Managing Vulnerabilities to Mitigate Risks
Aleksandar Radosavljević, Global Chief Information Security Officer, Stada Group [FWB: SAZ]
We are all witnessing that the number of cyberattacks is increasing, and this trend will unfortunately continue in the future. Over the past few decades, organizations have invested significantly in their cyber security programs and introduced modern security technologies. However, most of those programs struggle with one area, even though it is a very important pillar of basic cybersecurity hygiene: Vulnerability Management. Vulnerability Management is the continuous process of identifying, assessing, reporting on, managing, and remediating cyber vulnerabilities. All it takes is one exploitable vulnerability to cause a data breach, which emphasizes how critical it is to handle vulnerabilities.
Some of today’s organizational environments contain millions of vulnerabilities. Trying to patch all of them is almost impossible, and this is where most organizations fail, since in the majority of cases they have limited resource capacity. Regardless, organizations try to patch everything, believing that even a single vulnerability could result in major business impact for the organization.
Trying to treat all vulnerabilities is not constructive and does not get organizations anywhere: not every vulnerability can be treated the same way, and the volume is simply overwhelming. Additionally, vulnerability management requires most organizations to use one or several tools to address the vulnerabilities, which introduces a lot of operational overhead and frustration for IT operations teams. And in most situations, Security and IT operations teams disagree over which vulnerabilities to tackle first.
To triage the risks, organizations mostly rely on the Common Vulnerability Scoring System (CVSS) for vulnerabilities listed in the National Vulnerability Database. But focusing purely on CVE scores does not reduce the overhead. In reality, only somewhere between 3 and 5 percent of CVEs are exploitable. Some data scientists can even predict which vulnerabilities are most likely to be exploited.
Therefore, we need to change the approach above and, as a first step, remediate the riskiest vulnerabilities first. This approach is called risk-based vulnerability management and it is based on prioritization. The most important aspect of vulnerability management prioritization is the context surrounding each vulnerability and its unique position within the IT environment. This includes:
- How important is the asset? Is it a Crown Jewel? Is it publicly exposed or customer-facing?
- What is the state of the security controls protecting the asset?
- Does the asset hold financial data, personally identifiable information, or other sensitive organizational information?
- Does the vulnerability exist within a regulated environment?
- How many users could a successful exploit impact?
- Are exploits actively targeting your industry?
Most modern vulnerability management solutions support the above approach and help customers prioritize the handling of vulnerabilities. The organization should develop a roadmap for which contextual information works best in its environment and gradually implement more of it to bring maturity to the next level. Of course, CVSS must also be taken into consideration when configuring those vulnerability management solutions. Following the risk-based vulnerability management prioritization approach significantly reduces the number of vulnerabilities that must be addressed, achieving approximately 50% remediation coverage while still addressing every high-risk vulnerability.
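As an added illustration of the approach above (example code, not from the article or any vendor product), the following toy model layers the context questions from the list onto the CVSS base score and compares the resulting remediation set with a CVSS-only policy. The weights, the threshold values and the sample findings are all constructed assumptions; the CVE identifiers are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0-10.0
    crown_jewel: bool        # business-critical asset?
    internet_facing: bool    # publicly exposed or customer-facing?
    sensitive_data: bool     # holds financial, PII or other sensitive data?
    regulated: bool          # sits inside a regulated environment?
    affected_users: int      # how many users a successful exploit could hit
    exploited_in_wild: bool  # exploits actively targeting our industry?


def risk_score(f: Finding) -> float:
    """CVSS scaled by exposure, business impact and active threat (assumed weights)."""
    exposure = 1.0 + (0.5 if f.crown_jewel else 0.0) + (0.5 if f.internet_facing else 0.0)
    impact = 1.0 + (0.3 if f.sensitive_data else 0.0) + (0.2 if f.regulated else 0.0)
    if f.affected_users >= 10_000:
        impact += 0.3
    elif f.affected_users >= 1_000:
        impact += 0.2
    threat = 2.0 if f.exploited_in_wild else 1.0  # known exploitation doubles urgency
    return round(f.cvss * exposure * impact * threat, 1)


def remediation_plan(findings, cvss_floor=7.0, risk_floor=10.0):
    """Compare a CVSS-only policy with a risk-based one; returns ordered CVE lists."""
    cvss_only = [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)
                 if f.cvss >= cvss_floor]
    risk_based = [f.cve for f in sorted(findings, key=risk_score, reverse=True)
                  if risk_score(f) >= risk_floor]
    return {"cvss_only": cvss_only, "risk_based": risk_based}


# Constructed sample inventory: scanner-style CVSS data plus the asset context.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", 9.8, False, False, False, False, 5, False),     # isolated lab box
    Finding("CVE-PLACEHOLDER-B", 7.5, True, True, True, True, 200_000, True),    # customer portal
    Finding("CVE-PLACEHOLDER-C", 8.1, False, False, True, True, 3_000, False),   # internal HR system
    Finding("CVE-PLACEHOLDER-D", 5.3, False, True, False, False, 50_000, True),  # public marketing site
    Finding("CVE-PLACEHOLDER-E", 9.1, False, False, False, False, 1, False),     # developer workstation
]

if __name__ == "__main__":
    for name, cves in remediation_plan(SAMPLE).items():
        print(f"{name:10s} -> {len(cves)} of {len(SAMPLE)} findings: {cves}")
```

With these assumptions the CVSS-only policy queues four of the five findings, led by the isolated lab box, while the risk-based policy queues three and puts the actively exploited, internet-facing customer portal first; the exploited CVSS 5.3 on the public site is pulled in and the high-CVSS findings on isolated machines drop out.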
The outcome is that the risk-based vulnerability management prioritization approach aligns Information Security and IT operations teams around common goals, reducing the operational overhead and significantly reducing risk exposure.