Risk-Based Vulnerability Management: Five Steps to Cybersecurity Success

Take charge of your cybersecurity program foundation with these five steps — discover, assess, prioritize, remediate and measure all assets across your computing environments.

Effective risk-based vulnerability management requires a strong process mapped directly to these five Cyber Exposure phases:

1. Discover

Inventorying all hardware and software assets in your entire attack surface is the first step in any vulnerability management program. Asset discovery is difficult because you are likely to have diverse asset types — including traditional IT, transitory, mobile, dynamic and operational technology — which often require different discovery technologies. You may be using disparate technologies from multiple vendors to discover these diverse asset types, which increases your acquisition and management costs. Using a variety of disjointed discovery products results in asset inventory silos, making it difficult — if not impossible — to map diverse assets to business services.

Understand your complete attack surface.

A complete inventory of every hardware and software asset across all of your computing environments — including IT, mobile, cloud and operational technology — is the foundation of vulnerability management. You must know all of the assets in your attack surface before you can adequately protect it.

Know which assets support specific business systems.

Group assets by business system to identify critical assets and to inform vulnerability assessment and remediation. Machine learning can suggest a criticality rating from information gathered in the discovery phase (installed software, network exposure, naming conventions), but the suggested rating should be confirmed by the asset owner before it drives prioritization.

Streamline IT asset management processes.

Integration between Tenable platforms and your IT Configuration Management Database (CMDB) provides you with an enterprise-class system of record for your assets. The Tenable platform improves CMDB data integrity by adding assets identified during the Discover phase that may have been previously unrecorded in the CMDB. Asset attributes in the CMDB, such as asset owner, administrator, location and SLA will inform downstream vulnerability management phases. Rich CMDB data facilitates IT service management processes, including asset management and change management.
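
The reconciliation described above, as an added example (this is not Tenable's code or its CMDB integration): records from a network scanner, a cloud inventory export and a CMDB are normalised into a common shape and merged on stable identifiers, and the result is checked for assets the CMDB does not know about and CMDB entries that discovery never saw. The three feeds and their field names are constructed assumptions; matching on MAC, cloud instance id and short hostname, but never on IP address, is this example's own rule.

```python
"""Merge asset records from several discovery sources into one inventory.

Added example, not Tenable's code. The three feeds below are constructed
samples; their field names are assumptions about what each tool exports.
"""

# Constructed exports. Each discovery source describes assets in its own schema.
SCANNER = [  # network scanner: hostname, IPv4 and MAC seen on the wire
    {"host": "web-01.corp.example", "ipv4": "10.0.1.10", "mac": "00:1A:2B:3C:4D:01"},
    {"host": "db-01.corp.example", "ipv4": "10.0.1.20", "mac": "00:1a:2b:3c:4d:02"},
    {"host": "", "ipv4": "10.0.9.7", "mac": "00:1A:2B:3C:4D:99"},  # no name resolved
]
CLOUD = [  # cloud inventory API: instance id, private IP, tags
    {"instance_id": "i-0abc123", "private_ip": "10.0.1.10", "tags": {"Name": "web-01"}},
    {"instance_id": "i-0def456", "private_ip": "10.0.2.5", "tags": {"Name": "worker-03"}},
]
CMDB = [  # configuration management database: CI name, owner, business service
    {"ci": "WEB-01.CORP.EXAMPLE", "owner": "web-team", "service": "storefront"},
    {"ci": "db-01.corp.example", "owner": "dba", "service": "storefront"},
    {"ci": "legacy-fax.corp.example", "owner": "facilities", "service": "office"},
]


def normalise_host(name):
    """Lower-case and drop the domain so 'WEB-01.corp.example' and 'web-01' match."""
    return name.strip().lower().split(".")[0]


def extract(source, rec):
    """Map one raw record to (strong identifiers, IPs, attributes).

    MAC, cloud instance id and short hostname are treated as identity. IPs are
    carried along but never used for matching: DHCP and autoscaling reassign them.
    """
    if source == "scanner":
        ids = {("mac", rec["mac"].lower())}
        if rec["host"]:
            ids.add(("host", normalise_host(rec["host"])))
        return ids, {rec["ipv4"]}, {}
    if source == "cloud":
        ids = {("cloud", rec["instance_id"])}
        if rec["tags"].get("Name"):
            ids.add(("host", normalise_host(rec["tags"]["Name"])))
        return ids, {rec["private_ip"]}, {}
    if source == "cmdb":
        attrs = {"owner": rec["owner"], "service": rec["service"]}
        return {("host", normalise_host(rec["ci"]))}, set(), attrs
    raise ValueError("unknown source: " + source)


def _fold(dst, src):
    """Absorb asset src into dst (two partial records turned out to be one host)."""
    dst["ids"] |= src["ids"]
    dst["ips"] |= src["ips"]
    dst["sources"] |= src["sources"]
    for k in ("owner", "service"):
        dst[k] = dst[k] or src[k]


def reconcile(feeds):
    """feeds: {source_name: [raw records]} -> list of merged asset dicts."""
    assets, index, dead = [], {}, set()   # index: identifier -> position in assets
    for source, records in feeds.items():
        for rec in records:
            ids, ips, attrs = extract(source, rec)
            hits = sorted({index[i] for i in ids if i in index})
            if hits:                       # join every asset sharing an identifier
                pos = hits[0]
                for h in hits[1:]:
                    _fold(assets[pos], assets[h])
                    dead.add(h)
            else:
                pos = len(assets)
                assets.append({"ids": set(), "ips": set(), "sources": set(),
                               "owner": "", "service": ""})
            asset = assets[pos]
            asset["ids"] |= ids
            asset["ips"] |= ips
            asset["sources"].add(source)
            for k, v in attrs.items():
                asset[k] = asset[k] or v
            for i in asset["ids"]:
                index[i] = pos
    return [a for n, a in enumerate(assets) if n not in dead]


def cmdb_gaps(inventory):
    """Discovered assets the CMDB does not know, and CMDB entries nothing discovered."""
    unrecorded = [a for a in inventory if "cmdb" not in a["sources"]]
    stale = [a for a in inventory if a["sources"] == {"cmdb"}]
    return unrecorded, stale


if __name__ == "__main__":
    inventory = reconcile({"scanner": SCANNER, "cloud": CLOUD, "cmdb": CMDB})
    unrecorded, stale = cmdb_gaps(inventory)
    print(len(inventory), "assets;", len(unrecorded), "missing from CMDB;",
          len(stale), "stale CMDB entries")
```

With the constructed feeds, web-01 is seen by all three sources and ends up as one asset carrying its CMDB owner and service; the unnamed device on 10.0.9.7 and the cloud worker are the assets to add to the CMDB, and the legacy fax CI is the entry to investigate because nothing discovered it.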

"[We have] live discovery of every Netskope asset, providing dynamic and holistic visibility across the modern attack surface (cloud, data center, IoT, etc.). This includes automating asset discovery, particularly assets in their cloud infrastructure, including containers."
Netskope, customer case study

2. Assess

Assessing assets for vulnerabilities and misconfigurations across your complete attack surface is challenging because of the diversity of asset types. Your asset mix likely includes traditional IT, transitory, mobile, dynamic and operational technology assets, which call for different assessment techniques (credentialed and network scans, agents for hosts that are rarely on the network, passive monitoring for fragile OT devices that must not be actively probed). All of these must nonetheless feed a single vulnerability management platform that delivers one unified view of exposures.

Understand cyber exposures across your attack surface.

Identify vulnerabilities, misconfigurations and other weaknesses in traditional IT, transitory, mobile, dynamic and operational technology assets.

Audit patching and configuration changes.

Ensure that vulnerabilities and misconfigurations are remediated as expected.

Inform incident management.

Automatically send vulnerability and misconfiguration information to your SIEM to enrich event data, help prioritize events for investigation and inform responses.

"Tenable.io provides us with a unified view of the state of all of our assets. We use it to run compliance scans in addition to system and network vulnerability scans across all our assets every night."
Francis Pereira, Head of Infrastructure, CleverTap (video case study)

3. Prioritize

Proactively respond to security issues by predicting which vulnerabilities are most likely to be used against you. Prioritizing by CVSS alone works poorly: the CVSS base score measures the intrinsic severity of a flaw, not whether anyone is actually exploiting it, so a large share of "critical" and "high" findings never see exploitation in the wild, and treating all of them as urgent wastes remediation time and resources. Prioritization should instead combine vulnerability metadata (score and vector, affected product, age) with threat intelligence (exploitation observed in the wild, public exploit code, use by malware), exploit availability and the criticality and exposure of the affected asset, and can apply machine learning across many such data sources to predict which vulnerabilities have the highest likelihood of exploitation. Taking a risk-based approach to prioritization reduces the probability of a business-impacting cyber event.

Identify vulnerabilities requiring immediate attention.

Prioritize vulnerabilities based on a combination of threat intelligence, exploit availability and vulnerability metadata.

Provide comprehensive vulnerability information to IT Operations for remediation.

Focus remediation resources on the vulnerabilities having the highest potential impact to your organization. Document what the vulnerability is, why it is a top priority and how it can be remediated.
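
A worked illustration of the prioritization argument above and of the what/why/how hand-off, added here as an example; it is not Tenable's scoring model or any vendor's. The weights in likelihood() are this example's own assumptions, and the findings are constructed samples with placeholder ids rather than real CVEs. It ranks the same four findings by CVSS alone and by a risk score that scales CVSS by exploitation likelihood and asset impact, then turns the top of the risk-ordered list into tickets that state what the issue is, why it comes first and how to fix it.

```python
"""Rank findings by likelihood of exploitation and business impact, not CVSS alone.

Added example; this is not Tenable's or any vendor's scoring model. The weights
are this example's own assumptions and the findings are constructed samples
with placeholder ids rather than real CVEs.
"""

FINDINGS = [
    {"id": "VULN-A", "asset": "intranet-wiki", "cvss": 9.8, "criticality": 2,
     "known_exploited": False, "public_exploit": False, "internet_facing": False,
     "fix": "upgrade wiki engine to the patched release"},
    {"id": "VULN-B", "asset": "payments-api", "cvss": 7.5, "criticality": 5,
     "known_exploited": True, "public_exploit": True, "internet_facing": True,
     "fix": "apply vendor hotfix and restart the service"},
    {"id": "VULN-C", "asset": "build-server", "cvss": 8.1, "criticality": 4,
     "known_exploited": False, "public_exploit": True, "internet_facing": False,
     "fix": "disable the legacy protocol in the daemon config"},
    {"id": "VULN-D", "asset": "kiosk-07", "cvss": 5.3, "criticality": 1,
     "known_exploited": False, "public_exploit": False, "internet_facing": False,
     "fix": "install the OS update"},
]

THREAT_SIGNALS = ("known_exploited", "public_exploit", "internet_facing")


def likelihood(f):
    """Weight for 'will this be used against us' (assumed weights, 0.1 to 1.0).

    known_exploited: exploitation observed in the wild (e.g. a KEV-style list)
    public_exploit:  working exploit code is publicly available
    internet_facing: reachable by any attacker, not only insiders
    """
    p = 0.10
    if f["known_exploited"]:
        p += 0.50
    if f["public_exploit"]:
        p += 0.25
    if f["internet_facing"]:
        p += 0.15
    return min(p, 1.0)


def impact(f):
    """Business impact from the asset's criticality rating (1 = low, 5 = crown jewel)."""
    return f["criticality"] / 5.0


def risk_score(f):
    """0..100: severity (CVSS) scaled by likelihood and impact."""
    return round(f["cvss"] / 10.0 * likelihood(f) * impact(f) * 100, 1)


def rank(findings, key=risk_score):
    """Highest first. Pass key=lambda f: f['cvss'] to see the CVSS-only order."""
    return sorted(findings, key=key, reverse=True)


def shortlist(findings, budget):
    """The few items handed to IT operations, each stating what, why and how."""
    tickets = []
    for f in rank(findings)[:budget]:
        signals = [s for s in THREAT_SIGNALS if f[s]]
        tickets.append({
            "what": "%s on %s (CVSS %.1f)" % (f["id"], f["asset"], f["cvss"]),
            "why": ", ".join(signals) or "severity and asset criticality only",
            "how": f["fix"],
            "score": risk_score(f),
        })
    return tickets


if __name__ == "__main__":
    print("CVSS order:", [f["id"] for f in rank(FINDINGS, key=lambda f: f["cvss"])])
    print("risk order:", [f["id"] for f in rank(FINDINGS)])
    for t in shortlist(FINDINGS, 2):
        print(t)
```

The CVSS-only ordering puts the 9.8 on an internal wiki first; the risk ordering puts the 7.5 on the internet-facing payments API first, because it is already being exploited in the wild, has public exploit code and sits on a criticality-5 asset. The budget argument to shortlist() is the "couple of hundred" rather than "10,000" from the quote below.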

"We can’t dump that list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us. If I give them a list of a couple of hundred? [...] They’ll engage."
Dan Bowden, CISO, Sentara Healthcare (video case study)

4. Remediate

Remediating vulnerabilities, misconfigurations and other weaknesses is challenging because, commonly, the infosec team members who identify and prioritize exposures must hand off remediation to a completely separate operations team. Even in the best circumstances the hand-off is error-prone; unclear expectations and instructions often undermine the operations team's ability to remediate the required exposures. A risk-based approach that states which vulnerabilities to fix first, and why, lets IT operations spend less time and effort for the same reduction in risk.

Reduced attack surface.

Successful remediation of vulnerabilities, misconfigurations and other weaknesses greatly reduces the probability of a business-impacting cyber event occurring.

Improved operational efficiency.

Focus remediation resources on vulnerabilities with the greatest potential impact on your organization. Document the vulnerability, why it is a top priority and how it can be remediated.

Increased confidence.

A closed-loop vulnerability management process ensures remediation is accomplished as expected. Remediation scans validate whether your remediation actions on the targets were successful: if a remediation scan no longer identifies a vulnerability on a previously affected target, the system changes the status of those vulnerability instances to mitigated. Treat that status change with care. A rescan only proves a fix if it ran under the same conditions as the scan that found the issue, so a rescan whose credentials failed, or that could not reach the host at all, should leave the finding open and flagged as unverified rather than silently closing it.
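
The closed-loop check just described, covering both the "audit patching and configuration changes" point in the Assess phase and the remediation-scan status change above, as an added example (not Tenable's code): previous findings are reconciled against the output of a remediation scan, and a finding is marked mitigated only when an authenticated rescan of the same host no longer reports it. The prior state, the rescan results and the placeholder vulnerability ids are constructed; the authenticated flag stands in for whatever a real scanner reports about its credentialed checks having run.

```python
"""Close the loop: update finding status from a remediation rescan.

Added example, not Tenable's code. PREVIOUS and RESCAN are constructed
samples with placeholder vulnerability ids; the 'authenticated' flag stands
in for whatever a real scanner reports about credentialed checks having run.
"""
from datetime import date

SCAN_DATE = date(2019, 12, 2)

# What the last assessment knew, keyed by (asset, vulnerability id).
PREVIOUS = {
    ("web-01", "VULN-A"): {"status": "open", "first_seen": date(2019, 11, 1)},
    ("web-01", "VULN-B"): {"status": "open", "first_seen": date(2019, 11, 1)},
    ("db-01", "VULN-A"): {"status": "open", "first_seen": date(2019, 10, 20)},
    ("app-02", "VULN-C"): {"status": "open", "first_seen": date(2019, 11, 5)},
    ("web-01", "VULN-D"): {"status": "mitigated", "first_seen": date(2019, 9, 1)},
}

# Remediation-scan output per host. app-02 was unreachable and is absent.
RESCAN = {
    "web-01": {"authenticated": True, "found": {"VULN-B", "VULN-D", "VULN-E"}},
    "db-01": {"authenticated": False, "found": set()},   # credentials failed
}


def reconcile_rescan(previous, rescan, today):
    """Return the updated {(asset, vuln): record} map.

    A finding is marked 'mitigated' only when an authenticated rescan of the same
    host no longer reports it. An unauthenticated or missing rescan cannot prove
    a fix, so those findings stay unresolved and are flagged 'unverified'.
    """
    state = {k: dict(v) for k, v in previous.items()}
    for (asset, vuln), rec in state.items():
        scan = rescan.get(asset)
        if rec["status"] == "mitigated" and (scan is None or vuln not in scan["found"]):
            continue                                   # already closed, nothing new
        if scan is None:
            rec["status"], rec["note"] = "unverified", "host not rescanned"
        elif vuln in scan["found"]:
            rec["last_seen"] = today
            if rec["status"] == "mitigated":
                rec["status"], rec["note"] = "reopened", "returned after being marked fixed"
            else:
                rec["status"], rec["note"] = "open", "still present"
        elif scan["authenticated"]:
            rec["status"], rec["note"] = "mitigated", "absent in authenticated rescan"
            rec["mitigated_on"] = today
        else:
            rec["status"], rec["note"] = "unverified", "rescan ran without credentials; absence is not evidence"
    # Findings the rescan reported that were not tracked before.
    for asset, scan in rescan.items():
        for vuln in scan["found"]:
            state.setdefault((asset, vuln), {"status": "open", "first_seen": today,
                                             "last_seen": today, "note": "new finding"})
    return state


def summary(state):
    """Count of findings per status, the number an ops lead wants after a rescan."""
    counts = {}
    for rec in state.values():
        counts[rec["status"]] = counts.get(rec["status"], 0) + 1
    return counts


if __name__ == "__main__":
    updated = reconcile_rescan(PREVIOUS, RESCAN, SCAN_DATE)
    for key, rec in sorted(updated.items()):
        print(key, rec["status"], "-", rec["note"])
    print(summary(updated))
```

On the constructed data only one finding is actually closed (VULN-A on web-01). VULN-A on db-01 also went unreported, but the rescan of db-01 ran without credentials, so it stays unverified; VULN-D on web-01 came back after being marked fixed and is reopened, which is the case a closed-loop process exists to catch.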

"By putting in the right tools, IT security is now able to get ahead and patch and remediate and resolve security issues before they are discovered by the bad guys."
Mike Koss, Head of IT Security & Risk, N Brown Group (video)

5. Measure

Measuring Cyber Exposure risk across your organization's entire attack surface is difficult because you must map all supporting assets to a business service, assign a criticality rating to each asset and factor in the vulnerabilities, misconfigurations and other weaknesses on each asset. Only then can you prioritize risk and present it to your technical and business stakeholders.

Automatically calculate your cyber exposure.

Risk-based exposure scoring weighs asset value and criticality together with each asset's vulnerabilities and their threat context, giving a clear picture of where to focus.

Communicate status to stakeholders.

Visualizations of the entire attack surface allow anyone — from analyst to executive — to quickly understand and communicate their organization’s Cyber Exposure.

Benchmark your performance.

Compare your Cyber Exposure Score to other internal organizations and to similar external organizations.

Compare your effectiveness internally and externally.

Measure the effectiveness of your risk-based vulnerability management program to enable a clear dialogue between technical and business leaders about where to improve and where to invest. To agree on a plan and the steps to take, compare how each part of the organization performs against the same key metrics, such as assessment frequency and coverage, exposure weighted by asset criticality, and time to remediate critical vulnerabilities.
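
The measurement and internal benchmarking described in this phase, as an added example (not Tenable Lumin's scoring): from an asset list with business unit, criticality and last assessment date, plus a findings list with open and close dates, it computes a per-unit scorecard of criticality-weighted exposure, mean days to close critical findings, age of the oldest open critical finding, and the share of assets assessed within the last week. The exposure formula, the 9.0 critical threshold and the 7-day freshness window are this example's assumptions, and all data is constructed.

```python
"""Per-business-unit scorecard: exposure, critical time-to-remediate, assessment coverage.

Added example, not Tenable Lumin's scoring. The exposure formula and the
7-day freshness window are assumptions of this example; all data is constructed.
"""
from datetime import date
from statistics import mean

TODAY = date(2019, 12, 2)

ASSETS = [
    {"name": "web-01", "unit": "storefront", "criticality": 5, "last_assessed": date(2019, 12, 1)},
    {"name": "db-01", "unit": "storefront", "criticality": 5, "last_assessed": date(2019, 11, 30)},
    {"name": "wiki", "unit": "corporate", "criticality": 2, "last_assessed": date(2019, 11, 10)},
    {"name": "kiosk-07", "unit": "corporate", "criticality": 1, "last_assessed": date(2019, 12, 1)},
]
FINDINGS = [  # closed=None means still open
    {"asset": "web-01", "cvss": 9.8, "opened": date(2019, 11, 1), "closed": date(2019, 11, 5)},
    {"asset": "db-01", "cvss": 9.1, "opened": date(2019, 11, 1), "closed": date(2019, 11, 13)},
    {"asset": "db-01", "cvss": 7.5, "opened": date(2019, 11, 20), "closed": None},
    {"asset": "wiki", "cvss": 9.8, "opened": date(2019, 10, 1), "closed": None},
    {"asset": "wiki", "cvss": 6.5, "opened": date(2019, 10, 1), "closed": date(2019, 11, 30)},
    {"asset": "kiosk-07", "cvss": 5.3, "opened": date(2019, 11, 25), "closed": None},
]


def exposure(assets, findings):
    """Mean asset exposure per unit. An asset's exposure is the sum over its open
    findings of cvss * criticality * 2, capped at 100 (assumed formula: one CVSS 10
    finding on a criticality-5 asset saturates it)."""
    open_cvss = {}
    for f in findings:
        if f["closed"] is None:
            open_cvss.setdefault(f["asset"], []).append(f["cvss"])
    per_unit = {}
    for a in assets:
        score = min(100.0, sum(c * a["criticality"] * 2 for c in open_cvss.get(a["name"], [])))
        per_unit.setdefault(a["unit"], []).append(score)
    return {u: round(mean(s), 1) for u, s in per_unit.items()}


def critical_remediation(assets, findings, today, threshold=9.0):
    """Per unit: mean days to close critical findings, and age of the oldest still open."""
    unit_of = {a["name"]: a["unit"] for a in assets}
    closed, oldest_open = {}, {}
    for f in findings:
        if f["cvss"] < threshold:
            continue
        u = unit_of[f["asset"]]
        if f["closed"] is not None:
            closed.setdefault(u, []).append((f["closed"] - f["opened"]).days)
        else:
            oldest_open[u] = max(oldest_open.get(u, 0), (today - f["opened"]).days)
    return {u: {"mean_days_to_close": round(mean(closed[u]), 1) if u in closed else None,
                "oldest_open_days": oldest_open.get(u, 0)}
            for u in {a["unit"] for a in assets}}


def assessment_coverage(assets, today, max_age_days=7):
    """Share of each unit's assets assessed within the last max_age_days."""
    per_unit = {}
    for a in assets:
        fresh = (today - a["last_assessed"]).days <= max_age_days
        per_unit.setdefault(a["unit"], []).append(fresh)
    return {u: round(sum(v) / len(v), 2) for u, v in per_unit.items()}


def scorecard(assets, findings, today=TODAY):
    """One row per business unit so units can be compared on the same metrics."""
    e = exposure(assets, findings)
    r = critical_remediation(assets, findings, today)
    c = assessment_coverage(assets, today)
    return {u: {"exposure": e[u], "coverage": c[u], **r[u]} for u in e}


if __name__ == "__main__":
    for unit, row in scorecard(ASSETS, FINDINGS).items():
        print(unit, row)
```

The storefront unit has the higher exposure number on the constructed data (one open 7.5 on a criticality-5 database), but it closes criticals in eight days on average and every asset was assessed this week; the corporate unit shows the pattern that needs the conversation: a critical finding open for 62 days on a host that was last assessed three weeks ago, so half of its assets have no current data at all.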

"Metrics are an important part of information security, and being able to speak the language of executives and to be able to present information in the appropriate fashion. Tenable does a really nice job of helping me do that."
Matthew S., American Eagle Outfitters (video case study)
