[BreachExchange] 6 ‘Must Have’ Features for Risk-Based Vulnerability Management

Destry Winant destry at riskbasedsecurity.com
Wed Nov 7 05:11:17 EST 2018


https://securityboulevard.com/2018/11/6-must-have-features-for-risk-based-vulnerability-management/

Vulnerability management typically is an integral part of every
organization’s cybersecurity strategy. However, the traditional
vulnerability management approach has become increasingly ineffective
as organizations’ attack surfaces continue to grow and evolve. It is no
longer enough to just enumerate vulnerabilities due to unpatched
systems, which is unfortunately the focus of traditional vulnerability
management. This article highlights six key distinguishing features
that transform a traditional vulnerability management program into
risk-based vulnerability management, which enables organizations to
avoid breaches by continuously discovering and monitoring all points
in their attack surface and taking appropriate mitigation steps.

A truly risk-based vulnerability management solution will have the
following key capabilities:

1. Automatic discovery and inventory of all IT assets, applications and users.
2. Visibility into all types of assets, including BYOD, IoT, cloud and third party.
3. Comprehensive coverage of attack vectors beyond just unpatched
software (e.g., passwords, encryption levels, ongoing threats).
4. Continuous and real-time monitoring of vulnerabilities across all
assets and all attack vectors.
5. Prioritization of mitigation actions that takes into account the
business context and business impact of vulnerabilities.
6. Prescriptive fixes that address the security issues in a manner
integrated with the enterprise workflow.

Armed with a risk-based vulnerability management program encompassing
these six must-have features, organizations can identify, fix and
close vulnerabilities before they can be exploited. To achieve the
above, AI and machine learning should be leveraged to analyze the
large volume of data collected from thousands of observations and
build a complete picture.

Capability 1: Automatic Discovery and Inventorying

Do you know how many devices (managed, unmanaged, BYOD, IoT) are
plugged into your environment at any point in time?

Traditional vulnerability management tools do not provide automatic
discovery and inventory of the wide range and scope of IT assets that
typically are at play in your organization. To control your
environment, you need an agile, real-time inventory of all assets:
devices, apps and users.

Risk-based vulnerability management should be easy to deploy and
provide a comprehensive inventory of your existing asset ecosystem
within minutes of first deployment. It then needs to provide automatic
and continuous discovery and inventorying of all applications, users
and IT assets including IoT, cloud, on-premises and mobile on an
ongoing basis.

Capability 2: Visibility for All Types of Assets, including BYOD

How helpful would it be if you had continuous visibility across all
types of your assets?

Traditional vulnerability management tools typically scan
enterprise-owned and managed IT assets such as corporate servers and
laptops, and they leave out all the rest such as unmanaged, BYOD,
cloud-based, IoT and mobile, to name just a few.

Risk-based vulnerability management should be able to discover,
monitor, and scan all types of devices and assets—including BYOD, IoT,
cloud and third party—to automatically and continually predict breach
risk through a single integrated system.

Capability 3: Covering the Multi-Dimensional Attack Surface

Does your vulnerability management solution only look at unpatched
vulnerabilities? How about the risk to your business from 200+ other
attack vectors such as weak or shared passwords, malware, incomplete
encryption and more?

Traditional vulnerability management tools have limited coverage
across the vast and rapidly expanding set of attack vectors. Phishing,
ransomware, misconfigurations and credentials are just some of the
vectors not covered by traditional vulnerability management.

Next-generation vulnerability management needs to monitor and scan for
many other attack vectors such as device/network and application
misconfigurations, risk from weak or no encryption, use of weak
passwords and shared passwords, denial of service, password reuse,
propagation risk, phishing and ransomware, zero-day threats and more.

Capability 4: Continuous and Real-Time Monitoring and Analysis

Is interval-based scanning falling short of expectations? Wouldn’t
automated and continuous scanning and analysis of all assets across
all attack vectors be a better strategy?

Traditional vulnerability management is episodic, with point-in-time
scans that restart only once the previous scan completes. Scans are
therefore infrequent and focus on a fraction of your enterprise attack
surface, providing only a point-in-time snapshot of your vulnerabilities.

A next-generation risk-based vulnerability management solution should
offer continuous and real-time monitoring and analysis of all attack
surfaces, giving you the ability to quickly identify potential breach
risk. New BYOD devices should be discovered and assessed minutes after
they are plugged in to your environment. Breach risk should be
continuously calculated for every device, app and user across your
hyperdimensional attack surface.
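As an added illustration of Capabilities 1 and 4 (continuous discovery and inventorying, with new devices triaged minutes after they appear), the following Python is not code from the article or any vendor product. It diffs two constructed inventory snapshots, flags devices the CMDB does not know about, and assigns an assessment deadline; the discovery source (DHCP leases, switch tables, cloud inventory APIs) and the 15-minute / 24-hour SLAs are assumptions.

```python
"""Continuous discovery: diff two inventory snapshots and triage what is new.

Added illustration, not code from the article or any vendor. Asset records
are constructed; the discovery source (DHCP leases, switch tables, cloud API
inventory) is assumed and not prescribed by the text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    mac: str            # stable key for a device between snapshots
    ip: str
    hostname: str
    kind: str           # "server", "laptop", "byod", "iot", "cloud"
    last_seen: datetime


# Constructed: devices the CMDB says are enterprise-owned and managed.
MANAGED_CMDB = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Assumed SLAs: an unknown device gets assessed within minutes, a known one
# can wait for the next scheduled assessment window.
ASSESS_UNMANAGED_WITHIN = timedelta(minutes=15)
ASSESS_MANAGED_WITHIN = timedelta(hours=24)


def diff_inventory(previous, current):
    """Compare two discovery passes keyed by MAC.

    Returns (new, missing, changed), each sorted by MAC so the result is
    deterministic regardless of set iteration order.
    """
    prev = {a.mac: a for a in previous}
    curr = {a.mac: a for a in current}
    new = sorted((curr[m] for m in curr.keys() - prev.keys()), key=lambda a: a.mac)
    missing = sorted((prev[m] for m in prev.keys() - curr.keys()), key=lambda a: a.mac)
    changed = sorted(
        (curr[m] for m in curr.keys() & prev.keys()
         if (curr[m].ip, curr[m].hostname) != (prev[m].ip, prev[m].hostname)),
        key=lambda a: a.mac,
    )
    return new, missing, changed


def triage_new_assets(new_assets, cmdb=MANAGED_CMDB):
    """Label each newly seen device and compute when it must be assessed by."""
    triaged = []
    for a in new_assets:
        if a.mac in cmdb:
            status, due = "managed-new", a.last_seen + ASSESS_MANAGED_WITHIN
        else:
            status, due = "unmanaged-new", a.last_seen + ASSESS_UNMANAGED_WITHIN
        triaged.append((a, status, due))
    return triaged


# Constructed snapshots ten minutes apart.
T0 = datetime(2018, 11, 7, 9, 0)
T1 = T0 + timedelta(minutes=10)
SNAPSHOT_T0 = [
    Asset("aa:bb:cc:00:00:01", "10.0.1.10", "web-01", "server", T0),
    Asset("aa:bb:cc:00:00:02", "10.0.2.21", "lt-alice", "laptop", T0),
    Asset("aa:bb:cc:00:00:03", "10.0.3.5", "cam-lobby", "iot", T0),
]
SNAPSHOT_T1 = [
    Asset("aa:bb:cc:00:00:01", "10.0.1.10", "web-01", "server", T1),
    Asset("aa:bb:cc:00:00:02", "10.0.2.40", "lt-alice", "laptop", T1),    # IP moved
    Asset("aa:bb:cc:00:00:09", "10.0.2.77", "android-bob", "byod", T1),   # not in CMDB
]

if __name__ == "__main__":
    new, missing, changed = diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1)
    for asset, status, due in triage_new_assets(new):
        print(f"{status:14} {asset.hostname:12} ({asset.kind}) assess by {due:%H:%M}")
    print("missing:", [a.hostname for a in missing])
    print("changed:", [a.hostname for a in changed])
```

Running it shows the unmanaged BYOD phone surfacing as "unmanaged-new" with a 15-minute deadline, the camera that dropped off the network, and the laptop whose address changed; a real deployment would feed each discovery pass into this diff rather than waiting for a full scheduled scan to finish.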

Capability 5: Prioritization Based on Business Context and Risk

How do you prioritize your list of actions? What do you tackle first?

Traditional vulnerability management tools only focus on identifying
the severity of the findings and ranking them with a generic low,
medium and high rating (e.g., derived from the CVE's severity score). A
key component in determining business cyber risk is understanding the
context around the role and criticality of each IT asset that has the
vulnerabilities. Without this information, rationalizing mitigation
activities becomes an uphill, often insurmountable task.

To increase your cyber-resilience, you need to focus your limited
SecOps resources on the potential breaches that may have the most
business impact. Modern, risk-based vulnerability management needs to
compute the business risk of each asset by contextualizing information
including the role of that asset, the security state of that asset
analyzed over multiple attack vectors, compensating controls already
in place, globally prevalent threats and more. Risk-based
vulnerability management needs to be able to comprehensively assess
the business risk of all assets, presenting a prioritized list of
mitigation actions and prescriptive fixes for each prioritized action.
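The following Python is an added worked example of the prioritization described above (and of the rationale-bearing fix text Capability 6 asks for); it is not the article's or any vendor's scoring model. Technical severity is only the starting point: internet exposure and active exploitation raise the likelihood, compensating controls lower it, and asset criticality supplies the impact. The multipliers, control discounts, threat list and the CVE-style identifiers are assumptions and placeholders, and the assets and findings are constructed.

```python
"""Business-context risk prioritisation of findings, with a prescriptive fix.

Added worked example for the prioritisation capability; not the article's or
any vendor's scoring model. Weights, control discounts and the threat list are
assumptions chosen to illustrate the idea; assets and findings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    role: str                   # business function, e.g. "payment API"
    criticality: int            # 1 (low) .. 5 (business critical), from the owner/CMDB
    internet_facing: bool
    compensating_controls: set = field(default_factory=set)


@dataclass
class Finding:
    asset: Asset
    vector: str                 # "unpatched", "weak-password", "no-encryption", "misconfig"
    identifier: str             # CVE id or rule name; placeholder values below
    severity: float             # 0.0-10.0 technical severity (e.g. a CVSS base score)


# Constructed threat context: identifiers currently being exploited in the wild.
# The CVE id is a placeholder, not a real entry.
ACTIVELY_EXPLOITED = {"CVE-0000-0001"}

# Assumed: fraction by which each compensating control reduces likelihood.
CONTROL_DISCOUNT = {"waf": 0.3, "segmented": 0.4, "mfa": 0.5, "edr": 0.2}

# Fix text carries the rationale, not just "patch it".
FIX_TEMPLATES = {
    "unpatched": "Patch {id} on {name}: it affects the {role}, so exploitation would have direct business impact.",
    "weak-password": "Enforce a password policy and MFA on {name}: {id} exposes the {role} to credential abuse.",
    "no-encryption": "Enable TLS on {name}: {id} exposes credentials and data of the {role} in transit.",
    "misconfig": "Correct {id} on {name}: the misconfiguration widens the exposure of the {role}.",
}


def risk_score(f, exploited=ACTIVELY_EXPLOITED):
    """Likelihood x business impact on a 0-100 scale.

    Severity alone is the traditional ranking; here it only seeds the
    likelihood, which exposure and active exploitation raise and
    compensating controls lower. Impact comes from asset criticality.
    """
    likelihood = f.severity / 10.0
    if f.asset.internet_facing:
        likelihood *= 1.5
    if f.identifier in exploited:
        likelihood *= 2.0
    for control in f.asset.compensating_controls:
        likelihood *= 1.0 - CONTROL_DISCOUNT.get(control, 0.0)
    likelihood = min(likelihood, 1.0)
    impact = f.asset.criticality / 5.0
    return round(100 * likelihood * impact, 1)


def prescribe(f):
    return FIX_TEMPLATES[f.vector].format(id=f.identifier, name=f.asset.name, role=f.asset.role)


def prioritize(findings, exploited=ACTIVELY_EXPLOITED):
    """Return findings as (score, asset, identifier, fix) from highest risk down."""
    ranked = sorted(findings, key=lambda f: risk_score(f, exploited), reverse=True)
    return [(risk_score(f, exploited), f.asset.name, f.identifier, prescribe(f)) for f in ranked]


# Constructed sample: four assets, four findings across different attack vectors.
PAY_API = Asset("pay-api", "payment API", 5, True, {"waf"})
HR_DB = Asset("hr-db", "HR database", 4, False)
CAM = Asset("cam-lobby", "lobby camera", 2, True)
DEV_LAB = Asset("dev-lab-07", "developer lab host", 1, False, {"segmented"})

SAMPLE_FINDINGS = [
    Finding(PAY_API, "unpatched", "CVE-0000-0001", 6.5),   # medium CVSS, critical exposed asset
    Finding(DEV_LAB, "unpatched", "CVE-0000-0002", 9.8),   # critical CVSS, isolated low-value asset
    Finding(HR_DB, "weak-password", "shared-admin-password", 7.0),
    Finding(CAM, "no-encryption", "plaintext-http-admin", 5.0),
]

if __name__ == "__main__":
    for score, asset, ident, fix in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {asset:11} {ident:22} {fix}")
```

The point the ordering makes: the medium-severity bug on the exposed, actively exploited payment API lands at the top, while the "critical" CVSS finding on a segmented lab host drops to the bottom, and a non-patch vector (a shared admin password on the HR database) outranks both of the lower entries. A severity-only ranking would invert the first and last of these.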

Capability 6: Prescriptive Fixes

How do you take action on mitigating your security vulnerabilities?

Traditional vulnerability management tools only provide a tactical
list of actions to patch vulnerabilities. These actions often lack
detailed rationale and context.

Risk-based vulnerability management should offer detailed prescriptive
fixes that are actionable and clearly explain why this vulnerability
is risky and how the risk might be reduced by fixing it. This helps
organizations get alignment on fixing the most important security issues.
