By Lisa Xu — CEO of NopSec, a risk-based vulnerability management platform.
Security teams know that the threat landscape changes every day. But is your organization ready or even able to respond?
With the rapid rise in vulnerabilities, ever-expanding attack surfaces, and increasingly complex cyber threatscapes, organizations are turning towards risk-based vulnerability management (RBVM) as a critical discipline to help them identify and prioritize their risk and remediation tactics.
Why is RBVM going to be such a critical discipline for organizations? From the security worker skills gap, to digital transformation, to cloud computing, here are some of the ways in which an RBVM program can bring value to your organization.
Rapid Rise in Vulnerabilities
Reacting to the recent rise in cyber vulnerabilities, the U.S. government urged private and public companies late last year to patch cybersecurity vulnerabilities outlined in an order that mandated federal agencies to fix known software flaws. Jen Easterly, CISA director, said the mandate “fundamentally changes” how the federal government manages cybersecurity flaws, adding that “we strongly recommend every network defender view the known vulnerabilities posted at cisa.gov/known-exploited-vulnerabilities and prioritize urgent remediation.”
Business leaders and security practitioners know that the ratio of the number of vulnerabilities to the people who can remediate them is already challenging now and will only worsen as employees continue to work remotely. This COVID-induced trend to remote employment means a less centralized attack surface that’s also harder to account for, and which will further burden vulnerability management teams who are already constrained on their resources.
Ever-Expanding Attack Surface
Open- and closed-source third-party software and other tech stack supply chain factors have greatly expanded the attack surface for many organizations. With increased vulnerabilities and an expanding attack surface, private and public organizations must face the reality that not all vulnerabilities are created equal.
Additionally, the current tsunami of CVEs doesn’t provide the necessary context needed to prioritize remediation efficiently. A cybersecurity defender’s only hope of transitioning from a reactive vulnerability management approach to a proactive one is by adopting RBVM to calm the vulnerability data storm.
Increasingly Complex Cyber Threatscape
With each passing year, the cyber threat landscape becomes more complex. Technologies rapidly evolve, and companies race to keep pace. The result of striving to stay ahead by adopting new technology is varying combinations of IT infrastructures, including on-prem, cloud, and hybrid. Each brings to the table its own unique vulnerabilities that teams must remediate. Only an RBVM approach can make sense of these various environments and provide a clear path to remediation.
Benefits of RBVM
It is clear that an RBVM program can enable your teams to make security decisions that better align with the organization’s risk profile and appetite. There are other benefits related to efficiency, additional security, and improved communication that you should consider, like the following.
Reduced MTTR: Moving to an RBVM approach means implementing technology to perform work for which teams have historically relied on spreadsheets. However, this move away from manual processes will improve efficiency. When priorities are driven by contextual risk-relevant data, the tedious debate of what matters promptly ends, and teams can get down to remediating more vulnerabilities faster.
Better adherence to SLAs: Reducing the average time required to restore a system to full functionality after an incident has an additional benefit. Namely, when teams remediate more and faster, they tend to adhere to the service-level agreements set forth by enterprises better. By meeting their standards and objectives, security teams clearly demonstrate the value of RBVM during compliance audits.
Minimization of breach potential: To protect your sensitive data and infrastructure, security teams have to be right every time, while attackers only have to be right once. Your teams face hundreds of vulnerabilities, and it only takes one mistake to allow a breach—so where they spend their time is paramount.
Trying to remediate every possible vulnerability isn’t the actual battle; knowing which vulnerabilities present the highest risk is. By fixing the most critical threats first, enterprises reduce the chance of being breached and thus save potentially millions of dollars.
Reduction of FTE overhead: Evaluating the ROI for security expenditures is difficult; consequently, many security teams are underfunded and understaffed. When tasks are clearly defined and teams aren’t making risk mountains out of vulnerability molehills, you don’t need as many people to get the job done. Making each FTE more productive will reduce the pressure on your security budget as well.
Reduced labor and overhead translates to immediate bottom-line impact without sacrificing organizational security. When executives understand the labor-saving aspect of an RBVM program, it can make the purchasing decision that much easier.
Accurate risk profile: When your teams can leverage internal and external threat intelligence feeds to gain threat context, RBVM goes beyond the capabilities of a typical vulnerability scanner. The context helps define how exposed your organization truly is to risk. Layer on asset criticality, and you create a complete prioritized view of your risk profile.
With RBVM in place, an organization can be confident that there isn’t some vulnerability flying under the radar presenting a more severe threat than its vulnerability scanner indicates.
RBVM for Growth, Security, and Efficiency
As the number of vulnerabilities that teams must handle increases, as attack surfaces expand, and as infrastructures grow more complex, organizations must apply a risk-based remediation and mitigation strategy.
RBVM is explicitly designed to enable organizations to integrate security-related decisions into their risk management program. By using a common language understood by security teams, IT professionals, executives, and risk managers, communication about the context that affects vulnerability risk scores will promote a cohesive, proactive security approach.
You can’t fix everything at once, and lowering your risk of a catastrophic cyber event should be your priority.