Recent major breaches in the news involved vulnerabilities that had patches available. If you’re not familiar with vulnerability management, you might be wondering “If patches were available, why weren’t they fixed”?
The problem is that in many organizations, there are so many vulnerabilities with varying degrees of risk that it’s impossible to fix them all. Organizations are also struggling with a cybersecurity skills gap where the resources needed to fix all of these vulnerabilities are constrained. This means there are too many things that need to be fixed and not enough people to fix them. This results in a never-ending story of more vulnerabilities and more breaches in the news.
So what can organizations do?
When resources are scarce, they should be invested wisely. In terms of vulnerability management, resources can be allocated based on risk—have people fix the vulnerabilities that are most likely to be exploited and cause the most damage. One way to do this is by prioritizing vulnerability remediation based on 0 to 10 risk scores like CVSS. Fix all of the 10 scores, move on to the 9 scores, then 8, and so on. This approach works well on smaller networks, but you can run into problems on larger networks that may have thousands of vulnerabilities with a risk score of 10, requiring further prioritization or leading to frustrating questions like “Which 10 is the most 10?”
Other more granular approaches exist for vulnerability prioritization that can be especially useful on large networks. For example, the Tripwire Risk Score uses a granular score that ranges from 0 to 50,000 and beyond to more precisely rank vulnerabilities for remediation. The Tripwire Risk Score uses an algorithm based on three factors:
- The skill required to exploit the vulnerability;
- The privilege gained upon successful exploitation; and
- The age of the vulnerability.
Sure, these things can be easy to fix. But when there are so many, it can be a case of death by a thousand cuts. Attacks and breaches can and will occur. By using advanced risk scoring that takes into account the likelihood and impact of a successful breach, organizations can be more effective in spending their limited resources to reduce risk in measurable ways.