if, for example, the vendor has not yet provided a patch, the system is no longer supported or for other reasons like software compatibility. Highly regulated industries also have mandates that can restrict your ability to perform functions like patching. (Gartner)
4. Use technologies to automate vulnerability analysis. Improve remediation windows and efficiency by using technologies that can automate vulnerability analysis. Review your existing vulnerability assessment solutions and make sure they support newer types of assets such as cloud, containers and cyber-physical systems in your environment. If not, augment or replace the solution. (Gartner)
5. Use comprehensive vulnerability intelligence. Most vulnerability management tools source their findings from CVE/NVD, which fails to report nearly one-third of all known vulnerabilities. In addition, this public source often omits vulnerability metadata such as exploitability and solution information. Use an independently researched vulnerability intelligence solution to give your security teams all the details they need to research potential issues. (Flashpoint) 
6. Create a configuration management database (CMDB). A CMDB captures all the configuration items in your network — including hardware, software, personnel and documentation. It can be extremely useful for listing and categorizing deployed assets. It facilitates asset risk scoring, and provides long-term benefits if maintained. (Flashpoint)
7. Assign asset risk scores. Asset risk scores are data-driven and communicate which assets pose the most risk if compromised. Assigning values to specific assets enables you to map vulnerabilities to them, and gives you a clear picture of which ones require immediate attention. This will help make prioritization workloads more manageable and save future resources. (Flashpoint)
8. Continually gather and analyze data across your entire attack surface. Go beyond traditional IT and include all of your endpoints, cloud environments, mobile devices, web apps, containers, IoT, IIoT and OT. (Tenable)
9. Use reports and analytics to communicate your program’s successes and gaps to your key stakeholders. Role-specific insights will help you communicate technical data in a way that everyone understands, regardless of cybersecurity expertise. For example, when talking about security with your executives, align those reports with company goals and objectives. (Tenable)
10. Use analytics and data to determine how well your teams inventory assets and collect assessment information. Don’t forget to include success metrics to determine how well your team successfully remediates prioritized vulnerabilities, including processes used and time to remediate. (Tenable)