How To Implement Risk-Based Vulnerability Management

Learn about PurpleSec’s fully managed vulnerability management services.

Author: Josh Allen / Last Updated: 10/27/22

Reviewed by: Michael Swanagan, CISSP, CISA, CISM & Rich Selvidge, CISSP

View our: Editorial Process

You can implement a risk-based approach to vulnerability management by completing an asset inventory, conducting a risk assessment, calculating risk weighting, and aligning processes to mitigate risk.

Traditional Vulnerability Management is a broken system that does not effectively reduce the risk for most organizations.

There isn’t just one problem with the traditional approach either; there are multiple.

Firstly, patching on a monthly cycle such as Microsoft’s infamous patch Tuesday leaves a prolonged exposure time when true risk is not visible.

During this time, organizations can only hope that new vulnerabilities are not offering an easy foothold into the network.

Secondly, the traditional approach does not address the contextual risk that each vulnerability represents.

So IT security team members are not prioritizing vulnerabilities effectively or efficiently; potentially overlooking the most critical vulnerabilities, maybe picking the low hanging fruit first.

In this article, we will describe exactly how to take a risk-based approach to manage vulnerabilities and give decision makers a preview into how PurpleSec’s enterprise Risk Management Platform delivers all the key features expected of a next-gen Risk Management solution.

What Is Risk-Based Vulnerability Management?

Risk-based Vulnerability Management is an improvement on traditional vulnerability management because it prioritizes each vulnerability’s risk score using combined inputs that consider the location of each vulnerability enriched vulnerability score metrics.

Risk-based vulnerability management optimizes remediation activities based on the risks that each vulnerability poses to an organization.

Cyber Risk Vs Vulnerabilities

• Security vulnerabilities are exploitable security gaps in an organization’s environment that could allow an attacker unauthorized access to critical systems and data. Vulnerabilities are described by a set of severity metrics that relay the potential impacts should it be exploited.
• Cyber risk is not a one-to-one relationship to a vulnerability’s severity. Cyber risk is a calculation of the potential danger that a vulnerability poses to an organization’s business operations and finances.

How To Calculate Risk

This approach takes the basic risk equation (Risk = Threat * Probability) and uses enriched inputs to calculate the real contextual risk a vulnerability poses to an organization.

Inputs such as CVSS score and vector, [], and the location of a vulnerability within an organization’s IT environment have a big impact on the potential damage that an attacker could do by exploiting it.

Calculating a threat-based risk score allows decision makers to apply limited IT security resources more efficiently and effectively.

Why Should You Switch To Risk-Based Vulnerability Management?

If you aren’t doing a risk-based approach you are taking an arbitrary approach to reducing risk.

Attackers aren’t stupid.

On the other hand, attackers approach their target’s strategically, attacking vulnerabilities that are more likely to provide access to an organization’s critical system and data.

Focus On Risk

Cyber risk poses a threat to organizations because cyber attacks can have a large impact on:

• Financial stability
• Brand image
• Competitive advantage
• Intellectual property (IP) and trade secrets

When implementing a vulnerability management program, businesses need to be able to quantify and qualify where cyber risk exists in their organization and tend to the risk hotspots first and with the most resources.

Risk Reduction Is The Ultimate Goal Of Cyber Security

Cyber security policies, security controls, and activities are ultimately put in place to protect an organization, its business operations, its competitive advantage, growth, and its finance.

However, just as businesses need to approach their revenue generating activities strategically, they also need to be strategic in their approach to cyber security.

Just as strategic placement of an advertisement will increase sales, strategic remediation of vulnerabilities will offer better cyber security, close critical attack surfaces sooner, and ultimately reduce an organization’s risk of suffering a critical cyber breach.

Better Vulnerability Reporting

A risk-based approach to vulnerability management delivers more actionable vulnerability reports rather than a simple list of tasks containing virtually no useful data.

Risk-based vulnerability management also gives an enriched context to each vulnerability to optimize their deployment of Infosec personnel, saving time while having a bigger impact on defensive security, and delivering a better return on security investment (ROSI).

How The Traditional Vulnerability Management Methodology Works

New vulnerabilities are being discovered and disclosed with ever-increasing velocity and volume.

The traditional process of prioritizing cyber risks was developed at a time when both the number of disclosed vulnerabilities and the number of software applications that an organization depends on were far fewer in number.

This increase has overwhelmed IT security teams by flooding them with more vulnerabilities than they have time to remediate.

Because of this, a traditional vulnerability management approach – to remediate all vulnerabilities in an IT environment – has become impossible and it fails at achieving its ultimate goal; reducing risk.

Contrastingly, vulnerability prioritization is the process of deciding which vulnerabilities pose the biggest risk to an organization by calculating a risk score for each one and offers a significant improvement to the traditional approach.

Let’s examine some of the limitations of the traditional approach to vulnerability management that result in a failure to effectively address an organization’s cyber risk objectives:

• Focuses On CVSS Scores
• Places Less Weight On Internal Vulnerabilities Vs External
• Accept Longer Time Frames To Mitigate Vulnerabilities

Focuses On CVSS Scores

The most important metric in a traditional vulnerability management program is the CVSS score and string. The CVSS score quantifies the ultimate severity of a disclosed CVE vulnerability.

The CVSS string relays the contextual information about a vulnerabilities exploitability that was used to calculate the CVSS score and includes:

• Whether the vulnerability can be exploited remotely
• Whether the vulnerability requires user interaction
• Whether the vulnerability is easy or difficult to exploit
• Whether proof-of-concept (POC) exploit code has been published for the vulnerability
• Whether a vulnerability’s exploitation can impact confidentiality, integrity, or availability

Places Less Weight On Internal Vulnerabilities Vs External

Another mistake of a traditional vulnerability management approach is that it over emphasizes the risk of external attack surface and tends to neglect internal network vulnerabilities.

Although this approach may seem to make sense since it seems logical that attackers must first breach an outer attack surface to enter an organization’s internal IT environment, a more careful analysis of this strategy shows its limitations.

The external attack surface is only one step away from having access to an internal network, so one misconfiguration or zero-day could give an attacker direct internal access.

Secondly, the human element is an important factor – phishing attacks are cited as the most common way that attacks gain access to an internal network.

Finally, an organization’s own insiders also pose a significant risk and have direct access to critical internal resources.

These facts all indicate that the simple black and white approach to prioritizing vulnerabilities by their internal/external locality is not an effective way to mitigate cyber risk.

Accept Longer Time Frames To Mitigate Vulnerabilities

Traditional vulnerability management programs only periodically scan an IT environment for vulnerabilities, perhaps once a month, or even as infrequently as once every 6 months or once per year.

This means that vulnerabilities in a traditional approach are afforded a long exposure time when attackers can take advantage of them.

Also, traditional vulnerability management programs are not supported by automated processes that provide IT security teams with enriched context.

Instead they are forced to manually collect their own data and parse it into a rough decision making process that results in a delayed response time to the remediation and a somewhat arbitrary prioritization that is clouded by human error.

How To Implement A Risk-Based Approach To Vulnerability Management

The modern threat environment has evolved and attackers are not prepared with automated tools that can help them identify vulnerabilities and exploit targets much faster.

This requires a vulnerability management program that has more accurate methods for categorizing vulnerabilities according to the actual risk they pose to an organization to keep pace with the evolving threat environment.

Here are the critical initial steps for implementing a risk-based approach to vulnerability management:

• Have Complete Visibility Of Your Environments
• Have A Complete Inventory
• Conduct A Risk Assessment
• Calculate Risk Weighting
• Align Processes To Mitigate Risk

Have Complete Visibility Of Your Environments

You can’t protect what you can’t see, so creating digital visibility is an important step in developing a vulnerability management program and reliably managing risk.

With a full inventory of systems and data, hardware and software, and a network topography in hand, ensure your scanning and other security tools have visibility of all critical assets in the environment.

Have A Complete Inventory

Having complete visibility into an IT environment is crucial for mitigating vulnerabilities and reducing risk.

This complete inventory of all systems and data is a prerequisite for conducting a risk assessment and a risk-based vulnerability management program capable of:

• Prioritizing vulnerabilities
• Optimizing vulnerability management activities
• Reducing the exposure time of critical vulnerabilities.

Conduct A Security Risk Assessment

A full and proper risk assessment of an organization’s IT infrastructure includes the critical consideration of how each asset impacts an organization’s overall business operations.

A security risk assessment should identify which assets are critical for revenue generating activities, identify sensitivity labels for all data, especially data that is protected by regulations or is a component in a cyber-insurance or compliance requirement.

Calculate Risk Weighting

Prioritizing vulnerabilities essentially means calculating a relative risk score for each vulnerability that is more detailed than simply relying on a CVE’s CVSS score.

A contextual risk-based score takes account for each vulnerability’s locality within the IT environment and the criticality of the affected asset to business operations, as well as regulatory and compliance requirements, which assets are potentially impacted by the vulnerability and how those assets are related to an organization’s business operations, and critical assets.

Align Processes To Mitigate Risk

Considering how a traditional vulnerability management program addresses risk in an arbitrary way rather than contextually according to real risk.

Real protection depends on improving vulnerability management programs by taking a more strategic approach.

By conducting a risk assessment and categorizing systems by their business impact, new vulnerability data can be enriched to better visualize the potential impact and vulnerabilities can be assigned a prioritized risk score; delivering a more effective and efficient risk mitigation process.

PurpleSec’s Risk-Based Approach To Vulnerability Management

PurpleSec’s enterprise Risk Management Platform combines next-gen features into continuous vulnerability management solutions automating the scanning of your IT environment and delivering prioritized risk-based vulnerability reports that are contextual to an organization’s unique risk requirements.

Syncs Data From Multiple Sources

Our platform orchestrates data including scans of all internal and external assets and aggregates that with real-time threat intelligence data.

The reporting feature provides a complete picture of risk posture across your entire IT environment allowing managers to address vulnerabilities according to the risk they pose to an organization’s business operations.

Automatically Identifies Gaps

PurpleSec’s platform automates vulnerability management, monitors an organization’s IT security health, and identifies security gaps without manual scanning, manual analysis, or other human interaction.

This capability reduces the need for Infosec teams to conduct repetitive manual activities and instead delivers actionable insight and prioritized vulnerabilities that can be immediately translated into remediation activities and better overall network security.

Uses Real-Time Threat Intelligence

New vulnerabilities are disclosed on a daily basis and so keeping up-to-date with the current threat environment is an incredibly time-consuming task.

PurpleSec’s enterprise Risk Management Platform automatically aggregates real-time threat intelligence and applies it to an organization’s unique inventory of assets.

This means zero-day vulnerabilities can be remediated as soon as they’re reported and organizations are always up to date with a minimized exposure time and attack surface.

Orchestrate & Automate Vulnerability Remediation

Exposure time is the time when an attacker can exploit vulnerabilities that have not been patched.

To stay ahead of attackers, organizations need to speed up the remediation process.

PurpleSec’s platform provides complete IT environment visibility and contextual insight into fixes, exceptions, and vulnerabilities that organizations can immediately use to accelerate their risk reduction.

Wrapping Up

Next-generation risk-based solutions offer more efficient and effective vulnerability management capabilities above and beyond traditional approaches.

Going forward, organizations should look towards a risk-based approach to vulnerability management for prioritized and actionable vulnerability reports and better risk visibility across the entire IT environment.

The additional benefits of a next-gen vulnerability management solution include automated continuous scanning and threat intelligence aggregation that saves time, reduces the chance of human error, and alleviates the burden on IT security teams.

PurpleSec’s enterprise Risk Management Platform delivers all these benefits in a package that is easy to set up and maintain.

Schedule a demo to learn more.