Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don’t work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.

For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.

The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Today, software and network integrity are synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet owing to the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – less than one in ten actually needs to be patched. The question is: how can we know which patches will ensure that our sieve doesn’t sink?

This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly-configured solutions and address only those vulnerabilities that directly affect their networks. They’re leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.

The Evolution of Vulnerability Management

It’s not news that even the most resource-rich enterprise can’t possibly sort through, prioritize and patch every single vulnerability in their ecosystem. That’s why the shift toward VPT started in the first place.

Initially, Vulnerability Management (VM) focused on scanning and detecting core networks for any vulnerabilities. This was known as Vulnerability Assessment (VA), and the deliverable was a massively long list of vulnerabilities that had little practical value for already overextended IT resources.

To make VA more actionable, the next generation of VM tools included vulnerability prioritization based on each vulnerability’s global CVE scoring. This was further refined by adding another layer of prioritization based on estimations of potential damage, threat context, and, ideally, a correlation with local context to evaluate the potential business impact based on DREAD type models. This more advanced approach is known as Risk-Based Vulnerability Management (RBVM) and was a giant leap forward from VA.

Yet even advanced VM tools implementing RBVM lag behind in sophistication and actionability. These tools can only detect what they know – meaning that misconfigured detection tools frequently result in missed attacks. They cannot evaluate whether security controls are configured to compensate for the severity of a given vulnerability according to its CVE score correlated with local context risk. This still results in bloated patching lists and also means that – just like with early-gen VA tools – patching often ends up at the bottom of the to-do list or is simply ignored by IT teams.

Leveraging Next-Gen VPT

Advanced VPT solutions are the next generation of VM – offering organizations a very different view of their unique cyber risks.

Building on traditional VA detection and more advanced RBVM capabilities, the latest generation of VPT solutions add asset criticality context, environmental context, and multiple, pre-integrated threat intelligence sources. In this way, it effectively augments vulnerability severity data with sophisticated analytics and in-context applicability. These analytical capabilities enable advanced VPT solutions to integrate highly granular threat validation – creating the next generation of capabilities that augment traditional VM: Attack Based Vulnerability Management (ABVM). Read more:https://bit.ly/3s8h5LX

You can also read this:Everything you need to know to create a Vulnerability Assessment Report

Leave a Reply

Your email address will not be published. Required fields are marked *