The battle for information security has been escalating for a long time, but the recent explosion in remote work has taken the struggle to a whole new level. IT and security teams already overwhelmed by a constant flood of incoming data, cloud technologies and stringent compliance regulations are facing new challenges, from remote workers using their own devices and networks, to increasingly sophisticated phishing attacks and other scams, to the insider threat posed by disgruntled and careless users. The stakes have never been higher. A single breach can lead to steep fines from regulators, expensive downtime and recovery processes, costly litigation, and long-lasting damage to the organization’s reputation and revenue.
Many organizations have adopted a Scope – Classification – Impact model, in which they assess which assets (users, devices, data, etc.) were affected in an incident; what type of incident it was (such as a phishing attack or a ransomware infection); and the business consequences (such as downtime of key systems or loss of sensitive data). This approach is a good first step, but it has important limitations. In particular, even if you take steps to ensure the same problem won’t happen again, you’re still vulnerable to every threat you have yet to face, including zero-day exploits. Instead of being stuck in fire-fighting mode, you need to get out in front and prevent as many incidents as possible from happening in the first place.
Risk-Based Vulnerability Management
Today’s complex IT environments and rapidly evolving threat landscape demand comprehensive, risk-based vulnerability management. By proactively identifying and mitigating software vulnerabilities on a regular basis, organizations can reduce their risk of security incidents and compliance failures.
In a perfect world, organizations would patch all their vulnerabilities. But in reality, IT teams have limited budgets and only 24 hours in the day, so organizations have to be more strategic. By taking a risk-based approach to vulnerability management, they can effectively balance risks against costs.
Consider that the NIST National Vulnerability Database (NVD) has recorded more than 110,000 vulnerabilities since 1999, including the 17,308 added in 2019 and 5,500+ entered in the first quarter of 2020. However, only about 7% of those vulnerabilities have an exploit available, and even fewer have actually been leveraged by attackers. In other words, the vast majority of the vulnerabilities pose only a theoretical risk, so organizations are wise to pick and choose which ones to spend their limited time and money on.
Risk Measurement and Prioritization
A good way to get clear, objective insight into the risks your organization faces is to sort them along two key dimensions: likelihood and impact. Clearly, you need to worry more about a security threat that is highly likely and will cause a lot of damage for your business than a threat that is unlikely to materialize and would have little impact.
The goal is to know:
- Which systems are vulnerable and in what ways
- What data is located on each system
- How likely it is that each vulnerability will result in data loss
- The business consequences of losing that data
- The business consequences of the system being unavailable
For example, the following table illustrates how one organization might measure and prioritize risks:
| Likelihood / Impact | <$10K | $10K to $100K | >$100K |
|---|---|---|---|
| Almost certain (99%+) | Medium | Medium | High |
| Almost impossible (<1%) | Low | Low | Low |
Of course, these categories and ranges would need to be customized to fit the unique needs of another organization. Moreover, each range and resulting bucket (low, medium and high) needs to be fairly broad so you don’t end up with an unreasonable number of them; as a result, two very different risks can end up being assigned to the same bucket. For instance, according to the table above, the following two risks are both considered “medium”:
- Risk A: Likelihood of 2% and impact of $150K
- Risk B: Likelihood of 20% and impact $1M
Therefore, while the broad buckets are useful, it’s also essential to have the details about likelihood and impact. Indeed, having a clear, objective analysis of your risks enables you to develop a sound plan for which risks you will address in what order, and which risks you will choose to accept and not act upon. Some risks can be fully remediated (eliminated), while others might only be mitigated, for example, through workarounds or the use of technologies. Whenever possible, these strategies should be incorporated into formal security practices or reusable approaches, rather than one-off fixes.
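The two-dimensional bucketing described above, and the point that two risks in the same bucket can differ enormously in expected loss, is easier to see in code. The following is an added example, not part of the original article: it encodes the impact columns and the two likelihood rows the article shows, adds two assumed middle likelihood bands (labelled as such) so that the article's Risk A and Risk B both land in "Medium", and then ranks risks first by bucket and then by expected loss (likelihood × impact) so that the detail is never lost inside the bucket.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Impact columns (USD) taken from the article's table. An upper bound of None
# means the band is open-ended.
IMPACT_BANDS: List[Tuple[str, float, Optional[float]]] = [
    ("<$10K", 0.0, 10_000.0),
    ("$10K to $100K", 10_000.0, 100_000.0),
    (">$100K", 100_000.0, None),
]

# Likelihood rows. The first and last rows are the article's. The two middle
# rows are ASSUMED here (the article does not show them); they are chosen so
# that Risk A (2%, $150K) and Risk B (20%, $1M) both fall in "Medium", as the
# article states. Each row: (label, lower bound inclusive, upper bound
# exclusive, bucket per impact column).
LIKELIHOOD_MATRIX: List[Tuple[str, float, float, Tuple[str, str, str]]] = [
    ("Almost certain (99%+)", 0.99, 1.01, ("Medium", "Medium", "High")),
    ("Likely (10% to 99%)", 0.10, 0.99, ("Low", "Medium", "Medium")),      # assumed
    ("Unlikely (1% to 10%)", 0.01, 0.10, ("Low", "Low", "Medium")),        # assumed
    ("Almost impossible (<1%)", 0.0, 0.01, ("Low", "Low", "Low")),
]

BUCKET_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # probability (0..1) that the vulnerability leads to the loss
    impact_usd: float   # business cost if it does

    @property
    def expected_loss(self) -> float:
        """Expected loss = likelihood x impact; the detail the buckets hide."""
        return self.likelihood * self.impact_usd


def impact_column(impact_usd: float) -> int:
    """Return the index of the impact band containing impact_usd."""
    for idx, (_, lo, hi) in enumerate(IMPACT_BANDS):
        if impact_usd >= lo and (hi is None or impact_usd < hi):
            return idx
    raise ValueError(f"impact out of range: {impact_usd}")


def bucket(risk: Risk) -> str:
    """Look up the Low/Medium/High bucket for a risk from the matrix."""
    col = impact_column(risk.impact_usd)
    for _, lo, hi, cells in LIKELIHOOD_MATRIX:
        if lo <= risk.likelihood < hi:
            return cells[col]
    raise ValueError(f"likelihood out of range: {risk.likelihood}")


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order risks by bucket (High first), then by expected loss descending.

    Two risks in the same bucket are therefore still separated by the
    likelihood and impact detail rather than treated as interchangeable.
    """
    return sorted(risks, key=lambda r: (BUCKET_ORDER[bucket(r)], -r.expected_loss))


if __name__ == "__main__":
    # Constructed sample risks: A and B are the article's; the others are made up.
    sample = [
        Risk("Risk A", 0.02, 150_000),
        Risk("Risk B", 0.20, 1_000_000),
        Risk("Risk C (near-certain, cheap)", 0.995, 5_000),
        Risk("Risk D (near-impossible, costly)", 0.005, 2_000_000),
    ]
    for r in prioritize(sample):
        print(f"{bucket(r):6} {r.name:34} expected loss ${r.expected_loss:,.0f}")
```

Run as a script, the sample prints Risk B ahead of Risk A even though both are "Medium", because B's expected loss ($200K) dwarfs A's ($3K); Risk D is "Low" despite its $2M impact, which is exactly the kind of accepted risk the article says should be an informed choice rather than an oversight.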
Obstacles to Effective Vulnerability Management
There are many obstacles to measuring risk reliably and precisely. For instance, organizations often lack complete visibility into their technology assets, and the total number of vulnerabilities can be too high to manage effectively. Specific challenges include:
- Cost overruns — Remediating or mitigating a risk is not always an exact science, so it can be difficult to budget accurately.
- Unexpected delays — Similarly, addressing a risk can take much longer than initially expected. Moreover, more urgent priorities can demand the attention of the teams involved in the mitigation effort, delaying the resolution.
- Lack of cooperation — Security teams frequently have limited success in getting the help they need from IT operations and DevOps.
- Lack of tools — Organizations are limited by the software they have, so important risks might go undetected or be too difficult to mitigate.
- Human error — Mistakes are inevitable, and all we can do is to be prepared.
Three Mistakes to Avoid
As you implement a risk-based vulnerability management process, be sure to avoid these common missteps:
- Mistaking hope for strategy — Decision makers sometimes refuse to take action based on the flawed reasoning that because a particular risk hasn’t caused any damage yet, it won’t do so in the future.
- Not using the tools you have — Don’t miss the chance to detect a vulnerability or mitigate a risk because you haven’t implemented a tool properly or used it to its full potential.
- Being penny wise but pound foolish — While organizations can choose not to address certain risks, that should always be an informed choice. Don’t neglect a high-priority vulnerability just because it might be inconvenient to dedicate resources to it.
A risk-based approach to vulnerability management enables IT and security teams to focus on the most important vulnerabilities facing the organization and prevent the most business damage. Risk calculations and risk tolerance will vary depending on your company’s unique IT infrastructure, data and vulnerabilities at a particular point in time. Remember that since both your IT environment and the risk landscape are constantly changing, you need to repeat the risk measurement, prioritization and mitigation process on a regular basis. By making vulnerability management a part of your core security practices, you can better protect your data and your business.