Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

A Practitioner’s Perspective on Risk-Based VM: What People, Processes and Technologies Are Required?

Moving from legacy vulnerability management to a risk-based approach can be a paradigm shift, requiring not only new technologies, but changes in your existing processes and procedures. Here’s a brief overview of how you can get started.

Vulnerability management can often feel like a never-ending game of Whac-a-Mole. Fix one vulnerability and several more pop up elsewhere. As the number of new vulnerabilities continues to skyrocket, it’s become clear that legacy VM practices are no longer sufficient at keeping up and addressing the risks that matter most. 

The problem is legacy VM tools are inefficient at best. They assess only traditional, on-premises IT environments, and their periodic scans don’t reflect the evolving threat landscape. They also lack the context you need to prioritize which vulnerabilities to remediate first. 

Of course, this inefficiency didn’t happen overnight and isn’t the result of any one thing. Organizations have been slow to adapt to incremental changes in several different areas over time. Fortunately, the tools and best practices now exist to help your team quickly evolve your VM program to meet the demands of the modern attack surface.

Moving from reactive to proactive: The lifecycle for risk-based VM

As a general rule, you want to evolve from a highly reactive VM program, which is interrupt-driven and error-prone, to an approach that is proactive and strategic so you can maximize your efficiency and effectiveness. In other words, you need to get out of firefighting mode so you can focus on the vulnerabilities that pose the greatest risk. How can you accomplish this? In addition to investing in an expanded set of tools, your organization will need to update its VM policies and procedures to keep pace with evolving cyberthreats.

At Tenable, we think about this organizational process as a five-step lifecycle:

Cyber Exposure Lifecycle for Risk-Based VM

Rather than just discovering and assessing vulnerabilities, risk-based VM enables you to effectively prioritize them by understanding the full context of each vulnerability, determine the appropriate action to take, and calculate key metrics as well as compare against industry standards. A few of the many ways this can benefit your organization includes: 

  • Prioritize valuable security and IT resources
  • Optimize the team’s efficiency
  • Reduce business risk
  • Minimize VM program costs
  • Improve security reporting
  • Build confidence across the C-suite

Discover critical business services across your attack surface

The first step in a risk-based VM strategy is to take the time to truly understand your business environment. That means determining and prioritizing business-critical services and applications, identifying service and application owners and other stakeholders, and evaluating existing security and applicable IT policies and processes. 

You don’t necessarily need tools for this step, but you do need cooperation from the rest of your organization – particularly from the owners of all business-critical assets, applications and services. You need their permission to access their assets for scans, patching and other security measures. You also have to work out a schedule to ensure that your actions won’t interfere with the availability of their services.

Assess your network with frequent scans to eliminate blind spots

Next, you’ll need to fully assess all your assets. That means you’ll need a new scanner – one that can go beyond your traditional IT network to assess your entire attack surface, including any assets you have in cloud, operational technology (OT) and container environments. Having an integrated web app scanner is important too, since the majority of your organization’s sensitive data lives in, or runs through, apps – which has made the application layer a primary attack vector.

But simply upgrading your tools isn’t enough. You’ll also need to examine your security processes. Are you scanning enough of your network? Any assets your scanners can’t see puts you at risk from critical vulnerabilities that may reside on those assets. You also have to determine if you’re scanning frequently enough. Many organizations employing legacy VM methods scan monthly or less frequently. As a result, they’re basing their remediation decisions on old, outdated information. The threat landscape is dynamic in nature, so you’ll want your security intelligence to be dynamic, as well.

Prioritize vulnerabilities based on asset criticality and attacker activity

Once you can see all the vulnerabilities across your entire attack surface, you need to understand them in the context of business risk and use that data to prioritize your team’s efforts. That means you need a VM platform capable of analyzing the vulnerability data that comes from your scanners, together with other essential contextual elements, including the criticality of the affected assets and an assessment of current and likely future attacker activity. 

Of course, analyzing all this data simply isn’t practical to do on your own. So, you’ll want your VM platform to employ automation and machine learning, so it’s capable of rendering an accurate decision in seconds.

As you continue to refine your prioritization strategy, make sure your assessment windows work well for each asset to minimize business disruptions while achieving reasonable service-level agreements (SLAs). This is tied to the work you did in step 1, when you took the time to understand the business environment and established agreements on patch windows. After all, achieving your SLAs is meaningless if the cost to the business is greater than the benefit of the fix.

Remediate or mitigate critical vulnerabilities 

Once you’ve determined which vulnerabilities are the highest priority, you’ll want your VM platform to tightly integrate with your ticketing system so you can send tickets directly to IT, pre-populated with the information they’ll need to understand what to fix, how to fix it and why it’s a priority. Auto-ticketing capabilities further streamline the effort and maximize the efficiency of the entire process. Communications should also be bi-directional so IT can initiate scans to validate their remediations.

Keep in mind that you can’t remediate everything, and doing so isn’t necessarily the best use of your security resources. Instead, you’ll want to determine the implications of remediating each prioritized vulnerability. Is remediation feasible? If not, are mitigation factors in place that reduce or neutralize the threat exposure? Can you afford to simply accept the risk and take no action at all? Risk acceptance may be appropriate if the vulnerability is on a non-critical asset, or it may be necessary if the remediation runs the risk of breaking critical processes that are running on the asset.

In many cases, you’ll need to get agreement from each asset owner on your response plan before you take any action. And once you perform the remediation, you’ll need to validate its effectiveness before moving on to the next vuln.

Measure to communicate your security progress

Finally, you need a rich set of reporting and analysis tools to effectively communicate the team’s efficiency – to gain and maintain management’s confidence in your abilities. In addition to the tools, themselves, you’ll need to work with the various security groups throughout the organization to develop common dashboards that ensure consistent reporting. You’ll also need to work with your management to decide when and how often reporting should occur.

As with most of the prior steps we’ve discussed, the weaknesses you’ll need to address here are on the human side, rather than with the technology. You’ll need to decide as an organization what KPIs are most important, so each team can deliver consistent reports that can be easily rolled up to encompass multiple areas of responsibility, or even the company as a whole, so that the CISO can clearly report your progress to the board.

Risk-based VM is the foundation of a modern security strategy

Implemented correctly, a risk-based VM strategy can help you prioritize your remediation efforts to focus first on the assets and vulnerabilities that matter most. As a result, you’ll be able to make the most efficient use of your limited security resources by reducing the greatest amount of risk with the least amount of effort. This newfound efficiency will free some of your most senior resources to work on more strategic security initiatives.

Want to learn how to put this framework into practice? Download our whitepaper, Reference Architecture: Risk-Based Vulnerability Management



作者:Robert Huber•2020 年 9 月 16 日 - 上午 8:51

订阅 Tenable 博客

免费试用 立即购买

选择 Tenable.io

免费试用 30 天

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即注册。

立即购买 Tenable.io

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65 项资产


免费试用 立即购买

免费试用 Nessus Professional

免费试用 7 天

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买 Nessus Professional

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级支持功能,获取一年 365 天、一天 24 小时的电话、社区和聊天支持。完整介绍请见此处。

免费试用 立即购买

试用 Tenable.io Web Application Scanning

免费试用 30 天

完整享有专为现代化应用程序而设、属于 Tenable.io 平台组成部分的最新 Web 应用程序扫描功能。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。 立即注册。

购买 Tenable.io Web Application Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 个 FQDN



免费试用 联系销售人员

试用 Tenable.io Container Security

免费试用 30 天

完整获得已集成至漏洞管理平台之唯一容器安全产品的功能。监控容器映像中的漏洞、恶意软件和策略违规。与持续集成和持续部署 (CI/CD) 系统进行整合,以支持 DevOps 实践、增强安全性并支持企业政策合规。

购买 Tenable.io Container Security

Tenable.io Container Security 经由与构建流程的集成,可供全面了解容器映像的安全性,包括漏洞、恶意软件和策略违规,借以无缝且安全地启用 DevOps 流程。

获取 Tenable.sc 演示

请将您的联系方式填写在下方表格中,我们的销售代表很快与您联系安排演示。您也可以写下简短评论(不得超过 255 个字符)。请注意,带星号 (*) 的字段为必填项。

免费试用 联系销售人员

试用 Tenable Lumin

免费试用 30 天

通过 Tenable Lumin 直观呈现及探索 Cyber Exposure,长期追踪风险降低状况,并比照同行业者进行基准度量。

购买 Tenable Lumin

联系销售代表,了解 Lumin 如何帮助获取整个企业的洞见并管理网络安全风险。

申请演示 Tenable.ot