risk-based vulnerability management (RBVM)

What is risk-based vulnerability management (RBVM)?

Risk-based vulnerability management (RBVM) is an approach to identifying and addressing security vulnerabilities in an organization's IT environment that prioritizes remediating vulnerabilities that pose the greatest risk.

In IT, a vulnerability is a flaw in software code or design that could lead to security being compromised, such as an entry point that a hacker could easily breach.

The risk-based approach is an evolution of the vulnerability management programs that have been standard ever since organizations first implemented information technologies.

Those longstanding vulnerability management programs, often called legacy vulnerability management, did not base vulnerability remediation on the risks that a specific vulnerability presented to an organization. Instead, they prioritized remediations according to general risk management information and data on the severity of a vulnerability.

Security experts came to recognize that the legacy approach left organizations excessively exposed to security threats across their technology ecosystems.

As the IT landscape expanded over the past several decades, organizations saw the list of vulnerabilities grow, which left IT and cybersecurity teams with more work than they could practically complete.

To address the problem, security experts developed RBVM based on the principle that the vulnerabilities that present the highest risk to the organization should get attention first and those that pose little or no risk can be addressed when time and resources allow.

Adopting a risk-based approach to vulnerability management requires organizations to know what IT assets they have, understand the risks that each vulnerability poses to the organization and have mechanisms to score and prioritize each risk.

Organizations can use RBVM software to deliver those components. RBVM software helps by doing the following:

• Scans the IT environment, including operating systems, applications and firmware for known vulnerabilities.
• Scores vulnerabilities based on the organization's risk factors.
• Automates remediation.

Risk-based versus conventional vulnerability management

Conventional or legacy vulnerability management tools provided significant security support to organizations but weren't well suited to risk-based strategies.

Such tools scanned an organization's applications, systems and networks to identify weaknesses hackers could exploit, such as open ports, misconfigurations or problematic software code.

Some conventional vulnerability management tools also could help prioritize which vulnerabilities should be fixed first, but they based the prioritization on general data and generic contexts. This led to security blind spots and gaps in the typical organization. That's because conventional vulnerability management did not fully account for an organization's particular risk profile when identifying and listing the vulnerabilities that needed to be addressed.

As a result, IT and security teams often first fixed vulnerabilities that presented low risk to their organizations, while leaving higher-risk vulnerabilities unattended.

In comparison, RBVM tools use artificial intelligence (AI) and machine learning (ML) analytics to understand an organization's IT environment, attack surface and asset criticality, as well as threat actor activity to categorize vulnerabilities by risk to the organization. They then prioritize remediation, starting with those vulnerabilities presenting the highest risk.

Moreover, RBVM tools can assess more of an organization's IT environment, such as internet of things devices and containers, than many older vulnerability management tools can.

How RBVM tools score risks

Legacy approaches to vulnerability management score vulnerabilities based on generic data, typically relying on the Common Vulnerability Scoring System (CVSS), a public framework maintained by the nonprofit Forum of Incident Response and Security Teams, which uses a slew of metrics to calculate scores ranging from zero for the least severe and 10 for the most.

CVSS provides real value for an organization's vulnerability management program.

However, RBVM tools incorporate additional frameworks and information, such as asset criticality and threat actor activities, in addition to the severity of a vulnerability, that enable scores tailored to the individual organization.

The importance of RBVM

The National Institute of Standards and Technology keeps track of known vulnerabilities in its National Vulnerability Database. NIST can add dozens of new Common Vulnerabilities and Exposures to its dashboard on any given day, meaning there are hundreds of new CVEs added every week and thousands every month. NIST listed nearly 250,000 CVEs on its dashboard in spring 2024.

Although NIST categorizes them by severity -- critical, high, medium and low -- that approach doesn't help most organizations focus their remediation efforts. The number of critical vulnerabilities is overwhelming.

This is where RBVM can help. It takes an impossibly high number of vulnerabilities to address, adds context about what those vulnerabilities mean to an individual organization and creates a workable path toward tackling remediations.

RBVM tools analyze vulnerabilities based on the vulnerability's discoverability, exploitability and other threat intelligence to identify those that pose the greatest risk to an organization. They also consider an organization's assets, the probable impact on the organization and other risk factors.

This analysis is what enables RBVM tools to winnow the daunting number of known vulnerabilities down to the ones that an organization must make it a priority to address.

Moreover, these tools use AI and other automation to handle much of the remediation work that IT and security teams previously had to perform manually, thereby speeding up fixes and freeing the teams to handle higher-value tasks.

Benefits of RBVM

RBVM provides significant value, delivering numerous benefits that together add up to a better security posture for the organization. Benefits include the following:

• A focus on what matters most. RBVM enables organizations to address the vulnerabilities that could hurt them the most, ensuring that those are fixed first instead of getting stuck in a backlog of vulnerabilities that merit remediation.
• Faster time to action. Thanks to AI, ML and other automation, RBVM can identify and address the most critical vulnerabilities faster than legacy tools and manual processes.
• More efficient IT and security teams. The intelligence and automation embedded in RBVM tools take over tasks that IT and security teams once handled, enabling those teams more time for higher-value tasks that can't easily be automated.
• Increased visibility. RBVM tools continually scan an organization's IT environment to identify and understand its assets and detect vulnerabilities. Their active scanning capabilities far exceed those of legacy vulnerability management tools, giving organizations visibility into nearly every part of their technology landscape, including cloud environments.
• More agility. The intelligence built into RBVM tools enables the technology to constantly ingest and analyze new data, such as threat intelligence reports, and adjust accordingly, helping organizations as they try to keep pace with the always-changing cybersecurity landscape and the ever-evolving skills of threat actors.