Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Not All Vulnerabilities Are Created Alike: Focus on What Matters Most

As the number of security vulnerabilities continues to skyrocket, prioritization is necessary for organizations to effectively reduce their cyber risk.

For more than two years, I’ve explained to security professionals at all levels that the dramatic increase in vulnerabilities discovered each year, coupled with the expanding attack surface from the emergence of modern networks, has created the perfect storm that has buried them in a proverbial pile of vulnerabilities. In fact, I frequently grab their attention by making a sweeping statement: 

“Regardless of your company size, you will never have enough human or financial resources to remediate every vulnerability across your attack surface.”

But this statement is more than just a marketing tagline or cheap ploy for attention. It’s a fact that organizations of all sizes grapple with every single day. Think about it: small companies may only have tens of thousands of vulnerabilities, but they also have a correspondingly small team. In fact, the “team” may consist of one person who manages security on a part-time basis, in addition to other primary responsibilities. On the other end of the spectrum, large enterprises likely have tens of millions of vulnerabilities, outpacing the bandwidth of even a fully-staffed operation of dozens of full-time security analysts spread across multiple teams.

Why legacy methods are no longer sustainable 

To break this open, we really only have to ask ourselves, how many vulnerabilities can a single security analyst handle per day? Per week? Per month? Of course, the answer can vary dramatically for each individual vulnerability, but let’s presume that it takes roughly two hours to fully assess a single vulnerability. I believe that’s a fair estimate, considering the fact that when analysts pull a vulnerability, they have little more than a Common Vulnerabilities and Exposures (CVE) entry to begin with. 

How does one move from an otherwise meaningless CVE ID to a determination of relative importance to the organization? By investigating numerous public sources for information on the characteristics of the vulnerability and how it works, as well as its current and past prevalence. The investigation may even include sources such as social media sites and chatter on the dark web.

At an average rate of two hours per vulnerability, analysts can only reasonably be expected to assess four vulnerabilities a day, or roughly 80 per month. Even the smallest organization discovers more vulnerabilities than that each month. Looking at it through this lens, it’s easy to see how 81 percent of security teams fall behind in their assessments, with no real hope of catching up.

Focus on the few vulns that pose actual risk

While I stand by the big statement that you’ll never be able to fix everything, the good news is that you don’t have to! In fact, odds are that your team is already staffed enough to remediate everything that truly matters. That’s because, according to Tenable Research, only about 20 percent of vulnerabilities ever have an exploit available, and only a fraction of those are actually ever exploited in the wild.

By understanding your vulnerabilities in the context of business risk, your team can use that data to prioritize its efforts, reducing the greatest amount of risk with the least amount of effort. That means going beyond just Common Vulnerability Scoring System (CVSS) base scores to also include contextual elements such as the criticality of affected assets, continuously updated threat and exploit intelligence and predictive technologies to determine which vulnerabilities are most likely to be exploited in the near future. 

Join the elite group of risk-minded security leaders 

According to Tenable Research, only 5.5 percent of organizations are gaining ground in their remediation efforts. By taking a risk-based approach to vulnerability management, you can be one of them. Risk-based VM helps you understand vulnerabilities in the context of business risk, so you can focus on the vulnerabilities and assets that matter most. In turn, organizations can focus their remediation efforts on the vulnerabilities that pose the most immediate risk while deprioritizing those that are unlikely to ever be exploited.

To learn more about concrete steps you can take to upgrade your VM program, download our free guide on How to Implement Risk-Based Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.