Our systems detected an issue with your IP. If you think this is an error please submit your concerns via our contact form.

Security icon

Implement Risk-Based Vulnerability Management

Get off the patching merry-go-round and start mitigating risk!

  • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
  • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

Our Advice

Critical Insight

  • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
  • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
  • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

Impact and Result

  • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
  • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
  • The risk-based approach will allow you prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
  • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
  • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

Implement Risk-Based Vulnerability Management Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Identify vulnerability sources

Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

2. Triage vulnerabilities and assign priorities

Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

3. Remediate vulnerabilities

Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

4. Measure and formalize

Evolve the program continually by developing metrics and formalizing a policy.

webinar status icon

On Demand

Webinar

Implement Risk-Based Vulnerability Management

Play Webinar

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.8/10


Overall Impact

$39,229


Average $ Saved

21


Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Chapman University

Guided Implementation

10/10

$68,500

10

The best part was the expertise and professionalism brought to the project by Petar. Now only did he provide guidance and knowledge to the project,... Read More

Open Technology Solutions LLC

Guided Implementation

10/10

$68,500

10

Jon came in with great experience and advice based on his time working at the enterprise level in financial services.

Peel Regional Police

Guided Implementation

9/10

$5,000

10

Yolo County

Guided Implementation

9/10

$19,865

18

City of Atlanta / Atlanta Information Management (AIM)

Guided Implementation

10/10

N/A

20

Girl Guides of Canada

Guided Implementation

10/10

N/A

10

Noramco, LLC

Guided Implementation

10/10

$34,281

60

the experience was absolutely great. Mr Sooknanan experience and approaches are exceptional.

California Natural Resources Agency

Guided Implementation

10/10

N/A

32

Shastri proves to be a valuable asset to any conversation I've been apart of with him. He is knowledgeable and provides useful insights and recomme... Read More


Implement Risk-Based Vulnerability Management

Get off the patching merry-go-round and start mitigating risk!

Table of Contents

4 Analyst Perspective

5 Executive Summary

6 Common Obstacles

8 Risk-based approach to vulnerability management

16 Step 1.1: Vulnerability management defined

24 Step 1.2: Defining scope and roles

34 Step 1.3: Cloud considerations for vulnerability management

33 Step 1.4: Vulnerability detection

46 Step 2.1: Triage vulnerabilities

51 Step 2.2: Determine high-level business criticality

56 Step 2.3: Consider current security posture

61 Step 2.4: Risk assessment of vulnerabilities

71 Step 3.1: Assessing remediation options

Table of Contents

80 Step 3.2: Scheduling and executing remediation

85 Step 3.3: Continuous improvement

89 Step 4.1: Metrics, KPIs, and CSFs

94 Step 4.2: Vulnerability management policy

97 Step 4.3: Select & implement a scanning tool

107 Step 4.4: Penetration testing

118 Summary of accomplishment

119 Additional Support

120 Bibliography

Analyst Perspective

Vulnerabilities will always be present. Know the unknowns!

In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group.Jimmy Tom
Research Advisor – Security, Privacy, Risk, and Compliance
Info-Tech Research Group

Executive Summary

Your Challenge

Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

Common Obstacles

Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

Some systems deemed vulnerable simply cannot be patched or easily replaced.

Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

Info-Tech’s Approach

Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

Info-Tech Insight

Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

Common obstacles

These barriers make vulnerability management difficult to address for many organizations:
  • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
  • Many organizations feel that a “patch everything” approach is the most effective path.
  • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
  • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
(Source: NIST National Vulnerability Database Dashboard)

Leverage risk to sort, triage, and prioritize vulnerabilities

Reduce your risk surface to avoid cost to your business; everything else is table stakes.

Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

Identify vulnerability sources

An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

Triage and prioritize

Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

Remediate vulnerabilities

Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

Measure and formalize

Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

Tactical Insight 1

All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

Tactical Insight 2

Reduce the risk surface down below the risk threshold.

The industry has shifted to a risk-based approach

Traditional vulnerability management is no longer viable.

“For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

“Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

“Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

“A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

Why a take risk-based approach?

Vulnerabilities, by the numbers

60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

Info-Tech Insight

Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

Vulnerability Management

A risk-based approach

Reduce the risk surface to avoid cost to your business, everything else is table stakes

Logo for Info-Tech.
Logo for #iTRG.

1

Identify

4

Address

Mitigate the risk surface by reducing the time across the phases ›Mitigate the risk by implementing:
  • patch systems & apps
  • compensating controls
  • systems and apps hardening
  • systems segregation
Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

Objective: reduce risk surface by reducing time to address

Your organization's risk tolerance threshold

Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)Vulnerability information feeds:
  • scanning tool
  • external threat intel
  • internal threat intel

2

Analyze

Assign actual risk (impact x urgency) to the organization based on current security posture

Triage based on risk ›

Your organization's risk tolerance threshold

Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

3

Assess

Plan risk mitigation strategy ›Consider:
  • risk tolerance
  • compensating controls
  • business impact

Info-Tech’s vulnerability management methodology

Focus on developing the most efficient processes.

Vulnerability management isn’t “old school.”

The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

Equation to find 'Vulnerability Priority'.

When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

Info-Tech Insight

Vulnerability management is not only patch management. Patching is only one aspect.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Vulnerability Management SOP

The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

Sample of the key deliverable, Vulnerability Management SOP.
Vulnerability Management Policy

Template for your vulnerability management policy.

Sample of the Vulnerability Management Policy blueprint.Vulnerability Tracking Tool

This tool offers a template to track vulnerabilities and how they are remedied.

Sample of the Vulnerability Tracking Tool blueprint.
Vulnerability Scanning RFP Template

Request for proposal template for the selection of a vulnerability scanning tool.

Sample of the Vulnerability Scanning RFP Template blueprint.Vulnerability Risk Assessment Tool

Methodology to assess vulnerability risk by determining impact and likelihood.

Sample of the Vulnerability Risk Assessment Tool blueprint.

Blueprint benefits

IT Benefits

  • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
  • A risk-based approach that aligns with what’s important to the business.
  • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
  • Identification of “where to start” in terms of vulnerability management.
  • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
  • Knowledge of what to do when patching is simply not possible or feasible.

Business Benefits

  • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
  • A consistent program that the business can plan around and predict when interruptions will occur.
  • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

Info-Tech’s process can save significant financial resources

PhaseMeasured Value
Phase 1: Identify vulnerability sources
    Define the process, scope, roles, vulnerability sources, and current state
    • Consultant at $100 an hour for 16 hours = $1,600
Phase 2: Triage vulnerabilities and assign urgencies
    Establish triaging and vulnerability evaluation process
    • Consultant at $100 an hour for 16 hours = $1,600
    Determine high-level business criticality and data classifications
    • Consultant at $100 an hour for 40 hours = $4,000
    Assign urgencies to vulnerabilities
    • Consultant at $100 an hour for 8 hours = $800
Phase 3: Remediate vulnerabilities
    Prepare documentation for the vulnerability process
    • Consultant at $100 an hour for 8 hours = $800
    Establish defense-in-depth modelling
    • Consultant at $100 an hour for 24 hours = $2,400
    Identify remediation options and establish criteria for use
    • Consultant at $100 an hour for 40 hours = $4,000
    Formalize backup and testing procedures, including exceptions
    • Consultant at $100 an hour for 8 hours = $800
    Remediate vulnerabilities and verify
    • Consultant at $100 an hour for 24 hours = $2,400
Phase 4: Continually improve the vulnerability management process
    Establish a metrics program for vulnerability management
    • Consultant at $100 an hour for 16 hours = $1,600
    Update vulnerability management policy
    • Consultant at $100 an hour for 8 hours = $800
    Develop a vulnerability scanning tool RFP
    • Consultant at $100 an hour for 40 hours = $4,000
    Develop a penetration test RFP
    • Consultant at $100 an hour for 40 hours = $4,000
Potential financial savings from using Info-Tech resourcesPhase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

Guided Implementation

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

What does a typical GI on this topic look like?

Phase 1

Phase 2

Phase 3

Phase 4

Call #1: Scope requirements, objectives, and your specific challenges.

Call #2: Discuss current state and vulnerability sources.

Call #3: Identify triage methods and business criticality.

Call #4:Review current defense-in-depth and discuss risk assessment.

Call #5: Discuss remediation options and scheduling.

Call #6: Review release and change management and continuous improvement.

Call #7: Identify metrics, KPIs, and CSFs.

Call #8: Review vulnerability management policy.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Day 1Day 2Day 3Day 4Day 5
Activities
Identify vulnerability sources

1.1 What is vulnerability management?

1.2 Define scope and roles

1.3 Cloud considerations for vulnerability management

1.4 Vulnerability detection

Triage and prioritize

2.1 Triage vulnerabilities

2.2 Determine high-level business criticality

2.3 Consider current security posture

2.4 Risk assessment of vulnerabilities

Remediate vulnerabilities

3.1 Assess remediation options

3.2 Schedule and execute remediation

3.3 Drive continuous improvement

Measure and formalize

4.1 Metrics, KPIs & CSFs

4.2 Vulnerability Management Policy

4.3 Select & implement a scanning tool

4.4 Penetration testing

Next Steps and Wrap-Up (offsite)

5.1 Complete in-progress deliverables from previous four days

5.2 Set up review time for workshop deliverables and to discuss next steps

Deliverables
  1. Scope and boundary definition of vulnerability management program
  2. Responsibility assignment for vulnerability identification and remediation
  3. Monitoring and review process of third-party vulnerability sources
  4. Incident management and vulnerability convergence
  1. Methodology for evaluating identified vulnerabilities
  2. Identification of high-level business criticality
  3. Defined high-level data classifications
  4. Documented defense-in-depth controls
  5. Risk assessment criteria for impact and likelihood
  1. Documented risk assessment methodology and remediation options
  1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
  2. Initial draft of vulnerability management policy
  3. Scanning tool selection criteria
  4. Introduction to penetration testing
  1. Completed vulnerability management standard operating procedure
  2. Defined vulnerability management risk assessment criteria
  3. Vulnerability management policy draft

Implement Risk-Based Vulnerability Management

Phase 1

Identify Vulnerability Sources

Phase 1

1.1 What is vulnerability management?
1.2 Define scope and roles
1.3 Cloud considerations for vulnerability management
1.4 Vulnerability detection

Phase 2

2.1 Triage vulnerabilities
2.2 Determine high-level business criticality
2.3 Consider current security posture
2.4 Risk assessment of vulnerabilities

Phase 3

3.1 Assessing remediation options
3.2 Scheduling and executing remediation
3.3 Continuous improvement

Phase 4

4.1 Metrics, KPIs & CSFs
4.2 Vulnerability management policy
4.3 Select and implement a scanning tool
4.4 Penetration testing

This phase will walk you through the following activities:

Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

This phase involves the following participants:

  • Security operations team
  • IT Security Manager
  • IT Director
  • CISO

Step 1.1

Vulnerability Management Defined

Activities

None for this section

This step will walk you through the following activities:

Establish a common understanding of vulnerability management and its place in the IT organization.

This step involves the following participants:

  • Security operations team
  • IT Security Manager
  • IT Director
  • CISO

Outcomes of this step

Foundational knowledge of vulnerability management in your organization.

Identify vulnerability sources
Step 1.1Step 1.2Step 1.3Step 1.4

What is vulnerability management?

It’s more than just patching.

  • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
  • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
  • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

“Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

Effective vulnerability management

It’s not easy, but it’s much harder without a process in place.
  • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
  • Patching isn’t the only solution, but it’s the one that often draws focus.
  • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
  • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
  • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
  • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

You’re not just doing this for yourself. It’s also for your auditors.

Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

webinar status icon

On Demand

Webinar

Implement Risk-Based Vulnerability Management

Play Webinar

Get off the patching merry-go-round and start mitigating risk!

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

MEMBER RATING

9.8/10
Overall Impact

$39,229
Average $ Saved

21
Average Days Saved

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.

Read what our members are saying

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Identify vulnerability sources
  • Call 1: Scope requirements, objectives, and your specific challenges.
  • Call 2: Discuss current state and vulnerability sources.

Guided Implementation 2: Triage vulnerabilities and assign priorities
  • Call 1: Identify triage methods and business criticality.
  • Call 2: Review current defense-in-depth and discuss risk assessment.

Guided Implementation 3: Remediate vulnerabilities
  • Call 1: Discuss remediation options and scheduling.
  • Call 2: Review release and change management and continuous improvement.

Guided Implementation 4: Measure and formalize
  • Call 1: Identify metrics, KPIs, and CSFs.
  • Call 2: Review vulnerability management policy.

Author

Jimmy Tom

Contributors

  • 2 anonymous contributors from the manufacturing sector
  • 1 anonymous contributor from a US government agency
  • 2 anonymous contributors from the financial sector
  • 1 anonymous contributor from the medical technology industry
  • 2 anonymous contributors from higher education
  • 1 anonymous contributor from a Canadian government agency
  • 7 anonymous others, information gathered from advisory calls
Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019