
Move to a risk-based vulnerability management approach  


COMMENTARY: In 2023, the financial toll of cybercrime in the United States reached a staggering $12.5 billion, setting a new record. This alarming figure underscores the escalating threat posed by cybercriminals, who are becoming increasingly sophisticated and exploiting the growing vulnerabilities of organizations.

The same year witnessed a surge in vulnerabilities, with the National Vulnerability Database (NVD) recording a 17% year-over-year increase. Since its inception 30 years ago, the NVD has cataloged 234,579 CVEs, with half discovered in just the past five years. This accelerating pace of vulnerability discovery, with a new vulnerability emerging approximately every 17 minutes – or 600 new vulnerabilities a week – further strains the already stretched resources of security teams.

Move beyond the patch-it-and-forget-it strategy

In today's complex IT environments, network teams face the daunting task of managing vast, interconnected networks that often operate invisibly. Simultaneously, security teams must safeguard critical data and assets across these sprawling systems. Complicating matters further, security and network teams frequently report to different management chains with distinct priorities, budgets, and goals. This siloed approach creates critical blind spots that attackers can exploit as cyberattacks escalate in frequency, sophistication, and cost.


Within these siloed environments, vulnerability management teams often struggle to achieve a shared understanding of vulnerabilities. This hinders organizations' ability to effectively reduce mean time to detect (MTD) and mean time to remediate (MTTR). A recent study found that 75% of organizations believe their security posture has been negatively impacted by miscommunication between network and security teams. This statistic underscores the importance of effective communication and collaboration between these teams to mitigate risks and respond to threats efficiently.

The value of risk-based vulnerability management

How can risk-based vulnerability management bridge the gap between an organization's network and security teams? This method of vulnerability management hinges on four key pillars: discovery, prioritization, remediation, and reporting. 

Many organizations struggle to integrate these pillars effectively, leading to a fragmented security posture. Some challenges hindering effective vulnerability management include:

  • Fragmented attack surface visibility: Proliferation of unintegrated visibility tools, rapidly growing cloud workloads, nonscannable assets, and blind spots caused by time gaps between scans.
  • Prioritization challenges: Lack of a framework to prioritize vulnerabilities, manual analysis of critical CVEs, alert fatigue, and excessive false positives.

Risk-based vulnerability management offers a comprehensive approach to addressing cybersecurity challenges by leveraging context-driven automation and actionable threat intelligence. The foundation of effective vulnerability management lies in accurate prioritization, which requires reliable data. While active scanning is a valuable tool for vulnerability discovery, it can leave blind spots in 'unscannable' areas and dynamic cloud environments.

Vulnerability intelligence relies on comprehensive databases of information about known vulnerabilities, including:

  • Contextual factors: Operating systems, versions, and other installed applications that impact vulnerability exploitability.
  • Impact on CIA values: The potential consequences on confidentiality, integrity, and availability.
  • Research and history: NVD listings, vendor bulletins, and the evolution of vulnerabilities over time.
  • Remediation and mitigation: Available products that address vulnerabilities.
  • Severity ratings: Scores from multiple sources, including NVD, EPSS, scanning vendors, and CVSS.

By analyzing collected data, organizations can identify assets vulnerable to internal and external threats. This lets them prioritize vulnerabilities effectively and allocate resources accordingly.

Standard, commoditized vulnerability risk-scoring products often lack an understanding of network exposure, which can result in a high volume of vulnerabilities being flagged. While these vulnerabilities are real, without exposure, organizations cannot prioritize the vulnerabilities that matter most and teams should remediate first. These legacy products may assign high-risk scores to vulnerabilities that are exploitable in the wild, but are inaccessible to attackers.

A risk-based approach lets organizations implement targeted remediation solutions tailored to their specific environments. These may involve patching vulnerabilities, upgrading software, configuring intrusion prevention systems, or modifying system settings to disable unnecessary services.

By viewing vulnerabilities through multiple lenses—including asset importance, vulnerability severity, threat activity, and network exposure—organizations can prioritize vulnerabilities effectively and target their actions where they have the greatest impact. This proactive approach lets organizations reduce their risk of attacks, protect critical assets, and enhance overall security posture.
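To make the contrast between severity-only scoring and the multi-lens approach concrete, here is an added illustration (not code from the column or from Skybox) that ranks a handful of constructed findings two ways: by CVSS alone, and by an assumed weighting of severity, threat activity (EPSS and known exploitation), network exposure, and asset importance. The weights and the sample records are assumptions chosen to show the effect, not a vendor formula.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Finding:
    vuln_id: str         # constructed placeholder ids, not real CVE numbers
    asset: str
    cvss: float          # base severity, 0-10 (severity lens)
    epss: float          # exploit probability, 0-1 (threat-activity lens)
    exploited: bool      # known exploitation in the wild (threat-activity lens)
    exposed: bool        # reachable from an untrusted network (exposure lens)
    asset_weight: float  # asset importance, 0-1, where 1.0 is a crown jewel


def legacy_score(f: Finding) -> float:
    """Severity-only ranking, as a commoditized scorer would produce."""
    return f.cvss


def risk_score(f: Finding) -> float:
    """Illustrative weighting of the four lenses (assumed, not a vendor formula)."""
    severity = f.cvss / 10.0
    threat = max(f.epss, 1.0 if f.exploited else 0.0)
    # An unexposed vulnerability still carries residual risk, but far less.
    exposure = 1.0 if f.exposed else 0.2
    importance = 0.5 + 0.5 * f.asset_weight
    return round(100 * severity * (0.5 + 0.5 * threat) * exposure * importance, 1)


def prioritize(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[str]:
    """Return vulnerability ids ordered from most to least urgent under `scorer`."""
    return [f.vuln_id for f in sorted(findings, key=scorer, reverse=True)]


# Constructed sample findings: a critical-severity bug on an isolated lab box,
# and lower-severity bugs on exposed, business-critical systems.
SAMPLE = [
    Finding("V-0001", "lab-build-box", 9.8, 0.90, True, False, 0.2),
    Finding("V-0002", "customer-db", 7.5, 0.40, False, True, 1.0),
    Finding("V-0003", "public-web", 6.5, 0.85, True, True, 0.8),
    Finding("V-0004", "intranet-wiki", 9.1, 0.05, False, False, 0.3),
]

if __name__ == "__main__":
    print("severity-only order:", prioritize(SAMPLE, legacy_score))
    print("risk-based order:   ", prioritize(SAMPLE, risk_score))
```

Under severity-only scoring the two unexposed 9.x findings rise to the top; under the risk-based weighting the exposed findings on the public web server and customer database move ahead of them, which is the reordering the column argues for.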

Alastair Williams, vice president, worldwide systems engineering, Skybox Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
