Risk-based vulnerability management prioritizes threats, budget
Risk-based vulnerability management sounds easy enough: Security teams use levels of risk to manage vulnerabilities. But putting this approach into practice isn't always the easiest proposition.
Vulnerability management is a time-consuming, multistep process. It involves locating vulnerabilities, understanding their impact on the network, calculating their risk level and prioritizing which risks to remediate. And with budget and staff constraints, many organizations fall behind in their security efforts, as reflected in these statistics compiled from several sources:
- Eighty-four percent of companies have high-risk vulnerabilities on their networks, and one in 10 of those vulnerabilities has a publicly available exploit; 26% of companies are still vulnerable to WannaCry, even though its patch was released in 2017 (Source: Positive Technologies, October 2020).
- Fifty percent of vulnerabilities remain unpatched six months after discovery (Source: "State of Software Security" by Veracode, 2020).
- About 80% of attacks in 2020 involved vulnerabilities reported in 2017 or earlier (Source: "Cyber Security Report 2021" by Check Point Software Technologies).
Add the cloud, remote workers and the growing number and sophistication of cyberattacks into the mix, and vulnerability management becomes far harder still.
In this handbook, our experts explain why a risk-based vulnerability management program is your company's best bet for staying protected from threats yesterday, today and tomorrow -- all while using staffing and budget resources effectively.
Begin by exploring five critical steps for implementing a risk-based security strategy to counter vulnerability management challenges. Then, dig into the three-step process of ranking vulnerabilities and prioritizing remediation efforts, complete with a formula and scoring system for assessing rank. Finally, see how the cloud can obscure the vulnerability management process, and learn how to adapt your program to capture a complete picture of on-premises and cloud-based vulnerability environments.