The Practitioner’s Guide to Vulnerability Management: Implementing a Risk-Based Approach

A scalable, high-quality vulnerability management program (VMP) accounts for volatility and exploitability by first focusing on issues that affect critical assets, rather than attempting to patch top-down.

June 6, 2022
What’s ahead

In this article we…

  • Define what vulnerability management is, and why it’s important
  • Describe the vulnerability management lifecycle, how it works, and the shortcomings of legacy approaches
  • Explain vulnerability management best practices

The amount of software being introduced into the market is increasing exponentially, and so too are the number of vulnerabilities. By taking advantage of flaws contained in products, threat actors can infiltrate an organization’s system, stealing sensitive data or causing damage to the network. A robust vulnerability management (VM) program enables organizations to identify assets that may be affected by critical, or highly exploitable vulnerabilities—enabling them to better prioritize and remediate risk.

What is vulnerability management?

Vulnerability management is the process of determining the level of risk each vulnerability poses, prioritizing them, and then remediating them based on asset-contextualized intelligence. To do this, the vulnerability management process takes the vulnerability intelligence an organization uses and builds upon it, performing the following functions:

  1. Identify deployed assets and then collect known vulnerabilities affecting them.
  2. Map those vulnerabilities to deployed assets used by the organization.
  3. Prioritize issues based on asset criticality, exploitability, severity, threat likelihood, and other factors.
  4. Remediate identified issues, or mitigate them via security controls or system hardening.

The importance of vulnerability management

If your organization does not have a vulnerability management program, or relies on a legacy approach such as vulnerability scanning, your prioritization and remediation processes will not occur in real-time. To proactively address risk, you need a solution that enables a risk-based approach.

Non-contextualized vulnerability data is overwhelming. According to Risk Based Security, a Flashpoint company, there are over 289,000 known vulnerabilities with the public source being unaware of over 93,000 of them, as of this publishing. In addition, tens of thousands of vulnerabilities are newly disclosed each year. As such, there are too many vulnerabilities for organizations to monitor and track in-house. Despite this, organizations still often try to aggregate and triage every issue, resulting in wasted resources.

Traditional remediation programs don’t consider the inherent volatility in the vulnerability disclosure landscape, and they often neglect key factors such as exploitability. A quality VMP addresses this by first focusing on the issues that affect the organization’s critical assets, rather than attempting to patch top-down.

This is what Gartner has to say about risk-based vulnerability management:

“Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.”

Gartner

Understanding the vulnerability management lifecycle

A risk-based approach enables organizations to more accurately assess the level of risk a vulnerability poses. To accomplish this, the vulnerability management lifecycle involves the following stages:

  1. Reveal
  2. Prioritize
  3. Remediation
  4. Verify

Surface your assets and reveal the vulnerabilities affecting them

The first step of the vulnerability management life cycle is revealing the vulnerabilities affecting your organization’s deployed assets. Assets can include servers, desktops, mobile devices, applications, and more. Identifying them leads into prioritization, which then enables your security teams to map vulnerabilities to any affected assets.

The purpose of this stage is to understand your attack surface, while also providing visibility into where your organization may be at-risk. Therefore, having comprehensive, detailed, and timely vulnerability intelligence is vital for this stage’s success. Public vulnerability intelligence sources like CVE/NVD fail to report over 93,000 vulnerabilities, meaning that if you’re relying on it, you are likely unaware of many unreported and highly exploitable issues affecting your assets.

Prioritizing vulnerabilities

Vulnerability prioritization takes place once organizations have identified at-risk assets and aggregated the known vulnerabilities affecting them. Then out of those vulnerabilities, based on their impact and likelihood of being exploited, organizations decide which of them they will focus their efforts to remediate.

To prioritize better, organizations should use asset risk scores to contextualize risk. An asset risk score is a numerical value that shows the overall importance of that asset to the organization based on its use and data being stored. It also considers the likelihood of that asset being compromised and its exposure to vulnerabilities.

Without doing this, security teams will likely experience the following problems:

1. Being overwhelmed by the amount of new vulnerabilities

Last year, nearly 30,000 vulnerabilities were newly disclosed and of those, 42.7% (12,794) had CVSSv2 scores between 6.0 – 10.0. This means that over the course of the year, security teams would have had to triage thousands of vulnerabilities—which is simply too many to patch within a year. Most vulnerability management frameworks dictate that organizations should address high-to-critical issues within 15 – 30 calendar days of initial detection, and with limited resources, this is nearly impossible without using a risk-based approach.

Recommended: CISA’s BOD 22-01: Vulnerability Management for Federal Agencies | Flashpoint

2. Lacking visibility of exploitable vulnerabilities

Prioritization based solely on CVSS scores fails to account for exploitability. CVSSv2 and CVSSv3 do not factor exploitability in their scoring, meaning that highly rated issues are not guaranteed to be actively used by threat actors. Sometimes the vulnerabilities that are being weaponized have ‘moderate’ or even ‘low’ CVSSv2 scores. Tunneling only on high-to-critical issues will likely create a gap in visibility and your VMP will need to prepare for this.

Vulnerability remediation

During the vulnerability remediation stage security teams patch, fix, or mitigate the vulnerabilities affecting the organization’s assets. Depending on the quality of your vulnerability intelligence feeds, remediation should be relatively straightforward. Most of the issues that usually slow down remediation stem from unactionable data, but if a vulnerability manager is already aware of which specific products are affected, which versions are vulnerable, and the location of where the asset is deployed, then the only remaining task is keeping track of owners and getting feedback.

Detect and Remediate Vulnerabilities Faster with Flashpoint and Risk Based Security

This recording will showcase how a joint solution from Flashpoint and RBS will prioritize and automate the actions needed to remediate potential threats.

Verify (getting feedback)

Large organizations have thousands of employees and millions of endpoints, so it is often a challenge finding out who is responsible for a particular asset. Monitoring progress and getting feedback can be difficult since patching is often done by security teams and not by those who prioritize vulnerabilities. However, Flashpoint’s suite of products can help organizations during their vulnerability remediation tracking tasks while also enabling a true risk-based vulnerability management program.

Vulnerability management best practices

Organizations can implement a risk-based approach to vulnerability management by following these best practices:

  • Use comprehensive vulnerability intelligence. Most vulnerability management tools source their findings from CVE/NVD, which fails to report nearly one-third of all known vulnerabilities. In addition, the public source often omits vulnerability metadata such as exploitability and solution information. Using an independently researched vulnerability intelligence solution gives security teams all the details they need to research potential issues.
  • Create a Configuration Management Database (CMDB). A CMDB captures all the configuration items in your network—including hardware, software, personnel, and documentation. It can be extremely useful for listing and categorizing deployed assets, facilitates asset risk scoring, and provides long-term benefits if maintained.
  • Assign asset risk scores. Asset risk scores are data-driven and communicate which assets, if compromised, pose the most risk. Assigning values to specific assets enables organizations to map vulnerabilities to them, and gives them a clear picture of which ones require immediate attention. This will help make prioritization workloads more manageable and save future resources.
  • Prioritize vulnerabilities not only on severity, but also on exploitability and threat likelihood. Organizations can reduce thousands of high-to-critical vulnerabilities down to a serviceable level by filtering them based on actionable severity and threat likelihood.

    Actionable severity sorts vulnerabilities into the following groups: remotely exploitable, known public exploit, and available solution. Remediating vulnerabilities that meet all three criteria first will best protect the organization as they progress through their workload, while maximizing resources.

    In addition, paying attention to deep and dark web (DDW) chatter and illicit communities can improve your prioritization process. Whenever threat actors are actively discussing a vulnerability and how to exploit it, you need to be aware and address it.

Recommended: Log4j Chatter: What Threat Actors Are Sharing About the Log4Shell Vulnerability

  • Update your CMDB. Whenever vulnerabilities are remediated, update your CMDB with new information regarding versions, location, and etc. It may be a time-consuming task, but consistently maintaining your CMDB will be useful. The version of a product can dictate the remediation. Ensuring that details are current will save time triaging and will make remediation easier. It also reduces the possibility of wasting resources reacting to false positives or emergency vulnerability assessment reports.

Manage vulnerabilities with Flashpoint

Thousands of vulnerabilities are identified every year, and the exploitation of them has dramatically increased. Organizations have even less time than before to respond to critical issues. To better protect your network, enterprises need to proactively manage risk in a timely manner. Sign up for a free trial and see how quality intelligence empowers a vulnerability risk management program, allowing your security teams to prioritize and remediate what really matters.