Considering Implementing Risk-Based Vulnerability Management? Start Here

Jul 16, 2020
Ed Bellis
Chief Technology Officer, Co-founder


When TechValidate surveyed Kenna Security customers last year, one IT Security engineer observed that his organization’s Qualys vulnerability reports “were 12,000 pages long for 50 servers.”

Twelve thousand pages of vulns. For just 50 servers.

His question was simple: “How does that help?”

Well, it doesn’t. And at a time when the number of published vulnerabilities has tripled since 2016, the traditional methods of vulnerability management have failed to keep pace. You can’t rely on scanner reports and spreadsheets anymore. Nor can you fall back on that old habit of patching anything above a certain threshold, such as a Common Vulnerability Scoring System (CVSS) score of 7 or higher. And there’s no sense chasing vulnerabilities that make headlines if they aren’t likely to be exploited in your environment.

Yet too many organizations are still doing some or all of these things, in the process treating every vulnerability that shows up as a risk, even if it isn’t much of one. So Security teams present IT with thousands of so-called “critical vulnerabilities,” leaving them to waste precious cycles patching vulns that may not be much of a risk, if any, to the organization. Over time, the impossible pressure to fix everything drives up costs, erodes the working relationship between IT, Security and DevOps, and leads to enormous and persistent waste of resources that could and should be put toward more strategic tasks.

A better approach is for Security teams to shift their focus away from old-school, manual prioritization and concentrate on the vulnerabilities that matter most to their unique environment. A true risk-based vulnerability management (RBVM) approach aligns teams around identifying and remediating the vulns that are most likely to be exploited. It applies modern tools to a modern problem: the most advanced RBVM platforms draw on updated threat intelligence, automated risk analysis, predictive modeling, data science, natural language processing and more. With an RBVM environment:

  • Security teams can start measuring real risk and how best to reduce it.
  • Executive teams gain a clear understanding of the company’s security posture.
  • IT and DevOps work more efficiently and strategically.

Implementing RBVM: A Practical Guide

Now, a new white paper walks you through the steps and best practices you need to take a far more efficient and effective approach to vulnerability management—by focusing on the vulnerabilities that matter most. “How to Implement Risk-Based Vulnerability Management Now: A Practical Guide” details six key steps that will have you managing vulnerabilities better by focusing on risk.

Informed by actual data and experience with implementing RBVM solutions in some of the world’s most demanding customer environments, this practical guide is filled with recommendations on the various tools you’ll need to mount a comprehensive RBVM program, including pro tips and insights from experts in the field. Consider it your roadmap to getting started on developing a modern approach to vulnerability management. It prescribes specific steps to follow so you can lay the proper groundwork for an RBVM environment, and then explains how to build on that foundation to ultimately get to the point where you’re managing the right level of risk for your business.

From examining assets and assessing your own organization’s tolerance for risk, to asking the right questions that will help you determine the relative risk a vuln poses to your environment—it’s all here. And it’s available now.

Download your complimentary copy today. And get started on moving toward what leading analysts say is the future of vulnerability management.


© 2022 Kenna Security. All Rights Reserved. Privacy Policy.