Risk-based vulnerability management

Risk-based vulnerability management involves triaging response to vulnerabilities that are on the verge of exploitation and could result in drastic consequences if exploited. This article details the key risk factors to take into account when prioritizing vulnerabilities, and other considerations that ensure the success of risk-based vulnerability management.



What is risk-based vulnerability management?

Risk-based vulnerability management is the process of reducing the risk your network faces by constantly assessing vulnerabilities for various risk factors, and prioritizing response to highly-critical vulnerabilities that are imminently exploitable and highly impactful.

The need for risk-based vulnerability management

A common vulnerability management woe for organizations of all sizes is that there are just too many vulnerabilities to fix; in fact, a whopping 17,447 new security vulnerabilities were disclosed in 2020 alone. With a new vulnerability popping up every six minutes and attackers quickly developing exploits based on public disclosures, organizations need to be swift in their remediation. But there are too many vulnerabilities, and too little time to address them all.

Even if you can afford to increase your sysadmin-to-system ratio considerably, it's unrealistic to have every Windows machine updated with the latest patches the day after Patch Tuesday—patching in itself can take a considerable amount of time depending on the number of systems, the number of applications, the type of resources to be patched, the load-handling capacity of the patching tool, the organization's patching window, and the testing process associated with patching. Additionally, patching windows for servers are narrow, and extreme care must be taken when patching servers—one mistake could cause extended downtime and disruption to ongoing business activities.

But here's the catch—not all vulnerabilities pose equal risk. Since threat actors know what works and what doesn't, they tend to exploit only a small subset of vulnerabilities; with this in mind, it makes sense to shift your focus from how many vulnerabilities you have to which vulnerabilities pose an imminent risk. This calls for a risk-based approach to vulnerability management. Unlike traditional vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities and allows you to prioritize the most serious ones.

What are the top four considerations for successful risk-based vulnerability management?

The success of risk-based vulnerability management depends on how accurately you identify the risk of vulnerabilities, and how quickly and effectively you can respond to those issues. Below are four key considerations that are instrumental in achieving success with risk-based vulnerability management.

  • Monthly or quarterly scanning for compliance's sake doesn't cut it, since infrequent scans can introduce blind spots. Your endpoints, wherever they are, should be monitored continuously for known and emerging vulnerabilities. After all, you can't secure what you can't see.
  • Extend your scope of coverage beyond just vulnerabilities. If vulnerabilities are the entryway, misconfigurations and other security loopholes pave the way for lateral movement within the network.
  • Understand the real risk of vulnerabilities. Performing a vulnerability assessment that relies on CVSS scores alone is limited. For risk-based vulnerability management to pay off, organizations should utilize multiple risk factors in conjunction with CVSS scores to understand their exploitability and impact, and prioritize response. The next section will detail the key risk factors to consider while prioritizing vulnerabilities.
  • It's all futile if the prioritized vulnerabilities aren't remediated in a timely fashion. Traditionally, organizations employ dedicated tools for patching and vulnerability management operated by different teams; this results in a siloed, inefficient workflow, and makes the process of remediating risk slow and complex. An integrated patch and vulnerability management solution provides every team working on a task with unified visibility and better tracking from detection to closure—all from a central location. This also eliminates the need for redundant scans, as a single scan will fetch all the vulnerability and patch information and automatically correlate it, helping to accomplish direct, swift remediation.

What are the key risk factors to consider from the attackers' perspective?

CVSS scores have their own limitations in terms of risk prediction. Out of the 1,081 Common Vulnerabilities and Exposures (CVEs) published by Microsoft in 2020, 1,062 of them had a severity rating of seven or above. However, only a tiny portion of those vulnerabilities were actually used in exploits, and to the contrary, often vulnerabilities with lower scores were found to be widely exploited. Check out our blog for details on why that's the case.

Meanwhile, it's a waste of time and resources to focus on vulnerabilities with high CVSS scores but little to no risk. From an attacker's perspective, factors that make exploitation more likely include:

  • The public availability of proof of concept for a vulnerability and technical feasibility of an exploit.
  • The type of impact they can unleash upon exploitation, preferably remote code execution.

ManageEngine's risk-based vulnerability management

ManageEngine Vulnerability Manager Plus is a prioritization-driven threat and vulnerability management solution with built-in patching, offering comprehensive coverage, continual visibility, risk-based assessment, and built-in remediation of vulnerabilities and misconfigurations.

Continuous scanning

Continuously scan all your endpoints, whether they're at the local office, in a demilitarized zone (DMZ), or located remotely. The scanned data collected across multiple endpoints is consolidated in a web console for centralized management and represented with meaningful context, translating to reliable and timely results.

Comprehensive coverage

Detect operating system and third-party vulnerabilities in systems, servers, virtual machines, and laptops, as well as web servers and database servers. Extend your visibility beyond just vulnerabilities, and keep tabs on misconfigurations, risky software, active ports, and more to ensure no threats fly under your radar.

Risk-based assessment

Visualize, analyze, and prioritize your response to exploitable and impactful vulnerabilities based on:

  • CVSS scores and severity ratings.
  • The availability of exploits.
  • A security news feed that's continually updated with articles on vulnerabilities that attackers are discussing, experimenting with, or using, and current exploits circulating in the wild.
  • Vulnerability age.
  • Affected asset count.
  • A drilled-down view of assets displaying whether web servers, databases, or content management systems are installed on them, along with vulnerabilities on those installations.
  • CVE impact type.
  • Patch availability.
  • A dedicated view to swiftly pinpoint zero-day and publicly disclosed vulnerabilities.

Learn in detail about how these risk factors help prioritize vulnerabilities effectively.
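The attacker-perspective factors above (public exploit availability, impact type) and the risk factors in this list can be combined into one sortable triage score. The following is an added illustration, not code from Vulnerability Manager Plus; the weights, the placeholder CVE IDs and the sample findings are all constructed assumptions, chosen only to show how a lower-CVSS vulnerability can outrank a higher-CVSS one.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str              # placeholder IDs below, not real CVEs
    cvss: float           # base severity, 0-10
    impact: str           # "RCE", "PrivEsc", "InfoLeak" or "DoS"
    exploit_public: bool  # public PoC or exploit code exists
    in_the_wild: bool     # exploitation observed in the wild
    age_days: int         # days since disclosure
    assets: int           # affected asset count
    patch_available: bool
    zero_day: bool        # publicly disclosed, no vendor fix yet

# Assumed impact weights: RCE is what attackers prefer, so it dominates.
IMPACT_WEIGHT = {"RCE": 3.0, "PrivEsc": 2.0, "InfoLeak": 1.0, "DoS": 0.5}

def risk_score(v: Vuln) -> float:
    """Fold the risk factors into one number; weights are illustrative only."""
    score = v.cvss * IMPACT_WEIGHT.get(v.impact, 1.0)
    if v.in_the_wild:
        score *= 2.0          # active exploitation outweighs everything else
    elif v.exploit_public:
        score *= 1.5          # a public PoC lowers attacker effort
    if v.zero_day:
        score *= 1.5          # no patch to deploy, so mitigation is urgent
    score *= 1 + min(v.age_days, 365) / 365   # older unpatched flaws get targeted
    score *= 1 + min(v.assets, 1000) / 100    # blast radius across the estate
    return round(score, 2)

def triage(vulns):
    """Rank most urgent first and attach the remediation path the page describes."""
    out = []
    for v in sorted(vulns, key=risk_score, reverse=True):
        if v.zero_day or not v.patch_available:
            action = "mitigate (secure config / isolate) and track vendor fix"
        elif v.in_the_wild or v.exploit_public:
            action = "patch now, out of cycle"
        else:
            action = "patch in normal cycle"
        out.append((v.cve, risk_score(v), action))
    return out

# Constructed sample findings (not scanner output).
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", 9.8, "RCE", True, True, 30, 200, True, False),
    Vuln("CVE-0000-0002", 9.1, "DoS", False, False, 400, 50, True, False),
    Vuln("CVE-0000-0003", 6.5, "PrivEsc", True, False, 10, 30, False, True),
]
```

Running `triage(SAMPLE_VULNS)` places the CVSS 6.5 zero-day with a public PoC ahead of the CVSS 9.1 denial-of-service flaw that has no exploit, which is the reordering the page argues for.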

Built-in remediation

With the built-in patching module automatically correlating patches with corresponding vulnerabilities, you can deliver fast remediation to high-risk vulnerabilities directly. As an additional measure to mitigate risk, you can deploy secure configurations in place of misconfigurations, and uninstall high-risk software directly from the web console.
