With each new cloud application or third-party SaaS account, the external attack surface of pretty much every organization keeps growing day after day, every day. It becomes wider and more vulnerable. Gartner recognized attack surface expansion as the number one security trend of the year back in 2022.
The only way to deal with this is to manage the vulnerabilities that comprise the attack surface. But it’s impossible to patch or mitigate them all at once, though. This is why security professionals came up with something called risk-based vulnerability management.
Risk-based vulnerability management is a cybersecurity process that prioritizes and addresses the most critical vulnerabilities according to the risk they pose to an organization.
As a process, it has certain stages:
- – asset inventory,
- – vulnerability identification,
- – risk assessment,
- – prioritization,
- – remediation and mitigation.
These stages may seem the same as those of traditional vulnerability management. But there is a difference: vulnerability risk management enables more effective prioritization. It ensures a focus on the most business-critical vulnerabilities first, instead of simply grading them by their severity score.
Unlike traditional vulnerability management, vulnerability risk management considers factors such as vulnerability criticality, exploit likelihood, and business impact. Using vulnerability risk management allows the organization to allocate resources more efficiently, reduce the attack surface where it has the most impact and improve its security posture. All while maintaining regulatory compliance.
How to Conduct Asset Inventory and Identify Vulnerabilities
There are various sources of weaknesses in external attack surfaces: it could be compromised websites or web applications, misconfigured cloud infrastructures, weak access controls, or inadequate authentication mechanisms in APIs. All these vulnerabilities provide threat actors with an opportunity to compromise sensitive data and gain unauthorized access to the company’s infrastructure.
To manage all of that, you need to start somewhere. The best starting point is getting a clear understanding of the assets within your organization’s external attack surface.
External attack surface management (EASM) tools can help you discover and validate (confirm that they belong to your organization) both known and unknown internet-facing assets such as IP addresses, domain names, subdomains, ports, and SSL certificates. You think you are aware of most of them, but a thorough scan can often reveal quite a few that were previously not on the radar.
Basic scanners can also help discover some assets (however, they likely have lower coverage than a good EASM tool) and identify security flaws and vulnerabilities. EASM tools can do all of that and may provide you with asset inventory and offer a more sophisticated analysis of vulnerabilities, remediation suggestions, and continuous monitoring.
New Vulnerability Prioritization Approach Based on Risk Assessment
A good EASM tool will certainly discover many CVEs in the infrastructure of any company. And a significant number of them will likely fall into the high or critical categories. However, most of these vulnerabilities never see a working exploit. An even smaller number of threat actors get to actively exploit in the wild.
That’s why prioritizing vulnerability remediation solely based on their severity classification may not be the most adequate approach. Vulnerability risk management suggests a more effective method: prioritizing vulnerability fixes based on assessing risks that each vulnerability poses for the organization.
A risk-based assessment considers three main factors:
- How critical is the vulnerable asset?
- How likely is it that the vulnerability will be exploited?
- How will patching it affect the business processes?
For the likelihood of exploitation, you can consider the vulnerability CVSS impact score, and also factors like whether a weaponized exploit is available, whether it is used in the wild, and whether it is trending in the dark web. Some EASM tools include a built-in risk-based prioritization system.
The questions of business criticality are for the business departments to answer, and as for how patching affects business processes, consider potential downtimes and the need to restart some services, thus interrupting the normal business flow.
Remediating & Mitigating Vulnerabilities
After you’ve assessed the risks and prioritized vulnerabilities, you can either remediate or mitigate them. Remediation involves directly addressing and fixing the vulnerabilities to eliminate associated risks. To confirm the success, validate the fix after application.
Sometimes immediate remediation is not possible. For example, you may need to reboot the whole system to implement an update, and that, of course, cannot be done daily. In this case, mitigation strategies will help reduce the potential impact of exploitation until you can apply a permanent fix.
Monitoring and Response: Identify, Assess, Prioritize, Remediate, and Repeat
The process of vulnerability risk management never stops or ends. New vulnerabilities are discovered every day. In January 2024 alone, Microsoft released new patches for 49 vulnerabilities, with 2 of them recognized as critical and 4 as high.
Moreover, new external assets appear in organizational infrastructures every day. So, the process of risk-based vulnerability management is continuously ongoing.
That is where EASM tools again come in handy. Active use of these tools allows to make vulnerability scanning and asset inventory regular – and mostly automated – procedures.
EASM Tools Can Help Implement Vulnerability Risk Management Approach
EASM tools provide companies with the opportunity to adopt vulnerability risk management to address security issues regularly according to organizational risk rather than issue severity.
By employing Vulnerability Risk Management, companies can effectively block potential attack paths and safeguard critical attack vectors to reduce their external attack surface most efficiently.