Author: Mélanie Pilpré
Vulnerability management has reached a crisis point. With an ever-growing attack surface, enterprises find it impossible to patch everything. A risk-based approach can help prioritize where businesses need to focus on repairing and fixing vulnerabilities.
In 2023, there were more than 27,000 new vulnerabilities discovered. This is unsurprising considering how rapidly the average enterprise’s network surface is expanding.
“Vulnerability exploitation has become one of the top initial attack vectors in breaches and compromises over the last few years,” said Stephen Carter, CEO and Co-Founder of Nucleus Security. “It wasn’t even on the radar five or six years ago, and now it’s dominating with a clear, upward trend in mass exploitation of vulnerabilities. This is leaving many organizations struggling to prioritize what to fix first among the hundreds of thousands of vulnerabilities.”
Unresolved findings also keep getting older: roughly 35% of all unique CVEs come from findings that are 120 days old or older.
Fundamentally, there are five core challenges in vulnerability management:
Most businesses lack a clear view of all their assets, connections, and requirements. In addition, the specter of shadow IT means many organizations run on a lot more software than they realize, making it impossible to track where patches are needed and the severity of the vulnerabilities.
Enterprises receive a barrage of communication on vulnerabilities from vendors, telling them what to do and when. The problem is there is little to no consistency in how the message is delivered, who it might go to, and what format it will take. Much of it is sent out en masse, with little personalization. This puts the onus on companies to understand how it relates to their own setup, adding pressure to already stretched teams.
If companies aren’t sure what’s on their asset list, then knowing what to focus on is near impossible. They also need to consider the threat landscape, how attacks are likely to threaten them, and what that means for the patches they need to implement. It all adds up to making it hard to know where to start.
Getting hold of information that makes sense may be one challenge, but then you need to be able to use it appropriately. There may be a minor vulnerability reported on a mission-critical system. Still, the nature of the software means it will send alarm bells throughout the organization, with resources devoted to fixing it.
Not acquiring the right skills hampers organizations’ abilities to operate effectively. From a cyber security perspective, that covers everything from dealing with sophisticated threats to running a comprehensive vulnerability management program. If you have tens or hundreds of devices, you might be able to keep up. However, if you’re a mid to large enterprise with thousands of devices and apps, you simply can’t hire enough people to triage and patch that many vulnerabilities quickly.
It’s clear that trying to tackle vulnerability management alone, patching everything by hand, is a thankless and ultimately impossible task. Businesses need to change their attitude to patching in order to maintain their defenses, adopting an approach that actually addresses those challenges.
That means focusing on what and where the risks really are, and then automating for scale, rather than trying to patch everything or becoming so overwhelmed that the signals are lost in the noise. A risk-based approach to vulnerability management means homing in on the vulnerabilities that present a clear and present risk to your organization and prioritizing those fixes.
To do this, businesses must combine internal and external data to create a comprehensive risk profile. Internal sources include knowledge of the attack surface, how critical assets are to operations and what an attack using a vulnerability would do to the business. External information comes from threat intelligence and known attacker activity.
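To make the combination of internal and external data concrete, here is an added example (not code from the article, from Orange, or from the Nucleus platform) that scores a small set of constructed findings. The weights, the 1-to-5 asset criticality scale and the CVE identifiers are all assumptions chosen for illustration; the aging check mirrors the "120 days or older" measure mentioned earlier, applied per unique CVE. Note how a low-severity finding on a mission-critical system ranks below an actively exploited finding on a less critical but internet-facing host, which is the prioritization the risk-based approach is meant to produce.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on one asset.

    Internal data: asset_criticality, internet_exposed.
    External data: known_exploited (threat intel on in-the-wild exploitation).
    """
    cve: str
    asset: str
    cvss: float             # base score, 0..10
    asset_criticality: int  # 1 (low) .. 5 (mission-critical); assumed scale
    internet_exposed: bool  # part of the known attack surface
    known_exploited: bool   # attacker activity reported by threat intelligence
    first_seen: date        # when the finding was first reported


# Constructed sample findings; CVE numbers are placeholders, not real IDs.
SAMPLE: List[Finding] = [
    Finding("CVE-0000-0001", "erp-db-01", 9.8, 5, False, True, date(2023, 9, 1)),
    Finding("CVE-0000-0002", "marketing-web", 7.5, 3, True, True, date(2024, 1, 20)),
    Finding("CVE-0000-0002", "partner-portal", 7.5, 4, True, True, date(2023, 10, 15)),
    Finding("CVE-0000-0003", "erp-db-01", 4.3, 5, False, False, date(2024, 2, 10)),
    Finding("CVE-0000-0004", "dev-build-07", 9.1, 1, False, False, date(2023, 12, 1)),
]


def risk_score(f: Finding) -> float:
    """Risk = severity x business impact x likelihood, scaled to 0..100.

    Weights are assumptions for this example: evidence of exploitation
    dominates likelihood, exposure adds to it, and criticality sets impact.
    """
    severity = f.cvss / 10.0                 # 0..1
    impact = f.asset_criticality / 5.0       # 0.2..1.0
    likelihood = 0.2                         # baseline for any open finding
    if f.known_exploited:
        likelihood += 0.6
    if f.internet_exposed:
        likelihood += 0.2
    return round(100.0 * severity * impact * likelihood, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by risk score, breaking ties on asset criticality."""
    return sorted(findings,
                  key=lambda f: (risk_score(f), f.asset_criticality),
                  reverse=True)


def stale_cve_share(findings: List[Finding], as_of: date,
                    threshold_days: int = 120) -> float:
    """Fraction of unique CVEs whose oldest open finding is >= threshold_days old."""
    oldest_age: Dict[str, int] = {}
    for f in findings:
        age = (as_of - f.first_seen).days
        oldest_age[f.cve] = max(oldest_age.get(f.cve, 0), age)
    if not oldest_age:
        return 0.0
    stale = sum(1 for age in oldest_age.values() if age >= threshold_days)
    return stale / len(oldest_age)


if __name__ == "__main__":
    as_of = date(2024, 3, 1)  # fixed reporting date so the output is reproducible
    print(f"{'score':>6}  {'cve':<14} {'asset':<15} crit exposed exploited")
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):>6}  {f.cve:<14} {f.asset:<15} "
              f"{f.asset_criticality:>4} {str(f.internet_exposed):>7} "
              f"{str(f.known_exploited):>9}")
    print(f"unique CVEs with a finding >= 120 days old: "
          f"{stale_cve_share(SAMPLE, as_of):.0%}")
```

The multiplicative form is deliberate: a finding needs a plausible attack path (likelihood), a damaging outcome (impact) and a serious flaw (severity) before it floats to the top, so a critical-CVSS bug on an isolated build server or a minor bug on the ERP database both sit well below an exploited flaw on a public-facing portal. In practice the likelihood input would be fed from a threat-intelligence source and the criticality from the asset inventory, which is exactly the internal/external pairing the text describes.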
More specifically, there are five steps that we believe businesses should take to implement a risk-based approach to vulnerability management:
As you can see, there is a lot of value to be placed on a risk-based approach to vulnerability management. It’s something that we strive to help our customers implement in their own programs.
According to a recent Forrester Wave report published in August 2022, “Orange offers differential value in its high-quality threat intelligence and incident response services, which are much appreciated by its customers. Clients highlighted that its use of Nucleus for vulnerability management offered superior outcomes for vulnerability prioritization and remediation support, helping to drive better VRM program outcomes.”
Ultimately, a risk-based approach to vulnerability management will help reduce the attack surface and make the organization a more challenging target for bad actors. It will do so without demanding vast amounts of new resources, instead utilizing much of what already exists to redeploy it in a smart, targeted manner.