6 ‘Must Have’ Features for Risk-Based Vulnerability Management

Vulnerability management is typically an integral part of every organization’s cybersecurity strategy. However, the traditional approach has become increasingly ineffective as organizations’ attack surfaces continue to grow and change. It is no longer enough to enumerate vulnerabilities caused by unpatched systems, which unfortunately remains the focus of traditional vulnerability management. This article highlights six distinguishing features that transform a traditional vulnerability management program into risk-based vulnerability management, which reduces breach risk by continuously discovering and monitoring every point in the attack surface and taking appropriate mitigation steps.

A truly risk-based vulnerability management solution will have the following key capabilities:

  1. Automatic discovery and inventory of all IT assets, applications and users.
  2. Visibility into all types of assets including BYOD, IoT, cloud and third party.
  3. Comprehensive coverage of attack vectors beyond just unpatched software (e.g., weak passwords, missing or weak encryption, active threats).
  4. Continuous and real-time monitoring of vulnerabilities across all assets and all attack vectors.
  5. Prioritizing mitigation actions taking into account business context and business impact of vulnerabilities.
  6. Prescriptive fixes to address the security issues in a manner integrated with the enterprise workflow.

Armed with a risk-based vulnerability management program encompassing these six must-have features, organizations can identify, fix and close vulnerabilities before they are exploited. Because the volume of data collected from thousands of observations across devices, applications and users is beyond manual analysis, AI and machine learning should be used to analyze it and assemble a complete picture of risk.

Capability 1: Automatic Discovery and Inventorying

Do you know how many devices (managed, unmanaged, BYOD, IoT) are plugged into your environment at any point in time?

Traditional vulnerability management tools do not provide automatic discovery and inventory of the wide range and scope of IT assets that typically are at play in your organization. To control your environment, you need an agile, real-time inventory of all assets: devices, apps and users.

Risk-based vulnerability management should be easy to deploy and should produce a comprehensive inventory of your existing asset ecosystem within minutes of first deployment. It then needs to discover and inventory all applications, users and IT assets, including IoT, cloud, on-premises and mobile, automatically and continuously on an ongoing basis.

Capability 2: Visibility for All Types of Assets, including BYOD

How helpful would it be if you had continuous visibility across all types of your assets?

Traditional vulnerability management tools typically scan only enterprise-owned and managed IT assets such as corporate servers and laptops, leaving out everything else: unmanaged devices, BYOD, cloud-based, IoT and mobile assets, to name just a few.

Risk-based vulnerability management should be able to discover, monitor, and scan all types of devices and assets—including BYOD, IoT, cloud and third party—to automatically and continually predict breach risk through a single integrated system.

Capability 3: Covering the Multi-Dimensional Attack Surface

Does your vulnerability management solution only look at unpatched vulnerabilities? How about the risk to your business from 200+ other attack vectors such as weak or shared passwords, malware, incomplete encryption and more?

Traditional vulnerability management tools have limited coverage across the vast and rapidly expanding set of attack vectors. Phishing, ransomware, misconfigurations and credentials are just some of the vectors not covered by traditional vulnerability management.

Next-generation vulnerability management needs to monitor and scan for many other attack vectors such as device/network and application misconfigurations, risk from weak or no encryption, use of weak passwords and shared passwords, denial of service, password reuse, propagation risk, phishing and ransomware, zero-day threats and more.

Capability 4: Continuous and Real-Time Monitoring and Analysis

Is interval-based scanning falling short of expectations? Wouldn’t automated and continuous scanning and analysis of all assets across all attack vectors be a better strategy?

Traditional vulnerability management is episodic: point-in-time scans that start again only once the previous scan completes. Scans are therefore infrequent, cover only a fraction of the enterprise attack surface, and provide only a snapshot of your vulnerabilities at the moment the scan ran.

A next-generation, risk-based vulnerability management solution should offer continuous, real-time monitoring and analysis of the entire attack surface, giving you the ability to quickly identify potential breach risk. New BYOD devices should be discovered and assessed minutes after they are plugged in to your environment. Breach risk should be continuously recalculated for every device, app and user across the multi-dimensional attack surface.

Capability 5: Prioritization Based on Business Context and Risk

How do you prioritize your list of actions? What do you tackle first?

Traditional vulnerability management tools focus only on the severity of findings, ranking them with a generic low, medium or high rating (for example, CVSS base scores mapped to severity bands). A key component in determining business cyber risk is the context around the role and criticality of each IT asset that carries a vulnerability. Without this information, rationalizing mitigation activities becomes an uphill, often insurmountable task.

To increase your cyber-resilience, you need to focus your limited SecOps resources on the potential breaches that would have the most business impact. Modern, risk-based vulnerability management needs to compute a business risk for each asset by contextualizing information including the role of the asset, its security state analyzed across multiple attack vectors, compensating controls already in place, globally prevalent threats and more. It must assess the business risk of all assets comprehensively and present a prioritized list of mitigation actions, with a prescriptive fix for each.
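A worked illustration of this kind of contextual prioritization, added here as an example and not code from the article or from Balbix: a small Python scorer that combines a CVSS-style severity with asset criticality, exposure, threat intelligence (exploited in the wild) and the compensating controls that actually bear on the attack vector, attaches a plain-language rationale to each action, and contrasts the result with a severity-only ranking. The weights, asset names and findings are constructed assumptions chosen to show the effect, not a published model or real systems.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed weights (assumptions for illustration, not a published model).
CONTROL_MITIGATION = {      # fraction of likelihood removed by a control
    "mfa": 0.5,
    "network_isolation": 0.5,
    "edr": 0.2,
    "waf": 0.3,
}
RELEVANT_CONTROLS = {       # which controls actually bear on which attack vector
    "unpatched": {"edr", "network_isolation", "waf"},
    "weak_password": {"mfa"},
    "misconfig": {"network_isolation"},
}
EXPLOITED_IN_WILD_FACTOR = 1.5   # a globally prevalent threat raises likelihood
INTERNAL_EXPOSURE_FACTOR = 0.5   # not internet-facing halves likelihood


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    criticality: float          # business impact, 0.0 (throwaway) to 1.0 (crown jewel)
    internet_facing: bool
    controls: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vector: str                 # key of RELEVANT_CONTROLS
    description: str
    severity: float             # CVSS-style base score, 0.0 to 10.0
    exploited_in_wild: bool = False


def severity_band(score: float) -> str:
    """The generic rating a traditional scanner would report."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Business risk = likelihood of compromise x business impact, scaled to 0..10."""
    likelihood = f.severity / 10.0
    if not f.asset.internet_facing:
        likelihood *= INTERNAL_EXPOSURE_FACTOR
    if f.exploited_in_wild:
        likelihood = min(1.0, likelihood * EXPLOITED_IN_WILD_FACTOR)
    # Only controls that address this vector count as compensating.
    for control in f.asset.controls:
        if control in RELEVANT_CONTROLS.get(f.vector, set()):
            likelihood *= 1.0 - CONTROL_MITIGATION[control]
    return round(likelihood * f.asset.criticality * 10.0, 2)


def rationale(f: Finding) -> str:
    """Plain-language justification that accompanies each prioritized action."""
    relevant = RELEVANT_CONTROLS.get(f.vector, set())
    applicable = [c for c in f.asset.controls if c in relevant]
    parts = [
        f"{f.asset.name} is a {f.asset.role} (criticality {f.asset.criticality:.1f})",
        "internet-facing" if f.asset.internet_facing else "internal only",
        f"{f.vector} rated {severity_band(f.severity)} ({f.severity})",
    ]
    if f.exploited_in_wild:
        parts.append("actively exploited in the wild")
    parts.append("mitigated by " + ", ".join(applicable) if applicable else "no compensating control")
    return "; ".join(parts)


def prioritize(findings: List[Finding]) -> List[Tuple[float, str, str]]:
    """Risk-ranked list of (score, description, rationale), highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(risk_score(f), f.description, rationale(f)) for f in ranked]


def severity_only_order(findings: List[Finding]) -> List[str]:
    """What a traditional, severity-only ranking would put first."""
    return [f.description for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


# Constructed sample inventory and findings (not real systems or CVEs).
ERP_DB = Asset("erp-db-01", "ERP database", 1.0, False, ("network_isolation",))
PORTAL = Asset("portal-web-01", "customer portal", 0.9, True, ("waf",))
DEV_BOX = Asset("dev-test-03", "throwaway dev server", 0.3, True)
BYOD = Asset("byod-laptop-17", "contractor BYOD laptop", 0.2, False, ("edr",))

SAMPLE_FINDINGS = [
    Finding(ERP_DB, "unpatched", "critical RCE in database service", 9.8),
    Finding(PORTAL, "weak_password", "shared admin password on portal", 7.0, exploited_in_wild=True),
    Finding(DEV_BOX, "misconfig", "admin console exposed without auth", 5.0),
    Finding(BYOD, "unpatched", "critical RCE in VPN client", 9.8, exploited_in_wild=True),
]

if __name__ == "__main__":
    print("severity-only order:", severity_only_order(SAMPLE_FINDINGS))
    for score, desc, why in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {desc}\n       {why}")
```

On the constructed data the severity-only ranking puts both 9.8 findings first, while the contextual ranking puts the "high" shared-password finding on the internet-facing, actively targeted portal at the top and the same-severity VPN flaw on a low-value, EDR-protected laptop last. The point is the shape of the calculation, not the specific weights: exposure, threat prevalence and controls that are relevant to the vector move a finding far more than its CVSS band alone.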

Capability 6: Prescriptive Fixes

How do you take action on mitigating your security vulnerabilities?

Traditional vulnerability management tools provide only a tactical list of patches to apply. These actions often lack detailed rationale and context.

Risk-based vulnerability management should offer detailed, actionable prescriptive fixes that clearly explain why a given vulnerability is risky and how much the risk is reduced by fixing it. This helps organizations align on fixing the most important security issues first.

Security Boulevard
Manoj Asani

Manoj leads Product Management and Design at Balbix. Prior to Balbix, Manoj ran Product Management for the Application Security (Fortify) portfolio at Hewlett Packard Enterprise. He brings 15+ years of technology experience in various roles including Product Management, Strategy/Operations & Engineering at Brocade, Booz & Company, Cisco and Force10. Manoj has a Bachelors and a Masters degree in Computer Science from Gujarat University and the University of Southern California, and an MBA from the Columbia Business School.
