What is Vulnerability Management Prioritization?
Vulnerability management prioritization is one of the most important aspects of a modern vulnerability management program. Prioritization is vital because the average enterprise harbors millions of cyber vulnerabilities, but even the most well-resourced teams can only remediate about 10% of them.
This blog explains how vulnerability management prioritization determines the efficiency and effectiveness of Security and IT operations teams.
- Why is vulnerability management prioritization critical?
- Meaningful prioritization is key
- CVSS strengths and shortcomings
- Scanner score strengths and weaknesses
- Context is vital to vulnerability management prioritization
- Vulnerability management prioritization: Why ‘good enough’ isn’t
Why is vulnerability management prioritization critical?
Vulnerability management prioritization is a critical element of a vulnerability management program. Because the typical enterprise harbors millions of cyber vulnerabilities across laptops, servers, and internet-connected devices like printers and routers, it’s impossible for even the most well-resourced team to remediate every vulnerability.
In fact, the average organization can expect to patch only 1 in 10 of all vulnerabilities within its environment. This is what makes vulnerability management prioritization so essential.
Meaningful prioritization is key
The effectiveness of a vulnerability management program is directly tied to its ability to focus on the vulnerabilities that pose the greatest risk to a specific organization. Anything less is too general to be useful to overworked IT and AppDev remediation teams, and will leave them wasting time remediating low- or no-risk vulnerabilities.
Most organizations today prioritize vulnerabilities based on two approaches: They either rely on the Common Vulnerability Scoring System (CVSS) to determine which vulnerabilities to remediate first, or they accept the prioritization provided by their vulnerability scanning solution. The two approaches often overlap, because many scanners primarily rely on CVSS scores to determine prioritization.
CVSS strengths and shortcomings
Most organizations prioritize vulnerabilities based on CVSS scores, with spreadsheets as their tool of choice for managing vulnerability remediation. CVSS scores, which rank the severity of cyber vulnerabilities on a scale of 1 to 10 (with 10 being most severe), are popular because they’re easy to understand. Most Security and IT teams focus on vulnerabilities with CVSS scores of 7 or higher. Vulnerabilities scored at that level end up on the remediation spreadsheet, usually prioritized by score, with those near 10 making the top of the list.
Though CVSS is simple, it has several disadvantages. First, as scoring systems go, CVSS is static. Once vulnerabilities are cataloged and assigned a CVE (Common Vulnerabilities and Exposures) number, they typically receive a CVSS score in the National Vulnerability Database within a few weeks, before any exploits are written against them. This means they are scored based on the initial assessment of their potential to be exploited, and then rarely—if ever—updated. But vulnerabilities are dynamic, and their risk profile often changes over time as exploits are published against them and those exploits are used in the wild. Static scores don’t accommodate those changes.
CVSS scores also lack context. In other words, they don’t reflect factors like the prevalence of the vulnerability in actual network environments, the volume of exploits, the importance of the asset they affect, or any other contextual information required for the security analyst to truly understand the level of risk.
Scanner score strengths and weaknesses
Scanner tools that offer scoring and prioritization make their case based on convenience: They produce both scan results and vulnerability prioritization in a single solution. But many scanning solutions simply repackage the CVSS score, often making them appear proprietary by changing the scale (e.g., 1-5 instead of 1-10).
These scanner scores, and their resulting prioritization, are just as static and lacking in context as CVSS scores alone.
Context is vital to vulnerability management prioritization
For effective vulnerability management prioritization, it’s important for vulnerability management tools to factor in more than simply whether a CVE has been exploited or how rapidly those exploits are occurring. A modern vulnerability management solution also weighs the context surrounding each vulnerability and its unique place within an IT environment. For instance, it answers a host of questions, including:
- How prominent in your environment is the asset (server, device or network) where the vulnerability is present? Is it internet- or customer-facing?
- Does the asset hold financial or other sensitive information?
- Does the vulnerability exist within a regulated environment?
- How many users could a successful exploit impact?
- Are exploits actively targeting your industry?
Without the aid of a modern vulnerability management prioritization solution, it would be impossible to answer all these questions and properly assess the risk that every vulnerability poses to your unique environment. The right platform, however, handles all these tasks automatically. In fact, the most advanced modern vulnerability management solutions integrate comprehensive vulnerability intel with extensive real-world threat intelligence, apply advanced data science driven by supervised machine learning and automated risk analysis, provide customized risk metrics that aid in tracking and reporting risk-reduction progress, and even set remediation service level agreements (SLAs) based on the risk a vulnerability poses to your environment weighed against your own organization’s tolerance for risk.
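To make the contrast concrete, here is an added example (not code from the original post or from any vendor's product) that ranks a small constructed inventory two ways: the CVSS-threshold spreadsheet approach described above, and a context-aware score that folds in the questions just listed. The field names, the weights in risk_score, the placeholder CVE-0000-* identifiers and all asset values are assumptions invented for the demonstration; a real platform would derive them from asset inventory and threat intelligence feeds.

```python
"""Added example: CVSS-only ordering versus context-aware risk ordering.

Everything here is constructed: the CVE ids are placeholders, the asset
attributes are invented, and the weights are illustrative assumptions.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder id, not a real CVE
    cvss: float           # published base score (static once assigned)
    exploit_in_wild: bool  # has an exploit been observed in use?
    internet_facing: bool  # is the asset exposed to the internet or customers?
    sensitive_data: bool   # does the asset hold financial or sensitive data?
    regulated: bool        # does the asset sit in a regulated environment?
    users_affected: int    # blast radius of a successful exploit
    sector_targeted: bool  # are exploits actively targeting this industry?


# Constructed sample inventory (placeholder ids, invented attributes).
INVENTORY = [
    Finding("CVE-0000-0001", 9.8, False, False, False, False, 5, False),     # isolated lab box
    Finding("CVE-0000-0002", 7.5, True, True, True, True, 50000, True),      # customer portal
    Finding("CVE-0000-0003", 6.5, True, True, False, False, 2000, True),     # edge device, below 7
    Finding("CVE-0000-0004", 8.1, False, False, False, False, 10, False),    # internal kiosk
    Finding("CVE-0000-0005", 5.3, False, False, False, False, 1, False),     # dev VM
]


def cvss_priority(findings, threshold=7.0):
    """The spreadsheet approach: keep CVSS >= threshold, highest score first."""
    return sorted((f for f in findings if f.cvss >= threshold), key=lambda f: -f.cvss)


def risk_score(f):
    """Assumed weighting: severity scaled by a threat-and-context multiplier."""
    multiplier = 1.0
    if f.exploit_in_wild:
        multiplier += 1.5   # active exploitation matters most
    if f.internet_facing:
        multiplier += 1.0
    if f.sensitive_data:
        multiplier += 0.5
    if f.regulated:
        multiplier += 0.25
    if f.sector_targeted:
        multiplier += 0.5
    # Logarithmic blast-radius term so raw user counts do not swamp everything else.
    multiplier += 0.1 * math.log10(max(f.users_affected, 1))
    return round(f.cvss * multiplier, 2)


def risk_priority(findings):
    """Context-aware ordering: highest risk score first, no CVSS cut-off."""
    return sorted(findings, key=lambda f: -risk_score(f))


def exploited_covered(ranked, capacity):
    """How many actively exploited findings land within the first `capacity` slots.

    Models a remediation team that can only work the top of the list.
    """
    return sum(1 for f in ranked[:capacity] if f.exploit_in_wild)


def observe_exploit(f):
    """Re-score when threat intel reports in-the-wild exploitation; the CVSS score
    itself stays unchanged, which is the 'static score' problem the post describes."""
    updated = replace(f, exploit_in_wild=True)
    return risk_score(f), risk_score(updated)


if __name__ == "__main__":
    print("CVSS >= 7 list:", [f.cve for f in cvss_priority(INVENTORY)])
    print("Risk-ordered list:", [(f.cve, risk_score(f)) for f in risk_priority(INVENTORY)])
    for cap in (1, 2, 3):
        print(f"capacity {cap}: cvss covers {exploited_covered(cvss_priority(INVENTORY), cap)} "
              f"exploited, risk covers {exploited_covered(risk_priority(INVENTORY), cap)}")
    print("CVE-0000-0001 before/after exploit observed:", observe_exploit(INVENTORY[0]))
```

With this inventory the CVSS list puts the isolated 9.8 lab box first and drops the actively exploited 6.5 edge device entirely, while the risk ordering puts the exploited, internet-facing assets at the top. The observe_exploit helper shows the dynamic-score point: the same finding moves up the list when exploitation is observed, even though its CVSS number never changes.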
Vulnerability management prioritization: Why ‘good enough’ isn’t
When it comes to vulnerability management prioritization, “good enough” solutions like CVSS and scanner-based prioritization will leave you chasing vulnerabilities that don’t pose a risk to your environment, preventing Security and IT teams from spending time on more valuable initiatives.
Both CVSS and scanner-based prioritization result in so much noise—vulnerabilities listed as “critical” that actually don’t pose any measurable risk—that the real-world cost of using those approaches can far outweigh the expense of investing in a solution that prioritizes vulnerabilities based on risk.
In one real-world test across three prioritization approaches working from the same data set, CVSS2 determined that the organization needed to remediate 17,279 vulnerabilities to achieve 50% remediation coverage. A well-known scanner solution prioritized 15,214 vulnerabilities as “critical.” Finally, a risk-based vulnerability management solution determined that just 627 vulnerabilities needed to be patched to achieve 50% remediation coverage and still address every high-risk vulnerability. Which vulnerability management prioritization list would you rather work from?
The truth is, risk-based vulnerability management prioritization aligns Security and remediation teams around a common objective—reducing risk—and in turn eliminates the friction that so often occurs when Security hands IT a list of thousands of so-called “critical” vulnerabilities to patch with little to no insight on why they must be patched.
Check out the Security Science podcast, Why Vulnerability Scores Can’t Be Looked At In A Vacuum, for more insights into how vulnerability management prioritization works, and how it’s evolving.