The number of vulnerabilities grows day by day. Technologies such as web applications and cloud computing are increasingly adopted by organizations, as is teleworking, so more assets are exposed and connected to the internet and the attack surface of organizations keeps getting larger. Besides, hackers have shifted their focus from high to medium and low CVSS scores.
Traditional vulnerability management is a reactive process that aims to identify and analyze the vulnerabilities of a traditional IT infrastructure composed of traditional assets such as networks and services. It does not show which threats pose a real risk, since it classifies vulnerabilities according to CVSS scores alone: teams may patch vulnerabilities with a high CVSS score even when they have no potential business impact, and miss the critical ones. For instance, 60% of security breaches involved previously known but still unfixed vulnerabilities (Ponemon Institute).
Risk-Based Vulnerability Management (RBVM)
Risk-based vulnerability management is a proactive cybersecurity process for remediating vulnerabilities across your entire attack surface by automating and prioritizing remediation based on the full context of the business risk. This strategy does not focus on the consequences of exploitation but on the probability that a vulnerability is exploited. The approach provides dynamic and continuous visibility over all your assets and their vulnerabilities.
RBVM – How does it work?
The Risk-Based Vulnerability Management (RBVM) approach treats every vulnerability according to the risk it poses to the organization, using the classic risk calculation formula, which considers three major components: Vulnerability, Threat and Asset. This risk is applied to technical vulnerabilities.
Vulnerability: a weakness of an asset or group of assets that can be exploited by a threat to compromise the confidentiality, integrity or availability of the data stored on the asset, through unauthorized access or privilege escalation.
The most common types of vulnerabilities that allow hackers to gain access to sensitive data are software, hardware and network vulnerabilities; remote code execution (RCE) vulnerabilities, which allow an attacker to take full control of a victim's machine, are a notable category. CVSS is used to score the severity of vulnerabilities to help organizations assess and prioritize them properly, but other criteria must also be defined to score them, such as RCE capability.
Threat: an event that is likely to disrupt or damage an organization's operations or business continuity, may compromise the confidentiality, integrity or availability of systems or sensitive data, and has a negative impact on an asset.
A threat is always carried out by agents or actors who exploit vulnerabilities and security gaps in existing assets; it can be either intentional or accidental (such as employee errors or a technical malfunction), and can come from internal or external sources.
Asset: any system component that has value to an organization, such as data and other components like software, documents and employees, as well as network and infrastructure devices.
Making an inventory and identifying each asset is an important step in defining its criticality, based on the data it hosts and its exposure on the internet; this is essential to assess the risks and define the attack surface. Each asset must be classified according to the impact on the confidentiality, integrity and availability of information and the business context within the organization.
It is recommended to adopt the DTAP (Development, Testing, Acceptance and Production) approach to ensure the security of software.
Risk: the probability that a threat agent exploits a vulnerability in the specific technical context of the organization concerned. It is assessed and calculated based on the criticality of the assets, the likelihood of an attack, the severity of the risk and the impact on the organization's defined business context.
The risks need to be scored in order to understand what risks an organization faces and know their severity.
Adopting this approach requires the organization to follow some good practices to ensure its effectiveness, considering the four key components defined above. Those best practices include the following.
Vulnerability Asset Management
The first key function of RBVM is identifying the assets used within the organization and determining their function and criticality for business continuity, in order to identify the vulnerabilities they carry, prioritize them and define the attack surface of your organization. It is important to deploy a CMDB (Configuration Management Database) tool and ensure that all asset configurations are recorded properly; this greatly assists risk-based vulnerability management in identifying deployed software and managing changes.
Vulnerability identification and prioritization
After defining the attack surface of your organization, you need to identify the existing security vulnerabilities of your systems through scanning tools, penetration tests and vulnerability sources, taking into account attack vectors such as malware and email.
Once the vulnerabilities are known, you need to identify the impacted assets and their criticality for the organization in terms of confidentiality, integrity and availability according to their function. It is essential to determine whether the asset affected by the vulnerability is critical to the organization and whether it hosts sensitive or personal information.
The identified vulnerabilities are centralized automatically and serve as the entry point for the risk-based vulnerability management tool, making the work of IT teams much easier.
Once the vulnerabilities are known and the impacted assets defined, you need to assess the threats to understand whether the exploitation method of each vulnerability is widely used, and evaluate its CVSS score, in order to prioritize the vulnerabilities with an RBVM tool and score the risks in context: the criticality of each asset, the severity of the vulnerabilities and the impact of their exploitation on your business operations.
Once the asset mapping is done and the vulnerabilities are prioritized according to their severity and potential impact, you need to define your remediation plan based on the prioritized vulnerabilities and risk scores, ensure that vulnerability identification and prioritization continue over time, and then automate the qualification and remediation workflows by connecting the tool to your organization's patching or ticketing tool.
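As an added illustration of the scoring described above (not part of the original article, nor the formula of any vendor tool), the following Python sketch combines the three components, Vulnerability severity (CVSS, RCE capability), Threat likelihood (widely used exploitation, internet exposure) and Asset criticality (CIA impact, exposure, sensitive data), into a single contextual risk score and orders findings by it. The weights, asset names and CVE-EXAMPLE identifiers are assumptions constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int      # business impact if compromised, 1 (low) .. 3 (high)
    integrity: int
    availability: int
    internet_exposed: bool    # part of the external attack surface
    hosts_sensitive_data: bool

@dataclass(frozen=True)
class Vulnerability:
    cve: str                  # placeholder ids below, not real CVEs
    asset: Asset
    cvss: float               # CVSS base score 0.0 .. 10.0 (severity only)
    rce: bool                 # remote code execution capability
    exploited_in_wild: bool   # exploitation method widely used by threat agents

def asset_criticality(a: Asset) -> int:
    """Asset component, 1..5: highest CIA impact plus exposure and data sensitivity."""
    return (max(a.confidentiality, a.integrity, a.availability)
            + int(a.internet_exposed) + int(a.hosts_sensitive_data))

def threat_likelihood(v: Vulnerability) -> int:
    """Threat component, 1..10: how likely a threat agent is to exploit this finding (assumed weights)."""
    score = 2                                      # baseline: any known weakness may be tried
    score += 5 if v.exploited_in_wild else 0       # active exploitation dominates the estimate
    score += 2 if v.asset.internet_exposed else 0  # reachable from the internet
    score += 1 if v.rce else 0                     # RCE capability, the extra criterion the article asks for
    return min(score, 10)

def risk_score(v: Vulnerability) -> float:
    """Risk = Vulnerability severity x Threat likelihood x Asset criticality, scaled to 0..100."""
    return round(v.cvss * threat_likelihood(v) * asset_criticality(v.asset) / 5, 1)

def prioritize(vulns):
    """Remediation order: highest contextual risk first, regardless of raw CVSS."""
    return sorted(vulns, key=risk_score, reverse=True)

# Constructed sample inventory: a critical CVSS on an isolated lab VM versus a medium
# CVSS being exploited in the wild on an internet-facing portal holding personal data.
LAB_VM = Asset("lab-vm", 1, 1, 1, internet_exposed=False, hosts_sensitive_data=False)
PORTAL = Asset("customer-portal", 3, 3, 3, internet_exposed=True, hosts_sensitive_data=True)
HR_DB = Asset("hr-database", 3, 2, 2, internet_exposed=False, hosts_sensitive_data=True)
SAMPLE_VULNS = [
    Vulnerability("CVE-EXAMPLE-0001", LAB_VM, cvss=9.8, rce=True, exploited_in_wild=False),
    Vulnerability("CVE-EXAMPLE-0002", PORTAL, cvss=6.5, rce=False, exploited_in_wild=True),
    Vulnerability("CVE-EXAMPLE-0003", HR_DB, cvss=7.5, rce=True, exploited_in_wild=False),
]
```

Calling prioritize(SAMPLE_VULNS) ranks CVE-EXAMPLE-0002 (CVSS 6.5, risk 58.5) ahead of CVE-EXAMPLE-0001 (CVSS 9.8, risk 5.9), which is exactly the inversion of a CVSS-only ordering that the article describes.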
When implementing RBVM, you must ensure that your security processes are efficient, because if they fail, implementing it will be extremely difficult.
How can Excellium help you?
Thanks to our expertise in information security and our partnership with Hackuity, we have put in place a structured and pragmatic approach to assist our clients in managing their vulnerabilities: centralizing, prioritizing and remediating them in automated workflows.
Our approach is based on 5 main phases:
- Establishing the context of risk-based vulnerability management to define its objectives and key requirements.
- Checking that the security controls needed to obtain the added value of an RBVM approach, such as asset mapping and identification, are well defined and implemented.
- Defining a strategy for handling vulnerabilities (identify, prioritize and define remediation plans), including the definition of the risk-based vulnerability management process.
- Implementing the strategy and integrating it into an RBVM tool (such as Hackuity, our partner) to ease and optimize the benefits of this approach.
- Assistance from our Information Security Governance team to evaluate the use of the solution and review your Risk-Based Vulnerability Management strategy.