A 2019 survey by PWC found that 57% of respondents who reported a breach said it was due to a vulnerability for which a patch was available but had not been applied. So why aren’t companies doing better when it comes to vulnerability management?
While vulnerability scanning tools help you identify vulnerabilities, they do not help you manage them. Simply knowing about vulnerabilities is not enough: organizations need actionable insight to build an effective mitigation plan.
Scanning tools often report thousands of issues, making it hard for security teams to manage the associated risk efficiently, particularly as the set of findings changes with every scan. It is impossible to address every known vulnerability at once, so prioritization becomes essential.
In order to effectively prioritize and take appropriate actions, organizations must have visibility of:
- The detected vulnerabilities and their potential severity
- The relative criticality of the scanned nodes and related assets to the business
- How long they have been exposed to the vulnerabilities
- Who is dealing with them and by when.
Scanning, though, is only the start. Once you know where the risks lie, you need to patch the known vulnerabilities in a timely manner; otherwise you leave the business exposed, as the respondents in the PWC survey learned. In larger organizations this is often easier said than done, because prioritization is typically based on raw severity alone (the CVSS base score), which says nothing about what the affected system is worth to the business and so does not give the task the focus it needs.
This is because in most organizations there is a total separation between the technical specialists who focus on CVSS ratings, and information risk management specialists who must map information assets to supporting infrastructure and critical business processes.
In addition, the continuous cycle of scanning and patching must be supported by accurate visibility of changes in the asset baseline. A finding that disappears between one scan and the next is not necessarily fixed: the asset carrying it may simply have been offline, unreachable or otherwise not responding when the second scan ran, so the vulnerability is still present but no longer reported.
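The two points above, ranking findings by business risk rather than by CVSS alone and refusing to mark a finding remediated when its asset did not answer the follow-up scan, are easy to show in code. The script below is an added illustration for this article, not code from the original page or from any scanner or risk-management product. The asset inventory, findings, criticality weights, SLA windows and the 0.5-per-day overdue penalty are all constructed or assumed placeholders, not recommended values.

```python
"""Risk-based triage of scanner output with asset-baseline reconciliation.

Added illustration; not code from the original page or any vendor product.
Every asset, finding, weight and SLA below is constructed or assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset inventory: hostname -> business criticality (1 low .. 4 crown jewel).
# Assumption: this mapping is owned by risk management, not inferred from scan data.
ASSETS = {"db-prod-01": 4, "web-prod-02": 3, "build-agent-07": 2, "kiosk-lobby-01": 1}

# Assumed remediation SLAs in days, keyed by CVSS severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # constructed label; a real feed would carry a CVE or plugin id
    cvss: float
    exposed_since: date   # first date the scanner reported it on this asset
    owner: str = "unassigned"


def cvss_band(cvss: float) -> str:
    """Map a CVSS base score to the usual severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA for this finding's band (0 while still within SLA)."""
    return max(0, (today - f.exposed_since).days - SLA_DAYS[cvss_band(f.cvss)])


def risk_score(f: Finding, today: date) -> float:
    """CVSS measures severity only; risk scales it by asset criticality and adds
    a penalty per day past SLA. The multiplier and 0.5/day weight are assumptions."""
    crit = ASSETS.get(f.asset, 2)  # unknown asset: assume medium, never 'low' by default
    return f.cvss * crit + 0.5 * days_overdue(f, today)


def prioritize(findings, today: date):
    """Open findings ordered by risk, highest first, with owner and deadline attached."""
    rows = []
    for f in sorted(findings, key=lambda x: risk_score(x, today), reverse=True):
        deadline = f.exposed_since + timedelta(days=SLA_DAYS[cvss_band(f.cvss)])
        rows.append((f.asset, f.vuln_id, round(risk_score(f, today), 1), f.owner, deadline.isoformat()))
    return rows


def reconcile(previous, current, assets_seen):
    """Classify each finding from the previous scan after a new scan has run.
    A finding counts as remediated only if its asset actually answered the new scan
    and the finding is gone; an absent or unresponsive asset yields 'unverified',
    which must stay in the open queue instead of silently dropping off it."""
    still_open = {(f.asset, f.vuln_id) for f in current}
    result = {}
    for f in previous:
        key = (f.asset, f.vuln_id)
        if key in still_open:
            result[key] = "open"
        elif f.asset in assets_seen:
            result[key] = "remediated"
        else:
            result[key] = "unverified"
    return result


# Constructed scan data. Note the kiosk carries a CVSS 9.8 finding but is the
# least critical asset, while the database carries a 7.5 that is well past SLA.
TODAY = date(2024, 1, 31)
PREVIOUS = [
    Finding("db-prod-01", "vuln-001", 7.5, date(2023, 12, 1), "dba-team"),
    Finding("web-prod-02", "vuln-002", 9.8, date(2024, 1, 1), "web-team"),
    Finding("kiosk-lobby-01", "vuln-003", 9.8, date(2024, 1, 25)),
    Finding("build-agent-07", "vuln-004", 5.0, date(2024, 1, 20), "ci-team"),
]
# Second scan: build-agent-07 was patched; db-prod-01 was offline and never answered.
CURRENT = [
    Finding("web-prod-02", "vuln-002", 9.8, date(2024, 1, 1), "web-team"),
    Finding("kiosk-lobby-01", "vuln-003", 9.8, date(2024, 1, 25)),
]
SEEN_IN_CURRENT_SCAN = {"web-prod-02", "kiosk-lobby-01", "build-agent-07"}

if __name__ == "__main__":
    for row in prioritize(PREVIOUS, TODAY):
        print(row)
    for key, status in reconcile(PREVIOUS, CURRENT, SEEN_IN_CURRENT_SCAN).items():
        print(key, status)
```

Run as-is, the CVSS-only order would be web, kiosk, db, build; the risk-based order is db, web, build, kiosk, because asset criticality and time past SLA outweigh the kiosk's raw 9.8. The reconciliation step then reports the database finding as "unverified" rather than "remediated", which is exactly the false-closure the paragraph above warns about.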
Successfully addressing this risk challenge requires an effective integration of Vulnerability Management with Asset Management and Risk Management, and the good news is that this can be more straightforward than it sounds!
To learn how and why you should take a risk-based approach to vulnerability and asset management, view our on-demand webinar: A Risk-Based Approach to Vulnerability and Asset Management.