Standard Vulnerability Management Isn’t Enough

Jan 23, 2019
Jeff Aboud

Share with Your Network

There are dozens of vulnerability scanners on the market today. Their job is to do exactly what their name implies—scan your environment to find vulnerabilities. In fact, these vulnerability scanners are fantastic at doing just that—finding your vulnerabilities; unfortunately, they’re not able to then prioritize those vulnerabilities for you.

Once you scan your environment to get the seemingly never-ending list of vulnerabilities, you’re probably dumping the results into an Excel spreadsheet, so that you can attempt to make some degree of sense out of all of the noise. The problem is, with no additional context or color, how can you prioritize which of the multitude of vulnerabilities to remediate first to truly protect your organization from cyber risk?

Some attempt to provide a “scanner score” to give you some sense of which ones are considered more critical than others, but the truth is that the majority of those scanner scores are based exclusively, or nearly exclusively, on CVSS scores, so they’re really not adding any additional context or value. As a result, the vulnerability scanner market has become highly commoditized.

What you really need is a solution that doesn’t just scan your environment and dump out a flat CSV file with no additional context. You need something that ingests not only your scan data, but any other relevant security data you have throughout your organization, couples it with real-time threat and exploit intelligence, and then employs machine learning and data science to determine the specific amount of risk each vulnerability poses to your organization and deliver a specific risk score–for every vulnerability, asset, and asset group. The tool should also prioritize your remediation efforts, so that your security and IT teams can focus on remediating the relatively few vulnerabilities that pose the most risk.

A Better Way

Taking a proactive, risk-based approach to vulnerability management will help your security and IT teams maximize their efficiency as well as their effectiveness in reducing overall risk. It will also help them maintain their sanity, since they’ll not only understand which vulnerabilities pose the greatest amount of risk, but they’ll also see that the vast majority of their vulnerabilities actually pose little to no risk at all, so they can brush those aside and instead focus just on what matters most. And when those risk scores then translate into an organization-wide risk score, now your teams have a quantitative metric to measure the effectiveness of their efforts. With that kind of intelligence, you can now make the most of your limited resources.

But Wait, There’s More!—Peer Benchmarking

That sounds pretty amazing, right? But what if you could do even more with your security programs? What if the tool also told you the average risk score for your industry peers, to inform your security decisions and ensure that your security programs keep pace with the rest of the industry? Fortunately, peer benchmarking is available, and it can be an invaluable tool for security teams as well as senior management—whether you need to demonstrate the team’s efficiency or fight for budget, having the context of how your score relates to the industry average adds credibility to your case.

Is There Anything Beyond Proactive?

If you are efficiently prioritizing and proactively managing the vulnerabilities that pose the most risk to your organization, you’re already achieving far more than the vast majority of your colleagues; most of their security programs are still limited to reacting to threats after they’re inside the network. And when they’re assessing vulnerabilities, it’s without the context required to effectively prioritize remediation efforts based on risk. But the next logical step is to actually predict the future risk of vulnerabilities as soon as they’re discovered—and long before an exploit can be built. This gives security teams the foresight needed to remediate high-risk vulnerabilities before adversaries can mount an attack.

Full-Stack Vulnerability Management

But why stop at infrastructure vulnerabilities? The application security strategy for most organizations is still pretty immature, relying on a wide range of application security tools, each with their own set of pros and cons, and none of which actually work together. As a result, five of your teams can end up chasing the same vulnerability, none of whom have enough context to truly understand what’s going on. The result is often a significant amount of wasted effort from teams that have precious little time to dedicate to security. What you need is a tool that can integrate, correlate, and deduplicate the application security data from all of your connected application information sources to provide you with the context required to effectively prioritize application vulnerabilities.

There are certainly a few providers that have some capabilities here, but the real need is to have your application risk management and your vulnerability risk management products fully integrated, so that you can have full visibility and accurate, real-time risk-based vulnerability prioritization across their entire organization—full stack.

To learn more about how to move beyond standard vulnerability management, and begin efficiently prioritizing and proactively managing the vulnerabilities that pose the most risk to your organization, reach out and ask us for a demo of Kenna Security’s solutions.

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the P2P series explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities.

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is...



Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You...

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.