Vulnerability Management is the process of identifying, assessing, prioritising, and remediating ‘known’ vulnerabilities affecting digital systems and applications. Vulnerability Management is typically performed using automated scanning tools that assess the technologies and software used by an organisation to locate previously signatured and catalogued vulnerabilities, guiding patching and mitigation efforts accordingly.
Why do organisations need Vulnerability Management?
Despite routine vulnerability scanning being a core part of ongoing security assurance activity since the late 90’s, it’s not a problem that the security industry has solved (yet).
Cost of a data breach
According to the annual Ponemon Cost of a Data Breach report, the average cost of a data breach in 2022 was £3.93m, continuing its year-on-year rise. The UK in particular experienced an 8.1% increase on 2021 – higher than in the EU. In addition to direct costs, cyber attacks often result in a range of indirect impacts, such as the loss of customer confidence and regulatory sanctions, that can have prolonged effects on business operations.
High prevalence of vulnerability exploitation
Vulnerability exploitation continues to be one of the most prevalent cyber ‘breach vectors’ used by adversaries; i.e. the ways that an attacker can bypass a network’s outer defences to access valuable internal systems and data. Recent reports place vulnerability exploitation as one of the most prevalent breach vectors in 2022, often taking the top spot.
Reports such as Mandiant’s M-Trends (2023) found vulnerability exploitation to be the most prevalent breach vector in 2022, appearing in 32% of the intrusions that they investigated.
Financial impact
This initial step in the attack chain is then leveraged by attackers to achieve various nefarious goals with the potential to severely impact the business operations of their victims. Data theft and extortion for financial gain typically follows, with attackers often deploying Ransomware as the vehicle to achieve these goals.
According to the Verizon DBIR (2023) financial gain continues to be the primary motivation for 95% of attacks.
What challenges do organisations face when managing vulnerabilities?
Organisations are faced with a significant (and ever growing) challenge to stay on top of the vulnerabilities affecting their digital systems.
Huge volume of vulnerabilities
In the year 2000 there were just 1,020 published vulnerabilities in the newly created Common Vulnerability and Exposure (CVE) system. As of July 2023, there are 220,198 vulnerabilities in the NIST National Vulnerability Database (NVD), of which 74,505 are categorised as either critical or high. In 2022 alone, there were 25,080 vulnerabilities disclosed in 2022, an 18.78% increase over 2021, of which 50% were ranked critical and high.
Time burden
A typical medium-to-large organisation spends hundreds of hours per week on identifying, prioritising, and remediating vulnerabilities through patching and mitigations. This creates a significant overhead for employees (typically business application owners, software developers, and IT/security managers) that detracts from value-adding activities. Organisations can typically only remediate between 5% and 20% of their vulnerabilities – resulting in them falling further behind as vulnerabilities continue to emerge.
The danger of automation
Typical methods of vulnerability scanning can worsen the situation further. Often, automated vulnerability management produces superfluous findings, false-positives and incorrectly assigned risk ratings. This level of noise creates a technical barrier to organisations making informed decisions and can lead to exploitable issues being missed, increasing the likelihood of a security breach and leading to wasted remediation effort in less threatening areas.
Redcentric’s approach to Vulnerability Management
Putting the human back into automation
Redcentric Vulnerability Management is designed to overcome the limitations of conventional approaches by putting the human back into automation, considering contextual factors to optimise and prioritise the process for our clients.
Applying contextual knowledge
We utilise a modified vulnerability scoring framework and draw on our comprehensive vulnerability knowledgebase, built and continually refined through our extensive experience of performing adversarial testing and responding to live cyber incidents on behalf of our clients. This enables Redcentric to enrich vulnerability findings with the practical experience of which issues are likely to be exploited in context, eliminating common false positives and re-categorising findings based on our real-world knowledge of how vulnerabilities are practically leveraged by attackers.
Despite the huge numbers of vulnerabilities, in reality, fewer than 10% of known vulnerabilities are ever exploited in the wild. As attackers will naturally take the path of least resistance, prioritising vulnerabilities with exploit code that already exists on the internet is an effective method of filtering out the noise. For example, in 2022 of the 25,080 vulnerabilities identified, only 565 were susceptible to publicly available exploits.
Combining automation with human analysis
The Redcentric service is underpinned by our proprietary Clarus platform, combining automation with human analysis to produce an accurate risk assessment. We consider a range of factors when classifying vulnerabilities, such as:
- Whether exploit code exists on the public internet.
- Whether exploit code is likely to become publicly available in the future.
- The extent to which the vulnerability has been exploited previously.
- Our own experience of identifying, exploiting, and classifying the vulnerability or related issues.
- Adjustments made with the specific client over time to re-categorise the issue in context.
By engaging intelligent human experts, the information we hold about the client’s environment, threat model, and business context can be flexibly applied to modify the risk score in a way that automated-only solutions cannot.
We work with our clients throughout the end-to-end vulnerability management process. Data is validated and translated into a business focussed, cloud-based remediation tracker, which can be integrated with the Redcentric ticketing system and other common ITSM platforms to provide comprehensive visibility and traceability.
What benefits and outcomes does Vulnerability Management provide?
- Identify, track, and remediate vulnerabilities as they emerge to reduce susceptibility to exploit-based attacks.
- Prioritise patching and mitigation efforts to manage the risk of vulnerability exploitation.
- Reduce vulnerability noise associated with false positives and low-impact issues to streamline remediation efforts.
- Added value for the price of buying and operating a scanner yourself (as compared to the most popular COTS options) without the overhead of administering it.
You should consider this service if you:
- Have a large backlog of vulnerabilities, with issues going unpatched for extended periods of time.
- Are unable to effectively manage or prioritise vulnerabilities due to time and resource constraints.
- Are failing to effectively utilise the output from your existing vulnerability and asset management tooling.
For help with your vulnerability management program, contact Redcentric today. Whether it’s your first one or you need help updating your existing one to handle the added vulnerabilities your network has, Redcentric can help.
