What is Vulnerability Remediation? Here’s a Primer
Share with Your Network
Vulnerability remediation is the patching or fixing of cybersecurity weaknesses that are detected in enterprise assets, networks and applications. Formerly a manual process, vulnerability remediation today is more automated, with advanced data science, threat intelligence, and predictive algorithms helping to determine which vulnerabilities should be remediated first.
Taking a risk-based approach helps IT and DevOps remediation teams work more efficiently, optimize finite resources, and target the vulnerabilities that pose the biggest threat to the organization.
Why is vulnerability remediation important?
Effective and efficient vulnerability remediation has never been more important. As the volume of data increases and IT infrastructures become more and more intricate and complex, vulnerabilities are mounting. According to the National Vulnerability Database, the number of Common Vulnerabilities and Exploits (CVEs) observed in devices, networks and applications has tripled since 2016. Hackers are seizing on the opportunity presented by the soaring number of these weak spots.
This is why vulnerability remediation is so important. Remediating vulnerabilities helps reduce the risk of breaches, denial of service attacks, and interruptions in operations caused by ransomware or other threats. Minimizing your attack surface and overall exposure is paramount in today’s environment, especially since remote work is here to stay, according to Gartner, a fact that creates an even more complicated and layered environment to manage.
Vulnerability remediation and compliance
Vulnerability remediation is not only beneficial—it’s often mandated by various government regulations and industry standards. For instance, the Payment Card Industry (PCI) Data Security Standard (DSS) expressly requires that businesses handling any kind of credit card payment information maintain a vulnerability monitoring and remediation program. These requirements acknowledge not just the importance of preventing data breaches but ensuring continuity of operations—critical for any business, but especially so for healthcare, financial services, utilities and other critical infrastructure operations.
It’s little wonder why companies of all sizes and across industries are putting a stronger focus on strengthening and streamlining their vulnerability remediation efforts.
What are the challenges of vulnerability remediation?
The average enterprise has millions of vulnerabilities, and there is simply no way to remediate them all. The good news is that organizations don’t have to remediate all or even most, because just 2% to 4% of vulnerabilities pose a real threat to any given organization. While this revelation sheds positive light on a seemingly dire situation, it also poses the essential challenge of vulnerability remediation. Addressing this challenge involves asking critical questions, such as:
- How can you determine which vulnerabilities are likely to be exploited by hackers and malware?
- How can you efficiently remediate those vulnerabilities?
- What tools are available to help you prioritize vulnerabilities so you can remediate them based on your resources and your organization’s tolerance for risk?
- How do you set realistic remediation deadlines?
The traditional “everything is a risk” approach that many teams still employ today entails working through as many of these vulnerabilities as possible. And these teams—usually IT and DevOps professionals responsible for the assets and applications where vulnerabilities are found—often find that their risk profile doesn’t improve over time. This approach is simply not workable, especially when the number of published CVEs continues to rise. In fact, even well-resourced enterprises can remediate only 1 out of every 10 vulnerabilities found by scanners.
For years, organizations attempted to guide vulnerability remediation by assigning Common Vulnerability Scoring System (CVSS) scores to vulnerabilities detected by scanning platforms. Then they used spreadsheets to keep track of remediation efforts. But as mentioned above, an explosion in the number of vulnerabilities and exploits rendered this old, largely manual process inadequate, leaving enterprises always behind the curve. And recent data reveals that the CVSS-based scoring system will often over-assign high risk scores, leaving companies remediating everything above a certain score still drowning in vulnerabilities.
Eventually, this “spray and pray” approach leaves teams with a long to-do list and little progress to show for their efforts. All too frequently, friction emerges between Security teams, who uncover and prioritize risks, and the IT and DevOps teams who are tasked with remediation. Each team feels held hostage in this inefficient and ineffective cycle. This is especially true for the IT teams responsible for the reliability and uptime of the applications and services within the company’s ecosystem, which further strains working relationships between teams.
Finally, when priorities are unclear, execution is equally as muddied. Service level agreements (SLAs) outlining remediation deadlines can be difficult to meet in an environment where every vulnerability is a priority. SLAs are often defined by educated guesswork and standardized timeframes of 30, 60, or 90 days that rarely reflect the actual risk that vulnerabilities pose to an organization, not to mention that organization’s tolerance for cyber risk.
Keys to achieving effective vulnerability remediation
To work effectively—and to reduce cyber risk—remediation teams need a way to understand which vulnerabilities pose the greatest risk to their infrastructure. Risk-based vulnerability management (RBVM) helps achieve this. Unlike other vulnerability management approaches, RBVM bases vulnerability prioritization on granular internal and external threat and vulnerability data combined with a company’s own risk tolerance. The most advanced risk-based solutions streamline remediation by using leading-edge technology to automate the process of evaluating the relative risk of vulnerabilities using real-time threat intelligence, predictive algorithms, and advanced data science.
Following are some best practices to consider when establishing your vulnerability remediation environment.
- Reduce effort and increase effectiveness. Finding a vulnerability management solution that creates a self-service environment for remediation teams will reduce the amount of time and resources dedicated to remediation. Leading solutions combine remediation intelligence with rich vulnerability and threat context to create “top fix lists” that eliminate guesswork and ensure that IT and DevOps teams understand what to fix, why they should fix it, and how to fix it. Based on a survey from late 2019, organizations that leveraged a modern RBVM platform reported at least a 25% reduction in remediation time. In fact, one large retail enterprise reported a 75% reduction in time spent on remediation.
- Determine your remediation process. Most organizations employ a mix of three common remediation tactics based on the nature of their own threat landscape, attack surface, and tolerance to risk.
- Automated patches. This is baseline protection provided through automatic updates to popular platforms, such as Google Chrome or Microsoft Windows.
- Patch management tools. A variety of tools, such as Microsoft’s System Center Configuration Manager(SCCM), are available to help manage patches and help keep entire classes of assets up to date.
- Manual updates. Complex and time-consuming, manual updates are sometimes necessary but also can involve a series of cascading dependencies and considerations.
- Implement key performance measures. Metrics help understand how a vulnerability remediation program is performing. With the right tools, these are easily tracked and reported:
- Coverage. Measures the completeness of remediation, or the percentage of exploited or high-risk vulns that have been fixed.
- Efficiency. Measures the precision of remediation, such as the percentage of all remediated vulnerabilities that are actually high risk.
- Velocity. Measures the speed and progress of remediation.
- Capacity. Measures the number of vulns that can be remediated in a given timeframe and calculates the net gain or loss.
- Overall. A composite performance measure based on the above.
Learn more about coverage and efficiency by listening to this clip from the Security Science podcast.
- Deploy intuitive communication and reporting tools. Tools like risk scores and meters help simplify and clarify the prioritization process, easing the friction between Security and IT by aligning everyone around the same priorities. Simple, clearly defined risk scores also help with reporting progress to C-level execs, board members and compliance auditors.
- Set SLAs you can meet. A 2019 analysis underlined the importance of deadlines, particularly when it comes to SLAs. In fact, defined SLAs help reduce the number of surviving vulnerabilities by 15%. A modern, risk-based vulnerability management approach also empowers teams to create tailored, achievable SLAs to better manage and execute their remediation efforts. Advanced solutions let teams create risk-based SLAs that are informed by real-world threat and exploit data, peer usage data, and the organization’s unique tolerance for risk. While organizations can certainly design and implement their own risk-based SLAs, the most advanced VM solutions offer this data-driven capability today.
To learn more about vulnerability remediation and how Kenna can help put a stronger focus on strengthening and streamlining your vulnerability remediation efforts request a demo today.