Vulnerability management is difficult. A risk-based approach makes it easier.
Join us for an on-demand educational series designed to shift your vulnerability management focus to risk, featuring six steps to set up your own program.
The Challenge of VM by the Numbers
Research Results
The number of vulnerabilities keeps increasing, but the capacity available to fix those vulnerabilities is finite.
Vuln volume is increasing
[Figure: There are A LOT of Vulnerabilities. Monthly number of published CVEs from 1999 through 2019. Axes: year (2000 to 2018) vs. annually published CVEs (0 to 18k). Annotations: 6.1k published per year, 18k published per year, 1.3k published per year.]
120,000+ Published Vulnerabilities
Focus on the 5% that Pose a Risk
Research Results
Our research also revealed that only 5% of vulnerabilities are observed and exploited, and that with the right approach, organizations can address the majority of risk in their environment.
[Figure: Not ALL Vulns Need Remediating Right Now. Ratio of observed/not observed and exploited/not exploited vulnerabilities. Categories: Not Exploited / Not Observed; Not Exploited / Observed; Exploited / Not Observed; Exploited / Observed. Each unit in the chart = 250 CVEs. Percentages shown: 15%, 5%, 29%, 51%.]
Focus on the 5%. Prioritize these!
[Figure: Firms Cannot Fix ALL Vulnerabilities. Average number of observed vs. closed vulnerabilities per month. Axes: avg. monthly observed vulnerabilities vs. avg. monthly closed vulnerabilities.]
Vulnerabilities Fixed: 1 in 10. You can fix 1 in 10.
Get Ahead Using a Risk-Based Approach
Research Results
Firms engaging in a risk-based approach to VM have shown the ability to stay on top of their high-risk vulnerabilities. There are several data-driven measures we’ve seen them use to improve their VM performance.
You Can Get Ahead
[Figure: Firms CAN Stay on Top of High-Risk Vulns. Comparison of net remediation capacity for high-risk vulnerabilities among firms. Axes: average monthly change in high-risk vulnerabilities (20% increase to 20% decrease) vs. proportion of firms (0 to 15%).]
51% of orgs are reducing their high-risk vulnerabilities
16% of orgs are maintaining
33% of orgs are falling behind
Keeping up: 2 in 3
Key Performance Measures
Capacity: Measures the number of vulnerabilities that can be remediated in a given timeframe and net gain or loss.
Efficiency: Measures the precision of remediation. What percentage of remediated vulnerabilities are actually high risk?
Coverage: Measures the completeness of remediation. What percentage of exploited or “high-risk” vulnerabilities are remediated?
Velocity: Measures the speed and progress of remediation.
Overall: Composite performance measure based on the above.
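Efficiency and coverage as defined above are precision and recall over the set of remediated vulnerabilities, and the two can diverge sharply. The following Python sketch is an added example, not part of the series: the `Finding` record, the sample data and the exact formulas for capacity and net high-risk change are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    vuln_id: str                        # constructed placeholder ID, not a real CVE
    high_risk: bool                     # e.g. weaponized exploit or exploited in the wild
    opened_month: int
    closed_month: Optional[int] = None  # None = still open

# Constructed sample data for one environment.
FINDINGS = [
    Finding("V-A", True, 1), Finding("V-B", True, 1, 2), Finding("V-C", True, 1, 2),
    Finding("V-D", True, 2), Finding("V-E", False, 1, 2), Finding("V-F", False, 1, 2),
    Finding("V-G", False, 2), Finding("V-H", False, 1), Finding("V-I", True, 1, 1),
    Finding("V-J", False, 2, 2),
]

def _ratio(num, den):
    # A measure is undefined (None) when its denominator is empty.
    return num / den if den else None

def monthly_measures(findings, month):
    # In scope: anything that was open at some point during the month.
    in_scope = [f for f in findings if f.opened_month <= month
                and (f.closed_month is None or f.closed_month >= month)]
    closed = [f for f in in_scope if f.closed_month == month]
    high_risk = [f for f in in_scope if f.high_risk]
    closed_hr = [f for f in closed if f.high_risk]
    hr_at_start = [f for f in high_risk if f.opened_month < month]
    hr_new = [f for f in high_risk if f.opened_month == month]
    return {
        # Assumed formula: share of in-scope findings closed this month.
        "capacity": _ratio(len(closed), len(in_scope)),
        # Precision: of what was closed, how much was high risk?
        "efficiency": _ratio(len(closed_hr), len(closed)),
        # Completeness: of what was high risk, how much was closed?
        "coverage": _ratio(len(closed_hr), len(high_risk)),
        # Assumed formula: negative = reducing, zero = maintaining, positive = falling behind.
        "net_high_risk_change": _ratio(len(hr_new) - len(closed_hr), len(hr_at_start)),
    }

if __name__ == "__main__":
    for name, value in monthly_measures(FINDINGS, 2).items():
        print(f"{name}: {value:.2f}")
```

In the sample month the team closes more than half of everything in scope, yet only 40% of that work lands on high-risk findings and half of the high-risk findings remain open.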
Part 2: The Six Steps of Risk-Based Vulnerability Management
01. Get The Right Team and Skill Sets
Vulnerability management is a team sport. To be a winning team, you’ll need a roster of qualified people with the right capabilities.
A Team Sport
[Figure: Survey Data: Remediation Team Size. Survey question: “How many participants are involved in the remediation process?” Axes: team size vs. percentage of respondents.]
02. Build Out Your Toolkit
To do any job the right way, you need proper tools. Vulnerability management is no different. You’ll need the correct toolkit to know your assets and find your vulnerabilities.
Know Your Assets: Asset Management; Internal & External Discovery Scans. Perfection is the Enemy of the Good.
Find Your Vulnerabilities: Where Are My Vulnerabilities?
Infrastructure: Vulnerability Scanners; Endpoint Protection; Agents and Cloud
Applications: SAST; DAST; IAST; SCA; Pen Testing; Bug Bounty
03. Know Your Vulnerabilities & the Threat Landscape
Since very few vulnerabilities are exploited in the wild, it is important to understand what attackers are doing, because that determines the likelihood of a vulnerability being exploited.
Useful Intelligence Sources
Open Source Intel Feeds
Intrusion Detection Systems
File-Ordered Malware Analysis APIs
Cloud-Based Honeypots
Local Honeypots
Endpoint Protection Systems
Zero-Day Threat Intel
Social Media (with caveats)
4 Key Factors for Prioritization
Is there a weaponized exploit?
Is the Vulnerability Useful To An Attacker (RCE)?
How prevalent is the vulnerability?
Are There Active Successful Exploitations "In the Wild"?
04. Understand Your Assets & Risk Tolerance
To know your assets and applications is to truly know your risk. That can be a daunting task, so it helps to break it down.
Risk Tolerance
When it comes to risk tolerance, ask yourself where you want your remediation to be:
At your industry benchmark
Faster than your peers
Faster than attackers
Know Your Assets: It's All About That Metadata
Here’s what the metadata you’ve collected can tell you about your assets:
Asset Ownership
Asset Function / Business Process
Confidentiality? Integrity? Availability?
Impact and Value
05. Bring It All Together, Measure, and Evaluate
Measure and evaluate your data, and come up with a prioritized list of vulnerabilities for remediation — based on risk.
The Science: Data Science Framework
We recommend that the data science techniques employed should include machine learning, natural language processing, and predictive modeling to assess, prioritize, and even predict risk.
Data Science: Natural Language Processing; Predictive Modeling; Vulnerability Inference; Logistic Regression; Random Forest; SVM
06. Remediate, Communicate, and Report
Remediation strategies will vary based on the overall risk tolerance of your enterprise, as well as risk tolerance within individual departments.
Remediation Decision Matrix
High Risk — High Effort
High Risk — Medium Effort
High Risk — Low Effort
Medium Risk — High Effort
Medium Risk — Medium Effort
Medium Risk — Low Effort
Low Risk — High Effort
Low Risk — Medium Effort
Low Risk — Low Effort
Remediation Strategies: The Effect of Patch Management Tools on Remediation Coverage
Deploying patches using patch management tools results in an almost 20% higher successful close rate on high-risk vulnerabilities.
[Figure: Coverage (higher is better), 0% to 100%, by share of assets covered by a management tool. Categories: more than 50%, less than 50%. Values shown: 65%, 44%.]
Congratulations, you have completed the Risk-Based Management Video Series
We hope that you were able to enjoy a few “aha” moments and take away a number of practical tips. Now that you know more about what it takes to bring your vulnerability management practice to the next level, please feel free to contact us to see how we can help get you there.