
Stop trying to patch everything and focus on the real organizational risk

Author: Mélanie Pilpré

Vulnerability management has reached a crisis point. With an ever-growing attack surface, enterprises find it impossible to patch everything. A risk-based approach can help prioritize where businesses need to focus on repairing and fixing vulnerabilities. 

In 2023, there were more than 27,000 new vulnerabilities discovered. This is unsurprising considering how rapidly the average enterprise’s network surface is expanding. 

“Vulnerability exploitation has become one of the top initial attack vectors in breaches and compromises over the last few years,” said Stephen Carter, CEO and Co-Founder of Nucleus Security. “It wasn’t even on the radar five or six years ago, and now it’s dominating with a clear, upward trend in mass exploitation of vulnerabilities. This is leaving many organizations struggling to prioritize what to fix first among the hundreds of thousands of vulnerabilities.”

Unresolved findings also keep getting older: around 35% of all unique CVEs come from findings that are 120 days old or older.

What’s stopping these vulnerabilities from being fixed?

Fundamentally, there are five core challenges in vulnerability management:

  • Lack of visibility: Most businesses lack a clear view of all their assets, connections, and requirements. In addition, the specter of shadow IT means many organizations run far more software than they realize, making it impossible to track where patches are needed and how severe the vulnerabilities are.

  • Information inconsistency: Enterprises receive a barrage of vulnerability communications from vendors, telling them what to do and when. The problem is that there is little to no consistency in how the message is delivered, who it goes to, and what format it takes. Much of it is sent out en masse, with little personalization. This puts the onus on companies to work out how it relates to their own setup, adding pressure to already stretched teams.

  • Knowing what to prioritize: If companies aren’t sure what’s on their asset list, knowing what to focus on is near impossible. They also need to consider the threat landscape, how attacks are likely to affect them, and what that means for the patches they need to implement. It all adds up to making it hard to know where to start.

  • Being able to apply information effectively: Getting hold of information that makes sense is one challenge, but then you need to be able to use it appropriately. A minor vulnerability may be reported on a mission-critical system; because of what that system does, it sets off alarm bells throughout the organization and resources are diverted to fixing it.

  • Lack of resources or expertise: Not having the right skills hampers an organization’s ability to operate effectively. From a cybersecurity perspective, that covers everything from dealing with sophisticated threats to running a comprehensive vulnerability management program. If you have tens or hundreds of devices, you might be able to keep up. However, if you’re a mid-sized to large enterprise with thousands of devices and apps, you simply can’t hire enough people to triage and patch that many vulnerabilities quickly.

A new approach is needed

It’s clear that trying to tackle vulnerability management in isolation is a thankless and, ultimately, impossible task. A hands-on approach to patching everything just won’t work, so businesses need to change their attitude to patching if they are to maintain their defenses, adopting an approach that actually addresses the challenges above.

It calls for an approach that focuses on what and where the risks really are, and then automates for scale, rather than trying to patch everything or becoming so overwhelmed that the signals are lost in the noise. A risk-based approach to vulnerability management means homing in on where vulnerabilities present a clear and present risk to your organization and prioritizing those fixes.

To do this, businesses must combine internal and external data to create a comprehensive risk profile. Internal sources include knowledge of the attack surface, how critical assets are to operations and what an attack using a vulnerability would do to the business. External information comes from threat intelligence and known attacker activity.

Five steps to risk-based vulnerability management

More specifically, there are five steps that we believe businesses should take to implement a risk-based approach to vulnerability management:

  1. Identification – First, you must know what you’re trying to protect. Using available data and, if available, scanners, identify your attack surface and select the scope to be regularly scanned. Multiple data sources can be aggregated to build a clear picture of what’s exposed.
  2. Implication – Once you know what you’ve got, you can see how any attack might impact business operations. This is where you need to determine the importance of your assets to the organization.
  3. Enrichment – You’ve built up a picture of your vulnerabilities with internal data. To understand where you need to prioritize, sources like threat intelligence and attacker activity allow you to see how much of a problem your vulnerabilities really are.
  4. Remediation – Having ranked vulnerabilities by the risk they pose, you can prioritize your fixes and remediation rather than trying to solve everything.
  5. Evaluation – Cyber threats are constantly evolving, and vulnerabilities are proliferating. Monitoring and measuring the progress of your vulnerability management program will ensure that new gaps can be assessed and, if necessary, addressed before they are exploited.
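As an added example (not Orange Cyberdefense’s code or scoring model), the routine below shows how the five steps combine in practice: it merges the internal data from steps 1 and 2 (exposure and asset criticality) with the external enrichment from step 3 (known attacker activity) to rank findings for step 4, and tracks the share of aged findings as a step 5 metric. The weights, asset names and CVE identifiers are constructed assumptions.

```python
from dataclasses import dataclass

# Weights are illustrative assumptions, not a standard; tune them to your own risk appetite.
EXPLOITED_MULTIPLIER = 2.0   # step 3 enrichment: seen in known attacker activity
EXPOSED_MULTIPLIER = 1.5     # step 1 identification: reachable from the internet
MAX_CRITICALITY = 5          # step 2 implication: 1 = lab box, 5 = revenue-critical system


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # vendor / NVD base score: generic severity, not risk
    criticality: int         # business importance of the asset (1..MAX_CRITICALITY)
    exposed: bool            # internet-facing
    exploited_in_wild: bool  # known exploitation from threat intelligence
    age_days: int            # days since the finding was first reported


def risk_score(f: Finding) -> float:
    """Combine generic severity with internal context and external threat intel."""
    score = f.cvss * (f.criticality / MAX_CRITICALITY)
    if f.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    if f.exposed:
        score *= EXPOSED_MULTIPLIER
    return round(score, 2)


def prioritize(findings):
    """Step 4: rank findings by organizational risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def aged_share(findings, threshold_days: int = 120) -> float:
    """Step 5: fraction of open findings at or beyond the age threshold, tracked over time."""
    if not findings:
        return 0.0
    return sum(f.age_days >= threshold_days for f in findings) / len(findings)


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-EXAMPLE-A", "lab-vm-07", 9.8, 1, False, False, 200),
    Finding("CVE-EXAMPLE-B", "payments-gw", 7.5, 5, True, True, 10),
    Finding("CVE-EXAMPLE-C", "hr-portal", 5.3, 4, True, False, 150),
    Finding("CVE-EXAMPLE-D", "fileserver-03", 8.8, 3, False, True, 45),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.cve:14}  {f.asset}")
```

Note that the CVSS 9.8 finding on the lab machine ends up last, while the CVSS 7.5 finding on the exposed, exploited, business-critical gateway comes first: severity alone would have ranked them the other way round.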

As you can see, a risk-based approach to vulnerability management delivers a great deal of value, and it is something we strive to help our customers implement in their own programs.

According to a recent Forrester Wave report published in August 2022, “Orange offers differential value in its high-quality threat intelligence and incident response services, which are much appreciated by its customers. Clients highlighted that its use of Nucleus for vulnerability management offered superior outcomes for vulnerability prioritization and remediation support, helping to drive better VRM program outcomes.”

Ultimately, a risk-based approach to vulnerability management will help reduce the attack surface and make the organization a more challenging target for bad actors. It will do so without demanding vast amounts of new resources, instead utilizing much of what already exists to redeploy it in a smart, targeted manner.

To support businesses implementing a risk-based vulnerability management approach, Orange Cyberdefense has developed Managed Vulnerability Intelligence [identify].
