What is Risk-Based Vulnerability Management?
In this post we explain the basic principles and features of Risk-Based Vulnerability Management, and how the CICADA8 platform helps to implement this approach to prioritizing vulnerabilities.
Future Crew
Microsoft's August update pack included patches for 89 new vulnerabilities in various software developed by the company. The majority of these vulnerabilities have a CVSS rating higher than 7 on a 10-point scale, meaning a high or critical threat level. And that is just one month and one vendor, albeit the largest.
This high number of severe vulnerabilities poses a challenge for cybersecurity experts, who have to prioritize updates since it is virtually impossible to deal with all of them at once. First, there simply won't be enough human resources. Second, installing updates often requires a complete system reboot, which means interrupting important business processes.
Yet leaving the company's infrastructure unprotected against a potential threat is certainly not an option. That is why today we will be talking about a more efficient approach to prioritizing updates, known as Risk-Based Vulnerability Management. It looks not only at the vulnerability rating, but also brings in other factors that help to assess the cybersecurity risks facing a company and to prioritize updates accordingly.
Drawbacks of the Traditional Vulnerability Management
Traditional Vulnerability Management is the process of detecting, assessing and remediating vulnerabilities in software and computer systems. This approach involves continuous scanning of IT assets for vulnerabilities. Once a vulnerability is identified, threat assessment and prioritization of updates are generally based on its CVSS rating. The principle is quite simple: the higher the rating, the faster the vulnerability needs to be fixed.
Some time ago, this approach could ensure the cybersecurity of a company. But now, with the ever-increasing number of vulnerabilities rated high and critical, this prioritization method no longer adequately assesses the risk that any given vulnerability poses to a company.
This is best illustrated by numbers. The graph below shows the growth in the number of detected vulnerabilities with a rating from 7.0 to 10.0 on the CVSS scale over the past 25 years. It is clear that growth over the last decade has been rapid: while in 2013 fewer than 2,000 such vulnerabilities were detected, in 2023 their number already reached 16,000.
The second challenge that traditional Vulnerability Management cannot tackle is the constant expansion of the company's external assets, in other words the components of the company's digital infrastructure that can be accessed via the Internet and attacked from the outside.
These components are usually associated with multiple external IP addresses, domains, subdomains, open ports, SSL certificates and so on. Together they form a huge digital estate that needs to be carefully monitored. Today, a large portion of such assets are cloud-based applications and third-party services integrated into the company's infrastructure, and it is impossible to control them using the same methods and tools as for the company's on-premise infrastructure.
Furthermore, vulnerabilities can be, and most likely will be, discovered in all of these assets. However, not all of them become known to the company's cybersecurity providers. The problem is that the traditional Vulnerability Management method does not include the step of identifying external assets. As a result, cybersecurity providers may remain blind to vulnerabilities in external assets that are an important part of the company's digital infrastructure, simply because they know nothing about them.
Benefits of Risk-Based Vulnerability Management
Risk-Based Vulnerability Management, or RBVM, is a more advanced method that addresses both of the above challenges. It is the process of prioritizing vulnerabilities for remediation based on the risks they pose to a company. It typically involves the following steps:
• Inventory of assets, both internal and external;
• Identification of vulnerabilities in external and internal assets;
• Risk assessment based on the unique features of a certain company;
• Prioritization based on the assessment results;
• Remediation of vulnerabilities assigned the highest priority.
The main distinction between RBVM and traditional Vulnerability Management lies in the risk assessment and in prioritizing vulnerability remediation according to that assessment. This allows cybersecurity providers to focus on the vulnerabilities that are most critical to the business, rather than on those with the most intimidating rating.
Consequently, employees of the Information Security Department can allocate resources more efficiently and minimize exposure to attack in the places where an attack would cause the most damage, while also ensuring compliance with all regulations and requirements.
The inventory of the company's assets as a first step helps cybersecurity providers to identify previously unknown external resources. All further steps will therefore encompass both the company's internal infrastructure and its external perimeter. As a result, detection of vulnerabilities and assessment of the risks they pose to the company will cover not just the assets under the spotlight, but all locations critical to the business.
Risk Assessment and Vulnerability Remediation Prioritization Factors in Risk-Based Vulnerability Management
After identifying vulnerabilities across all external assets of a company, Risk-Based Vulnerability Management proceeds to assess the risk posed by each vulnerability. This assessment can rely on several factors. The major ones are as follows:
• What is the CVSS rating of a vulnerability?
• How critical is a vulnerable asset to the company's operations?
• How likely is it that this vulnerability will be exploited?
• How will the vulnerability remediation measures affect business processes?
Let's discuss each factor separately. First of all, it is necessary to assess the CVSS rating — this step is also taken in classic vulnerability management. It is worth noting here that RBVM certainly does not diminish the importance of this scale, but supplements it with other parameters for a comprehensive risk assessment that takes into account the unique features of a certain company.
The next important factor is the criticality of the vulnerable resource to the company's operations. The idea behind this is simple: if compromise of that asset would lead to interruption of important business processes, leakage of user or employee data, heavy financial losses, and so on, then its vulnerabilities deserve attention first, even with a relatively low CVSS rating.
Not every severe vulnerability has a working exploit. Therefore, when determining the likelihood of exploitation, it is worth considering whether such exploits exist, whether they are usable in real attacks, and how popular they are among attackers. Cybersecurity providers may obtain such information from aggregators that collect threat intelligence data.
The last factor is the impact of the remediation steps on business processes. When deciding how urgent the fixing of a particular vulnerability is, it is important to keep in mind the potential downtime and whether any systems require a restart to install the updates.
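The following added example (not CICADA8 code) shows how the four factors above can be combined into a risk score that reorders a constructed set of findings; the multiplicative weighting, the likelihood values and the sample asset names are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # constructed placeholder ID, not a real CVE
    asset: str
    cvss: float              # factor 1: CVSS base score, 0.0-10.0
    asset_criticality: int   # factor 2: 1 (lab/test) .. 5 (business-critical)
    exploit_available: bool  # factor 3: public exploit code exists
    exploited_in_wild: bool  # factor 3: threat intel reports active exploitation
    requires_reboot: bool    # factor 4: remediation interrupts a business process


def exploit_likelihood(f: Finding) -> float:
    """Likelihood of exploitation from threat-intel attributes (assumed weights)."""
    if f.exploited_in_wild:
        return 1.0
    if f.exploit_available:
        return 0.6
    return 0.2


def risk_score(f: Finding) -> float:
    """Combine CVSS, asset criticality and exploit likelihood into a 0-100 score.
    The multiplicative weighting is an illustrative assumption, not a CICADA8 formula."""
    severity = f.cvss / 10.0
    criticality = f.asset_criticality / 5.0
    return round(100 * severity * criticality * exploit_likelihood(f), 1)


def by_cvss(findings):
    """Traditional ordering: highest CVSS first."""
    return sorted(findings, key=lambda f: -f.cvss)


def by_risk(findings):
    """RBVM ordering: highest risk first; on ties, prefer fixes that need no reboot."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.requires_reboot, f.vuln_id))


# Constructed sample findings (hostnames and IDs are made up).
SAMPLE = [
    Finding("VULN-A", "dev-test-vm", 9.8, 1, False, False, True),
    Finding("VULN-B", "payment-gateway", 6.5, 5, True, True, False),
    Finding("VULN-C", "hr-portal", 7.5, 4, True, False, True),
    Finding("VULN-D", "internal-wiki", 8.8, 2, True, False, False),
]

if __name__ == "__main__":
    print("CVSS order:", [f.vuln_id for f in by_cvss(SAMPLE)])
    for f in by_risk(SAMPLE):
        print(f"{f.vuln_id} {f.asset:16} risk={risk_score(f):5.1f} reboot={f.requires_reboot}")
```

Under the pure CVSS ordering the 9.8-rated test VM is fixed first; under the risk ordering the actively exploited 6.5-rated payment gateway comes first and the test VM last.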