SecurityWeek

Risk Management

The Imperative for Modern Security: Risk-Based Vulnerability Management

By prioritizing vulnerabilities based on risk and aligning security efforts with business objectives, organizations can enhance their resilience to cyberattacks, optimize resource allocation, and maintain a proactive security posture.

In recent months, the news has been filled with reports of vulnerabilities being exploited, such as the Apple Shortcuts Vulnerability, SlashandGrab ScreenConnect Vulnerability, ESET Privilege Escalation Vulnerability, Zoom Vulnerability, Roundcube Webmail Vulnerability, and Ivanti VPN Vulnerability. These incidents underscore the urgent need for organizations to modernize their vulnerability management practices. According to the Cybersecurity and Infrastructure Security Agency (CISA), adversaries exploit vulnerabilities within just 15 days of their discovery, while organizations typically take several months to patch them. This raises concerns about how organizations can close this gap and minimize their risk exposure effectively.

Since computer software became the backbone of modern commerce, communications, and entertainment, it has been a prime target for hacktivists, organized cybercriminals, rogue nation-states, and terrorist organizations. Their primary method of attack is exploiting design flaws and weaknesses in applications to steal data, commit fraud, and disclose sensitive information.

The State of Vulnerability Management

In today’s ever-evolving digital landscape, safeguarding sensitive information and critical systems against cyber threats is more challenging than ever. The volume and complexity of vulnerabilities continue to rise due to factors like rapid technological innovation, open source library adoption, an expanding attack surface that now includes the cloud, the proliferation of software applications, and the increasing sophistication of cyber threats.

Many organizations face resource constraints, including limited budgets, personnel shortages, and competing priorities, making it difficult to keep pace with the constant stream of vulnerabilities and effectively allocate resources to mitigate them. Patch management, while essential, presents its own challenges. Timely patching without disrupting critical systems and operations requires careful coordination and testing, straining organizational resources and introducing potential risks.

According to one research study from 2023, organizations take an average of 88 days to patch critical vulnerabilities and 208 days for low-severity vulnerabilities, providing attackers ample time to gain access to corporate networks. In many cases, vulnerabilities remain unaddressed even a year after discovery, exposing organizations to unsophisticated attacks.

According to IBM’s 2023 Cost of a Data Breach Report, 67% of breaches were discovered by third parties rather than internal resources, highlighting the need for organizations to gain better control over vulnerability management.

Implementing a Risk-Based Approach

Given these challenges, the need for a risk-based approach to vulnerability management has never been more apparent. A risk-based approach involves prioritizing vulnerabilities based on their potential impact on the organization’s assets, operations, and strategic objectives. By focusing on the most critical vulnerabilities first, organizations can optimize their limited resources and enhance their overall security posture.

Transitioning to a risk-based approach requires a comprehensive, systematic effort encompassing people, processes, and technology. Key steps in implementing a risk-based approach to vulnerability management include:

  1. Risk Assessment and Prioritization: Organizations should conduct thorough risk assessments to identify vulnerabilities, assess their potential impact, and prioritize them based on risk severity and business criticality.
  2. Integration with Risk Management Frameworks: Organizations should align their vulnerability management processes with broader risk management frameworks, such as the NIST Cybersecurity Framework or ISO 27001, to ensure compliance and alignment with organizational risk management objectives.
  3. Automation and Orchestration: Organizations should leverage automation and orchestration tools to streamline vulnerability detection, assessment, and remediation processes, enabling faster response times and more efficient resource utilization. AI-powered technology will be a difference maker here.
  4. Continuous Improvement and Optimization: Organizations need to establish a culture of continuous improvement and optimization by regularly evaluating the effectiveness of vulnerability management practices, identifying areas for enhancement, and implementing lessons learned from security incidents and breaches.
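To make step 1 concrete, the following sketch (an added example, not part of the original article) ranks the same findings first by technical severity alone and then by a risk score that factors in business criticality, observed exploitation, and internet exposure. The weights, deadline tiers, finding identifiers, and asset names are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions for this example, not values from the article).
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 1.5, "crown_jewel": 2.0}
EXPLOITED_FACTOR = 1.5   # exploitation already observed in the wild
EXPOSED_FACTOR = 1.25    # asset reachable from the internet

@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder, not a real CVE
    asset: str
    cvss: float           # technical severity, 0.0 to 10.0
    criticality: str      # business criticality of the affected asset
    exploited: bool
    internet_facing: bool

def risk_score(f: Finding) -> float:
    """Scale technical severity by business and threat context."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.vuln_id}: CVSS out of range")
    factor = CRITICALITY[f.criticality]  # KeyError on an unknown tier is intended
    if f.exploited:
        factor *= EXPLOITED_FACTOR
    if f.internet_facing:
        factor *= EXPOSED_FACTOR
    return round(f.cvss * factor, 2)

def remediation_days(f: Finding) -> int:
    """Map the score to a patch deadline (tiers are assumptions)."""
    score = risk_score(f)
    return 7 if score >= 15 else 30 if score >= 10 else 90

def by_severity(findings):
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def by_risk(findings):
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]

# Constructed sample findings.
SAMPLE = [
    Finding("VULN-A", "dev-sandbox", 9.8, "low", False, False),
    Finding("VULN-B", "vpn-gateway", 7.5, "high", True, True),
    Finding("VULN-C", "hr-portal", 8.8, "medium", False, True),
    Finding("VULN-D", "payments-db", 5.3, "crown_jewel", True, False),
]

if __name__ == "__main__":
    print("severity only:", by_severity(SAMPLE))
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f.vuln_id, f.asset, risk_score(f), f"patch within {remediation_days(f)} days")
```

With these sample values, the 9.8-severity finding on an isolated sandbox drops to last place, while the exploited 7.5 on an internet-facing gateway moves to the top of the queue.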

Conclusion

The transition to a risk-based approach is essential to address the growing complexity and dynamic nature of cyber threats and vulnerabilities. By prioritizing vulnerabilities based on risk and aligning security efforts with business objectives, organizations can enhance their resilience to cyberattacks, optimize resource allocation, and maintain a proactive security posture in today’s increasingly digital world.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
