Not All Vulnerabilities Are Created Alike: Focus on What Matters Most

As the number of security vulnerabilities continues to skyrocket, prioritization is necessary for organizations to effectively reduce their cyber risk.

For more than two years, I’ve explained to security professionals at all levels that the dramatic increase in vulnerabilities discovered each year, coupled with the expanding attack surface from the emergence of modern networks, has created the perfect storm that has buried them in a proverbial pile of vulnerabilities. In fact, I frequently grab their attention by making a sweeping statement: 

“Regardless of your company size, you will never have enough human or financial resources to remediate every vulnerability across your attack surface.”

But this statement is more than just a marketing tagline or cheap ploy for attention. It’s a fact that organizations of all sizes grapple with every single day. Think about it: small companies may only have tens of thousands of vulnerabilities, but they also have a correspondingly small team. In fact, the “team” may consist of one person who manages security on a part-time basis, in addition to other primary responsibilities. On the other end of the spectrum, large enterprises likely have tens of millions of vulnerabilities, outpacing the bandwidth of even a fully-staffed operation of dozens of full-time security analysts spread across multiple teams.

Why legacy methods are no longer sustainable 

To break this open, we really only have to ask ourselves, how many vulnerabilities can a single security analyst handle per day? Per week? Per month? Of course, the answer can vary dramatically for each individual vulnerability, but let’s presume that it takes roughly two hours to fully assess a single vulnerability. I believe that’s a fair estimate, considering the fact that when analysts pull a vulnerability, they have little more than a Common Vulnerabilities and Exposures (CVE) entry to begin with. 

How does one move from an otherwise meaningless CVE ID to a determination of relative importance to the organization? By investigating numerous public sources for information on the characteristics of the vulnerability and how it works, as well as its current and past prevalence. The investigation may even include sources such as social media sites and chatter on the dark web.

At an average rate of two hours per vulnerability, analysts can only reasonably be expected to assess four vulnerabilities a day, or roughly 80 per month. Even the smallest organization discovers more vulnerabilities than that each month. Looking at it through this lens, it’s easy to see how 81 percent of security teams fall behind in their assessments, with no real hope of catching up.

Focus on the few vulns that pose actual risk

While I stand by the big statement that you’ll never be able to fix everything, the good news is that you don’t have to! In fact, odds are that your team is already staffed enough to remediate everything that truly matters. That’s because, according to Tenable Research, only about 20 percent of vulnerabilities ever have an exploit available, and only a fraction of those are actually ever exploited in the wild.

By understanding your vulnerabilities in the context of business risk, your team can use that data to prioritize its efforts, reducing the greatest amount of risk with the least amount of effort. That means going beyond just Common Vulnerability Scoring System (CVSS) base scores to also include contextual elements such as the criticality of affected assets, continuously updated threat and exploit intelligence and predictive technologies to determine which vulnerabilities are most likely to be exploited in the near future. 

Join the elite group of risk-minded security leaders 

According to Tenable Research, only 5.5 percent of organizations are gaining ground in their remediation efforts. By taking a risk-based approach to vulnerability management, you can be one of them. Risk-based VM helps you understand vulnerabilities in the context of business risk, so you can focus on the vulnerabilities and assets that matter most. In turn, organizations can focus their remediation efforts on the vulnerabilities that pose the most immediate risk while deprioritizing those that are unlikely to ever be exploited.

To learn more about concrete steps you can take to upgrade your VM program, download our free guide on How to Implement Risk-Based Vulnerability Management.