Prioritizing Security Risks—Not Vulnerabilities

By Bill Dunnion

With an attack surface that is borderless, complex, and connected to everyone and everything, fully protecting the business from data breaches and their far-reaching consequences is difficult, bordering on impossible.

A company that relies on traditional firewall and antivirus security alone is ignoring the need for a holistic approach to cyber security, and today such an approach is essential: according to Hosting Tribunal, 73% of black hat hackers (those with criminal intent) said traditional firewall and antivirus security are irrelevant or obsolete. That does not make those controls worthless. They are one of many layers of defense a company can put in place, and no single solution addresses every security threat.

That brings us to vulnerability and patch management. First, consider vulnerability management and how it helps in the fight against cyber crime. Companies must understand the types of vulnerabilities that exist and have in-depth knowledge of their attack surface, which includes containers, mobile devices, IoT devices, cloud instances, web applications, and point-of-sale (POS) terminals. They must also account for endpoints, which are a massive and growing attack surface and, as such, a highly appealing target for cyber criminals.

A vulnerability, according to Gartner (2019), is only as bad as the threat exploiting it and the impact it has on the business. The best approach, therefore, is to run the vulnerability management program on the basis of risk: the likelihood that a threat actor will exploit the vulnerability, combined with the impact on the business if they do. A technical severity score on its own does not capture either factor. Rank findings by that risk and work the list in order, so that less risky vulnerabilities are not addressed before riskier ones. The less risky ones still get fixed, but later, on a longer timeline, because they are less likely to be exploited.

To help prioritize IT risks, look at threat intelligence, which “…is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard” (Gartner). With such real-time data, companies can fine-tune their processes and act preemptively, for example by feeding exploit-activity intelligence into the patch management program so that actively exploited flaws move to the front of the queue.

Although the open source community effectively polices its own code, finding and fixing flaws in the open, it is difficult to know whether the open source components used in an application are up to date with all critical patches applied. To keep the risk from open source components low, continually track those components and their transitive dependencies, and keep up with open source community advisories and updates through automated open source management tools.

This brings us to patch management, a critical tool that, implemented properly, does help to prevent breaches. Breaches have occurred because patches were not applied soon after release, giving cyber criminals an easy opportunity: when a patch is released, the vulnerability is effectively disclosed, and attackers can reverse-engineer the fix to find the flaw it closes. In other words, patch as soon as possible, and automate as much as possible. With cloud-based automated patch management software, regular scans can be scheduled and patches can be applied automatically or only when defined conditions are met (for example, after the patch has succeeded on a pilot group of systems).

A risk-based approach to threat and vulnerability management provides a benchmark: a rating that helps the business judge how likely a risk is to materialize, whether it is above acceptable levels, and how soon action should be taken. Through automation, tasks can be quickly delegated and remediation actions undertaken within established timelines. This is critical as the number and sophistication of cyber attacks continue to grow.
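The following is an added example, not code from the article or from any vendor product, showing what the risk rating described above can look like in practice: each finding is scored as likelihood (threat intelligence on exploit availability, exposure, severity) times business impact, mapped to a remediation tier with a timeline, and compared against an acceptable-risk line. Every weight, threshold, SLA and sample finding is an assumption chosen for illustration; the identifiers are constructed and are not real CVEs.

```python
# Added example (not from the article or any vendor product): a toy
# risk-based prioritisation model. Every weight, tier threshold and SLA
# below is an assumption chosen for illustration, not a published standard.
from dataclasses import dataclass
from typing import Any, Dict, List

# Threat-intelligence signal for exploit availability (assumed categories):
# "active" = exploitation observed in the wild, "poc" = public proof of
# concept, "none" = nothing known. This is the "threat exploiting it" factor.
EXPLOIT_WEIGHT = {"active": 1.0, "poc": 0.6, "none": 0.2}

# Remediation tiers as (minimum score, name, SLA in days). Assumed values,
# ordered highest first; the 0.0 floor guarantees every score gets a tier.
TIERS = [(6.0, "critical", 7), (3.0, "high", 30), (1.0, "medium", 90), (0.0, "low", 180)]


@dataclass
class Vuln:
    vuln_id: str            # tracking id; the samples below are constructed
    asset: str
    cvss_base: float        # 0.0-10.0 technical severity; not risk by itself
    exploit: str            # threat-intel category: "active", "poc" or "none"
    internet_facing: bool   # exposure: can an outsider reach it?
    asset_criticality: int  # 1 (disposable) .. 5 (crown jewel): business impact


def risk_score(v: Vuln) -> float:
    """Risk = likelihood x impact, scaled to 0..10.

    Likelihood combines exploit availability, exposure and severity;
    impact is the business criticality of the affected asset.
    """
    if v.exploit not in EXPLOIT_WEIGHT:
        raise ValueError(f"unknown exploit status {v.exploit!r}")
    if not 0.0 <= v.cvss_base <= 10.0 or not 1 <= v.asset_criticality <= 5:
        raise ValueError(f"out-of-range inputs for {v.vuln_id}")
    exposure = 1.0 if v.internet_facing else 0.5
    likelihood = EXPLOIT_WEIGHT[v.exploit] * exposure * (v.cvss_base / 10.0)
    impact = v.asset_criticality / 5.0
    return round(10.0 * likelihood * impact, 2)


def remediation_tier(score: float) -> Dict[str, Any]:
    """Map a score to a tier name and SLA using the TIERS table."""
    for minimum, name, sla_days in TIERS:
        if score >= minimum:
            return {"tier": name, "sla_days": sla_days}
    raise AssertionError("TIERS must end with a 0.0 floor")


def triage(vulns: List[Vuln], accept_below: float = 0.5) -> List[Dict[str, Any]]:
    """Return findings ordered by risk, highest first, each with its tier,
    SLA and whether it clears the organisation's acceptable-risk line."""
    rows = []
    for v in vulns:
        score = risk_score(v)
        row = {"vuln_id": v.vuln_id, "asset": v.asset, "score": score,
               "actionable": score >= accept_below}
        row.update(remediation_tier(score))
        rows.append(row)
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings (ids and hosts are made up for illustration).
SAMPLE = [
    # High CVSS, but no known exploit, internal only, low-value test box.
    Vuln("VULN-001", "build-test-03", 9.8, "none", False, 2),
    # Lower CVSS, but actively exploited on an internet-facing crown jewel.
    Vuln("VULN-002", "payments-gw-01", 7.5, "active", True, 5),
    # Public PoC exists, internet-facing, important but not critical asset.
    Vuln("VULN-003", "www-cms-02", 6.5, "poc", True, 4),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        note = "" if row["actionable"] else "(below accepted-risk line)"
        print(f"{row['vuln_id']:9} {row['asset']:15} score={row['score']:<5} "
              f"{row['tier']:8} due in {row['sla_days']:3}d {note}")
```

Run as a script, the CVSS 9.8 finding on the internal test host lands at the bottom of the list (score 0.39, low tier, below the accepted-risk line), while the actively exploited CVSS 7.5 flaw on the internet-facing payment gateway scores 7.5 and gets the seven-day SLA. That inversion is the whole point of scoring risk rather than severity; the weights themselves should be tuned to the organisation's own asset inventory and threat intelligence feed.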

When a business implements risk-based vulnerability management, it gets the best of both worlds: the traditional vulnerability assessment and a current threat and vulnerability management program, unified in one platform.

Stop looking at vulnerabilities without context. Implement a risk-based vulnerability management program. Integrate security intelligence. Prioritize risks. And secure your IT environment with real-time defenses.