The question of remediating every single vulnerability is moot. Given the massive amounts of vulnerabilities being disclosed every month, it’s logistically and organizationally unfeasible. At the enterprise level, even the largest IT team simply can’t handle all the vulnerabilities out there – nor, in truth do they need to.
The truth is that one of the most important tools for vulnerability management is prioritization; not all vulnerabilities need to be fixed. The real risk posed by a vulnerability comes from a combination of a given vulnerability’s severity, the threats associated with it, the posture of vulnerable assets, and the impact of the change required to fix the vulnerability.
This is a huge paradigm shift for security and IT professionals, who have long held to “find it, fix it” tenets of vulnerability management. But when the finding gets harder and the fixing becomes impossible at scale – the model needs to evolve to a risk-based approach.
Technical Severity: Not the Guiding Light it Used to Be
Once upon a time, it was easier. You could remediate based on CVSS score alone (which were relevant at a time when only 500 vulnerabilities were disclosed every year as opposed to now when 500 vulnerabilities may be disclosed every week), and be reasonably confident that you were maintaining effective security vigilance.
Today, things are different. In 2017, nearly 30% of CVEs were scored High or Critical – which worked out to nearly 60 a week. And many of these vulnerabilities can take an insane amount of time to run down – if that’s even possible.
Vulnerability Management needs to include relying on security teams considering the overall status of the vulnerability within the larger landscape of vulnerabilities; smart prioritization is key.
Zero Days: No Longer a Zero-Sum Game
Zero Day vulnerabilities are high-profile and garner much media and management attention. Yet even the most sensational vulnerabilities are probably not the ones that you should be worrying about first. Many of them aren’t even exploitable yet. In fact, 99% of vulnerabilities exploited are known vulnerabilities.
“Zero-days are sexy and exciting but, let's face it, not as big a deal as they used to be,” noted J.M. Porup, Senior Writer at CSO in a recent article. “…Old-days are often more than sufficient for attackers, of both the criminal and government variety. In many cases attackers who possess zero-day exploits prefer not to use them, resorting to Old-days instead, because using a zero-day exploit against a savvy defender could disclose that zero-day to the defender..”
A Better Approach
The principles of risk management can provide a roadmap to adopting a risk-based approach to vulnerability management. For example, the issues of organizational context – recognizing that every organization is affected to various degrees by numerous factors in its environment – and also organizational objectives – keeping in mind the unique goals of each organization.
These and other principles of risk management are key to establishing a risk-based approach to vulnerability management because they provide insight into the actual risk of each vulnerability. By way of simple example, a critical vulnerability in an outdated OS that runs on one server only is less of an organizational risk that a less severe vulnerability that affects 50% of the desktops in the company.
The core idea here is simply prioritization based on actual threats to business. So, what does this mean for you?
- Don’t ask “how severe is vulnerability X?”. Rather, ask “How serious of a threat is this vulnerability to my business as a whole?”
- Assess which assets are business critical and whose vulnerabilities must be remediated or patched right away.
- Understand the active threats involving the vulnerabilities in question – then evaluate the business impact of patching/upgrading. Will the change make things worse overall, or better?
The Bottom Line
With remediating every single vulnerability a thing of the past, IT and security professionals need to evolve their thinking to approach vulnerability management from a risk perspective. This change puts prioritization – not knee-jerk remediation – at the center. It also recognizes that some vulnerabilities are not worth fixing, whereas some vulnerabilities are worth fixing, but with less urgency. Overall, a risk-based approach to vulnerability management is mission-critical for security-conscious organizations operating in today’s highly-exposed online climate. As security guru and Chief Security Officer of Akamai Technologies Andy Ellis noted in a recent blog post, “The lesson for defenders is to understand both the system you’re defending, and how its defenses work – or don’t – together.”