The vulnerability landscape constantly evolves, with new and newly-exploited vulnerabilities emerging at any moment. We are nearing a quarter of a million CVEs, and according to recent research from Cyentia Institute, that number will grow 16% each year. To combat the constant onslaught of data, vulnerability management (VM) programs must offer effective, scalable options.
But not all VM programs are the same. Recent analysis of data collected from more than 225 organizations and more than 13 billion vulnerabilities found the top 10% of organizations that exhibit greater vulnerability management maturity, remediate half of vulnerabilities in just 9-12 days. Comparatively, the middle 50th percentile mitigates vulnerabilities in 31-59 days, and the lowest 10 percent between 78-111 days.
What makes these high maturity organizations so effective? What do these VM programs have in common that others can learn from? We’ve identified five common characteristics shared by those organizations that demonstrate highly-effective and efficient VM programs:
- Leverage personalized prioritization: It’s generally understood that the act of prioritization helps VM teams focus on the highest priority vulnerabilities. One would expect this effort would result in fewer vulnerabilities being remediated, because prioritization helps determine the CVEs the team does not need to fix. But looking at these top performing programs, we’ve found just the opposite. The more precise their prioritization, the more they fixed, not less. Why is this important? Consider that the first step to VM maturity requires learning to triage at scale. To do this, the team has to know their focus. For these organizations, adjusting risk scores from upstream tools in an attempt to fix less, actually led to more remediation. This implies that the organizations that are really good at fixing those high-priority vulnerabilities are also good at fixing all vulnerabilities efficiently, which lets them fix more in less time. Good remediation practices of high risk vulnerabilities actually leads to more remediation overall.
- Integrate with other business operations: No cybersecurity effort can exist in a vacuum. VM programs must work in concert with other business operations. An organization that excels at this collaboration might have security experts embedded with remediation teams, AppSec with product teams, and VM teams working with their engineering teams. This integration lets VM teams know and understand what the business needs, what the team can do, how much risk the organization can assume, and how their work may impact other parts of the business.
- Know when to bundle, know when to lock in: Many VM teams are hampered by the size of the team and the sheer volume of vulnerabilities. Thus, smart VM teams look for opportunities to fix more vulnerabilities with the same amount of effort. Using data from scanning tools and external resources, effective VM teams take a higher level view of all the vulnerabilities in their environment. They then look to identify patterns and shared similarities and bundle those items together to eliminate entire sections of risk with the same effort as remediating one vulnerability at a time. These same teams also understand when to forego efficiency in favor of fixing one important vulnerability. By looking for certain attributes and then analyzing those against their organization’s priorities and risk threshold, they’re able to identify those “wake the CISO” vulnerabilities that need their immediate and complete focus. They do this in a very mature way where they aren’t looking at everything that comes in, rather they're really precise with the definitions and parameters that demand that level of attention.
- Don’t take data feeds at face value: There are a lot of vulnerability data feeds available. While these feeds offer critical data on newly discovered and actively-exploited vulnerabilities, mature VM teams don’t just take vulnerability data at face value. They do their own analysis of the data to understand which vulnerabilities are most important to their organization. The hard part: doing it at scale.
- Automate non-VM processes: Mature VM programs improve their remediation effectiveness when they automate steps within processes that are not directly related to vulnerability management. Yes, automating remediation, patching, or prioritization can offer tremendous efficiency gains, but our data shows a clear correlation between automating non-VM processes and the number of vulnerabilities these teams can remediate. For instance, automating processes related to ticket generation and upkeep can have a big impact on remediation. Teams should also automate asset ownership assignment and then leverage that data to set SLA policies on groups of assets or vulnerabilities. Those organizations with highly-effective VM programs have gone that extra step to identify and automate those workflows outside of traditional VM processes to enhance the organization’s overall efficiency.
Highly-effective vulnerability management programs don’t just happen. They require significant effort, investment in the right tools, and experienced, dedicated analysts. These five characteristics are commonly shared by high-performing VM programs. These behaviors aren’t easy to develop and some may take years to perfect, but they offer proven guidance for other organizations looking to improve their remediation efficacy.
Scott Kuffer, co-founder and COO, Nucleus Security
