Risk-based vulnerability management has produced demonstrable results

Several years ago, risk-based cybersecurity was a largely untested and hotly debated topic.


But the tests have since been administered and the debate largely settled: risk-based cybersecurity produces proven results. The data shows that risk-based vulnerability management (RBVM) programs allow companies to get measurably better results with less work. Extrapolating from there, it’s possible to make a broad case that risk-based programs are a necessary component of enterprise cybersecurity.

It wasn’t always easy to make this case. To understand how risk-based security has answered its critics, we must review a bit of recent history.

The past

For the past couple of decades, the cybersecurity industry has aligned itself around the “maturity model” of cybersecurity. In the maturity model the security team builds or buys certain capabilities according to an industry standard.

But the maturity model, McKinsey says, “can never be more than a proxy for actually measuring, managing, and reducing enterprise risk.” In other words, a company might implement 2FA, or install a firewall, because that’s what everyone else did, but it can’t know whether those actions reduced their risk without ground truth data. To be sure, implementing a WAF in blocking mode could close off one path, but if there’s an easier way in, the organization hasn’t necessarily lowered its risk just by having one.

Risk-based cybersecurity arose in this context. Its willingness to question whether fixing everything is always the best choice often led critics to dismiss it.

In no cybersecurity discipline was this disparity more glaring than in the field of vulnerability management. As maturity models added more and more monitoring services, those systems found more and more vulnerabilities. Most of these vulnerabilities posed little to no risk, either because they were found on systems that were not exposed, because mitigating controls were already in place, or because there was no known exploit or observed attack against the vulnerability in question.

In the maturity model, each vulnerability demanded a patch, because there could always be some unknown exploit lurking out there. Except that wasn’t a reasonable request. On average, companies patch one out of every ten vulnerabilities, and even the best companies only cover one out of every four. Enter risk-based vulnerability management, which tackles the problem with a data-driven perspective.

Risk-based vulnerability management

Risk-based vulnerability management doesn’t ask “How do we fix everything?” It merely asks, “What do we actually need to fix?” A series of research reports from the Cyentia Institute have answered that question in a number of ways, finding, for example, that attackers are more likely to develop exploits for some vulnerabilities than others.

Research has shown that, on average, about 5 percent of vulnerabilities actually pose a serious security risk. Common triage strategies, like patching every vulnerability with a CVSS score above 7, were, in fact, no better than chance at reducing risk.
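To make the contrast concrete, here is an added example (not code from the article or from Cyentia) that scores a small constructed inventory two ways: the CVSS-threshold rule the paragraph criticises, and a risk-based rule built from the three factors the article names (exposure, mitigating controls, known exploit). It also computes the "days to patch half of high-risk findings" measure the article cites later; the Finding fields, the risk rule and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    vuln_id: str         # constructed label, not a real CVE identifier
    cvss: float
    exploit_known: bool  # a public exploit or observed attacks exist
    exposed: bool        # reachable from an untrusted network
    mitigated: bool      # a compensating control already blocks the path

def cvss_threshold_queue(findings, threshold=7.0):
    """Maturity-model rule: patch everything at or above a CVSS cutoff."""
    return {f.vuln_id for f in findings if f.cvss >= threshold}

def risk_based_queue(findings):
    """RBVM rule (assumed here): fix what is exposed, unmitigated and exploited."""
    return {f.vuln_id for f in findings
            if f.exploit_known and f.exposed and not f.mitigated}

def compare_policies(findings):
    """Workload of each rule and how much of the high-risk set the CVSS rule reaches."""
    high_risk = risk_based_queue(findings)
    queue = cvss_threshold_queue(findings)
    return {
        "cvss_workload": len(queue),
        "rbvm_workload": len(high_risk),
        "cvss_coverage": len(queue & high_risk) / max(len(high_risk), 1),
        "cvss_wasted": len(queue - high_risk),  # patched but not high-risk
    }

def days_to_fix_half(fix_days):
    """Days until half of the high-risk findings are closed (the article's
    158-day -> 27-day measure). None entries are findings still open."""
    closed = sorted(d for d in fix_days if d is not None)
    needed = -(-len(fix_days) // 2)  # ceiling of half the population
    return closed[needed - 1] if len(closed) >= needed else None

# Constructed sample inventory: CVSS alone is a poor proxy for the three
# risk factors the article names (exposure, mitigation, known exploit).
SAMPLE = [
    Finding("V-01", 9.8, True, True, False),
    Finding("V-02", 9.1, False, False, False),
    Finding("V-03", 7.5, False, True, False),
    Finding("V-04", 7.2, True, True, True),
    Finding("V-05", 6.5, True, True, False),
    Finding("V-06", 5.3, True, True, False),
    Finding("V-07", 4.3, False, False, False),
    Finding("V-08", 8.8, False, False, True),
]
```

On this sample the CVSS rule queues five patches yet reaches only one of the three findings that are actually exposed, unmitigated and exploited, which is the "more work, less risk reduction" pattern the paragraph describes.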

But now we can say that companies using RBVM programs are patching a higher percentage of their high-risk vulnerabilities. That means they are doing more, and there’s less wasted effort. (Which is especially good because patch management is resource-constrained.)

The time it took companies to patch half of their high-risk vulnerabilities was 158 days in 2019. This year, it was 27 days.

And then there is another measure of success. Companies start vulnerability management programs with massive backlogs of vulnerabilities, and the number of vulnerabilities only grows each year. Last year, about two-thirds of companies using a risk-based system reduced their vulnerability debt or were at least treading water. This year, that number rose to 71 percent.

When a company discloses that its networks have been breached and that its data has been stolen or encrypted for ransom, there is a steady drumbeat of critics. The company, these critics contend, is somehow at fault. Its security team didn’t do EVERYTHING it could have to prevent the breach. The proof of this doesn’t lie in any knowledge of what preventative steps the security team took, but in the fact that it got breached. Victim blaming was alive and well in cybersecurity.

Thankfully, this mindset is fading away. But when cybersecurity companies with risk-based approaches began entering the market, they faced headwinds from the security nihilism crowd who thought if you can’t fix everything, then “why bother?”

We can now say that, when it comes to vulnerability management – a complex, yet fundamental cybersecurity discipline – the risk-based approach has produced clear results. The proof is in the data.

Enterprises that use risk-based approaches to vulnerability management are getting faster and smarter at this foundational cybersecurity discipline. They are doing less work and seeing more impactful security improvements. It’s encouraging to see these year-over-year improvements and we believe this trend is likely to continue.
