THE PRACTICAL GUIDE TO
RISK-BASED VULNERABILITY MANAGEMENT (RBVM)
All you need to know to implement a risk-based vulnerability management system.
All you need to know to implement a risk-based vulnerability management system.
No matter how vigilant security teams are, there’s no way to eliminate every possible risk to a system. Risk-based vulnerability management (RBVM) is a strategy that prioritizes vulnerabilities according to how much actual risk they pose to an organization. Knowing priorities enables teams to be more efficient, cutting down the number of attacks. Gartner estimates that companies using RBVM incur 80% fewer breaches.
Traditional vulnerability management lets security teams know about every vulnerability on the system, and measures risk only from a theoretical perspective. It doesn’t take into account the changing nature of risk with newly emerging threats, so some serious risks may be overlooked while valuable time is spent on patching areas that might not actually be of interest to attackers.
RBVM, on the other hand, involves a constantly evolving strategy, keeping track of all your connected assets, and monitoring risks in real time. A strong RBVM plan combines a variety of security solutions and ensures that security teams are aligned and up-to-date so they can handle the most pressing risks.
For an accurate perspective of the risks to your assets, you need to be aware of all your assets. Traditional asset management only includes known assets. RBVM requires identification of your entire exposed attack surface; that includes unknown assets, also known as shadow IT.
Threats are always evolving, so your business needs to be ready to adapt too. Rather than solely relying on set frameworks like the Common Vulnerability Scoring System (CVSS), RBVM looks at real world threats. This means constantly keeping up with the latest data about what attackers target and taking measures to address related vulnerabilities first.
Traditional vulnerability management lets you know about serious vulnerabilities, but not about how they will be exploited. Just because an asset is easy to access doesn’t mean it’s valuable to attackers. To understand the actual risk, you need to look at the threat from an attacker’s perspective.
An increasing number of security leaders are seeing the need for RBVM to stay protected. This is due to several factors:
The number of new threats and vulnerabilities is multiplying daily, making it impossible to address all of them. In 2020 alone, 18,341 new flaws were reported. Attempting to keep up with mounting alerts exhausts security teams and causes disruptions to business.
Cloud migration means that more assets are connected and potentially exposed to the internet. However, not everything that’s exposed to the internet is an actual risk. It’s important to identify what attackers in the wild are targeting.
Remote work also adds to the number of connected assets on your network and can weaken security teams’ controls. If they’re unaware of what software remote employees are using, they can’t protect it. That’s why adding a tool to expose unknown assets is key to any RBVM plan.
CVSS scores rank vulnerabilities by their severity, but recently hackers are less frequently going after the high severity vulnerabilities. Instead, they target medium to low severity vulnerabilities as an entryway because these are less likely to be protected. That means priorities of what to patch should change as well.
New threats and an expanding attack surface make risk-based vulnerability management crucial for your business.
When vulnerability management is not risk-based, it’s difficult to prioritize what to patch. You don’t have the latest information, so you may be wasting time patching areas that are not a serious risk, while ignoring those that pose real-world threats. The fact is, 95% of vulnerabilities pose no real risk to an organization.
If your team is spending all its time trying to address every vulnerability, they’re not being efficient. They’ll begin to experience alert fatigue, which leads to oversights.
With RBVM, the first step is getting a complete view of your external attack surface so you can uncover what your current asset management system is missing. Traditional vulnerability management only looks at the vulnerabilities in your known assets. Adding an attack surface management (ASM) solution is the best way to do this.
Rather than looking at threat severity in a theoretical way, RBVM takes a more practical approach, evaluating risks from an outside attacker’s perspective. It evaluates assets based on what attackers would find most valuable and what could do the most damage to the business if exploited.
These factors help you consider what’s more tempting to an attacker and should be prioritized.
RBVM constantly evaluates current threats as they evolve. It prioritizes them based on real-world risk, so security teams immediately see what to focus on. This ensures that the most serious risks are addressed first, while saving teams time on responding to false alarms or patching vulnerabilities that pose little real risk.
RBVM takes a proactive approach, looking at what attackers are likely to target, rather than only mitigating vulnerabilities when breaches are known to have occurred. This makes use of threat intelligence, analyzing common threat actor behavior, so that you can stay one step ahead.
RBVM can be used to gain awareness of all the assets connected to your system, including discovering unknowns. One of the biggest security risks is shadow IT, with one in three breaches resulting from it. Most security teams are only aware of 70% of their internet facing assets. The rest remain unknown and unprotected.
Finding these unknowns is crucial to determining the organization’s true risks. Once they’re uncovered, they can be assessed and patched if necessary.
Many security teams suffer from alert fatigue. They’re bombarded with new threats and vulnerabilities, many of which may be false alarms or low priority. As they struggle to keep up, it’s easy to overlook pressing new issues.
RBVM streamlines the workflow, allowing teams to focus on what’s most important. A good RBVM strategy will identify threats, determine the risks, prioritize them in context, and include a plan for remediation.
RBVM recognizes that threats in the real world are different from what are categorized as serious threats in a traditional vulnerability management system. It’s used to put threats into context, learning from real attackers’ behavior and testing out security controls with tactics like continuous automated red teaming (CART).
Now that you’ve seen the benefits of RBVM, let’s take a look at what you’ll need to do to get started.
RBVM requires integration of a variety of automated security solutions. It can’t be done manually.
Gaining a solid perspective on risk requires the integration of a variety of automated security solutions. It can’t be done manually.
Gaining a solid perspective on risk requires the integration of a variety of automated security solutions. It can’t be done manually.
The first solution you’ll need is ASM so that you can gain a complete view of your attack surface. A good ASM solution will uncover all your unknown assets, so you know what needs to be monitored. Since your attack surface is constantly changing, ASM provides continuous evaluation.
Asset management helps you maintain a record of all the assets on your system, whether they’re connected to the internet or not. This is different from attack surface management because it only takes into account the assets that you know about. It’s generally updated on a periodic, point-in-time basis, while ASM is continuous.
Vulnerability management is used to discover all possible vulnerabilities and rate them according to their severity. It’s best used in combination with ASM so that you can discover unknown assets with vulnerabilities in them.
Patch management involves scanning your system periodically for updates and available patches and applying these so you’re not left vulnerable. It’s important to carry this out on a regular basis and test the patches to ensure that they’re working.
If you have the prerequisites, it’s time to consider how RBVM complements and stands out from other solutions.
As we’ve explained above, vulnerability management finds vulnerabilities at a point in time and scores their risk on a theoretical basis. While vulnerability management is necessary, making it risk-based provides you with an evolving, constantly updated perspective on what’s most vulnerable.
Vulnerability intelligence is detailed information and alerts that you get on vulnerabilities—how long they’ve been around, how severe they are, how they’re being exploited, etc. This is compatible with RBVM; the difference is that RBVM requires constant updates and puts priority on real-time risk.
Threat intelligence involves information about real world threats to gain insights into how hackers are likely to behave. It not only includes information about known exploitations, but also makes predictions based on techniques hackers are using. This helps organizations stay a step ahead. MITRE Att&ck is the most complete knowledge base for gaining this intelligence. A good RBVM program will include this type of information and ensure it’s always up to date.
Application Pen Testing is useful to determine how individual web applications would stand up to an attack. Simulated attacks on the applications test and expose any vulnerabilities. The problem with this kind of testing is that it’s point-in-time. The application may withstand a certain type of attack on that day, but it may be breached by a new type of attack. In contrast, RBVM employs continuous automated testing to ensure systems are always ready.
Implementing RBVM requires a combination of solutions to gain a total, up-to-date view of your system and develop an efficient workflow. Here are the requirements you need to get started.
A top priority of an RBVM solution is an external attacker’s perspective. You won’t get an accurate estimation of risk if you’re coming from a defensive, internal position.
An automated RBVM solution should be easy to deploy. Just by entering a business email address, you should be able to see all the assets connected to your system and gain an analysis of the possible threats.
Because threats are always changing, your solution needs to keep up with that by constantly monitoring for newly added assets and new threats and vulnerabilities.
Manual prioritization of risks is not practical or efficient. It needs to be automated and continuously updated so that teams know what to focus on.
You’ll want to make sure that your new solutions integrate seamlessly with your current and future solutions. An ideal solution can combine insights on your attack surface and threat prioritization to inform your other solutions to make the workflow smoother.
To manage risks effectively, you need to develop an outside-in strategy that keeps you informed of where you stand from day to day. It’s not enough to evaluate your vulnerabilities at a fixed point-in-time.
The best initial step in setting up risk-based vulnerability management is with an ASM solution. This allows you to discover your entire attack surface from an external attacker’s perspective and provides real-time prioritization to threats.
With advanced reconnaissance techniques used by real threat actors, it gives you the power to identify, prioritize, and continuously monitor your most valuable exposed assets and risks so you can stay a step ahead of the attackers.
Are you ready to get a fuller perspective on your attack surface? Get a free evaluation today.
