We Scan and We Patch, but We Don’t Do Vulnerability Management

Lately, we’ve been flooded with calls about vulnerability management (VM). Many of the calls seem to be from organizations of medium to low security operations maturity that are just starting with vulnerability management [and that’s OK – a wise mentor once told me to always remember that ‘90% of people are not in the top 10 percentile!’ :-)]

Many of them say something similar to “we scan and we patch, but we don’t do vulnerability management.” Essentially, they are coming to a realization that I often like to summarize as “VA is easy, but VM is hard.”

Of course, we have a lot of excellent research written on this topic:

The first paper has a lot of juicy and usable VM advice for all levels of security maturity, and this post is a reminder about these great resources. However, I also want to ponder one specific bit.

Imagine the following situation:

| You have… | …and you can … | …to get … |
|---|---|---|
| 1000 vulnerabilities | fix all 1000 | A WIN [but no organization is in this position, NONE, 0] |
| 1000 vulnerabilities | fix any 10 of them | Nothing, since your overall risk posture is probably unchanged |
| 1000 vulnerabilities | fix any 100 of them | Unknown and likely small risk reduction |
| 1000 vulnerabilities | fix some 900 of them | Significant risk reduction, but very likely at a significant cost |
| 1000 vulnerabilities | fix 100 of them that are called CRITICAL (via CVSS, vendor, etc) | Some risk reduction, for sure. But often not as much as expected |
| 1000 vulnerabilities | fix 100 of them that are of absolute highest risk to this organization | I’d argue that there is a decent chance that this delivers the best risk reduction / cost! |

Note that in no situation is “JUST PATCH FASTER!” the right advice! IMHO, most organizations should “patch smarter” (which really means “prioritize what to patch better”), because frankly most cannot patch faster.
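The table above as a small simulation, added here as an example and not taken from the original post. The inventory is constructed, and the local risk model (asset value, exposure and known exploitation as multipliers on CVSS) is an assumption for illustration, not a recommended scoring method.

```python
import random

def build_inventory(n=1000, seed=7):
    """Constructed findings: a CVSS score plus assumed local context."""
    rng = random.Random(seed)
    vulns = []
    for i in range(n):
        cvss = round(rng.uniform(1.0, 10.0), 1)
        asset_value = rng.choice([1, 1, 1, 2, 5])   # assumed business weight
        exposed = rng.random() < 0.15               # assumed: internet-reachable
        exploited = rng.random() < 0.05             # assumed: exploited in the wild
        # Assumed local risk model, for illustration only.
        risk = cvss * asset_value * (4 if exposed else 1) * (5 if exploited else 1)
        vulns.append({"id": i, "cvss": cvss, "risk": risk})
    return vulns

def share_removed(vulns, fixed):
    """Fraction of total modelled risk removed by fixing `fixed`."""
    return sum(v["risk"] for v in fixed) / sum(v["risk"] for v in vulns)

def compare_strategies(vulns, seed=7):
    """Risk share removed by each row of the table."""
    # "any N" rows: an arbitrary pick, modelled as a prefix of one random shuffle.
    order = random.Random(seed).sample(vulns, len(vulns))
    by_cvss = sorted(vulns, key=lambda v: v["cvss"], reverse=True)
    by_risk = sorted(vulns, key=lambda v: v["risk"], reverse=True)
    return {
        "fix all 1000": share_removed(vulns, vulns),
        "fix any 10": share_removed(vulns, order[:10]),
        "fix any 100": share_removed(vulns, order[:100]),
        "fix some 900": share_removed(vulns, order[:900]),
        "fix top 100 by CVSS": share_removed(vulns, by_cvss[:100]),
        "fix 100 of highest local risk": share_removed(vulns, by_risk[:100]),
    }

if __name__ == "__main__":
    for strategy, share in compare_strategies(build_inventory()).items():
        print(f"{strategy:32s} {share:6.1%} of modelled risk removed")
```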

The tough question is of course: how *EXACTLY* do we rank the vulnerabilities for maximum risk reduction for your particular organization at this time? We have seen many methods come and go: some effective but onerous, some both ineffective and onerous, some effective but unrealistic, and some based on wishful thinking (read: AI) :-)

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: