Risk Assessment in a Continuous Vulnerability Management Program
*This post originally appeared on the RiskSense blog prior to the acquisition in August 2021, when RiskSense became part of Ivanti.
The key to any vulnerability management program is the IT organization’s ability to assess the level of risk that vulnerabilities pose to the business. The better the assessment, the better able the organization will be to prioritize vulnerability remediation.
Given the increasing importance that real-time threat monitoring and remediation have in cybersecurity practices today, we asked several experts to weigh in on the topic of risk assessment in the context of continuous vulnerability management. Not surprisingly, our experts had several perspectives and a lot of insight on this challenging aspect of security management.
The first question is, how do you even assess risk in a continuous vulnerability management program? Here’s what our experts had to say:
- Andy Hendrickson, chief information security architect at Federal Reserve Information Technology, provides practical advice about integrating risk assessment and remediation in a continuously changing live environment. He advises, “Schedule vulnerability scans, and perform credentialed analysis of your targets. To avoid operational impacts, group and schedule targets for assessment during business-acceptable time periods. Remediate individual vulnerabilities that score above the business risk appetite either through automation or through a ticketing process in coordination with parties that need to test continued functionality. Remediation activities are generally performed in lower-priority environments before being applied to the production environment.”
- John Howie, chief information security officer (CISO) at The Climate Corporation, takes an IT governance approach to evaluating risk: “All too often, vulnerability management descends into patch management, or ‘patch and pray.’ Risk exists when unpatched software is found in the environment, but this glosses over other risks (or even ignores them). A better approach is to focus on IT governance and make sure that only approved software versions and patches are deployed into the environment. Any asset that has unapproved software is out of compliance and represents a risk.”
- Brian Freeman, information security operations manager at MatrixCare, underscores the importance of using threat data in risk assessment. “To stay on top of a continuously changing threat landscape, you must take advantage of the power of data. You can no longer simply apply antimalware and patch systems and say the organization is safe. You must use the value of data with automation to perform scheduled threat scanning to detect and remediate vulnerabilities. Use the power of data collected from sources around the country and the world; correlate them with your own log collections to identify threat patterns. Build your own standards for norms so that you can better identify anomalies. Products and services exist today to capture and correlate global data and compare the results with your own findings to generate useful assessments.”
- Peter Riedman, senior information security analyst at Proskauer Rose LLP, reminds us that identifying risk is one thing, but decision makers need to understand the risk’s significance. “You have to translate the risks that technical tools identify into relatable terms for the relevant stakeholders. In speaking with colleagues on the topic, when I explain things in terms like reputational risks or operational risks, I find that the conversation is more engaging.”
Clearly, organizations must assess risks and turn those assessments into actionable intelligence, but in a continuous vulnerability management program, do you also have to have continuous cyber risk assessment? The experts say yes, but again, they have different perspectives on what “yes” means:
- Riedman points out the dangers of half-measures when he says, “A continuous cycle of vulnerability discovery, risk assessment, remediation, and verification creates an environment in which you are working to have all the bases covered. I once heard someone at a conference say, ‘75 percent coverage is still 100 percent vulnerable,’ and that stuck with me. You must constantly strive to get to that full picture of risk.”
- Howie points out the value of IT governance in managing continuous risk assessment. “If your vulnerability management program is, in reality, a patch management program, then yes, you have to quantify risk every time you find unpatched software. If, however, you focus on IT governance, then your cyber risk assessment processes come into play only when you receive notification of a software update to approved software or discover unapproved software in your environment. That said, a continuous cyber risk assessment program is something that most organizations should strive for.”
- Freeman agrees but notes that such a process cannot be manual. “Continuous assessment by hand is not sustainable. You need to develop metrics and algorithms to help determine the potential threat, and then categorize that threat so that you can prioritize your response. Most organizations don’t have the ability to respond to every single vulnerability: They must determine the most important, most likely risk, and then direct their response accordingly.”
- Hendrickson notes the tight link between vulnerability and risk assessment. “Continuous vulnerability assessment and cyber risk assessment should be one activity. Asset exposure to threats, asset value, and vulnerability severity should be factored into remediation priorities to provide a threat-driven, risk-based vulnerability management service.”
Continuous risk assessment should be integral to a continuous vulnerability management program, but how do you implement continuous risk assessment? Our experts offer some good advice:
- Howie shows how IT governance can help here, as well. “I would posit that your vulnerability management program supports your continuous cyber risk assessment program—not the other way around. The output of vulnerability management should feed into your risk decision making, your scorecards, and your overall risk picture. However, if you are spending all your time patching, you are probably not adequately focusing on risk, which is why IT governance is so important.”
- Freeman says that data must be your guiding light. “There are too many ways to react to known vulnerabilities. Identify the risks, compare them to the libraries of known vulnerabilities, and then prioritize your response. Make sure that you are collecting your critical logs. Include data not just from servers and firewalls but from all network gear, critical applications, websites, domain controllers, databases, and anything else that can provide information about traffic patterns and usage. Then, engage analytics using a security information and event management (SIEM) system to analyze the data in real time and categorize, prioritize, report, and alert on what rises to the top.”
- Hendrickson explains how vulnerability and risk assessment are moving targets that can change with time. “Remediating all vulnerabilities is not feasible or cost-effective. Factor asset exposure to threats, asset value, and vulnerability severity into key risk indicators to inform remediation priorities and management reporting and provide a threat-driven, risk-based vulnerability management service. Time is key in remediation. Generally, vulnerability risk increases over time as adversaries construct threats to exploit weaknesses. Older, moderate-severity vulnerabilities may become high-severity vulnerabilities if you do not remediate them in a timely way. Organizations commonly do not have the capacity to reexamine vulnerability severity, so consider employing technology that increases the risk score of vulnerabilities according to time and industry exploitation experience.”
- Riedman notes that organizational culture can play a big role in how a business approaches vulnerability and risk management. “I think it is cultural. Reinforcing that risk is directly relevant to all facets of business, and building consensus among the participants is vital to success. When everyone is aware of the impact of vulnerabilities, threats, and risks, it’s easier to build the momentum necessary to succeed.”
There is no question that continuous risk assessment goes hand-in-hand with continuous vulnerability management and that such assessment plays a critical role in the effectiveness of your vulnerability management program. How you implement continuous risk assessment depends in part on how you manage vulnerabilities, but you should view assessment and management as equal parts of the same security challenge.
- If you are spending all your time patching, you are probably not adequately focusing on risk.
- Continuous vulnerability assessment and cyber risk assessment should be one activity.
- Factor asset exposure to threats, asset value, and vulnerability severity into key risk indicators to inform remediation priorities and management reporting and provide a threat-driven, risk-based vulnerability management service.
- Continuous assessment by hand is not sustainable. You need to develop metrics and algorithms to help determine the potential threat, and then categorize that threat so that you can prioritize your response