Select your country

Not finding what you are looking for, select your country from our regional selector:


How to improve the effectiveness of vulnerability management

Are you confident that you have an effective vulnerability management strategy? Last year, we discovered more than 26,500 vulnerabilities, as opposed to over 25,000 in 2022 and 19,000 in 2021. The threat landscape continues to grow and diversify. A product in your IT landscape that was safe yesterday could become your biggest risk tomorrow. With limited resources in an ever-expanding digital world, the challenge is not only in finding new vulnerabilities, but in discerning which ones to prioritize.

Imagine you are in charge of defending a medieval city with the enemy lurking in the woods. The city walls have many cracks and breaches. Which ones should you mend first? The answer is not to simply start at one end and work towards the other end, because that leaves the rest of the city vulnerable. Instead, you first need to find and fix the weakest points in your wall – where an attack would hurt the most.

The same strategy applies to your vulnerability management. In a modern organization, a scan often reveals hundreds of thousands of weaknesses that an attacker could exploit. Like the city wall, you need to prioritize the vulnerabilities that pose the highest risk. How? By adding context to each weak point. Instead of relying on raw data, focus on contextualized vulnerability data with threat intelligence as your guide. This will transform reactive chaos into a proactive strategy.

Of the 26,500 vulnerabilities detected in 2023, only 1,114 are known to be exploited. It is not the quantity of vulnerabilities that should alarm us, but the potential damage they can cause.

The challenges of vulnerability management

Managing vulnerabilities may sound straightforward, yet many organizations still have significant cracks in their walls. Why is it so difficult? Several factors make this challenge complex. First, the volume can be overwhelming as new vulnerabilities emerge every day. Due to this huge volume, prioritization is essential. There are several frameworks and score systems to help you with this. Patching itself can also be complex. When is the right time to take a server down for maintenance?

Another common challenge is lack of visibility, often caused by dark spots and undocumented systems. After all, you cannot protect what you don’t see. Simultaneously, IT environments are becoming increasingly complex, with more assets and more dark spots. Due to this expanding attack surface, threat intelligence (keeping up with the latest threats) has become a full-time job. Lastly, organizational culture can be an obstacle as well. Do you have the right processes? Who will coordinate the patch work? And so on.

Common misconceptions about vulnerabilities

Unfortunately, many organizations fall into the trap of the following misconceptions:

  • “We will find too much if we scan everything, so let’s start small”
    Afraid of being overwhelmed, many organizations adopt this approach. However, excluding risks from your scope goes against best practices. It’s like rebuilding one part of your wall while leaving the rest vulnerable and hope for the best. Always prioritize the most critical problems.
  • “We need to patch all vulnerabilities before we scan again”
    In today’s fast-paced world, new vulnerabilities emerge every day. Therefore, you should scan for issues at least once a week and remediate the most critical ones immediately. Do not just go through a static list, it is dynamic and will never be finished, so it is more important to stay up to date.
  • “Automated patching solves all vulnerabilities”
    While automated patching is great, it is not a solution that fixes everything. Some patches fail as a result of download errors, aborted installations, etc. Regular scanning remains essential.
  • “Vulnerabilities are only IT’s problem” 
    Although IT is best placed for fixing vulnerabilities, this responsibility should be shared across the organization. Remember that vulnerabilities can impact anyone in the business.
  • “Windows is more vulnerable, so let’s run Mac and be safe”
    While Windows may have more vulnerabilities, no platform is entirely safe. Every system is susceptible to vulnerabilities and needs to be scanned. In fact, when we look at the actively exploited list of vulnerabilities, Mac’s attack rate is similar to that of Windows.
  • “The high CVSS vulnerabilities should be our highest priority” 
    Using the Common Vulnerability Scoring System (CVSS) is great, but it does not give you the full picture. A more holistic and dynamic approach to vulnerability management is needed to accurately assess and prioritize threats.

Implementing a risk-based approach

Continuous asset discovery and vulnerability scanning is the baseline in vulnerability management. Scan your entire environment, not just parts of it, and repeat this weekly. Visibility is key to avoid dark spots. Once you achieve this visibility, prioritize remediation with a risk-based approach. Adopt a holistic view, using all known factors to make an informed evaluation of the risk and vulnerability of an asset, supported by threat intelligence.

The factors to use are both internal and external. For external, we start with the CVSS score. But this alone is not enough. The type, exploitability and age are also important. The most vital is if the vulnerability is known to be exploited at the moment by any threat actors. These all tell us about the external treat. For internal factors we look at the assets. Is it critical for the business, does it have sensitive data on it? Where it is located in the network also plays a part.

When all these factors are combined, a risk score can be calculated for the vulnerability and the asset it is on. This risk score is dynamic as the threats are changing rapidly. By applying this to all devices and vulnerabilities, we can rank the biggest risks and focus our efforts where they matter most. For example, perhaps it is not CVSS 9.0 that requires our immediate attention, as that vulnerability is on a device that is locked into the network and is not accessible to an adversary. Instead, a server with a CVSS 6.7 vulnerability can be more interesting because that vulnerability is on a web server that can be easily exploited from the Internet.

Vulnerability management is of strategic importance

Unaddressed vulnerabilities can have severe consequences when someone manages to breach your city walls. Therefore, it is crucial to create awareness on all levels and ensure that everyone is on board – from system owners and users all the way up to the board. Recognize that a threat always targets the entire organization, and an intrusion affects the whole business. Be an advocate for change and obtain a high-level overview of risks in your organization. Ultimately, understanding these risks facilitates strategic decisions to enhance your security posture.  

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.