Risk-based vulnerability management involves triaging response to vulnerabilities that are on the verge of exploitation and could result in drastic consequences if exploited. This article details the key risk factors to take into account when prioritizing vulnerabilities, and other considerations that ensure the success of risk-based vulnerability management.
Below, we'll cover:
Risk-based vulnerability management is the process of reducing the risk your network faces by constantly assessing vulnerabilities for various risk factors, and prioritizing response to highly-critical vulnerabilities that are imminently exploitable and highly impactful.
A common vulnerability management woe for organizations of all sizes is that there are just too many vulnerabilities to fix; in fact, a whopping 17,447 new security vulnerabilities were disclosed in 2020 alone. With a new vulnerability popping up every six minutes and attackers quickly developing exploits based off of public disclosures, organizations need to be swift in their remediation. But there are too many vulnerabilities, and too little time to address them all.
Even if you can afford to increase your sysadmin to system ratio considerably, it's unrealistic to have every Windows machine updated with the latest patches the day after Patch Tuesday—patching in itself can take a considerable amount of time depending on the number of systems, the number of applications, the type of resources to be patched, the load handling capacity of the patching tool, the organization's patching window, and the testing process associated with patching. Additionally, patching windows for servers are too narrow, and extreme care must be taken when patching servers—one mistake could cause extended downtime and disruption to ongoing business activities.
But here's the catch—not all vulnerabilities pose equal risk. Since threat actors know what works and what doesn't, they tend to exploit only a small subset of vulnerabilities; with this in mind, it makes sense to shift your focus from how many vulnerabilities you have to which vulnerabilities pose an imminent risk. This calls for a risk-based approach to vulnerability management. Unlike traditional vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities and allows you to prioritize the most serious ones.
The success of a risk-based vulnerability management depends on how accurately you identify the risk of vulnerabilities, and how quickly and effectively you can respond to those issues. Below are four key considerations that are instrumental in achieving success with risk-based vulnerability management.
CVSS scores have their own limitations in terms of risk prediction. Out of the 1,081 Common Vulnerabilities and Exposures (CVEs) published by Microsoft in 2020, 1,062 of them had a severity rating of seven or above. However, only a tiny portion of those vulnerabilities were actually used in exploits, and to the contrary, often vulnerabilities with lower scores were found to be widely exploited. Check out our blog for details on why that's the case.
Meanwhile, it's a waste of time and resources to focus on vulnerabilities with high CVSS scores but little to to no risk. From an attacker's perspective, factors that make exploitation more likely include:
ManageEngine Vulnerability Manager Plus is a prioritization-driven threat and vulnerability management solution with built-in patching, offering comprehensive coverage, continual visibility, risk-based assessment, and built-in remediation of vulnerabilities and misconfigurations.
Continuously scan all your endpoints, whether they're at the local office, in a demilitarized zone (DMZ), or located remotely. The scanned data collected across multiple endpoints is consolidated in a web console for centralized management and represented with meaningful context, translating to reliable and timely results.
Detect operating system and third-party vulnerabilities in systems, servers, virtual machines, and laptops, as well as web servers and database servers. Extend your visibility beyond just vulnerabilities, and keep tabs on misconfigurations, risky software, active ports, and more to ensure no threats fly under your radar.
Visualize, analyze, and prioritize your response to exploitable and impactful vulnerabilities based on:
Learn in detail about how these risk factors help prioritize vulnerabilities effectively.
With the built-in patching module automatically correlating patches with corresponding vulnerabilities, you can deliver fast remediation to high-risk vulnerabilities directly. As an additional measure to mitigate risk, you can deploy secure configurations in place of misconfigurations, and uninstall high-risk software directly from the web console.