Managing cyber vulnerabilities is a lot like plugging cracks in a dam that is always on the verge of collapsing. As soon as you identify and fill one gap, another is forming. Fall behind and those gaps will begin accumulating faster and faster, placing increasing stress on your environment until you're overwhelmed and left simply hoping for the best.
This is an all-too-familiar scenario for too many IT teams, who are forced to play a frantic game of "vulnerability whack-a-mole." Few teams have the time, the people or the right tools to patch every vulnerability quickly enough.
Yet they do have one thing in their arsenal that can make the difference between success and failure when it comes to protecting business-critical assets: The ability to prioritize properly.
Unfortunately, far too many VM teams are not prioritizing optimally -- and some are not even aware of the best approach to take.
Why you cannot manage vulnerabilities effectively without smart prioritization
Patching vulnerabilities is extremely time-consuming. You have to identify, test, deploy, verify and prepare for downtime. Given the scope of that commitment, it is absolutely critical to determine which vulnerabilities present the most pressing risk to your most valuable assets.
Only then can you deploy your limited resources effectively.
Here's what we mean: a CVSS base score, which is what most scanners report, rates the intrinsic technical severity of a vulnerability. Yet that alone is not enough. It says nothing about whether a working exploit exists, whether the vulnerable host is reachable from where an attacker actually is, or what that host can reach in turn. It's far too narrow a metric to provide a clear picture of risk. Instead, organizations need to understand not only where vulnerabilities lie and how severe they are, but also how likely they are to be exploited and the level of risk they present to the crown jewel assets within an organization.
A vulnerability that can easily be exploited -- but cannot jeopardize critical assets -- should not take precedence over a difficult to exploit vulnerability that puts your sensitive assets at great risk.
By the same token, a vulnerability that has no known adversaries using it -- and may not be exploitable in the wild -- should not take precedence over one that is tied to adversaries, is known to be exploitable and presents significant asset risk.
You need to marshal your resources to address the gaps that leave you most exposed so you can spend time, money and effort in the areas that place your enterprise at greatest risk.
In other words, you need smart prioritization.
A laser-like focus on the vulnerabilities that truly matter
The vast majority of vulnerabilities will never be exploited. Wasting time and effort chasing down vulnerabilities that don't pose any risk is one of the biggest resource drains your security teams will face. Relying on products with CVSS or other static scoring methods isn't just a time waster -- it diverts patching effort away from the few exposures that do matter, which leaves your organization considerably less safe.
So what's the answer? A pinpoint focus on the exposures that can be exploited and a keen understanding of the risk that such exposures present. Vulnerabilities need to be assessed according to their relation to key assets and the risk they pose to such assets.
It's crucial to understand how a vulnerability can be exploited so you can develop a full picture of the assets you're protecting and the best order in which to prioritize the vulnerabilities that threaten them.
Unfortunately, far too many organizations fail to live up to this standard -- primarily because they still operate under an outdated conception of what effective vulnerability management truly means. Episodic scanning and severity score-based patching is simply no longer enough.
What about vulnerability management platforms that incorporate threat intelligence and risk scores?
Some VM platforms have moved beyond over-reliance on CVSS, using threat intelligence, configuration management and data science to calculate vulnerability risk scores.
These tools stretch beyond severity scoring and provide more insight into how business-critical assets need to be protected.
However, while such solutions take a step in the right direction, ultimately they do not travel far enough to provide truly optimal protection for crown jewel assets.
Why? Because they lack key attack-centric context and the ability to understand the relationship between different network hosts that exist on attack paths. They score "risk on" a host: how bad the finding on that machine is in isolation. What they cannot express is "risk to" an asset: whether an attacker who exploits that finding can then chain through cached credentials, trust relationships and misconfigurations to reach a crown jewel, and how many such paths the finding sits on.
Such solutions also typically fail to consider all types of exposures that extend the attack surface -- everything from exploitable vulnerabilities and misconfigured servers to poorly managed credentials.
Remediation guidance is also often limited and missing context.
Finally, many of these products are hamstrung by calculating risk based on external threat intelligence with minimal (or even zero) correlation to critical assets.
Ultimately, organizations must develop more comprehensive vulnerability management strategies that emphasize continuous visibility and identification of security gaps, pinpoint prioritization and key attack-centric context.
Choosing the right software is an important first step in this direction. But what kind of platform is best suited to help VM teams achieve their objectives?
Characteristics of effective vulnerability management tools
It's well understood that VM teams are overstretched -- and the Covid-19 pandemic has placed an even greater burden on them. However, the right automated tool can help provide deep visibility into the emerging threat landscape and help prioritize optimally.
Here are some of the key characteristics to look for when evaluating software:
It concentrates effort on the small fraction of exposures (on the order of one percent) that are actually exploitable and sit on an attack path to business-sensitive systems, which is where nearly all of the real risk lives.
It does not rely solely on CVSS scoring or other static methods that provide only one small piece of the puzzle.
It provides “risk to” rather than “risk on” context.
The right tool will not only continuously identify vulnerabilities and consider all types of exposures, it will also show you exactly how those vulnerabilities could be exploited, giving you key attack-centric context.
An optimally effective tool considers all types of exposures that create attack paths and extend the attack surface and provides full, context-sensitive least-effort remediation guidance.
Ultimately, the most effective tool is one that continuously identifies new exposures and attack vectors, offers pinpoint prioritization of the cyber risks affecting business-sensitive systems and offers least-effort remediation.
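The difference between "risk on" and "risk to" described above, and the least-effort remediation idea, is easier to see on a concrete graph. The following is an added example written for this article; it is not XM Cyber's code, and every host, exposure, score and exploitability flag in it is constructed for illustration rather than taken from a real environment or a real CVE. Exposures are modelled as directed edges (an attacker who controls `src` can reach `dst`), covering exploitable vulnerabilities, a cached credential and a misconfiguration. It then contrasts a CVSS-only ranking with one based on how many entry-point-to-crown-jewel paths each exposure enables, and finds the smallest set of fixes that severs every such path.

```python
"""Attack-path prioritization versus CVSS-only ranking (constructed example)."""
from collections import defaultdict
from itertools import combinations

# Constructed topology: hypothetical names, not real assets.
CROWN_JEWELS = {"db-finance"}
ENTRY_POINTS = {"workstation-1", "web-dmz"}

# Each exposure lets an attacker holding `src` reach `dst`. Non-vulnerability
# exposures (credentials, misconfigurations) carry no CVSS score at all, which is
# exactly why a severity-only ranking never surfaces them.
EXPOSURES = [
    {"id": "E1", "kind": "vuln",        "src": "workstation-1", "dst": "file-srv",   "cvss": 7.5,  "exploitable": True},
    {"id": "E2", "kind": "cached-cred", "src": "file-srv",      "dst": "jump-host",  "cvss": None, "exploitable": True},
    {"id": "E3", "kind": "misconfig",   "src": "jump-host",     "dst": "db-finance", "cvss": None, "exploitable": True},
    {"id": "E4", "kind": "vuln",        "src": "web-dmz",       "dst": "web-app",    "cvss": 9.8,  "exploitable": True},
    {"id": "E5", "kind": "vuln",        "src": "web-app",       "dst": "jump-host",  "cvss": 6.5,  "exploitable": True},
    {"id": "E6", "kind": "vuln",        "src": "web-dmz",       "dst": "printer",    "cvss": 9.8,  "exploitable": True},   # dead end
    {"id": "E7", "kind": "vuln",        "src": "web-app",       "dst": "file-srv",   "cvss": 8.1,  "exploitable": True},
    {"id": "E8", "kind": "vuln",        "src": "workstation-1", "dst": "hr-wiki",    "cvss": 9.1,  "exploitable": False},  # no known exploit
]


def build_graph(exposures):
    """Adjacency list over exploitable exposures only: src -> [(dst, exposure id)]."""
    graph = defaultdict(list)
    for e in exposures:
        if e["exploitable"]:
            graph[e["src"]].append((e["dst"], e["id"]))
    return graph


def attack_paths(exposures, entry_points=ENTRY_POINTS, crown_jewels=CROWN_JEWELS):
    """Every simple path, as a list of exposure ids, from an entry point to a crown jewel."""
    graph = build_graph(exposures)
    paths = []

    def walk(host, visited, used):
        if host in crown_jewels:
            paths.append(list(used))
            return
        for dst, eid in graph.get(host, []):
            if dst not in visited:  # simple paths only: never revisit a host
                walk(dst, visited | {dst}, used + [eid])

    for entry in sorted(entry_points):
        walk(entry, {entry}, [])
    return paths


def rank_by_cvss(exposures):
    """'Risk on' ordering: static severity, highest first. Unscored exposures vanish."""
    scored = [e for e in exposures if e["cvss"] is not None]
    return [e["id"] for e in sorted(scored, key=lambda e: -e["cvss"])]


def rank_by_attack_path(exposures):
    """'Risk to' ordering: (id, number of crown-jewel paths the exposure enables)."""
    counts = defaultdict(int)
    for path in attack_paths(exposures):
        for eid in set(path):
            counts[eid] += 1
    ranked = sorted(((e["id"], counts.get(e["id"], 0)) for e in exposures),
                    key=lambda t: (-t[1], t[0]))
    return ranked


def least_effort_remediation(exposures, max_fixes=3):
    """Smallest set of exposures whose removal leaves no path to any crown jewel.

    Brute force over combinations; fine for a few dozen exposures, not for thousands.
    Returns None if no set of at most `max_fixes` exposures cuts every path.
    """
    ids = [e["id"] for e in exposures if e["exploitable"]]
    for k in range(1, max_fixes + 1):
        for combo in combinations(ids, k):
            remaining = [e for e in exposures if e["id"] not in combo]
            if not attack_paths(remaining):
                return set(combo)
    return None


if __name__ == "__main__":
    print("CVSS-only order:      ", rank_by_cvss(EXPOSURES))
    print("Attack-path order:    ", rank_by_attack_path(EXPOSURES))
    print("Paths to crown jewels:", len(attack_paths(EXPOSURES)))
    print("Least-effort fix set: ", least_effort_remediation(EXPOSURES))
```

On this constructed data the CVSS ranking puts E4 and E6 (both 9.8) first, yet E6 leads only to a printer and E8, the third-ranked item, has no known exploit at all. The attack-path ranking instead puts E3 first, a misconfiguration with no CVSS score that sits on all three paths into the crown jewel, and the least-effort search confirms that fixing E3 alone severs every path. The brute-force remediation search is deliberately simple; a production tool would use a min-cut or choke-point algorithm over a much larger graph, and would also weigh the effort of each fix, not just the count.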
The takeaway
Proper vulnerability management has never been easy -- but you can ease that burden dramatically by deploying the right tools and using the right approach. Not only will your VM team no longer be sent on unproductive whack-a-mole hunts, your organization will have the right structure in place to provide your crown jewel assets with the best possible protection.
Gus Evangelakos, Director of North American Field Engineering, XM Cyber