Effective Vulnerability Management in 2023

January 12, 2023 | Hacker News | Vulnerability Management

Recently released Security Navigator report data shows that companies still take 215 days to patch a reported vulnerability. Even critical vulnerabilities usually take six months or more to patch.

Good vulnerability management is not about being fast enough to patch all potential compromises. It’s about using vulnerability prioritization to focus on real risks, remediate the most critical flaws, and maximize the reduction of your company’s attack surface. To do that, corporate data and threat intelligence need to be correlated and automated. This is essential to allow internal teams to focus on remediation work. The right technology can take the form of a global vulnerability intelligence platform. Such platforms use risk scores to help prioritize vulnerabilities and help businesses focus on their actual organizational risks.

Getting started

Before establishing an effective vulnerability management program, keep these three facts in mind.

1. The number of vulnerabilities discovered is increasing year by year. With an average of 50 new vulnerabilities being discovered every day, it’s easy to see why patching them all is impossible.

2. Only a few vulnerabilities are being actively exploited, and those pose a very high risk for all organizations. About 6% of all vulnerabilities are actually exploited [43]: we need to lighten the load and focus on the real risks.

3. Both the business risk and the severity of the vulnerability must be considered, as the same vulnerability can have very different impacts on the business and the infrastructure of two different companies.

Based on these facts, it is clear that patching every vulnerability does not make sense. Instead, organizations should focus on what poses real risk based on the threat landscape and organizational context.

The concept of risk-based vulnerability management

The aim is to focus on the most important assets and those that are at high risk of being targeted by attackers. There are two environments to consider when approaching a risk-based vulnerability management program.

Internal environment

A client’s landscape represents its internal environment. As enterprise networks grow and diversify, so does the attack surface. The attack surface represents all components of an information system that hackers can reach. A clear and up-to-date understanding of your information system and attack surface is the first step. It’s also important to consider the business context. In fact, businesses in some industries may be targeted more often because they own certain data and documents (intellectual property, classified defense, etc.). A final important factor to consider is the unique context of each individual company. The aim is to categorize the assets according to importance and highlight the most important ones. For example, assets that, if not available, would seriously disrupt business continuity, or sensitive assets that, if accessible, would expose the organization to multiple legal liabilities.

External environment

The threat landscape represents the external environment. This data is not accessible from the internal network. Organizations must have the human and financial resources to locate and manage this information. Alternatively, this activity can be outsourced to experts who monitor the threat landscape on behalf of the organization.

Knowing which vulnerabilities are being actively exploited is imperative as they represent a higher risk to the enterprise. These actively exploited vulnerabilities can be tracked thanks to threat intelligence capabilities combined with vulnerability data. For the most efficient results, we recommend increasing the number of threat intelligence sources you use and correlating them. Understanding attacker activity is also important as it helps predict potential threats. For example, information about new zero-day attacks or new ransomware attacks can be processed in a timely manner to prevent security incidents.

A combined understanding of both environments helps organizations define real risks and more efficiently identify where preventive and remedial actions need to be deployed. You don’t have to apply hundreds of patches; ten well-chosen ones can significantly reduce your organization’s attack surface.

Five Key Steps to Implementing a Risk-Based Vulnerability Management Program

  1. Identification: Identify all your assets and discover your attack surface. A discovery scan helps you get an initial overview. Then run regular scans in your internal and external environments and share the results with your vulnerability intelligence platform.
  2. Contextualization: Configure business context and asset criticality in your vulnerability intelligence platform. Scan results are then contextualized with specific risk scoring per asset.
  3. Enrichment: Scan results should be enriched with additional sources provided by the vulnerability intelligence platform. This includes threat intelligence and attacker activity, which help you take the threat landscape into account when prioritizing.
  4. Remediation: Thanks to the risk scoring given to each vulnerability, which can be matched against threat intelligence criteria such as ‘easily exploitable’, ‘exploited in the wild’, or ‘widely exploited’, prioritizing targeted remediation is much easier.
  5. Evaluation: Monitor and measure the progress of your vulnerability management program with KPIs and customized dashboards and reports. It’s a continuous improvement process!
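A minimal sketch of steps 2 to 5 above, added here as an illustration and not taken from the Security Navigator report or from any vulnerability intelligence platform. The weights, the criticality scale, the asset names and the VULN-* identifiers are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed multipliers for the threat-intelligence criteria named in step 4.
THREAT_WEIGHT = {"easily exploitable": 1.5, "exploited in the wild": 3.0,
                 "widely exploited": 4.0}
# Assumed asset-criticality scale configured during contextualization (step 2).
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 2.0}

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: float  # scanner base severity, 0-10

def risk_score(finding, asset_context, threat_intel):
    """Severity x asset criticality x strongest threat-intel signal."""
    crit = CRITICALITY[asset_context.get(finding.asset, "medium")]  # unknown asset: medium
    tags = threat_intel.get(finding.vuln_id, set())
    threat = max((THREAT_WEIGHT[t] for t in tags if t in THREAT_WEIGHT), default=1.0)
    return round(finding.severity * crit * threat, 2)

def prioritize(findings, asset_context, threat_intel, top_n=10):
    """Return the top_n (score, finding) pairs, highest risk first."""
    scored = [(risk_score(f, asset_context, threat_intel), f) for f in findings]
    scored.sort(key=lambda p: (-p[0], p[1].asset, p[1].vuln_id))
    return scored[:top_n]

def coverage(ranked, findings, asset_context, threat_intel):
    """KPI for step 5: share of total scored risk covered by the selected set."""
    total = sum(risk_score(f, asset_context, threat_intel) for f in findings)
    return round(sum(score for score, _ in ranked) / total, 3) if total else 0.0

# Constructed sample data: scan findings, business context, threat intelligence.
FINDINGS = [
    Finding("erp-db", "VULN-A", 7.5), Finding("erp-db", "VULN-B", 9.8),
    Finding("test-vm", "VULN-B", 9.8), Finding("vpn-gw", "VULN-C", 6.5),
    Finding("kiosk", "VULN-D", 9.1),
]
ASSET_CONTEXT = {"erp-db": "high", "test-vm": "low", "vpn-gw": "high", "kiosk": "low"}
THREAT_INTEL = {"VULN-A": {"exploited in the wild"},
                "VULN-C": {"widely exploited", "easily exploitable"}}

if __name__ == "__main__":
    top = prioritize(FINDINGS, ASSET_CONTEXT, THREAT_INTEL, top_n=2)
    for score, f in top:
        print(f"{score:6.2f}  {f.asset:8} {f.vuln_id}  severity={f.severity}")
    print("risk covered:", coverage(top, FINDINGS, ASSET_CONTEXT, THREAT_INTEL))
```

In this sample the severity-6.5 finding on a critical, widely exploited asset outranks both severity-9.8 findings, and the same VULN-B scores four times higher on the ERP database than on the test VM.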

This is a story from the trenches found in the 2023 Security Navigator report. More on vulnerabilities and other interesting content such as malware analysis and cyber-extortion, as well as numerous facts and figures on the security landscape, are presented in the full report. The 120+ page report is available for free download from the Orange Cyberdefense website. Worth a visit.

Note: This informative story was expertly crafted by Melanie Pilpre, Product Manager at Orange Cyberdefense.
