Why organizations need risk-based vulnerability management

As organizations become increasingly dispersed, they need a risk-based vulnerability management approach to achieve the best protection against cybersecurity threats.

Security vulnerabilities abound in the modern enterprise. Deploying any new set of vulnerability management tools inevitably leads to a flurry of vulnerability reports, leaving cybersecurity teams with a significant amount of work to properly manage these risks.

Those efforts lead to lengthy hunts around the enterprise, seeking out the systems and teams responsible for addressing different issues. Today, the added complexity of cloud services, IoT and edge computing is increasing vulnerability management challenges.

Cybersecurity teams working in hybrid environments need to adapt their vulnerability management process to accommodate a mixture of on-premises and cloud services. This requires compiling a comprehensive picture of the vulnerability landscape and adopting a risk-based vulnerability management approach.

What is risk-based vulnerability management?

Vulnerability management platforms have evolved significantly over the past several years -- from simplistic network vulnerability scanners to comprehensive suites that integrate vulnerability management information collected from systems and data wherever they reside.

The number of vulnerabilities and potential weaknesses organizations face has led to the rise of risk-based vulnerability management (RBVM) over legacy vulnerability management. RBVM is a method that enables security teams to identify, categorize, prioritize and remediate the most critical vulnerabilities before attackers can take advantage of them.

Traditional vulnerability management lacks the ability to discover all vulnerabilities within an organization, especially as cloud, IoT and other dispersed computing environments proliferate. RBVM offers a more accurate risk assessment picture and increased visibility across all systems and infrastructure.

RBVM programs do this by incorporating the following tools and features:

  • Threat intelligence.
  • Specialized risk metrics to highlight critical assets, using CVSS.
  • Real-time protections.
  • Automation.

Components of a modern vulnerability management program

Network scans continue to be at the core of a vulnerability management program. These scans seek out network-connected systems, probe them for known vulnerabilities, and report and prioritize the issues they detect. Ranking vulnerabilities enables security teams to tackle the most pressing and critical issues first.

Every organization should deploy vulnerability scanning in their own data centers and their IaaS environments. Scans are most effective when conducted from multiple perspectives -- in front of and behind network firewalls -- and when they feed back to a central correlation platform.

Vulnerability management programs supplement network scans with web application scans to obtain a deep dive into issues specific to web development, such as SQL injection, cross-site scripting and cross-site request forgery attacks. Depending on who developed and maintained the web app, addressing the results of these scans is often tricky in a cloud environment, such as in the following scenarios:

  • Vulnerabilities in applications developed by internal teams may be addressed directly by those teams.
  • Vulnerabilities in vendor products hosted by the enterprise in on-premises or IaaS data centers require coordination with the software vendor.
  • Vulnerabilities in SaaS products typically can't be addressed by internal teams and might only be addressed by the vendor.

The increasing reliance of businesses on SaaS products not only increases the risk of traditional vulnerabilities, but also raises the possibility of misconfigurations by the enterprise's application administrators. For this reason, major vulnerability management platforms now offer modules that reach into cloud services to analyze policy settings and identify customer-caused vulnerabilities.

Companies ideally should adopt a single vulnerability management platform that addresses network, web app and cloud configuration vulnerabilities in one console. This single-pane-of-glass approach simplifies vulnerability analysis and creates an environment conducive to RBVM.

RBVM and risk responses

Risk management professionals know there are four possible responses to any risk they face: risk avoidance, risk transference, risk mitigation and risk acceptance. These same strategies apply to RBVM programs:

  1. Risk avoidance. Enterprises can avoid risks by altering their business activities so the risk is no longer relevant. That could mean shutting down a system, switching to a different software platform or taking other actions that render a vulnerability irrelevant to the company's business.
  2. Risk transference. Companies can transfer risks by shifting the burden of addressing those risks to another company. But an organization often can't completely transfer a risk. In the case of a company adopting a SaaS product, the provider's failure to address vulnerabilities could still jeopardize the customer's sensitive data.
  3. Risk mitigation. The most common way vulnerability management programs address risks is to mitigate them. Risk mitigation takes actions to reduce the likelihood of a risk, commonly by applying a patch, modifying firewall rules or deploying other security controls. In a risk-based vulnerability management program, enterprises often rank vulnerabilities they detect and mitigate the highest-ranked risks first. This approach derives the greatest possible value from time-consuming risk mitigation efforts. It also informs all future risk mitigation efforts as security teams learn which risks affect their organization the most and how to address them.
  4. Risk acceptance. Risks are considered acceptable when cybersecurity leaders determine the costs of applying other risk management strategies outweigh the benefits, and they continue operating as is with full knowledge of the risk. Vulnerability managers commonly use this approach for low-probability, low-impact vulnerabilities that simply don't rise to the level of remediation.
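To make the ranking concrete, here is an added example (not code from the article or from any vulnerability management vendor) of how the features listed earlier (threat intelligence, CVSS-based risk metrics that account for asset criticality, automation) can be combined into a single prioritized queue that also tags each finding with one of the four risk responses above. The weighting formula, the field names, the multipliers, the acceptance threshold and the sample findings are all constructed assumptions; the vulnerability identifiers are placeholders, not real CVEs.

```python
# Added example (not from the article): a minimal risk-based vulnerability
# prioritizer. The weighting formula, field names, thresholds and the sample
# findings are constructed assumptions for illustration only.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # identifier from the scanner (placeholders below)
    asset: str              # hostname, application or cloud account
    cvss: float             # CVSS base score, 0.0 to 10.0
    asset_criticality: int  # 1 (low) to 5 (crown jewel), set by the asset owner
    internet_facing: bool   # exposure, as seen by a scan from outside the firewall
    known_exploited: bool   # threat-intelligence flag: exploitation seen in the wild
    source: str             # "network", "webapp", "cloud-config" or "saas"


EXPLOITED_MULTIPLIER = 2.0   # assumed weight for active exploitation
EXPOSED_MULTIPLIER = 1.2     # assumed weight for internet exposure
ACCEPT_THRESHOLD = 6.0       # assumed cutoff below which a risk is accepted


def priority_score(f: Finding) -> float:
    """Combine CVSS (0-10) and asset criticality (1-5), then amplify by
    threat intelligence and exposure. This is one constructed weighting; the
    point is that context, not CVSS alone, decides the remediation order."""
    score = f.cvss + f.asset_criticality
    if f.known_exploited:
        score *= EXPLOITED_MULTIPLIER
    if f.internet_facing:
        score *= EXPOSED_MULTIPLIER
    return score


def risk_response(f: Finding) -> str:
    """Map a finding to one of the four risk responses. Avoidance (retiring
    the system or switching platforms) is a business decision, so it is left
    to human review rather than decided here."""
    if f.source == "saas":
        return "transfer"   # only the vendor can fix it; track it with them
    if priority_score(f) < ACCEPT_THRESHOLD:
        return "accept"     # low probability, low impact: document and move on
    return "mitigate"       # patch, firewall change or other security control


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, float, str]]:
    """Return findings from every scan source ranked highest score first,
    so one queue (the single-pane-of-glass view) can be worked top down."""
    ranked = [(f, priority_score(f), risk_response(f)) for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample findings from several scan sources; the identifiers are
# placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "lab-build-01", 9.8, 1, False, False, "network"),
    Finding("VULN-0002", "payments-web", 6.5, 5, True, True, "webapp"),
    Finding("VULN-0003", "dev-storage-bucket", 3.1, 2, False, False, "cloud-config"),
    Finding("VULN-0004", "hr-saas-tenant", 7.2, 4, True, False, "saas"),
]

if __name__ == "__main__":
    for f, score, response in prioritize(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  {response:9s} {f.vuln_id} on {f.asset} ({f.source})")
```

Running it shows the effect the article describes: the medium-severity web application flaw on an internet-facing, actively exploited, business-critical system rises to the top of the queue, while the CVSS 9.8 finding on an isolated lab machine drops below it, the SaaS finding is routed to the vendor as a transferred risk, and the low-scoring storage misconfiguration is recorded as accepted. In a real program the criticality ratings would come from an asset inventory and the exploitation flag from a threat-intelligence feed rather than being hard-coded.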

Cybersecurity professionals often find themselves overwhelmed by the sheer volume of reports emanating from different vulnerability scans. Developing a complete picture of their vulnerability environment and adopting a risk-based vulnerability management approach help address this significant undertaking in a way that uses limited vulnerability management resources efficiently and effectively.

Editor's note: This article was written by Mike Chapple in 2020. TechTarget editors revised it in 2024 for accuracy and to improve the reader experience.

Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame.
