Risk-Based Vulnerability Management or RBVM is the practice of assessing, prioritizing, and remediating vulnerabilities according to the risk they pose to the organization. As attack surfaces expand and the volume of assets – both hardware and software – grows exponentially, traditional approaches to vulnerability management cannot keep pace with the scale of the challenge. Simply put, there are far more vulnerabilities than resources to fix them. By applying a risk-based approach, organizations can optimize available resources and align teams around policies and Service Level Agreements (SLAs) to manage vulnerabilities more effectively.
This article will explore the essential elements of risk-based vulnerability management and how to implement a successful risk-based program.
Risk-Based Vulnerability Management vs Traditional Vulnerability Management
One way to understand the difference between traditional and risk-based vulnerability management is to think of traditional risk management as the activities to detect and respond to vulnerabilities, while risk-based vulnerability management is the strategy for prioritizing, managing, and governing a vulnerability management program aligned with the risk tolerance and often competing objectives of the organization. That is a loaded statement, though, so let’s break it down.
Vulnerability management describes a set of ongoing activities to identify assets, detect and respond to vulnerabilities, and protect against cyber exposure. It includes inventorying assets, testing to find vulnerabilities among those assets, and practices to investigate and remediate those findings. It also includes policies and controls to safeguard and mitigate the impact of malicious attacks.
Part of the challenge is that the volume and complexity of IT assets have exploded. Organizations need to defend dispersed assets against diverse threats often using disjointed tools to detect vulnerabilities across everything from traditional networks to cloud infrastructures, web applications to mobile and internet of thing (IoT) devices, and more.
Complexity not only adds to the number of assets under management and tools required for testing. It also creates hundreds of thousands of vulnerability findings for teams that already have more than they can handle. This is where traditional vulnerability management has fallen short. When teams are already overwhelmed, just detecting more vulnerabilities is not productive. It is paralyzing.
Risk-based vulnerability management breaks this paralysis. By calculating risk and applying risk-based principles to vulnerability management, organizations can cut through the complexity to prioritize remediation efforts based on impact and provide visibility into risk posture for governance and decision support. So, what are these risk-based principles?
RBVM Fundamentals: Understanding Risk Management Principles
Risk management weighs the probability and impact of adverse events across the organization to inform the judicious allocation of resources to mitigate and minimize exposure.
It can be tempting to fall into a narrow view of risk. For example, if you are responsible for vulnerability management and all vulnerabilities pose a potential threat, you might advocate for resources to address as many vulnerabilities as possible. However, while cyber exposure is key and a growing risk factor, it is only one of many types of risk spanning everything from operational risk to financial and strategic risk. Risks that can factor into a broader risk management strategy include:
There are many other potential risk factors organizations might consider from the impact of policy and political factors to natural disasters. Risk-based principles identify key risk factors, assess the risk tolerance of the organization, and apply this to inform decisions and align the organization.
Often, risk factors are interconnected leading to tradeoffs and competition for resources. An example of this is the frequent friction between security teams and development. On one hand, security is responsible for mitigating security and operational risks. On the other hand, development is responsible for mitigating competitive and strategic risks. These are different objectives, but they compete for the same resources to achieve them. This can lead to conflicts when organizations are not aligned around a well-defined – and ideally well-documented and managed – risk-based approach.
A risk-based approach would assess the relative security, operational, strategic, and competitive risks as well as mitigation efforts to determine the best allocation of resources to meet the needs of the organization. Without this, decisions on if, when, and how to address vulnerabilities and security risks are often ad hoc or underinformed. For many organizations opportunity and competitive risks outweigh security risk – if not explicitly then at least in practice. In a survey of over 450 companies, 66% responded “shipping fast takes priority over shipping secure.” This highlights the need for risk-based vulnerability management to evaluate and prioritize vulnerabilities based on risk and empower security teams with influence and governance to manage risk more effectively.
How Risk-Based Vulnerability Management Works
Risk-Based Vulnerability Management aggregates vulnerabilities across detection sources and calculates risk to prioritize – and ideally automate – remediation workflows. It can also provide visualizations showing risk across assets and business units and provide risk-based SLAs for governance. There are four essential capabilities for an effective risk-based vulnerability management program:
1. Unify visibility into vulnerabilities.
As the table above shows, IT assets are numerous and diverse, and security teams rely on a multitude of tools to identify vulnerabilities. Security teams don’t just need to prioritize vulnerable open-source dependencies discovered by a Software Comparison Analysis (SCA) tool. They need to prioritize those findings relative to cloud misconfigurations, vulnerable ports, unpatched software, exposed endpoints, and more. The first step in enacting a risk-based approach is to gain holistic visibility into the vulnerabilities that need to be prioritized and managed.
Most teams don’t have a coverage challenge but a complexity challenge. Despite the many platforms, no one tool meets the diverse and evolving vulnerability scanning and detection needs of an organization. This often leaves teams struggling to manage findings across multiple tools by manually downloading and aggregating findings in spreadsheets to correlate and prioritize. However, modern risk-based vulnerability management solutions eliminate this challenge. A dedicated RBVM solution should act as a hub aggregating findings across sources to create unified visibility into vulnerabilities.
2. Prioritize vulnerabilities based on risk.
The next challenge is assessing the relative risk of vulnerabilities. Organizations can face hundreds of thousands to millions of vulnerabilities. Risk-based vulnerability management makes the massive quantities of vulnerabilities manageable by distilling them down into those that pose the greatest risk to the organization and require action.
Most vulnerability scanners assess the technical severity of findings, typically applying a Common Vulnerability Scoring System (CVSS) score to a finding or based on the criticality of publicly disclosed Common Vulnerabilities and Exposures (CVEs). However, prioritizing vulnerabilities just on technical severity ignores threat intelligence, business context, and asset impact to assess the specific risk a vulnerability poses to the organization. RBVM applies risk-scoring algorithms configured to the organization to calculate risk and enable risk-based prioritization.
The risk-score algorithm should use available intelligence to calculate severity across different categories of vulnerabilities and measure impact in a transparent, explainable, and configurable manner. There is a balance between precision and practicality. If there are too many variables, risk scores can be overly complex, difficult to manage, and opaque when trying to configure and improve accuracy. On the other end of the spectrum, too few variables may not provide the flexibility to manage different categories of findings – for example, vulnerabilities disclosed by a bug bounty without a CVE – or account for critical asset attributes.
ArmorCode’s adaptive risk scoring is an example of a risk-scoring algorithm that strikes the balance between precision and practicality to assess the relative risk of different categories of vulnerabilities in a transparent manner with user-managed variables. The algorithm combines technical severity with exploit and threat intelligence as applicable to calculate a finding score. This finding score is then factored against an asset score determined by user-managed tags (and/or ingested from an asset management system) with risk weightings. Security teams have full visibility into each variable with the ability to manage variables to refine the risk score.
Ultimately, the goal of risk scoring is not a precise score but an accurate assessment for prioritization and remediation management. An accurate risk score makes it easy to answer tactical questions like, “With the resources available, what should we do first?” It is also essential for organizations looking to mature to a risk-based approach focused on outcomes and up-level the conversation to strategic questions like, “How long is acceptable for high-risk vulnerabilities to persist in production?” Answering this question builds alignment across the organization and empowers security teams. Instead of antagonistic competition for resources, teams can collaborate to meet defined business and risk tolerance priorities.
3. Manage risk through effective and efficient remediation
Prioritization is essential. However, it does not translate into value until remediation occurs and risk posture improves. RBVM needs to be highly practical and facilitate the remediation of vulnerabilities and exposures. There are two ways RBVM optimizes remediation. First, is through the effectiveness of remediation efforts by ensuring teams are focused on the vulnerabilities that pose the greatest risk. The second is through the efficiency of remediation efforts by minimizing the manual steps and time to achieve the most impact. In tandem, effective and efficient risk-based remediation makes it possible for organizations to reduce security and operational risk and confidently innovate, compete, and grow.
The effectiveness of remediation efforts is closely tied to effective Risk Scoring and prioritization. Risk Score drives vulnerability triaging. When it comes to efficiency, an RBVM solution is a highly valuable resource to minimize the manual steps between vulnerability identification and remediation. With a platform solution like ArmorCode, security teams can create risk-based runbooks to automate remediation workflows and generate tickets assigned to asset owners with predefined SLAs. When a vulnerability is found, the RBVM solution ingests the finding, calculates its risk, and based on that Risk Score, can trigger a remediation action and notify the asset owner.
By unifying visibility across findings and assets, RBVM can also help teams correlate and group findings and diagnose root causes of risk. Root causes may be pervasive and high-risk vulnerable components like log4j, a particularly weak asset, or individuals requiring more attention and assistance to improve remediation performance. These insights help security teams focus their efforts – and the efforts of the teams they collaborate with – on efficient risk reduction.
4. Measure, Manage, and Mature
Risk-based vulnerability management is not a static event but a dynamic process. Vulnerabilities are constantly discovered and disclosed, and maturing a risk-based vulnerability management practice is a journey. Here are some ways you can apply data to improve the performance of your risk-based practice:
- Map and visualize risk across the organization: In addition to assessing and prioritizing risk at an individual vulnerability level, RBVM can help assess cyber exposure across the organization based on the aggregate risk impact of vulnerabilities at the asset, team, business unit, or other hierarchy level. Teams can assess the risk posture based on the weakest link (i.e., highest-risk vulnerability) or a broader assessment based on the volume and risk impact of findings.
- Report to leadership, boards, and regulators: A risk-based vulnerability management practice facilitates identifying where risk exists and what is being done about it. RBVM solutions help report on assets under management, testing, and detection practices to discover vulnerabilities, and remediation practices and performance.
- Align the organization around outcome-driven metrics: Outcome-driven metrics tie security activities to risk-based practices and organizational priorities. Key metrics should align with the organization’s risk appetite. For example, instead of reporting on the number of vulnerabilities found and remediated, reporting on SLA compliance – what percentage of high-risk vulnerabilities were patched within the acceptable window of exposure – lets the organization proactively manage the risk impacts. If a breach happens within the SLA window, that falls within the risk tolerance which may need to be adjusted. If a breach happens outside the SLA window, then resources and performance are not meeting the needs. Organizations should also track and document exceptions so those 66% that prioritize speed over security can explicitly approve and understand the security risk impact of those decisions.
- Build a comprehensive risk-based cybersecurity practice: As expansive as vulnerability management is, it does not cover the ever-expanding breadth of cyber risk exposure. In addition to patching vulnerabilities, CISOs, and security teams are responsible for application security and the integrity of the software supply chain. It doesn’t make sense to apply a risk-based approach to one but not the others. Similarly, it makes little sense to manage these risks across discrete platforms. Bringing all cyber risk – vulnerability management, application security, and software supply chain security – under a complete risk-based governance platform can create clarity out of the complexity and simplify cyber risk management.
These four essential capabilities – unified visibility into vulnerabilities, risk-based prioritization, effective and efficient remediation, and governance – will help you evolve vulnerability management from a tactical activity-based practice to a strategic risk-based one.
How to Implement a Successful Risk-Based Vulnerability Management Program
Implementing a successful risk-based vulnerability management program involves more than committing to a process or selecting the right technology. As in most cases, success comes down to navigating the people, process, and technology aspects of an effective program.
To start, do you have the right people with the right skills, support, and resources to manage an effective risk-based process? You can define and document a mature risk assessment and management process complete with SLAs; however, if it does not account for knowledge gaps or the workloads of the people who ultimately address vulnerabilities and exposures, then you will not achieve the desired outcomes. Similarly, while technology is necessary and can automate processes and offload lower-value tasks, the successful implementation and adoption of technology requires effective change management and prerequisite expertise to make technologies fit into workflows and practices.
Given the cybersecurity talent gap and the imbalanced ratio between security and development teams, however, establishing processes and leveraging technologies to scale the effectiveness of people is necessary to keep pace with the challenge of cyber exposure. For many organizations, this is a strategic need to manage risk and ensure compliance without creating bottlenecks that slow the pace of business and innovation. RBVM breaks the paralysis of vulnerability overload by focusing teams on the smaller quantity of findings that matter.
And finally, technology makes this process possible for the people challenged to manage and execute it. At one level, you can’t fix what you can’t find. Organizations have a myriad of vulnerability detection tools – often with overlaps in capabilities and different teams using different tools. The challenge is often not one of coverage but complexity. Manually aggregating and correlating vulnerabilities, assessing risk, triaging, identifying asset owners, assigning tickets, and tracking SLAs and adherence is not scalable and ties up high-skilled and scarce security professionals. An RBVM solution like ArmorCode makes security investments 10X more effective by empowering security professionals to automate these processes and govern a risk-based program that transforms vulnerability management from the practice of finding vulnerabilities to proactively managing risks and lowering cyber exposure.
In conclusion, implementing a successful risk-based vulnerability management program is a multifaceted endeavor that hinges on the synergy of people, processes, and technology. Adopting and maturing a risk-based approach will equip you to proactively minimize your cyber exposure and fortify your expanding attack surface against an ever-evolving threat landscape.