Implement a Risk-Based Approach to Vulnerability Management
A vulnerability is only as bad as the threat exploiting it and the impact on the organization. Security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness.
Key Challenges
- A small number of vulnerabilities represent a disproportionately large risk to the organization, but few organizations can identify the most serious vulnerabilities.
- Organizations are confronted with the large number of vulnerabilities that are discovered by a vulnerability assessment, but have little guidance on how to reduce the risk of breaches.
- Organizations often lack a common framework and approach to vulnerability prioritization and treatment, which leads to disparate security levels across the business departments.
- Vulnerability rating schemes that don’t take into account what threat actors are leveraging in the wild can cause organizations to address less risky issues first.
- The awareness of a risk-based approach and risk analysis tools for vulnerability management is at a nascent stage. Therefore, attacks like ransomware continue to cause significant damage.
Recommendations
Security and risk management leaders responsible for vulnerability management should:
- Implement a vulnerability management program that includes discovery, prioritization and then treatment.
- Implement a risk-based approach that correlates asset value, the severity of vulnerabilities and threat actor activity via the use of threat intelligence and analytics to calculate a realistic risk rating. This approach will significantly reduce the risk of being breached when it is used to prioritize remediation activity.
- Augment their VA tools with TVM tools for better prioritization if the existing tooling does not assist with the effective methodology for real risk reduction.
- Use a risk-based approach to employ mitigating controls, such as an intrusion prevention system (IPS), when unable to patch vulnerabilities, in order to reduce the attack surface and prevent vulnerabilities from being exploited.
Strategic Planning Assumptions
By 2022, approximately 30% of enterprises will adopt a risk-based approach to vulnerability management.
By 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.
Introduction
A vulnerability is only as dangerous as the threat exploiting it. The traditional method of treating a vulnerability in isolation, based on critical/high/medium/low ratings, is flawed for three primary reasons:
- Threat actors pay no attention to the scoring of a vulnerability and regularly exploit lower-ranked vulnerabilities.
- The sheer volume of vulnerabilities that organizations have to deal with makes it impractical to try to remediate all critical/high vulnerabilities.
- Not all vulnerabilities have patches, and some can't be patched for valid reasons, such as the patch breaking overall application functionality.
This traditional method has also caused significant friction between security and IT operations teams. The two teams often have competing deliverables (security vs. uptime), and this process is compounded by the uncontrollable x-factor of threat actors.
The traditional approach of risk reduction by driving down the numbers can only be an effective means of preventing breaches if organizations first focus on eliminating the imminent risks that can cause the most significant impact on the business. Prioritizing treatment of vulnerabilities commonly targeted by exploit kits, malware, ransomware and threat actors, while also considering asset criticality and external exposure, will focus remediation on the elimination of imminent risks. This approach will result in a reduced attack surface and will provide “breathing room” for additional patch installation.
Gartner receives frequent inquiries from clients who are challenged with how to successfully treat all vulnerabilities identified during vulnerability assessment activities. There is often a gap between the discovery of vulnerabilities and the ability and resources available within IT operations to treat these within the time frame when attackers operate. The data show (see Figure 1) that, on average, if you can’t patch or apply compensating controls in under two weeks, you are at risk of a serious breach. Threat actors know this and leverage this fact.
Figure 1. Average Time to Exploit From Time of Disclosure
Source: Gartner (August 2018)
Much of this problem has to do with the fact that a vulnerability assessment (VA) yields a large number of vulnerabilities, each with a severity weighting derived from static parameters such as the Common Vulnerability Scoring System (CVSS).1 However, the CVSS base score (see Note 1) is not a complete measurement of pragmatic risk, as it does not take into account the “x-factor” of threat actor behaviors.
Many organizations follow a general philosophy of partial remediation (critical and high), with vulnerability and patch management policies focused on remediating and patching a percentage of vulnerabilities in a given time frame. This can include, for example, “remediate 90% of critical severity vulnerabilities within four weeks of discovery” or “apply patches from vendors on a monthly basis.” This reduces vulnerability management to a pure metrics exercise where risk is expressed as a numerical value that can be reduced. This method is similar to taking a pain killer just before driving off of a cliff. This approach does little to reduce risk in real terms, as attackers do not necessarily focus on vulnerability severity, but rather on what works. Also, they have the first-mover advantage.
Analysis
Implement Vulnerability Management as a Program That Involves Discovery, Prioritization and Then Treatment
The problem of figuring out which vulnerabilities and which systems to remediate first remains a critical challenge for organizations. Nearly all Gartner inquiries focused on VM in the past several years at least mention the challenge of vulnerability prioritization in some form. Essentially, the ideal way to prioritize vulnerabilities for remediation and mitigation is based on the risk to this particular organization in this particular time frame (and, if possible, in the near future).
Don’t Bring Superstition to a Fact Fight
First and foremost, stop focusing on the high-profile threats in the media and instead focus on the root causes. Most threats have a strong correlation with vulnerabilities and their exploitation. Achieving risk reduction with vulnerability management requires an understanding of how to make this process better on the operational and tactical levels in order to achieve the strategic objective of creating a VM program. In other words, reduce as much risk of a security incident as possible with the limited resources that you have. It is not possible for an organization (at any security maturity level) to achieve zero vulnerabilities. Thus, it is imperative that you focus your limited resources on the vulnerabilities that matter the most to the organization without losing sight of the remaining, currently insignificant vulnerabilities. The ignored vulnerabilities may be insignificant today but can become a material risk in the future.
Figure 2 describes this iterative process, which is critical to achieving better outcomes for any vulnerability management program. The key reasoning behind this is that vulnerabilities, and their exploitation by attackers, are driving the threat landscape. In addition, most malicious activity is also coming from already-known vulnerabilities and not zero-day vulnerabilities.
Figure 2. Risk-Based Vulnerability Management Workflow
Source: Gartner (August 2018)
This methodology is an iterative model that has three primary components:
- Assessment — This can be performed in many ways, such as active scanning, passive scanning, using agents or using APIs. The goal is to assess the organizational assets to understand the state of the software, firmware and configuration of these assets.
- Prioritization — Take the VA report and work through where these vulnerabilities intersect with the prevailing threat landscape as well as other compliance mandates. This calculates the risk associated with a particular vulnerability or asset.
- Compensation — Patching is of course an ideal outcome, but it is not always possible or feasible. Patches might not be available, can’t be applied without affecting other applications/functionality, or can’t be applied in the same time scale as threat actors are operating (like genuine zero days). Therefore, a range of options must be leveraged here. Technologies like IPS, WAF, segmentation and strong authentication are all excellent, mature examples of compensating controls that help deal with vulnerabilities and their exploitation. Other things, like enhanced monitoring and analytics (such as UEBA), can also help compensate for other shortcomings in your environment.
Additionally, with this method, security teams can take more co-ownership of this process. Historically, security teams have run assessments, but the last mile of resolution is almost always another part of IT. For example, the QA testing and installation of security patches is a slow process that involves multiple parts of the IT organization. Having a range of compensating controls, including ones that security teams own/run, significantly increases the chance to have some level of threat prevention as well as better detection and response capabilities.
Figure 3 below shows why compensating controls are a mandatory inclusion in vulnerability management. The data shows that hundreds of times a year, weaponized exploits are used in the wild on the same day that the vulnerability is released. No organization can patch this sheer volume of vulnerabilities at that speed (Gartner has seen none do so at this scale in inquiries in previous years), which is why having a range of compensating controls is critical.
In a lot of cases, organizations don’t have to procure a new technology. They have a number of these controls already, but are not taking the simple next step of leveraging the security controls to quickly implement blocking for vulnerabilities that are being exploited. Take a technology like IPS, for example. Gartner sees few organizations that take the results of assessments and then tune this technology to align with the vulnerabilities they have that are “being exploited in the wild.”
Figure 3. This Is a Bigger Issue Than Zero Day
Source: Gartner (August 2018)
Figure 4 shows that organizations should focus their remediation/mitigation efforts on the convergence of the three concentric circles — asset, threat and vulnerability — which represents the risk to the organization. This will also change over time, so there needs to be a revisiting/iterative process here. At a high level, this method will help you prioritize vulnerabilities according to the risk a vulnerability poses to the organization/business.
Figure 4. Calculation of Associated Risk
Source: Gartner (August 2018)
To understand the underlying factors that are important for realigning your VM program, we need to look at the trends of vulnerabilities and their exploits over a period of time.
In Figure 5, we asked a simple, binary question: “How many vulnerabilities go on to be recorded as publicly exploited in the wild, regardless of their severity rating?” This clearly shows that, on average, about one-eighth (or 12.5%) of the vulnerabilities have gone on to be exploited in the wild during the entire past decade. Another point to note is that the number of exploited vulnerabilities over the decade is actually flat — it’s not getting worse. This is despite the number of breaches increasing, the number of threats appearing and attention in the media sometimes reaching fever pitch. In short, more threats are leveraging the same small set of vulnerabilities. With the increase in the number of vulnerabilities being discovered in a year, there is no or negligible change in the number of vulnerabilities getting exploited. This data point is a critical place to start for vulnerability management. By reducing this risk, you will have more resources (and processes, should you actually encounter one) to deal with genuinely new threats leveraging things like zero days.
Figure 5. Number of Vulnerabilities Exploited During the Past Decade
Source: Gartner (August 2018)
Zero Day, a Problem or Not?
Organizations often give more attention to zero-day vulnerabilities than they deserve when you compare perception with reality. Is a zero day a risk to your organization? Of course it is, but zero days today are not leveraged by threat actors to anywhere near the same extent that existing and known vulnerabilities are. Essentially, the actual risk that zero days pose to organizations has been overstated. Are zero days real? Absolutely. Are they the biggest issue for most organizations and governments? No.
Figure 6 shows that, on average, vulnerabilities that were exploited at day zero (that is, with no knowledge of the vendor and no prior remediation being available) have made up about 0.4% of the total vulnerabilities each year during the past decade. To view this another way, this is like worrying about being attacked by a great white shark at the beach, but not worrying about the drive to get there. Clearly, driving presents considerably more risk than the shark. In essence, the amount spent on trying to prevent zero days is out of kilter with the actual risk they pose, when compared with the massive numbers of breaches and infections that come from known vulnerabilities being repeatedly exploited.
Still, if you are of a particular value to a target, zero days are indeed a reality for your organization, and you should engage in some detailed threat modelling to deeply understand the impact of a zero day. Risk-based vulnerability management (RBVM) is of value here.
Figure 6. Zero Days — Still Not the Problem
Source: Gartner (August 2018)
The Vulnerability Landscape
Below are some of the highlights of the vulnerability landscape as it stands today:
- A significantly smaller number of vulnerabilities go on to become the biggest risk to an organization. This has not changed in a decade.
- A genuine zero day is still rare and makes up a very small percentage of overall vulnerabilities, but they receive a higher profile than the true risk they present to most organizations.
- The OWASP top 10 vulnerabilities, often ranked medium, made up about 40% of all vulnerabilities in the last decade. They also tend to be very easy to exploit and are effective ways to have a lot of data exfiltrated from your organization.
- The average time from a vulnerability being disclosed to it being exploited is dropping every year. In the last few years, you had about two weeks or less to have compensating controls or a patch before a vulnerability made it into the red zone of being exploited in the wild. This is a key metric to be planning for in your vulnerability management program.
- Nation states are increasingly becoming active within the commercial sector.
- Regular zero day and other advanced attacks are still a problem, but tend to be for a very small number of organizations, such as government agencies, large cloud providers and some critical infrastructure providers.
Taking a Risk-Based Approach, Correlate Asset Value, Severity of Vulnerabilities and Threat Actor
Traditionally, organizations have been reducing risk in principle (academically) using operational metrics, such as the decreasing trend of vulnerabilities across different vulnerability assessment cycles on the basis of severity (often focusing on just the critical or high scores obtained by the VA tool). However, decreasing the number of vulnerabilities in your environment only tangentially correlates with whether the organization is safe from the most imminent threats, which are prevailing or active in the wild.
“Don’t take a VA approach to vulnerability management, rather a risk-based approach.”
A risk-based approach to prioritizing vulnerability remediation focuses efforts on the vulnerabilities for which there are imminent threats prevailing in the wild. Therefore, Gartner recommends the threat-centric model for tackling risk in the context of vulnerability management (see Figure 7) as the best pragmatic use of your time and effort.
Eliminating or compensating for vulnerabilities exploited by imminent threats should be the first phase for remediation. Once this class of vulnerabilities is treated, there is a greater window to remediate and mitigate vulnerabilities with a lower probability of being exploited. Gradual risk reduction can then be executed based on standard vulnerability management processes and policies.
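The prioritization described above, worked through in code as an added example (this is not Gartner's own method or any vendor's product logic): the static CVSS base severity from the VA report is combined with asset criticality, external exposure and threat-actor activity, and findings attackers are already using are placed in the first treatment phase. The weights, the 1-5 criticality scale, the `VULN-*` identifiers and the sample inventory are all constructed for illustration.

```python
"""Risk-based prioritization of VA findings (added example; the weights, the
1-5 criticality scale and all sample data are assumptions, not Gartner's)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # assumed scale: 1 (low) .. 5 (mission critical)
    internet_exposed: bool    # external exposure raises the likelihood of attack


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed placeholder, not a real CVE identifier
    asset: Asset
    cvss_base: float          # the static severity the VA tool reports
    exploited_in_wild: bool   # threat intel: exploitation observed in the wild
    public_exploit: bool      # a public exploit or proof of concept exists
    used_by_malware: bool     # used by exploit kits, malware or ransomware


# Assumed multipliers; the point is the shape of the model, not the constants.
MAX_THREAT = 4.0      # 1.0 + 0.5 + 1.5 + 1.0, i.e. every threat signal present
MAX_EXPOSURE = 1.5


def threat_multiplier(f: Finding) -> float:
    """The threat-actor 'x-factor' that the CVSS base score leaves out."""
    m = 1.0
    if f.public_exploit:
        m += 0.5
    if f.exploited_in_wild:
        m += 1.5
    if f.used_by_malware:
        m += 1.0
    return m


def exposure_multiplier(a: Asset) -> float:
    return MAX_EXPOSURE if a.internet_exposed else 1.0


def risk_score(f: Finding) -> float:
    """Risk = vulnerability severity x asset value x exposure x threat activity,
    normalised so that the worst possible combination scores 100."""
    severity = f.cvss_base / 10.0
    asset_value = f.asset.criticality / 5.0
    raw = severity * asset_value * exposure_multiplier(f.asset) * threat_multiplier(f)
    return round(100.0 * raw / (MAX_EXPOSURE * MAX_THREAT), 1)


def is_imminent(f: Finding) -> bool:
    """First treatment phase: anything attackers are already using."""
    return f.exploited_in_wild or f.used_by_malware


def prioritize(findings):
    """Imminent threats first, then everything else, each group by risk score."""
    return sorted(findings, key=lambda f: (not is_imminent(f), -risk_score(f)))


# Constructed sample inventory: an exposed, critical portal and an isolated lab box.
PORTAL = Asset("customer-portal", criticality=5, internet_exposed=True)
LAB = Asset("lab-build-server", criticality=2, internet_exposed=False)

FINDINGS = [
    # Critical by CVSS, but isolated, low-value and nobody is exploiting it.
    Finding("VULN-A", LAB, 9.8, exploited_in_wild=False, public_exploit=False, used_by_malware=False),
    # 'Medium' by CVSS, yet exposed, on a crown jewel and used by malware in the wild.
    Finding("VULN-B", PORTAL, 6.1, exploited_in_wild=True, public_exploit=True, used_by_malware=True),
    # High by CVSS with a public exploit, but no observed in-the-wild activity yet.
    Finding("VULN-C", PORTAL, 7.5, exploited_in_wild=False, public_exploit=True, used_by_malware=False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.vuln_id:8} cvss={f.cvss_base:<4} risk={risk_score(f):5} "
              f"imminent={is_imminent(f)} asset={f.asset.name}")
```

Run stand-alone, the CVSS-medium finding on the exposed portal comes out first and the CVSS-critical finding on the isolated lab server last, which is the inversion of a pure severity-sorted list that the text argues for. Swapping the constructed multipliers for figures from your own threat intelligence feed and CMDB is the only change needed to use the same shape on real data.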
Figure 7. Threat-Centric Vulnerability Prioritization as Part of Risk-Based Vulnerability Management
Source: Gartner (August 2018)
This risk-based methodology of vulnerability management is also related to Gartner’s continuous adaptive risk and trust assessment (CARTA) model. The CARTA strategic approach recognizes that risk and trust are not static, and not solely determined by one-time gating mechanisms. Digital risk and digital trust are dynamic and vary over time based on context. Thus, risk is calculated for vulnerability management on a continuous basis to calculate the risk exposure of an organization. For example, a vulnerability may not be a significant risk today, but it can materialize into a severe risk to an organization overnight. If a continuous risk assessment is not deployed, the organization will miss addressing the risk, resulting in fatal consequences.
A risk-based approach to vulnerability management applies many imperatives of CARTA, such as:
- Replace one-time security gates with adaptive, context-aware security platforms.
- Continuously discover, monitor, assess and prioritize risk and trust — reactively and proactively.
- Perform risk and trust assessments early in digital business initiatives, including development.
- Instrument for comprehensive, full-stack visibility, including sensitive data handling.
- Use analytics, AI, automation and orchestration to detect faster and risk-prioritize responses.
- Architect security as an integrated, adaptive and programmable system, rather than in silos.
- Put continuous risk visibility, decisions and ownership into business units and product owners.
Use Tools to Automate Vulnerability Treatment Prioritization
Gathering, fusing and curating the threat and vulnerability intelligence to compile a vulnerability remediation prioritization catalog can be a labor-intensive process if done manually — a key reason few have ever attempted this, let alone completed it. Vulnerability assessment solutions will often be able to provide reporting on whether a public exploit is available, such as Metasploit or ExploitDB, and have also begun providing more granular data on vulnerabilities being targeted in the wild. TVM tools primarily, but also some BAS solutions that are focusing on vulnerabilities used by threats, also provide a significantly enhanced threat context for vulnerabilities.
The value of these solutions is that they will provide intelligence based on:
- Consolidation of reports from various scanners/tools (for example, VA tools, configuration assessment and application security testing)
- Actual vulnerabilities discovered in your environment
- Removal of false positives
- Threat intelligence
- Curated data from various sources
- Asset exposure
- Asset criticality
- Attack path analysis/simulation
These tools provide the intelligence to save operational costs and hassles by prioritizing vulnerabilities according to the risk-based methodology, using one or a combination of these approaches:
- Data science/data analytics by curating data from various sources and correlating with the vulnerability assessment telemetry and threat intelligence along with the asset criticality information. This helps in calculating the risk theoretically in an ideal situation.
- Attack path analysis by simulating attacks without installing any agents, using a network model built from collected artifacts. This also calculates asset exposure and determines how far an attacker could penetrate by chaining vulnerabilities. This helps to find risk in a practical scenario.
- Bidirectional integration with IT operations tools, such as IT service management or ticket management tools, to support vulnerability tracking across different departments, as well as revalidation of the vulnerabilities. Integrating one tool with a consolidated result will act as a single interface for the integrations with IT operations and/or security tools (such as ticket management, IDPS and WAF).
TVM products are similar to application vulnerability correlation (AVC) products in the application security testing market. Both products provide workflow and process management capabilities aimed at speeding vulnerability assessment and remediation processes. However, while AVC products are focused on vulnerabilities created and discovered within the software development life cycle, TVM products focus on vulnerabilities and configuration errors in the operations environment (servers and networking devices, for example). Thus, they serve different constituencies and buyers and, individually, provide an incomplete view of overall risk.
Gartner predicts that, by 2020, stand-alone markets for AVC and TVM will effectively merge, with vendors delivering products and services providing a view of risk presented both by applications and supporting infrastructure.
Along with TVM tools, these capabilities can also be rendered using some VA tools in the market. Below are some representative vendors in the respective markets rendering risk-based methodology prioritization.
TVM vendors:
- Brinqa
- Core Security
- Kenna Security
- NopSec
- RiskSense
- Risk Based Security
- RedSeal
- Skybox Security
Vulnerability assessment vendors:
- BeyondTrust BeyondInsight
- Qualys Threat Protect
- Rapid7 InsightVM
Security and risk management leaders focusing on threat and vulnerability management should:
- Use the integrated and/or add-on capabilities of your VA vendor to test TVM capabilities and understand their benefits, if the vendor offers them.
- Use a stand-alone TVM tool if you use a multiple-scanner approach and operate in a federated IT environment.
In addition, SOAR tools allow for consistently reproducible processes to be partially or wholly automated, and can have use cases created that help execute on the closed loop nature of risk-based vulnerability management. For example, they can take this prioritized list of vulnerabilities and then go off and orchestrate compensating controls like IDPS, WAF and firewalls.
Use a Risk-Based Approach to Employ Mitigating Controls to Reduce the Attack Surface When You Are Unable to Patch Vulnerabilities
Any vulnerability will be treated by one of the following treatment methods:
- Remediation — Applying the primary control on the vulnerability (for example, patch, upgrade and configuration changes).
- Mitigation — When the primary action (patching) is not feasible, apply compensating controls to reduce the attack surface and to prevent, detect or respond to the attack (for example, IPS, WAF, EPP and two-factor authentication). Other methods, like enhanced monitoring and analytics (such as UEBA), can also be considered as compensating controls.
- Accept — When neither remediation nor mitigation is possible, or the cost of putting a control in place is very high relative to its benefit, the business accepts the risk by documenting it. The same applies when the cost of implementing the control/mitigation exceeds the risk posed by exploitation of that vulnerability on that asset in your organization. Accepted risks should also be fed into IT risk management tools, which can then show the true picture of enterprise risk.
Not all vulnerabilities have remediation available from the vendor. Although small in number, zero days do occur and need to be accounted for. Some systems:
- May have a runtime in your environment that’s longer than the vendor’s willingness to supply security patches (for example, Windows XP still being used in operational technology).
- May rely on technologies for which the organization is not in a position to pay for patch support.
- May be mission-critical systems that run your digital business and cannot simply be made unavailable on an uncontrolled schedule.
- May be left unpatched because the patch could break the application/system or cause availability concerns.
Therefore, it is imperative to have a strategy to deal with these realities, as they pose significant risk to the organization and can’t be overlooked. To reiterate, attackers primarily focus on the small number of vulnerabilities that can be reliably exploited at the lowest (or free) cost to achieve their outcomes.
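The three treatment outcomes (remediation, mitigation, acceptance) as a decision routine, added here as an example that is not Gartner's or any product's logic. It takes a prioritized finding together with patch availability, the layers at which the vulnerable component is reachable and a rough cost/loss comparison, and returns the treatment plus the candidate compensating controls. The layer-to-control mapping only echoes the kinds of controls this section names; the 14-day target for imminent threats reflects the roughly two-week exploitation window discussed earlier, and the cost figures, `VULN-*` identifiers and cases are constructed.

```python
"""Treatment decision for a prioritized finding: remediate, mitigate or accept
(added example; control mapping, due-date targets and sample cases are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    REMEDIATE = "remediate"   # patch, upgrade or configuration change
    MITIGATE = "mitigate"     # compensating control reduces the attack surface
    ACCEPT = "accept"         # documented business decision, fed to IT risk management


@dataclass(frozen=True)
class TreatmentContext:
    vuln_id: str               # constructed placeholder, not a real CVE
    imminent: bool             # exploited in the wild / used by malware
    patch_available: bool
    patch_safe_to_apply: bool  # False when QA or the vendor says it breaks the app
    exposed_layers: tuple      # layers at which the vulnerable component is reachable
    control_cost: float        # assumed cost of the mitigation (constructed units)
    expected_loss: float       # assumed loss if exploited (same units)


# Assumed mapping of compensating controls to the layer where they act.
COMPENSATING_CONTROLS = {
    "network": ("NIPS signature for the exploit", "firewall rule / VLAN segmentation"),
    "application": ("WAF rule", "two-factor authentication"),
    "server": ("HIPS", "application whitelisting", "endpoint protection platform"),
    "database": ("database activity protection",),
}

# Assumed targets: imminent threats inside the ~two-week exploitation window.
DUE_DAYS_IMMINENT = 14
DUE_DAYS_STANDARD = 90


def candidate_controls(layers):
    """All controls that could act at any layer the attacker can reach."""
    return [c for layer in layers for c in COMPENSATING_CONTROLS.get(layer, ())]


def decide(ctx: TreatmentContext):
    """Return (treatment, actions, due_days) for one finding."""
    due = DUE_DAYS_IMMINENT if ctx.imminent else DUE_DAYS_STANDARD
    if ctx.patch_available and ctx.patch_safe_to_apply:
        return Treatment.REMEDIATE, ["apply vendor patch / configuration change"], due
    controls = candidate_controls(ctx.exposed_layers)
    if controls and ctx.control_cost <= ctx.expected_loss:
        return Treatment.MITIGATE, controls, due
    # Neither remediation nor an economical mitigation exists: record the decision.
    return Treatment.ACCEPT, ["document the accepted risk in the IT risk register"], None


def treatment_plan(contexts):
    """Map each finding id to its decision."""
    return {ctx.vuln_id: decide(ctx) for ctx in contexts}


# Constructed cases: a normal patchable bug, a legacy OT host that cannot be
# patched (the Windows XP situation), and a low-value system where the control
# would cost more than the exposure is worth.
CASES = [
    TreatmentContext("VULN-D", True, True, True, ("application",), 2_000, 500_000),
    TreatmentContext("VULN-E", True, False, False, ("network", "server"), 5_000, 250_000),
    TreatmentContext("VULN-F", False, False, False, ("application",), 120_000, 20_000),
]

if __name__ == "__main__":
    for vid, (treatment, actions, due) in treatment_plan(CASES).items():
        print(f"{vid}: {treatment.value:9} due={due} -> {', '.join(actions)}")
```

The mitigate branch returns every control that can act at a reachable layer so that the team can pick the one it already owns, which is the "simple next step" the text describes; the accept branch deliberately returns no due date, because the output of that branch is a risk-register entry rather than a work item.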
Multiple methods can help mitigate this issue, including application whitelisting and identity, access and privileged user monitoring.
Table 1 summarizes common mitigation methods that can be applied to protect multiple servers and devices. The implementation of a well-placed mitigation measure at a network control point is a preferable solution to forcing unachievable goals of patching 100% of all vulnerable systems. A defense-in-depth strategy starts from the perimeter and can extend onto the vulnerable system/application.
Table 1. Applicability of Various Protection Approaches
| Mitigation Method | Technologies | Layer of Protection: Network | Layer of Protection: Server | Layer of Protection: Application | Layer of Protection: Database |
|---|---|---|---|---|---|
| Segmenting or isolating the system from the attacker | Firewalls and network zoning | | | | |
| | VLAN/ACLs | | | | |
| Preventing successful attacks from particular networks | NIPS device | | | | |
| | WAF device | | | | |
| | DAP device | | | | |
| Blocking exploitation and/or preventing negative consequences | NIPS device | | | | |
| | HIPS software | | | | |
| | Application whitelisting | | | | |
| | Endpoint protection platform | | | | |
| | System hardening and security configuration standards | | | | |
| | Disabling vulnerable software | | | | |
| | Two-factor authentication | | | | |
Source: Gartner (August 2018)
Evidence
1 “Common Vulnerability Scoring System v3.0: Specification Document,” FIRST.org.
Note 1
CVSS
The CVSS Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the exploitability metrics and the impact metrics. The exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. The impact metrics reflect the direct consequence of a successful exploit and represent the consequence to the asset that suffers the impact.