Risk-based vulnerability management a better form of cyber defense

By consolidating vulnerability management tools and adding AI, risk-based vulnerability management protects the entire attack surface.


Protecting an organization from threats is becoming increasingly difficult, as the number and sophistication of threats continues to increase exponentially. A big issue is finding, prioritizing, and fixing vulnerabilities before they are exploited.

That has always been a top priority for security professionals, but the growing number of vulnerabilities makes it difficult, if not impossible, for legacy vulnerability assessment tools to be effective.

Many security tools, such as anti-malware and intrusion detection systems, have used artificial intelligence (AI) as a way to modernize and keep up with current trends, but the vulnerability assessment market has not. Infusing AI into this market would shift it from treating all vulnerabilities as equal to enabling businesses to evaluate and prioritize them based on risk. However, one approach doesn’t replace the other but rather complements it, as both are required to protect against the widest range of attack vectors.

Vulnerability assessment falls behind

Vulnerability assessment has been a tried-and-true method for finding vulnerabilities for over a decade now. The technology looks for out-of-date software, operating systems that need patching, and other basic holes in software. There is obviously some value in vulnerability assessment, but it hasn’t evolved much in the past decade. Vulnerability assessment tools struggle with discovering all enterprise assets, particularly new types of enterprise assets, such as mobile devices, unmanaged assets, and Internet of Things (IoT) devices.

Also, vulnerability assessment doesn’t look for advanced attack vectors, such as bad passwords or phishing, which are often a bigger problem than unpatched systems.

Another issue with legacy vulnerability assessment is that it doesn’t prioritize the vulnerabilities it finds. Security teams see a massive list of vulnerabilities with no context. That means a contractor’s computer in an isolated segment would appear to have the same level of criticality as the CFO’s laptop that has out-of-date financial software. The security team is left to triage the list and determine which ones should be addressed first. This obviously wastes valuable time, is often unachievable, and exposes the company to unnecessary risk. Representative vulnerability assessment vendors include Rapid7, Qualys, and Tenable (formerly SecurityCenter). This is still important information, but it often lacks any insights to make it actionable.

Threat and vulnerability management an improvement, but not a complete solution

Threat and vulnerability management (TVM) is a newer approach that layers on top of vulnerability assessment and uses security analytics to apply some logic and analysis to vulnerability assessment data to help understand the risk level of the associated vulnerabilities. Making sense of this data through manual inspection is impossible, as even the most seasoned security professional couldn’t connect the dots in the massive amount of data collected.

This is where analytics has value: it analyzes the data in real time and uses multiple factors and logic to provide the security team with a list prioritized by risk. This is certainly a step-function improvement over traditional vulnerability assessment, but it still doesn’t solve the whole problem.

First, one can’t forget about the information that the legacy systems provide. It matters because threat and vulnerability management tools don’t gather their own inventory data; they consume vulnerability assessment feeds. Like vulnerability assessment systems, threat and vulnerability management tools omit hundreds of advanced attack vectors, such as password reuse, phishing, and user behavior, from their calculations. Nor do they take into account the actual business impact of assets and users. Also, there’s no guidance on how to remediate the identified and prioritized issues. Many vendors play in this market, including Brinqa, Core Security, Kenna Security, and SkyBox.

So, what’s a security team to do? It looks like they need to run both a threat and vulnerability management tool and traditional vulnerability assessment. That might seem logical, but it’s suboptimal. Running dual security tools leads to something called “swivel chair management” where the administrator needs to quickly pivot between the two, and any kind of correlation must be done manually. Also, analyzing the data across systems isn’t feasible given the volume of data coming from the two systems.

Risk-based vulnerability management offers the best of both worlds

A better approach is risk-based vulnerability management where both traditional vulnerability assessment and newer threat and vulnerability management capabilities are unified in a single platform. AI is used to continuously discover and update the enterprise inventory and to provide predictive risk analytics across hundreds of attack vectors, threats, business impact, and compensating controls.
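The prioritization the last few sections describe (severity is only one input; asset business impact, reachability and compensating controls change the answer) is easiest to see with a small scoring model. The following is an added illustration written for this article, not code from Balbix, Tenable or any other vendor named here. The weights, the three sample assets and the findings are constructed, and the model is deliberately simple so that the effect of each factor is visible; it reproduces the contractor-laptop versus CFO-laptop scenario from earlier in the piece.

```python
"""Risk-based prioritization of vulnerability findings (constructed example).

A severity-only list puts the highest CVSS score first regardless of which host
it is on. Risk-based scoring multiplies likelihood (severity, exploit
availability, exposure, compensating controls) by business impact, so an
isolated contractor laptop with a critical finding ranks below an executive's
laptop with a medium one. All weights and sample data below are made up for
illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: float          # 0..1, e.g. from data classification or owner role
    exposure: float                 # 0..1: 0.2 isolated segment, 1.0 internet-facing
    controls: frozenset = frozenset()  # compensating controls present on this asset


@dataclass(frozen=True)
class Finding:
    asset: Asset
    title: str
    severity: float                 # CVSS-style base score, 0..10
    exploit_available: bool         # public exploit or known active exploitation
    mitigated_by: frozenset = frozenset()  # controls that would blunt this finding


def risk_score(f: Finding) -> int:
    """Return a 0..100 score for how much damage this finding could realistically cause."""
    likelihood = f.severity / 10.0
    if f.exploit_available:
        likelihood = min(1.0, likelihood * 1.5)   # weaponized issues get hit sooner
    likelihood *= f.asset.exposure                # hard-to-reach hosts are attacked less
    for _ in f.mitigated_by & f.asset.controls:   # each effective control halves likelihood
        likelihood *= 0.5
    return round(100 * likelihood * f.asset.business_impact)


def prioritize(findings):
    """Risk-based ordering: highest risk score first."""
    return sorted(findings, key=risk_score, reverse=True)


def severity_order(findings):
    """What a legacy scanner shows: highest CVSS first, no asset context."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)


# --- constructed sample inventory and findings -------------------------------
CONTRACTOR = Asset("contractor-laptop", business_impact=0.2, exposure=0.2,
                   controls=frozenset({"segmented-network", "edr"}))
CFO = Asset("cfo-laptop", business_impact=0.9, exposure=0.6,
            controls=frozenset({"edr"}))
WEB = Asset("public-web-server", business_impact=0.8, exposure=1.0,
            controls=frozenset({"waf"}))

CONTRACTOR_RCE = Finding(CONTRACTOR, "Critical RCE in outdated browser", 9.8, True,
                         mitigated_by=frozenset({"edr"}))
CFO_FINANCE = Finding(CFO, "Out-of-date financial software", 6.5, False)
WEB_SQLI = Finding(WEB, "SQL injection in login form", 9.1, True,
                   mitigated_by=frozenset({"waf"}))
FINDINGS = [CONTRACTOR_RCE, CFO_FINANCE, WEB_SQLI]

if __name__ == "__main__":
    print("Severity-only order (legacy scanner view):")
    for f in severity_order(FINDINGS):
        print(f"  {f.severity:4.1f}  {f.asset.name:20} {f.title}")
    print("Risk-based order:")
    for f in prioritize(FINDINGS):
        print(f"  {risk_score(f):3d}  {f.asset.name:20} {f.title}")
```

Severity alone ranks the contractor's 9.8 first; the risk score puts it last (2) because the host is isolated, low-impact and covered by a control that blunts the finding, while the CFO's 6.5 scores 35 and the internet-facing SQL injection, even behind a WAF, scores 40. In a real platform the inputs would come from continuous inventory and threat intelligence rather than hand-typed constants, but the shape of the calculation is the point.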

This is akin to what’s happened in the anti-malware space where legacy vendors such as Symantec and McAfee catch known viruses, and AI-based companies such as Cylance are able to detect new malware. One doesn’t replace the other. Customers need both for maximum protection. Unfortunately, such a unified product doesn’t exist in the anti-malware market yet. But one does for risk-based vulnerability management. Balbix currently offers this capability, and Tenable has a defined roadmap to get there.

The Balbix/Tenable approach gives customers a complete view of the attack surface through a single pane of glass that includes vulnerability information across a very broad set of vulnerability types, as well as AI-derived risk and contextual information. The risk-based information and prioritized action list in the Balbix dashboard, for example, make it easy for security teams to ensure energy is being directed to close off the vulnerabilities and assets that could cause the most damage.

Locating vulnerabilities has been a core focus area for security professionals as long as we have had computer systems. Breaches occur when these vulnerabilities go unnoticed and unpatched. Traditional methods, such as vulnerability assessment and threat and vulnerability management, were effective in the past when the size of the attack surface was manageable. Today that's changed, and the attack surface has grown exponentially, as has the rate at which threats are hitting companies. AI-based risk-based vulnerability management provides security professionals with a complete view of the attack surface and the contextual knowledge to understand how to prioritize the security team's efforts. 
