What is Risk-Based Vulnerability Management (RBVM)?
Risk-Based Vulnerability Management (RBVM) is rapidly becoming the new standard for security programs, and it is quite different from its previous iteration. But how does adding “risk-based” transform Vulnerability Management (VM)? Allow us to explain exactly what RBVM is and how organizations can start to implement it. After all, our name is Risk Based Security.
Risk-Based Vulnerability Management (RBVM) is the process of prioritizing vulnerabilities for remediation based on asset-contextualized intelligence that identifies the level of risk each vulnerability poses to your organization.
In order to achieve true RBVM, you need to contextualize vulnerability intelligence (VI) to your organization’s assets. This can be challenging, but if you’re using comprehensive, detailed, and timely VI, you’re already steps ahead of those relying solely on CVE/NVD and scanning technologies.
Why is Risk-Based Vulnerability Management (RBVM) Important?
Prioritization and remediation do not occur in real-time under legacy Vulnerability Management. Under the previous model, organizations discover and aggregate as many vulnerabilities as they can, and then prioritize them based on their predefined CVSS scores. The problem with this approach is that thousands of high to critical vulnerabilities are queued for remediation, which often overwhelms Security Managers and IT Security Teams, causing them to spend resources reacting to the triage of issues instead of actively fixing them.
Legacy VM dictates that security teams address every high to critical issue, but many “top priority” vulnerabilities end up being irrelevant. CVSS scores are just one of many metrics that communicate risk, and unfortunately they are often treated as static entities. New information influencing the temporal and environmental CVSS scores could, and frequently does, get released after an initial score is calculated. This means that for a vulnerability with a CVSS score of 10.0, newly released details could make it a lot less severe. Conversely, a low-scoring vulnerability could become a lot more impactful. As such, basing prioritization and remediation on static, predefined CVSS base scores hampers the overall effectiveness of your Vulnerability Management Program.
RBVM recognizes that the vulnerability disclosure landscape is volatile, and that prioritization needs to be both manageable and to occur in real-time. To achieve this, RBVM shifts the perspective. Instead of spending all your resources on patching every high-to-critical vulnerability for every asset, why not focus on the vulnerabilities that actually affect your most critical assets first?
How Risk-Based Vulnerability Management (RBVM) Works
You need to adopt a risk-based approach to more accurately assess the level of risk each vulnerability poses. But in order to proactively secure your organization, you need to know five things:
- What is my organization’s attack surface?
- Which assets are essential to my organization?
- Which vulnerabilities pose the most risk to those essential assets?
- Who owns those assets, and do they have the information needed to remediate?
- Am I completely certain that the issue has been resolved?
Risk-Based Vulnerability Management provides answers to those questions through three key functions:
Vulnerability Asset Mapping
Vulnerability Asset Mapping is the process of listing assets (e.g. servers, desktops, mobile devices, and applications) used in your organization so that you can match any vulnerabilities found during vulnerability analysis to them, in order to prioritize them for remediation.
This process helps determine your organization’s attack surface and provides visibility into where your organization might be vulnerable. If done properly, whenever a new vulnerability is identified, you will have a clear idea of which asset is affected and how many machines are running that at-risk asset. More importantly, you will know that without having to rely on slow and disruptive network vulnerability scanning that can only see into a portion of your infrastructure (and is likely missing over 88,000 vulnerabilities)!
Configuration Management Database (CMDB)
Getting to that point of maturity is easier said than done. However, organizations have a tool at their disposal that can greatly assist in the Vulnerability Asset Mapping process: the Configuration Management Database (CMDB).
In theory, the CMDB is the roadmap of your organization’s IT infrastructure. It records all the configuration items in your IT infrastructure, including hardware, software, personnel, and documentation. If maintained, a CMDB can greatly assist your RBVM needs by telling you what software is deployed and notifying you of any immediate changes.
If your organization uses a CMDB, start there. That way, when you aggregate vulnerabilities through your VI processes you can focus your attention on the ones that affect documented software. So whenever your team stumbles upon, or is mandated to respond to, a “critical” vulnerability, instead of instinctively reacting to it, you can ask yourself, “wait, is that asset something we actually use?”
If you don’t have a CMDB, if it has not been maintained, or if it needs to be updated or rebuilt, capturing the following details (products, versions, and locations) is a great opportunity to understand your risk environment:
The most important component of Vulnerability Asset Mapping is knowing which products are being used in the organization. It may sound easy, but it isn’t so simple. This is especially true for large companies that deploy tens of thousands of software products and have millions of assets or endpoints.
Adopting a risk-based mindset is especially valuable in the vulnerability asset mapping process. While organizations will rightly want to account for and remediate every at-risk asset, chances are that many will lack the resources to do so. Therefore, teams may want to instead focus on identifying the most critical products that are essential for operation.
That may be a difficult and time-consuming task, but completing it provides great benefits. Not only does it enable you to make better informed risk decisions, but it also reduces the dependency on traditional network scanning – saving you time and money. Scanning may seem like an attractive option, but it often fails to identify large portions of an organization’s infrastructure. To combat this, organizations commonly purchase multiple vulnerability scanners in an attempt to reduce coverage gaps. The scanning process is lengthy, intrusive, and can disrupt systems or cause outages that potentially result in millions of lost revenue.
By building a detailed asset inventory with product information, you can reduce the potential for shutdowns and stop spending resources purchasing multiple vulnerability scanning tools.
Capturing and tracking the versions of your products is the next step in vulnerability asset mapping. Knowing this is vital in RBVM since a vulnerability could be relevant or not depending on which version is in use.
The version in some cases dictates the remediation of a vulnerability. Older versions could require an update to fix, new versions might need a patch, and unsupported versions might have no known solution at all, which may require other forms of mitigation like system hardening or the arduous task of finding a modern replacement.
Perhaps the best thing about actively tracking product versions is that it allows you to save time and resources in the future. Once issues are fixed, by updating your CMDB with the new version you can reduce the possibility of squandering resources responding to false positives or emergency Vulnerability Assessment (VA) reports.
Location is the final piece of vulnerability asset mapping and dictates where your assets are deployed in your organization. Knowing this helps paint a well-informed risk picture for the issues found during vulnerability analysis.
During vulnerability analysis, you ask yourself, “now that I know this affects me, how bad can it be?” Location can provide a deeper insight into the answer. The level of attention a vulnerability demands can sometimes be derived from knowing where those affected assets are being used.
If a vulnerability with a CVSS score of 10.0 only affects a low-risk device, in context to the organization, is it actually a critical issue? What if similarly scored vulnerabilities only affected non-internet connecting devices, or affected assets that have extremely low privilege access or house no sensitive data?
You wouldn’t have the data needed to reach those conclusions if operating under a traditional VM model. This is one of many reasons why RBVM exists and how it differentiates itself from its predecessor.
Risk-Based Vulnerability Prioritization
Risk-Based Vulnerability Prioritization is the process of designating vulnerabilities for remediation based on their impact to the organization and likelihood of being exploited.
Prioritization has historically been a major challenge for organizations, for two main reasons:
- Organizations relying on incomplete vulnerability intelligence are not aware of all known risks.
- Common vulnerability prioritization processes are based on one-dimensional metrics that fail to address risk in real-time.
It is important to be aware of all the vulnerabilities that affect you, but it is also important to ensure that prioritization is actionable. If you attempt to remediate every high-to-critical issue without context, your IT teams will likely be sent VA reports containing thousands of vulnerabilities. The only thing that such VA reports achieve is conflict between Security Managers and IT teams.
RBVM accounts for this by providing methods that greatly reduce the number of vulnerabilities down to a serviceable level.
Above is a breakdown of actionable vulnerabilities, by availability and ease of exploitation, disclosed in the latter half of 2021. Here at Risk Based Security, we call this the risk-based vulnerability prioritization graph. By segmenting the thousands, or tens of thousands, of vulnerabilities previously mass-labeled for prioritization into key groups, Security Managers can provide IT teams a much-needed simplified list for remediation.
Those groups are:
- Remotely exploitable: vulnerabilities in this group can be exploited over a network regardless of having prior access. The attacker does not have to be on-site.
- Exploit public: if a vulnerability has a public exploit, it means that attackers have the information needed to create a method to exploit the vulnerability without additional research.
- Solution available: vulnerabilities in this group have known solutions and details on how to remediate them.
Any vulnerability that falls into any one of these groups may be serious, but depending on the timeframe, hundreds or even thousands of vulnerabilities fall into all three. For the majority of organizations, those remotely exploitable vulnerabilities that have a public exploit and a mitigating solution should be the focus for remediation efforts.
However, if your organization isn’t working with comprehensive vulnerability intelligence, or strictly relies on scanning technology for vulnerability discovery, you may not even be able to identify those vulnerabilities, let alone fix them in a timely fashion. CVE/NVD often omits important exploit and solution information, forcing users to perform arduous research. Considering strict patching cycles, analysts may not be able to find all necessary details to categorize remotely exploitable vulnerabilities that have public exploits and a solution.
Simplifying VA Reports with Asset-Contextualized Intelligence
Once you are able to identify and categorize vulnerabilities with those stipulations, you need to contextualize them to your assets. To do this, calculating an Asset Risk Score is integral in performing risk-based prioritization.
Asset Risk Score
An Asset Risk Score is a numerical value that represents the asset’s overall importance to the organization based on use, type of data stored, likelihood of being exploited, and its exposure to vulnerabilities.
An Asset Risk Score provides data-driven values, allowing you to surface assets that pose the most risk and are essential to daily operations. To calculate this, you need the following information:
- Asset Value – Information about the security impact of the asset and the data classifications
- Threat Likelihood – Information about associated vendor incidents, the effects, and other threat scores
- Vulnerability Exposure – The number of vulnerabilities for associated products and the related scores
This process can be complex and requires an understanding of your own network infrastructure. But once Asset Risk Scores have been assigned, your Security Managers can get a clear picture of which assets demand the most attention. This is how you can simplify your Vulnerability Assessment reports. Once you have a list of all vulnerabilities that are remotely exploitable, have a public exploit, and have a known solution, you can then filter it to those that impact your identified critical assets. This can make remediation a much more manageable task.
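As an added example (not the article's or Risk Based Security's code), the following Python models the steps described above, from Vulnerability Asset Mapping against a CMDB extract, through the three prioritization groups, to an Asset Risk Score and the filtered list handed to IT. The CMDB rows, vulnerability records and VI-xxxx IDs are constructed, and the 0.4/0.3/0.3 weighting and 0-10 scales are assumptions, since the article names the three score inputs but gives no formula.

```python
# Constructed CMDB extract. "value" and "threat" are the Asset Value and Threat
# Likelihood inputs on an assumed 0-10 scale; Vulnerability Exposure is computed below.
ASSETS = [
    {"id": "web-01", "product": "acme-httpd", "version": "2.4", "location": "internet-facing", "value": 9, "threat": 8},
    {"id": "kiosk-07", "product": "acme-httpd", "version": "2.4", "location": "isolated-lab", "value": 2, "threat": 1},
    {"id": "hr-db", "product": "acme-db", "version": "11.2", "location": "internal", "value": 10, "threat": 5},
    {"id": "dev-box", "product": "acme-ide", "version": "1.0", "location": "internal", "value": 3, "threat": 3},
]

# Constructed vulnerability intelligence records with placeholder IDs (not real advisories).
VULNS = [
    {"id": "VI-0001", "product": "acme-httpd", "versions": {"2.4"}, "cvss": 9.8, "remote": True, "exploit_public": True, "solution": True},
    {"id": "VI-0002", "product": "acme-httpd", "versions": {"2.2"}, "cvss": 10.0, "remote": True, "exploit_public": True, "solution": True},
    {"id": "VI-0003", "product": "acme-db", "versions": {"11.2"}, "cvss": 7.5, "remote": True, "exploit_public": False, "solution": True},
    {"id": "VI-0004", "product": "acme-db", "versions": {"11.2"}, "cvss": 8.1, "remote": True, "exploit_public": True, "solution": True},
    {"id": "VI-0005", "product": "acme-ide", "versions": {"1.0"}, "cvss": 9.9, "remote": False, "exploit_public": True, "solution": True},
    {"id": "VI-0006", "product": "acme-cms", "versions": {"3.0"}, "cvss": 10.0, "remote": True, "exploit_public": True, "solution": True},
]

def map_vulns_to_assets(vulns, assets):
    """Vulnerability Asset Mapping: attach a vuln only to assets running the affected product at an affected version."""
    mapping = {}
    for v in vulns:
        hits = [a["id"] for a in assets
                if a["product"] == v["product"] and a["version"] in v["versions"]]
        if hits:  # a CVSS 10.0 on a product/version nobody runs never reaches the list
            mapping[v["id"]] = hits
    return mapping

def is_actionable(v):
    """The three prioritization groups: remotely exploitable, public exploit, known solution."""
    return v["remote"] and v["exploit_public"] and v["solution"]

def asset_risk_score(asset, exposure):
    """Assumed weighting of Asset Value, Threat Likelihood and Vulnerability Exposure (exposure capped to 0-10)."""
    return round(0.4 * asset["value"] + 0.3 * asset["threat"] + 0.3 * min(exposure, 10.0), 1)

def prioritize(vulns, assets, min_asset_score=6.0):
    """Return (vuln_id, asset_id, asset_score) for actionable vulns on high-risk assets, highest score first."""
    mapping = map_vulns_to_assets(vulns, assets)
    by_id = {v["id"]: v for v in vulns}
    exposure = {a["id"]: 0.0 for a in assets}
    for vid, aids in mapping.items():          # exposure = summed CVSS of vulns mapped to the asset
        for aid in aids:
            exposure[aid] += by_id[vid]["cvss"]
    scores = {a["id"]: asset_risk_score(a, exposure[a["id"]]) for a in assets}
    rows = [(vid, aid, scores[aid]) for vid, aids in mapping.items()
            for aid in aids if is_actionable(by_id[vid]) and scores[aid] >= min_asset_score]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```

Note that the same vulnerability (VI-0001) lands on the list for the internet-facing server but not for the isolated kiosk, which is the location-driven distinction the article describes.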
Vulnerability Remediation
Vulnerability Remediation is the process of patching, fixing, or mitigating vulnerabilities that affect your organization’s assets.
This is the final function of Risk-Based Vulnerability Management. Vulnerabilities will continue to be a threat until they are effectively dealt with. The good news is that, if you’re working with high-quality vulnerability intelligence, most of the hard work has already been done by this point. If your VI is comprehensive and actionable, your IT teams should have all the details needed to resolve the vulnerabilities flagged for remediation.
RBVM is extremely difficult to implement if any of your security processes are broken, because it is dependent on every function that precedes it. Failure in discovery will cripple your vulnerability research and analysis. That oversight will then affect how you implement your VI, which will have a detrimental effect on vulnerability asset mapping. Without identifying critical assets you cannot simplify prioritization to serviceable levels. Vulnerability intelligence, in combination with the functions discussed in this article, is critical to the risk-based portion of RBVM.
However, a remaining challenge unique to vulnerability remediation is tracking owners and ensuring that issues have been fixed. In large organizations with millions of endpoints and thousands of personnel, it is a task in itself to find out who is actually responsible for a vulnerable asset. It is an even bigger challenge to monitor progress, since patching is often outside the scope of the security teams that research and prioritize vulnerabilities. Organizations need a security platform that enables true risk-based vulnerability management while coordinating and tracking remediation tasks.
Enable Risk-Based Vulnerability Management with the Risk Based Security Platform
Power real-time prioritization and remediation decisions with the only source of comprehensive vulnerability and supply-chain intelligence.
The Risk Based Security Platform is built on VulnDB, the most comprehensive, timely and actionable source of vulnerability intelligence available. It tracks over 268,000 vulnerabilities, including IT, OT, IoT, and open source libraries and dependencies.
The Platform is the only risk-based vulnerability management tool that provides scanless, real-time vulnerability intelligence with vendor and product risk ratings. With this data, your team can reveal the vulnerabilities that apply to your organization, prioritize what impacts your assets and products, and coordinate remediation.
Gain visibility into the overall security posture of your organization with advanced dashboards that draw attention to the latest vulnerability disclosures and data breach events that impact you. The Risk Based Security Platform can automate risk prioritization by capturing the criticality of various assets in your environment, allowing your team to focus on the most important issues while assigning and tracking remediation tasks.
Make Risk-Based Vulnerability Management the core of your vulnerability management program today, with the Risk Based Security Platform.