Vulnerability management woes continue, but there is hope

I remember giving a presentation when I first started working in cybersecurity in 2003 (note: It was called information security back then). I talked about the importance of good security hygiene, focusing on deploying secure system configurations, managing access controls, and performing regular vulnerability scans. 

When it came to the Q&A portion of my presentation, a gentleman in the first row raised his hand. He mentioned that his company was diligent about vulnerability scanning, but then he asked me: “How do you determine which vulnerabilities to prioritize and which ones to ignore?”

I don’t remember exactly how I responded, but I am certain that my answer wasn’t very good.

The vulnerability management dilemma from 2003 remains a big problem to this day. As part of a recent ESG research project on cyber risk management, 340 cybersecurity and IT professionals were asked to identify their organization’s biggest vulnerability management challenge. (Note: I am an ESG employee.)

Here are some of the results:

• 43% of respondents indicate that their biggest vulnerability management challenge is prioritizing which vulnerabilities to remediate. Sound familiar?
• 42% of respondents indicate that their biggest vulnerability management challenge is tracking vulnerability and patch management over time. In other words, many organizations find it difficult to manage processes from vulnerability scanning, to trouble ticketing, to change management, to patching, to incident closure. Oh, and these processes require strong collaboration between security and IT operations personnel. As Bruce Schneier says, “Security is a process, not a product.” In this case, the processes are broken. 
• 42% of respondents indicate that their biggest vulnerability management challenge is patching vulnerabilities in a timely manner. It’s not uncommon for a large enterprise to have thousands or even tens of thousands of vulnerabilities at any time. Little wonder it’s difficult to keep up.
• 41% of respondents indicate that their biggest vulnerability management challenge is tracking the cost and effectiveness of their vulnerability management program. Security budgets continue to rise, but CFOs want some reasonable metrics around what they are getting for their money. Looks like many organizations remain clueless when it comes to vulnerability management ROI. 
• 40% of respondents indicate that their biggest vulnerability management challenge is keeping up with the volume of vulnerabilities. As I mentioned above, thousands to tens of thousands of vulnerabilities. 

By the way, we’ve tried to improve vulnerability management by prioritizing vulnerabilities with high CVSS scores, those with known exploits, or those from mission-critical software vendors. But based upon this data, it looks like we haven’t progressed much in the past 16 years. Given the number of applications, devices, and systems on the network today, many organizations face greater cyber risk today than they did in the early 2000s – simply because of these and other continuing vulnerability management challenges.

Which vulnerabilities should you prioritize?

Fortunately, I finally have an answer to the question posed in 2003.  

Question: “How do you determine which vulnerabilities to prioritize and which ones to ignore?”

Answer: Let data analytics be your guide. In other words, take all your vulnerability scanning data and analyze it across a multitude of parameters, including asset value, known exploits, exploitability, threat actors, CVSS score, similar vulnerability history, etc. This data analysis can be used to calculate risk scores, and these risk scores can help guide organization on which vulnerabilities should be patched immediately, which ones require compensating controls until they can be patched, which ones can be patched on a scheduled basis, and which ones can be ignored. 

Of course, few organizations will have the resources or data science skills to put together the right vulnerability management algorithms on their own, but vendors such as Kenna Security, RiskSense, and Tenable Networks are all over this space. Furthermore, SOAR vendors such as Demisto, Phantom, Resilient, ServiceNow, and Swimlane are working with customers on runbooks to better manage the operational processes. 

After all this time, I’m still convinced that strong cybersecurity hygiene is a critical practice for cyber risk mitigation. I’m glad that we’ve finally made some progress on ways to make this happen.