Connect with us

Hi, what are you looking for?


Risk Management

Emerging Trends in Vulnerability Management

Vulnerability management has historically been treated as an engineering exercise that is disconnected from how security flaws relate to the business and the actual threat they pose.

Vulnerability management has historically been treated as an engineering exercise that is disconnected from how security flaws relate to the business and the actual threat they pose.

The increasing adoption of undefended new technologies like Internet of Things (IoT) and escalation in cybercrime activity have given rise to more damaging breaches. The ensuing regulatory and legal scrutiny have revealed the shortcomings of this traditional approach. This raises the question about the limitations of traditional vulnerability management and what steps can be taken to drive a new, risk-centric approach designed to expose imminent threats (for mitigation) and more effectively reduce risk across the expanding attack surface.

According to the 2017 U.S. State of Cybercrime Survey (PDF), 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. In turn, organizations plan to upgrade their IT and data security to avoid cyber-attacks in the years to come. Based on the State of the CIO, 2014 – 2017 report, this has now become the second highest priority behind assisting in achieving set revenue goals.

In light of the wave of data breaches in 2017, we need to consider whether traditional approaches to vulnerability management are still viable and if just upgrading existing methods or tools is sufficient. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem, often leaving their security analysts without a clue on where to start. Given that the enterprise attack surface continues to expand from endpoints, applications, databases, mobile devices to IoT, things will only get worse. That’s why Gartner in its 2017 State of the Threat Landscape talks about the fact that “your roofs are leaky, and getting leakier”.

Vulnerabilities are not a new phenomenon – they are as old as computers. And while vulnerability management tools and practices have evolved over the past few decades by adding new capabilities like authenticated or agent-based scans, at their core they still rely on the Common Vulnerability Scoring System (CVVS), which is maintained by the Forum of Incident Response and Security Teams (FIRST). 

It is easy to be misled by CVVS scores and play math games with them. However, these exercises typically only reduce risk on paper – not in reality. Traditional vulnerability management approaches practice gradual risk reduction. They either focus remediation actions on the most severe vulnerabilities based on a high CVSS score (so-called vulnerability-centric model) or the value and exposure of an asset (i.e., Internet-facing, third-party access, contains sensitive data, provides business critical functions; so-called asset-centric model). Unfortunately, both practices are often tied to reducing the most amount of risk with the least number of patches.

These traditional approaches no longer suffice. Instead, according to Gartner (see “Threat-Centric Vulnerability Remediation Prioritization”), organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. An imminent threat can be identified by correlating vulnerabilities to their prevalence in the wild: 

• Is a vulnerability being targeted by malware, ransomware, or an exploit kit?

Advertisement. Scroll to continue reading.

• Is a threat actor leveraging the vulnerability and targeting organizations like ours?

Under this new model, imminent threats are prioritized and remediated first. While we can’t predict who will attack us, we can predict who or what successfully could.

Ultimately, organizations that are planning to “upgrade” their existing vulnerability and patch management practices should move beyond looking at the “what is”, in terms of their current security posture. A better approach is to augment tools with emerging security analytics and cyber risk management capabilities that allow for a scenario and objective-based approach that assesses the “what could be”, and predicts the impact and outcomes of potential threats.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.