Modern vulnerability management is an orderly, systematic, and data-driven approach to enterprise vulnerability management. It leverages full visibility into a technology stack to target the riskiest vulnerabilities, enabling companies to adhere to designated SLA’s, respond to threats rapidly, and have meaningful discussions about organizational risk tolerance.
Got that? Let’s unpack it.
To understand what modern vulnerability is, let’s first talk about what it is not.
The typical enterprise environment contains millions of vulnerabilities. Trying to patch all of them just isn’t feasible, and most organizations only have the capacity to patch one out of every ten vulnerabilities.
Nevertheless, companies will try to patch everything, because they believe (erroneously) that any single vulnerability has the potential to result in major consequences for the company.
The result is a lot like treading water: You never really get anywhere. When everything seems like a risk, the scale of a problem like vulnerability management is simply overwhelming.
Frustration and friction are the natural result of trying to tackle a near impossible problem. Security and IT teams frequently disagree over which vulnerabilities to tackle first.
If they do use a system to triage risk, companies rely on the Common Vulnerability Scoring System (CVSS) for vulnerabilities listed in the National Vulnerability Database. But CVE scores aren’t meant for that purpose.
In a traditional vulnerability management system, nobody is using clear, undisputed data that gives certainty into which actions matter. Modern vulnerability management programs make order from this chaos.
Developing a modern vulnerability management program isn’t like flipping a switch. It’s an evolution, with several steps along the way.
The beginner system
In reality, just a tiny fraction of the more than 500,000 CVEs (as of June 2020) are ever weaponized by hackers – somewhere between 3 and 5 percent.
Data science makes it possible to predict which vulnerabilities are the most likely to be weaponized and exploited. Kenna Security uses a data set that contains approximately 15 billion observed security events annually and decades of enterprise IT logs to determine what factors make some vulnerabilities likelier targets than others. These factors – and there are dozens – can include which operating systems the vulnerabilities are found on, which software developers made a particular program, and whether security researchers are experimenting with the vulnerability in real-time.
The first step is to remediate the riskiest vulnerabilities first. This is the risk-based vulnerability management stage. At this point, companies are simply using their resources more effectively by fixing vulnerabilities most likely to be exploited. There are fewer instances of fixes in which a vulnerability with a low likelihood of being exploited is patched, and fewer incidents in which security teams fail to patch vulnerabilities with a high likelihood of exploitation.
Data-driven approach to vulnerability management
Once an organization has identified and remediated vulnerabilities that have flashing red warning lights, the next steps are to lower the organization’s overall risk profile, and to use vulnerability management success to drive operational change.
Kenna.VM assesses internal security environments by pairing data from any available commercial scanner with real time threat and exploit information from 15 threat intelligence feeds that monitor attacker activity in real-time. The data is leveraged with a dynamic scoring method that benchmarks risk for the entire organization.
With this data and the score, security analysts finally have the full visibility they need to truly understand their overall level of risk and therefore effectively evaluate the next best remediation choice that will drive down the organization’s overall risk score, along with a selection of options that will consistently drive down overall risk.
Imagine, for example, two parts of the same enterprise network. One is public-facing and contains sensitive financial information about customers and vendors. The other is an internal system that doesn’t face the public. The public-facing system is home to a moderate vulnerability, and the internal network houses a DEFCON-3 level risk. Despite the disparity in risk scores these two individual vulnerabilities have, it’s possible that the organization may lower its overall risk by patching the moderate risk on the public facing sector of the network.
Kenna’s data science allows organizations to compare the overall risk reduction of several actions, based on the context of the network itself among other variables.
Driving operational change
Over time, organizations can consistently drive down overall risk. But one question remains: How much is enough?
In other words, what is an acceptable level of risk? The answer can’t be zero, that’s impossible. And at a certain point, smart executives will realize some diminishing returns. Continuing to devote significant resources to vulnerability management yields smaller and smaller benefits.
To answer the question of what an acceptable level of risk is, we should look outside the organization itself for comparison.
In January 2020 alone, the National Vulnerability Database added more than 1,800 new entries. Now, we know that just a tiny fraction of those 1,800 are high-risk vulnerabilities. We also know from research conducted in conjunction with the Cyentia Institute that about only about one-third of high risk vulnerabilities are patched within a month. And that two-thirds of organizations either end the month with more high risk vulnerabilities than they started, or are just treading water.
This data can provide important benchmarks for internal operations. Companies can set internal SLAs that compare their vulnerability management to industry peers, or to the speed at which attackers work. The result is an orderly approach to vulnerability management that sets reasonable and realistic expectations that are communicable up and down the ranks, from the C-suite to the technicians.
Modern Vulnerability Management
The hallmarks of a modern vulnerability management program are a consistent, systematic approach to ongoing, discovered risk within the enterprise environment. It’s a data-driven approach that helps companies align their security goals with the actions they can take.
When vulnerability management programs mature, IT teams and security teams stop butting heads and start focusing on shared tasks. They do this with confidence that they have full visibility into their technology stacks and that their actions are evidence-based, not guesswork.
The path to modern vulnerability management is a path to sanity.
Looking for a deep dive into modern vulnerability management? Checkout our webinar Unlock The Next Level of VM: Modern Vulnerability Management