No matter what size your organization is, you will never have enough human or financial resources to remediate all of your vulnerabilities. But the good news is, you really don't have to.

Most security teams are still prioritizing their remediation efforts based on vulnerability counts or the number of assets affected. Between these strategies and methods that employ static scoring such as CVSS 7+, you're wasting the overwhelming majority of your time and limited security and IT resources on remediating vulnerabilities that don't pose any risk.

Since less than two percent of your vulnerabilities will ever be exploited, you need to understand how to identify them, and then prioritize your remediation efforts accordingly to focus your teams on the relatively few vulnerabilities that matter most so that they can maximize risk reduction across the enterprise.

This session from the latest Cybersecurity Virtual Event will discuss the inefficiencies and associated costs of popular non-risk-based methods, and will use hard data to illustrate why employing CVSS as a strategy hurts more than it helps. It will highlight research to show why teams continue to fall behind and will introduce proven risk-based methods for overcoming the challenge.

Enjoy the video presentation and accompanying transcript below, by Jeff Aboud.

About Jeff Aboud

Jeff Aboud has been in the security industry for more than 13 years. Working for some of the best-known companies in the industry, Jeff has experience up and down the security stack – from client-side scanning and perimeter security solutions, to encryption technologies.

At Cisco, he taught information and operational technology professionals about the security ramifications of IoT technologies and advised them on how to embrace IoT securely. At Kenna Security, he’s a member of the product team. He works with technical and research teams to understand the pros and cons of the wide range of vulnerability risk management methods utilized in organizations of all sizes, and then translates the results into advice and guidance for SecOps and IT teams in top-performing enterprises. 

Cybersecurity Virtual Event - Kenna - Don’t Fix That! Learning to Focus on the Vulnerabilities that Matter Most


Hi, my name is Jeff Aboud, Director of Product Marketing here at Kenna Security. Today I'm going to be talking to you about risk-based vulnerability management, essentially how to prioritize the vulnerabilities you have in your environment to make sure you make the best use of your very limited time and resources, both human and financial.

Risk-based Vulnerability Management (RBVM)

Now, before I get into things too much, I want to pause here for just a moment because I know that everybody is really from a different background and has different levels of expertise in vulnerability management, so I wanted to first acknowledge and define at least a few terms I'm going to be using through this presentation, just to make sure that everybody's on the same page.

So, first, I've already used one of them, "risk-based vulnerability management," you'll also see it throughout the presentation called RBVM, and what that really means is really what the term implies, and that is taking a risk-based approach, or taking a look at your vulnerabilities based on the specific amount of risk that each vulnerability actually poses to your organization. Now, this is opposed to some of your legacy, most of your legacy methods of taking a look at any particular score that's taken at a point in time throughout the organization, saying, "Okay, based on these things that we're seeing, based on this potential, we think this one's more or less critical."

But it's really just looking at attributes of a vulnerability, it's not really looking at the real-world risk, and since it's never updated, those legacy methods are never updated, then you really don't have a real-time view based on what attackers are doing in real-time, what they're doing, what they're using, how prolific those threats are, whereas risk-based vulnerability management really takes a look at, almost exclusively, just risk: what is the risk to your environment? What are attackers doing, what does that mean to your environment? How important is the asset to you? All of those different types of things we bring into RBVM, risk-based vulnerability management, and we score the vulnerability based on the very specific amount of risk that it poses, and we update that continuously throughout the day every day.

Common Vulnerability Scoring System (CVSS)

Now, the second term, some of you, in fact I would presume that most of you know, but just to make sure that everybody's on the same page, I will say CVSS a lot, and what CVSS stands for is "Common Vulnerability Scoring System," and this is a community-based project, out of, that produces this numerical score. It's essentially a 1-10 score that reflects the potential severity of all these different CVEs, all these different vulnerabilities, again, as I mentioned earlier, based on principal characteristics, not based on risk.

So, usually, a CVSS score is determined within a couple of weeks of a new vulnerability or new CVE being discovered. And CVE, by the way, I don't have it listed on here, but I'll use that a lot, CVE is for "common vulnerabilities and exposures," and that is something that's actually done out of MITRE, so scores all these vulnerabilities or all of these CVEs. I'm sorry, they name all these different vulnerabilities as a CVE, so now we actually know which one we're talking about. So, I can tell you, "It's CVE 2016-1573," and you know exactly which one I'm talking about, so it's really just a common naming system.

Coverage and Efficiency

And then that brings us to our last two terms, which are different, but highly, highly related, and that's "coverage" and "efficiency". So, coverage measures the completeness of your remediation, so it's really saying, "Okay, of all the vulnerabilities that really should be remediated, according to our risk-based vulnerability management approach, how many actually work?"

And efficiency looks at the opposite piece of that, so it's looking at the precision of your remediation, so it's saying, "Okay, of all the vulnerabilities that we believe need to be remediated, how many actually should have been?"

So, that's really taking a backward look, saying that, "Okay, if you identified it for remediation, but it really shouldn't have been because it wasn't very risky, it didn't actually pose real risk to your organization, then it shouldn't have actually been remediated," so if you did, that's really a waste of time, it's inefficient effort. So, those two different measures of coverage and efficiency, we're going to use quite a bit throughout this presentation.

Prioritizing Vulnerabilities

So, now let's get into it. I'm going to throw some numbers at you here, and these are just some statistical averages that we've actually noticed throughout our own database of customers, and we've noticed that the average, at least large enterprise, has millions of vulnerabilities, with dozens of new ones discovered every single day. And this is really for large enterprises, but even if you're a small organization and you have maybe only two million vulnerabilities, rather than 40 million, the number of people in your team is actually going to correspond with that as well, so you're going to have many fewer people to work on those two million, versus a very large enterprise that's going to have very large teams to work on the 40 million.

So, no matter what, no matter how big or small you are, manually analyzing, correlating, and prioritizing all those vulnerabilities just simply isn't humanly possible, I don't care how many people you have, there's just too much data coming in, and it's coming in too quickly in order to gain that upper hand. So, the problem really isn't limited to just those enterprises, it's every size of organization, and the problem is really just getting worse.

So, let's face that cold hard reality: No matter what the size of your organization, you're never going to have enough human or financial resources to fix every single vulnerability in your environment. But the good news is: you actually don't have to.

And that's what I'm going to really spend the bulk of this presentation explaining, why you don't have to, and the different methods that you can use, going by a risk-based vulnerability management type of methodology in order to figure out which ones are much more important than others so you can really focus on those that really matter the most.

Prioritization is Absolutely Essential to an Effective Vulnerability Management Program

So, we did a lot of research, we've been doing a ton of research over the past two years. And some of it is just our own, some of it we've actually done in conjunction with the Cyentia Institute. And if you're not familiar with Cyentia, Cyentia is actually the same guys who actually developed the Verizon DBIR several years ago. So, they're very, very well known people in the industry, they really understand this stuff, and we've actually been working with them, our data scientists, our key security analysts have all been working with them in order to co-produce a lot of this research.

In this research that we co-produced with them, we found that actually only 22% of all vulnerabilities ever have any exploits written against them. Now, that's important because once an exploit is written, the vulnerability is actually seven times more likely to be exploited in the wild. And since most enterprises can really only remediate about 1 in every 10 of all their vulnerabilities, you really want to make sure you're focusing on remediating those first, in order to minimize your risk to the enterprise.

So, think about that: if you're remediating anything in the 77%, it doesn't mean they're not important, it doesn't mean they won't be exploited, it just means they're far less likely to. And then, of course, we have our outliers up here, with that .6% where exploits were just seen in the wild with nothing that was actually produced prior. You're always going to have those outliers, there's no perfect science here; all we can help you do is really get much, much better at being far more efficient.

So, looking at that 22% between this light purple and this purple-blue color, there's where we have exploit code published, and then this 1.2% is where we saw the exploit go to publish and it was also observed in the wild, so it's that 22, I guess almost 22.5%, where it had those exploits written against them. So, you want to prioritize these because they're seven times more likely to ever have anything happen, versus these that are far less likely.

Only 5% of Observed CVEs Ever Get Exploited

Now, here's another way of looking at it. Again, in this joint research that we conducted with Cyentia, we found that only 5% ... so, the prior pie chart was the world in general, what we're looking at now is what we can actually see in customer environments, and we found that what's actually in customer environments, only 5% of all CVEs that are actually in those environments ever get exploited. So, you really don't care about any of this stuff on the right, whether it's been exploited or not, because those things aren't in your environment.

And, by the way, you really also don't care about anything that's represented in the blue here, so anything on the right-hand side, you don't care about because even though they are in your environment, they're not being exploited. So, let me backtrack a little bit, you do care about them, it's not like you want to just ignore them forever, but you want to deprioritize them, they're not nearly as important. What's the most important, what you really want to focus on, is these boxes up in the red, these are the ones that are actually in your environment and they're actually being actively exploited.

So, that represents the 5%, those are the ones that you actually want to pay attention to first, and then you can start working on some of the things in the blue. You never care about the purple ones or these teal ones because they're not in your environment, there's nothing to remediate. But in terms of the ones that are actually in your environment, you want to focus on these first, and then start working your way through these. But that's the essence of that beginning level of prioritization.

CVSS Won't Help You Prioritize

Now, in order to prioritize, and this is where that first ... I mentioned I'm going to be talking about CVSS quite a bit, and the reason is because most organizations throughout the world are using CVSS scores in order to prioritize what to fix first. And many, or even most of them, in fact, when I ask prospects, "Hey, how are you prioritizing?", most of them will say, "I just try to fix all the criticals," which is really, typically, for most organizations, it's defined, the "criticals" are typically defined as CVSS 7 and above, so anything that scored a 7, 8, 9, or 10.

Now, some organizations try to narrow it down a little further by saying, "Hey, I'm just going to fix 8 and above, or 9 and above," or they may even say, "Forget it, I only have time for the 10s, let me just fix those first," or if you're a financial institution, they have to fix 4 and above, so it just depends on your industry, it depends on the size of your organization, it really depends on a lot of different things. But no matter which of those methods you choose, if you're using CVSS, it's really proven to be a terrible method for assessing risk.

Now, this is true for two major reasons. First, most CVEs, as you can tell, fall into that 4-8 range, so they're in this range right here. So, even if you use that 7+ strategy, everything that's scored as a 4, 5, or 6 is never going to be looked at, so all that risk is going to stay in your environment. If you take a look at the chart, and it's kind of hard to tell unless you start adding up all of these numbers, but there actually are many exploited vulnerabilities, and the exploited ones are the ones represented by the navy blue bar here, there are as many of those with a CVSS score of a 4 or a 5 as there are with a 7, 9, or 10, combined.

So, if you think about that, that's an awful lot of risk that you're still leaving in your environment, if you're only looking from here over beyond, so basically from here to the right. But then, if you look at that 7 and above, look at these gray bars, the gray bars actually say that there's no known exploits, and, again, we don't want to say that we don't want to look at those at all, but we want to deprioritize those, we want to prioritize the ones that are navy blue first, because if we add all of these up, all of those gray bars up, we're going to actually notice that 73% of them, it's actually 73.1%, if you really want to be technical about it, have no known exploits.

So, all those 7 and above, 73.1% no known exploits. So, remediating those is really inefficient. Remember we talked about efficiency versus coverage, it's horribly inefficient because if 73% of them have no known exploit, it means that 27% of your efforts are actually efficient; the other 73% of your efforts, so all your very limited teams' efforts, are wasted because they're actually spending all that time remediating vulnerabilities that really don't pose much risk. And after all of that wasted time, you still would have only remediated about half of the risky vulnerabilities in your environments because the other half lies between, some in the 2s to 3s, but most of them there in your 4 and 5 realm there.

So, you only have like 360 here, 211 here, but you have, what, about almost 7500 here that you're not going to even touch because you're only looking over here. So, there's your coverage, you only have about 53% coverage, looking at 7 and above, and only 27% efficiency. So, think about it that way, and you have to really think about, "Is there a better way?"

Remediation Takes Time

And all of this is really important because remediation takes a lot of time and a lot of effort. Again, in our studies, we found that, on average, it takes firms about a month to remediate just 25% of the vulnerabilities that are in their environment, and another two months to get them over the halfway mark. And this page is the median life span of a vulnerability at about 100 days. So, what that really means, let's just be clear here, more and more ... it's not like that's just a snapshot in time, "Oh, hey, in 100 days, I'll be fine." To be clear, more and more of these things are going to be discovered every single day in your environment.

So, it's not just like it's this three-month remediation cycle and you've fixed half; instead, it really means that you fixed half of the vulnerabilities they found three months ago. So, to really put a finer point on it, we're now in late October, so if you start fixing things ... I'm sorry, if you take a look back, you would have just now remediated half of what you discovered back in early July, taking a look at this 100 day MTTR. So, if you think about that, you've just now fixed half of what you found in early July, then how many actually were discovered in your organization and in your network between July and, now, late October? And you haven't even started on those. So, you really want to make sure that you're fixing the right things first.

Now, to provide a slightly different look at this, a study that we conducted, actually probably about 18 months ago now, is still very valid information, but you'll notice the numbers kind of change a tiny bit as we update the numbers here, but it revealed that using CVSS to prioritize your vulnerabilities actually delivers about the same results as random chance. I mean, seriously, if you look at these numbers here, here is your efficiency, and here's your coverage of your CVSS strategy. So, here's your CVSS 7+ strategy, which says you're 31.5% efficient, and 53.2% coverage, as opposed to random chance, which is not quite as good, but it's not much worse in your coverage.

But then if you start looking at 8 and above or 9 and above, a lot of organizations just say, "Forget it, I don't want to look at 7 and above, I want to narrow things down and start looking at 8 or 9 and above," well, these are almost dead even with random chance; look at this, it's 23.1, 23.2, 23.1, and these are all 23%; 7% coverage, 7.1% coverage. So, when you go on down the line here ...

Now, the other interesting thing is as you get into some of these lower CVSS scores, even though your efficiency goes up some, your coverage actually drops. So, here, we have our 53% versus 39, 53 versus 65, so it's only a little better, and then this is actually just marginally better. So, it's really interesting to see what's happening here when we start looking at it in a different way.

So, as I mentioned before, there's a better way. If we start taking a risk-based approach to vulnerability management, you can actually address your critical issues much more quickly and, by the way, with significantly less effort than using CVSS. So, this is actually a study that we just did, maybe about 30 days ago, and we noticed that if your MTTR, so your mean time to remediation, so this is just statistical mean, so if you just look at that mean average, you're saying it takes roughly 105 days to remediate, if you're only using CVSS.

Taking a Risk-Based Approach Helps Address Critical Issues More Quickly

But if you use a risk-based prioritization method, it takes just under 65 days, so that's truly a full 40 days faster to remediate on that mean average than if you use CVSS. And then some people say, "Well, I like to use both, I get the whole risk-based thing, but I still really am tied to CVSS." Well, using both is certainly better than just using CVSS alone, but it's worse than using risk-based only, by an order of almost 20 days. So, if you think about it that way, you really want to start looking at that risk-based prioritization method because you're going to be much faster, you're going to be much more efficient in what you do, and that's going to speed your MTTR quite a bit.

... And Reduces the Effort of Vulnerability Remediation

Now, taking a risk-based approach not only speeds the process of remediating your critical vulnerabilities, but it's also going to dramatically reduce your team's required effort, and that's going to make them a lot more efficient and more effective at reducing the risk to your enterprise. So, let's review the results from another study we did; again, this was done just this past summer, where we analyzed the number of CVEs that it would take in order to remediate under each of the given CVSS strategies, and we're going to compare that against what it would take to achieve the same amount of coverage using a risk-based model.

So, as you can tell here, if you take, say, your 7+, I keep going back to 7+ because that's the most common one, but you can take a look at this chart based on what is most in line with your organization. So, if you're a financial institution, you're probably looking at this bottom row; if you're trying to be more efficient, you may be looking at 8 or 9, but I'm going to use 7+ as my standard, just because that's what the majority of firms are doing. And, again, you'll notice these are slightly different numbers, I think last time, a couple slides ago, I mentioned it was like 53.something, now 62.7, again, it's just different data, so a more updated data, and it's not like, "Hey, it's getting more efficient," it's cyclical. But what you'll see is, in general, it is still pretty low.

So, if you take your 7+, you see that you have 62.7% coverage. Well, in order to get that coverage, on average, it takes, in terms of your effort, you're going to have to remediate over 2700 CVEs. Now, if you take the risk-based vulnerability management methodology, it takes only just under 1100 CVEs in order to achieve that same amount of coverage, so that's a reduction in nearly 61% of your team's efforts. And that's really important because what can you do with that extra time?

If you think about it, you can take a couple of different strategies here: you can either say, "Hey, I'm pretty happy with 62.7%," and you can actually reallocate those resources to do much more strategic stuff, maybe get ahead of some of those threats, do more predictive stuff before it actually gets to this point where you have those CVEs, maybe they're doing more on the perimeter, maybe they're shoring up other aspects of your environment in order to better protect you in a more comprehensive way; or, you can actually continue to use the same amount of resources, specifically on your remediation efforts, and actually get much higher here, in terms of your coverage and, therefore, become even safer, essentially.

But that strategy is really up to you, but the main point I wanted to make here is you're going to dramatically reduce that effort that's required, so that makes them more efficient and more effective and that's going to make, by the way, much, much happier security analysts, and makes you a lot safer as an organization.

The Next Step: Adding Prediction

Now, the next step here, once you're focusing on just those vulnerabilities that pose the greatest risk, you're taking a truly risk-based approach, you're almost there. You're already far more effective and efficient than the vast majority of your colleagues, and certainly much more than you ever have been before, but there's still one more critical step that you really need to do to get ahead of attackers and make a material impact on your organization's exposure to risk, and that is really automating ahead of the threat, and you do that through what we call "predictive modeling".

Now, predictive modeling helps you truly get ahead of attackers and make a material impact on your organization's exposure to cyber risk by automating ahead of that threat. Now, by the time you get the intelligence on a new CVE, you're already in a race with your adversaries because they get access to the same public information you do, which is, by the way, very minimal; you essentially have a name, or essentially a label, and you have a general sense of what it does, and that's kind of it.

But your adversaries have exactly the same information you do, so they're already working on their exploits, and the sad fact is that they actually have a lot more time and resources than you do, and there are a lot more of them. So, think about that: they have more time than you do because they don't have day jobs, you do; they don't have to constantly go through this remediation cycle because they're not remediating, they're on the opposite side; and there are tons more of them than there are of you, and they're all working together. So, to really get ahead, you have to predict the future, based on using your past intelligence.

So, at this stage, like I mentioned just a minute ago, you really only have a description of the CVE, so you don't really have enough information to automate, so the solution is to look backwards, you got to look at the past, look at attacker behavior, and other types of metadata and security information in order to try to arrive at a conclusion. So, this is going to involve things like supervised machine learning, it's going to require random forest, logistic regression, things like that, against all the different features against the vulnerability [inaudible 00:28:06] metadata, etc., using all of that stuff.

And then what you want to do, if you're building your own model, I'll just briefly tell you how we did ours, you have to train and evaluate it. So, what we did was we have a database that has more than three billion vulnerabilities in it, and a lot of other intelligence as well, but we took that whole database, we took 70% of it and we used that 70% of our database in order to train our model.

And then once we really got it honed in on exactly how we wanted it to look and really believed we had, really, essentially, the perfect model, then we took the other 30% of our database and we used that to evaluate its performance, we used it to essentially test and make sure that it was as good as we thought it would be. So, you have to be able to do those types of things, to build that model and to test that model to make sure that you're actually getting the results that you believe you're getting.

Taking Control of Your Risk Posture

Now, once you've done that, and, again, this is all based on the research that we did based on our predictive model, so you might get different results, but we can test the efficacy of that predictive model using this continuous process of intelligence against the vulnerabilities that we know that we want to focus on at any given moment. So, this really helps the security team save time and ensure that it's fixing what matters.

So, as you can see, from this chart, predictive modeling really offers huge improvements in the effectiveness and the efficiency over the legacy vulnerability remediation strategies that we analyze. So, to put a finer point on this, here's my CVSS 7+, and I've got all the others in here, too, here's your 8, 9, and 10, here's your 5 and 6, and there are a lot of different things in here, too, but all of these, I'll call them purple bubbles here, are all your CVSS strategies. And then this red line, with these red bubbles, this is our predictive modeling, so this is our risk-based priority, basically our risk-based vulnerability management, with predictive modeling built into it.

And we actually had this highly efficient one, where we only fix the ones that we really knew that mattered, and then we tried a broader coverage, where we said, "You know what, let's go more for that 4+ and that 5+," we didn't obviously use CVSS, but more along those lines of thinking, and said, "Let's cast the net a lot wider," and then we found that really this balanced approach, for us, was the best. But where you lie on this line is really going to depend on your organization: what's your appetite for risk? What is your budget? How many people do you have in your organization, versus the number of vulnerabilities?

So, it really depends on a lot of different factors that are up to. But you'll notice that, here's your CVSS 7+, and like I mentioned, this is going back about a year, so you have that 53% coverage with just over 30%, about 31% efficiency, as opposed to your balanced approach, which is about double the efficiency, and better coverage as well. So, this is going to be much more efficient, much more effective, and it's going to require a lot less effort than what CVSS is actually going to require.

Maximizing Your Team's Effectiveness

So, this is kind of taking a different slice of that, this is looking at that balanced model versus that CVSS 7+. So, we were actually looking at that predictive modeling, we were actually able to achieve just about double the efficiency, with half the effort, so we only had to remediate 19,000 CVEs instead of 37,000, which would require with CVSS 7+; and we have better coverage, we had 62% versus 53% coverage; and, by the way, we had a third the false positives, so it really gets down to the efficiency and the effectiveness that I've been talking about throughout this presentation.

Putting It All Together

Now, let me just take a minute to explain how this whole model works, and before you look and say, "Oh my God, I have no idea what it means," essentially what we're trying to do here is we're trying to say, "Listen, you can't just start doing this, you need data, you need, what we refer to as 'context'." So, we have customer context that you want to bring in, so this is everything in your environment, your vulnerability scan data, and most of you probably have more than one scanner, lots of people do, but even if you only have one, you want to bring in that scan data. But you also want to bring in any other security data you've got throughout your environment.

If you have asset information from CMDBs, if you have pen testing data, if you have bug bounty programs, you want to bring in all of that stuff because that's all really important context. And then you want to take in all of these global threats, so you want to bring in a lot of different threat and exploit feeds, and pull those all in, and actually correlate all these things together. So, you really need to understand the full context of all of these vulnerabilities.

So, in order to do that, you need to analyze all of that internal security data that I just mentioned, including that vulnerability and the asset information, in order to understand which of your vulnerabilities are most likely to be exploited. And then, through all of these different threat and exploit information streams, you need to understand what attacker activity is in real-time so that you can understand what attackers are doing, how they're doing it, and even the tools that they're using to exploit vulnerabilities in the wild.

Now, once you have all of this, now you can assess all that information through the lens of volume and velocity, and what I really mean by that is volume and velocity, how much is a particular vulnerability being exploited? Do I have a hundred active exploits out there in the wild against this vulnerability? Or do I have 10,000? So, that's volume. And then velocity: have I seen a huge uptick in the past day, or even couple of hours? Or have I seen this 10,000 over the course of six months? Very, very different velocity, how quickly is it coming in, how quickly is it hitting us?

Now, once I do all of that, now I can actually determine which of those threats actually pose the most urgent threat. Now, once I've done that, all my internal contexts, all my external contexts, now I actually need to correlate all that security data for all those internal and external sources in order to determine the relevant consideration set for my organization. After all, as I mentioned earlier in the presentation, I don't really care about the exploits that affect vulnerabilities that aren't in my environment, I really only care about the ones that are in my environment. And I can deprioritize any vulnerabilities that are in my environment that really don't pose any immediate risk.

Now, once I have all of that, now I need to run it through data science algorithms, and that includes things like natural language processing, as well as a lot of this predictive modeling. So, I want to make sure that I really analyze it through all these numerous data science models and predictive technologies in order to really assess the specific level of risk for every vulnerability, and that's going to give me a risk score, a very specific quantifiable risk score for every single one of my vulnerabilities.

Now, once I have all of those, that score alone isn't enough, just having a score, pretty much everybody has a risk score these days, or some score, in order to help you prioritize, and in reality, the score itself is sometimes no better than CVSS. Now, we've run ours through a lot of data science here, so it is much better, but the score itself still isn't going to help you that much. You need to take that and you need to go to the next step and use what we call "remediation intelligence". Now, that remediation intelligence is going to pair all of that score with remediation intelligence that leverages data science to automate the analysis, all of that data, to determine which vulnerabilities pose the greatest risk to your organization.

And, by the way, it's going to show you which remediation efforts will have the greatest impact on your environment for the least amount of effort, and that's really important because you want to make sure that you're spending the least amount of time, again it gets back down to that efficiency and the coverage, but also the effort that's involved, you want to make sure that we're actually taking a look at "Okay, what is the one that I need to fix right now?"

So, if I score my vulnerabilities from 1-100, I might have 10,000, 20,000, 30,000 100s in my environment, and that doesn't do me that much good. But when I use remediation intelligence that I paired with that, now it's going to tell me, "Hey, go fix this one" because it's going to give me the biggest bang for the buck, it's going to tell me, for the least amount of effort involved, you can actually make the biggest impact on your risk score. So, you're actually going to reduce the most by working the least, and that's what we really need to get down to because, again, you have limited time, you have a limited team, you don't have time to actually go through and try to figure out which one of these 30,000 vulnerabilities that are all scored at 100 has the most risk and should be remediated first.

A model like this, this whole remediation model, risk-based remediation model, with all of the data science built into it, will actually get you down to that level, where now you're just looking at "Let me fix this one, and then let this team fix this one, and let that team fix that one," and now I'm actually making the biggest impact on my organization's risk score with the least amount of effort.


So, that's all that I wanted to introduce today, I think that's a lot, and I hope you were able to follow along with everything. But, in summary, just to reiterate, you're never going to have the resources to fix everything, you just won't, so you have to focus on what truly matters. And all those legacy methods, so whether it's CVSS, or if you're just looking at the number of vulnerabilities or the number of assets that they affect, they don't work because they're inefficient and, as a result, they're going to leave you vulnerable, they're going to leave you a lot of risk in your environment. But, taking a risk-based approach to vulnerability management is going to help you reduce the most amount of risk by using the least amount of effort, and especially when you pair it with that remediation intelligence that I just talked about on the last slide.

And, finally, predictive modeling, it's going to help you not just take that look at risk, at today's risk, but it's going to actually help you get ahead of those attackers by looking in the future, the day the CVE is announced, and saying, "Here's what's likely to pose the most risk in the near-term future," and you fix all of those, and now you actually truly are not even just being proactive, like risk-based vulnerability management will do, but now you are actually being fully predictive, and you're getting ahead of all those adversaries who have a lot more resources than you do and a lot more time. So, now you're getting ahead of them, you're playing the game better than they are is essentially what it comes down to.

For More Information

Now, again, I know that I threw a lot of information at you, and if you have any questions, please feel free to reach out to me, please feel free to just reach out to Kenna, via telephone or via our email. But, in general, if you want to learn more about how a predictive model can help you reach the optimal coverage and efficiency, in order to really minimize your organization's risk exposure, you can actually download, we now are up to four reports, so this picture here just shows Volume I, but we actually have four volumes that we've produced over the last 18 months.

So, if you go to this site, it's actually going to take you to where all of those prioritization and prediction reports are, and you can download all of them, and I guarantee you, it's really, really great reading; some of it's going to be over your head, I'm going to be honest, a lot of it's over my head, but it's phenomenal information, it's really going to help you more fully understand how to get ahead of these threats and how to get ahead of these adversaries.

So, with that, I thank you very much for listening. Have a great rest of your day, and like I said before, feel free to reach out if you need anything else. Thank you.