Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload
According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don’t work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.
For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.
The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Today, software and network integrity are synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet owing to the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – less than one in ten actually needs to be patched. The question is: how can we know which patches will ensure that our sieve doesn’t sink?
This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly-configured solutions and address only those vulnerabilities that directly affect their networks. They’re leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.
The Evolution of Vulnerability Management
It’s not news that even the most resource-rich enterprise can’t possibly sort through, prioritize and patch every single vulnerability in their ecosystem. That’s why the shift toward VPT started in the first place.
Initially, Vulnerability Management (VM) focused on scanning and detecting core networks for any vulnerabilities. This was known as Vulnerability Assessment (VA), and the deliverable was a massively long list of vulnerabilities that had little practical value for already overextended IT resources.
To make VA more actionable, the next generation of VM tools included vulnerability prioritization based on each vulnerability’s global CVE scoring. This was further refined by adding another layer of prioritization based on estimations of potential damage, threat context, and, ideally, a correlation with local context to evaluate the potential business impact based on DREAD type models. This more advanced approach is known as Risk Based Vulnerability Management (RBVM) and was a giant leap forward from VA.
Yet even advanced VM tools implementing RBVM lag behind in sophistication and actionability. These tools can only detect what they know – meaning that misconfigured detection tools frequently result in missed attacks. They cannot evaluate whether security controls are configured to compensate for the severity of a given vulnerability according to its CVE score correlated with local context risk. This still results in bloated patching lists and also means that – just like with early-gen VA tools – patching often ends up at the bottom of the to-do list or is simply ignored by IT teams.
Leveraging Next-Gen VPT
Advanced VPT solutions are the next generation of VM – offering organizations a very different view of their unique cyber risks.
Building on traditional VA detection and more advanced RBVM capabilities, the latest generation of VPT solutions adds asset criticality context, environmental context, and multiple, pre-integrated threat intelligence sources. In this way, it effectively augments vulnerability severity data with sophisticated analytics and in-context applicability. These analytical capabilities enable advanced VPT solutions to integrate highly granular threat validation – creating the next generation of capabilities that augment traditional VM: Attack Based Vulnerability Management (ABVM).
ABVM is a game-changer. Because once network stakeholders are able to effectively validate the real-world threats facing their networks, they can test their environments based on actual exposure levels and permeability to attack. According to Gartner, the shift towards ABVM is crucial to better prioritization and assessment of vulnerabilities. It empowers security and risk management leaders to both generate recommendations and apply them directly to their security programs – addressing prioritized findings.
Leveraging ABVM, security stakeholders can identify all undetected attacks, generate data and use cases that enable continuous improvement of detection and response tool configuration, and map out potential end-to-end attack paths with detailed local context. Once these yet unsecured attack paths are clearly mapped out, patching is too because threat validation coupled with a deep understanding of attack paths enables laser-focused patching prioritization. With ABVM, optimizing scarce patching resources to plug only those holes that threaten to sink the sieve becomes straightforward.
The move from traditional score-based VA or RBVM approaches to ABVM can lower patching load by 20%-50% while markedly improving overall security posture. By preventing security drift, ABVM also helps streamline SIEM toolsets – improving tool configuration, eliminating overlap, and identifying missing capabilities.
The Bottom Line
By improving security, reducing costs, refining resource allocation, and strengthening collaboration between teams, ABVM offers a new horizon of productivity and efficacy for security teams. Taking traditional VPT to the next level, ABVM solves chronic vulnerability patching overload, enabling networks to remain afloat even in today’s threat-choked waters.