Risk-Based Vulnerability Management Principles

Section 1. Risk-Based Vulnerability Management Overview

---

What is risk-based vulnerability management?

Risk-based vulnerability management (RBVM) helps identify and manage risks that threaten your organization. It uses machine-learning analytics to associate vulnerability severity and threat actor activity with asset criticality so you can prioritize and remediate the ones that cause the greatest risk to your organization and then deprioritize those that create lesser risk.

RBVM, which has a foundation in legacy vulnerability management practices, helps reduce your vulnerability overload by about 97% by identifying the top 3% that pose most risk to your enterprise.

How are risk-based vulnerability management and legacy vulnerability management different?

Legacy vulnerability management tools give you a theoretical view of risks to your enterprise. They show you which threats a vulnerability could introduce into your environment, without showing you which threats pose real risk. This can lead your security team down a rabbit hole trying to remediate vulnerabilities that aren’t a real risk for your organization. They can miss critical vulnerabilities that are more likely to impact your business.

Risk-based vulnerability management, on the other hand, does more than just discover vulnerabilities. It also helps you understand risks, along with threat context, and gives you insight into potential business impact of those risks.

Legacy vulnerability management also returns mountains of vulnerability data with no real insight into which ones you should fix first. Risk-based vulnerability management eliminates that guesswork.

And, while it’s true that legacy vulnerability management helps you discover risks, it doesn’t do a good job helping you adequately prioritize which threats are actual risks for your organization, and it can’t handle a modern attack surface with increasing threats.

Because of the complexity of your attack surface, legacy vulnerability management can’t give you complete insight into all of the devices that traverse your network and all of the risks that come with them. That’s because your modern attack surface is no longer just traditional IT assets. Today’s attack surface includes web apps, cloud infrastructure, mobile devices, containers, internet of things (IoT devices), industrial internet of things (IIoT) devices, operational technologies (OT) that converge and connect with your IT infrastructure, and more.

Legacy vulnerability management leaves you with blind spots that risk-based vulnerability management can better shine a light on to address where you have weaknesses in your existing security programs.

With a risk-based approach to vulnerability management, your team can focus on vulnerabilities and assets that matter most and address your organization’s true business risk instead of wasting valuable time on vulnerabilities attackers may not likely exploit.

Here are some other ways risk-based vulnerability management and legacy vulnerability management are different:

Legacy vulnerability management

• Assesses traditional on-premises IT assets such as:
• Desktop computers
• Servers
• Devices on your network
• Ignores modern devices on your attack surface such as:
• Web apps
• Mobile devices
• Cloud infrastructure
• IoT
• IIoT
• Containers
• OT
• Creates blind spots and puts your organization at risk
• Meets minimum compliance requirements
• Provides static, point-in-time snapshots of your vulnerability data
• Is reactive

Risk-based vulnerability management

• Enables assessment of both traditional and modern assets
• Uses machine learning to combine vulnerability data with asset criticality, threat intelligence and exploit intelligence to predict a vulnerability’s impact on your organization
• Uses best practices to reduce risk
• Facilitates continuous and dynamic visibility into your assets and vulnerabilities
• Is proactive and focused

Section 2: Risk-Based Vulnerability Management Processes

---

Implementing a risk-based approach to your vulnerability management program

To better protect your modern attack surface from threats, consider implementing a risk-based approach to your existing vulnerability management processes. This can help your organization move from being IT- and infrastructure-focused to having the tools and resources you need to more efficiently protect your entire attack surface.

A good starting point is to understand how a risk-based vulnerability management process aligns with your cybersecurity lifecycle. It looks like this:

• Discover: First, identify and map all of your assets for complete visibility into your computing environments
• Assess: Assess all assets across all of your environments seeking out vulnerabilities, misconfigurations and other security health concerns
• Prioritize: With an understanding of the context of your risks, prioritize remediation based on asset criticality, vulnerability severity and threat context
• Remediate: Apply appropriate remediation or mitigation techniques to your prioritized risks
• Measure: To make better security and business decisions, understand your cyber risk so you can calculate, communicate and make comparisons internally and against peer organizations

Risk-based vulnerability management best practices

Blind spots within your attack surface put your organization at risk. If you can’t see a device on your network or know which vulnerabilities exist for your assets, you can’t accurately secure your attack surface.

Today, you’re no longer protecting just traditional assets. You need complete visibility into your enterprise so you can see every endpoint and all traffic — no matter how infrequent or how short-lived — that connects to your network.

Because legacy vulnerability management tends to be reactive, you can better secure your organization with a more proactive security approach like risk-based vulnerability management.

Here are a few best-practice recommendations:

• Continually gather and analyze data across your entire attack surface.
• Go beyond traditional IT and include all of your endpoints, your cloud environments, mobile devices, web apps, containers, IoT, IIoT and OT.
• Use automation to streamline your processes such as configuration management, asset management, incident response and change management.
• Adopt a risk-based vulnerability management solution with easy-to-understand analytics and customizable reports. Be sure these reports meet your organizational needs and are scalable as your company changes and grows.
• Use reports and analytics to communicate your program’s successes and gaps with your key stakeholders. Role-specific insights will help you communicate technical data in a way that everyone understands, regardless of cybersecurity expertise. For example, when talking about security with your executives, align those reports with business goals and objectives.
• Use analytics and data to determine how well your team inventories assets and collects assessment information. Don’t forget to include success metrics to determine how well your team successfully remediates prioritized vulnerabilities, including processes used and time to remediate.

Section 3. Scanning and Discovery

---

What’s a security vulnerability?

A security vulnerability is a software flaw or programming mistake that creates a security risk. When talking about your vulnerability management program, these vulnerabilities are considered weaknesses that make your enterprise vulnerable to attacks.

What is active scanning?

Active scanning is a vulnerability management process that gives you detailed information about all of your assets, such as if you have open ports, if malware exists on your devices, which software is installed where and if you have any security configuration issues.

Uncredentialed scans (also known as unauthenticated scans), credentialed scans (also known as authenticated scans) and agent-based scans are all variants of active scanning.

Section 4: Prioritization

---

What is Predictive Prioritization and what’s its role in risk-based vulnerability management?

Legacy vulnerability management returns a mountain of vulnerability data that makes it difficult — if not impossible — for your security teams to dig out and know which vulnerabilities are priorities for remediation.

Risk-based vulnerability management, on the other hand, uses tools that help you prioritize your actual risks and reduce your vulnerability overload by 97%.

One effective way to prioritize your vulnerabilities is through Tenable’s Predictive Prioritization. Predictive prioritization strengthens your vulnerability management processes because it reduces the number of vulnerabilities that need your immediate attention and pinpoints the 3% you should focus on first.

Predictive prioritization relies on machine learning to identify the few vulnerabilities that pose the greatest risk to your organization. It gives you ongoing and complete insight into your modern attack surface.

Predictive Prioritization uses Tenable’s vulnerability data and combines that with third-party vulnerability and threat data. It then analyzes them together with an advanced data science algorithm Tenable Research developed.

By taking a risk-based approach to comprehensive vulnerability analysis, Predictive prioritization determines the likelihood an attacker could leverage a weakness against your organization.

Predictive prioritization updates nightly, analyzing 109,000 distinct vulnerabilities. It then predicts if an attacker might exploit a vulnerability in the near future.

Unlike the Common Vulnerability Scoring System (CVSS) traditionally used in legacy vulnerability management — which rates more than 60% of vulnerabilities as critical or high — Predictive Prioritization assigns each vulnerability a Vulnerability Priority Rating (VPR) and an Asset Criticality Rating (ACR) to determine prioritization for remediation.

CVSS, VPR, and ACR are discussed in more detail below.

What is a Vulnerability Priority Rating (VPR)?

In legacy vulnerability management, the Common Vulnerability Scoring System (CVSS) takes a theoretical view of the risk a vulnerability could potentially introduce.

CVSS starts with 0 as the lowest priority and goes up to 10 — the most critical. Unfortunately, CVSS assesses about 60% of all vulnerabilities with a high or critical CVSS score, even though they may pose little risk to your organization.

CVSS is unaware of real-world risk and doesn’t take into account the criticality of each asset within your environment. These are critical pieces of information you need to prioritize remediation effectively.

In risk-based vulnerability management, Tenable’s Predictive Prioritization builds on CVSS and anticipates the likelihood a threat actor may exploit a vulnerability. It also differentiates between real and theoretical risks. Tenable supplements CVSS with a Vulnerability Priority Rating (VPR) and an Asset Criticality Rating (ACR).

A VPR gives you more insight into risks by including threat and attack scope, vulnerability impact and threat score, whereas an (ACR) represents the criticality of each asset on your network based on several key factors.

Tenable calculates a VPR for most vulnerabilities, which is updated regularly to reflect the current threat landscape.

VPR uses a machine learning algorithm and threat intelligence to analyze every vulnerability ever published in the National Vulnerability Database (NVD). Vulnerabilities that are not listed in NVD do not get a VPR; however, you can still remediate those vulnerabilities based on a CVSS score.

VPR Range

VPRs range from 0.1-10.0, where higher values represent higher likelihood of exploits.

• Critical: 9.0 to 10.0
• High: 7.0 to 8.9
• Medium: 4.0 to 6.9
• Low: 0.1 to 3.9

Calculating VPRs

Here are some of the key drivers used to calculate VPRs:

• Vulnerability age: Number of days since NVD published the vulnerability
• CVSS Impact Score: NVD-provided CVSSv3 impact score (if there is no NVD score, Tenable Vulnerability Management displays a Tenable-predicted score)
• Exploit code maturity: Relative maturity of a possible exploit based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources
• Product coverage: Relative number of unique products affected by the vulnerability
• Threat sources: All sources where related threat events occurred
• Threat intensity: Relative intensity based on the number and frequency of recently observed threat events related to this vulnerability
• Threat recency: Number of days (0-730) since a threat event occurred
• Threat event examples:
• Exploit of vulnerability
• Posting vulnerability exploit code in a public repository
• Discussion of vulnerability in mainstream media
• Security research
• Discussion of vulnerability on social media
• Discussion of vulnerability on dark web and underground
• Discussion of vulnerability on hacker forums

VPRs supplement the CVSS used in legacy vulnerability management. CVSS scores often rank many vulnerabilities as high or critical, even if there aren’t exploits active in real world scenarios, so VPRs help you better understand actual risk.

What is a Common Vulnerability Scoring System (CVSS) score?

The Common Vulnerability Scoring System (CVSS) is a theoretical view of vulnerability risk.

Like VPRs, CVSS starts with 0 as the lowest priority and goes up to 10 — the most critical; however, CVSS rates about 60% of all vulnerabilities as high or critical, even though they may pose little risk to your organization.

CVSS doesn’t account for real-world risk or asset criticality within your environment. You need these critical pieces of information, which are included in VPRs, to effectively prioritize remediation.

An article in Security Week highlighted one report that indicated that if a security team focuses on remediating vulnerabilities exclusively based off of a high CVSS score, it’s similar to randomly picking a vulnerability to fix.

In other words, a CVSS assessment doesn’t correlate the reasonable likelihood of an exploit or even if an attacker has ever successfully exploited the threat in the wild.

What is an Asset Criticality Rating (ACR)?

An Asset Criticality Rating (ACR) represents asset criticality for every asset on your network. It’s based on several key metrics such as business purpose, asset type, location, connectivity, capabilities and third-party data.

ACRs range from 0 to 10. If an asset has a low ACR, it is not considered business critical. If it’s high, it is.

ACR Range

• Critical: 9 to 10
• High: 7 to 8
• Medium: 4 to 6
• Low: 1 to 3

Tenable provides an ACR value when you scan an asset on your network for the first time. After that, Tenable will automatically generate an ACR, which is updated daily.

You can customize ACR values to reflect your organizational needs.

Calculating ACRs

Here are some of the key drivers used to calculate VPRs:

• Device type
• For example: hypervisor (the device is a Type-1 hypervisor that hosts a virtual machine) or printer (the device is a networked printer or a printing server)
• Device capability
• The device's business purpose. For example: it’s a file server or a mail server.
• Internet exposure
• The device's location on your network and proximity to the internet. For example: it’s internal and within your local area network (LAN), possibly behind a firewall or it’s external and it’s outside your LAN and not behind a firewall.

What is an Asset Exposure Score (AES)?

In addition to VPRs and ACRs, Tenable also issues an Asset Exposure Score (AES) that can further support your risk-based vulnerability management approach.

Tenable calculates AES based on the current ACR and VPRs associated with an asset. It accounts for each asset’s vulnerability threat, criticality, and scanning behavior to quantify its vulnerability landscape.

An AES represents each asset's relative exposure ranging between 0 and 1000. A higher AES indicates higher exposure.

What is a Cyber Exposure Score?

A Cyber Exposure Score (CES) represents your organization’s cyber risk and combines your VPR with your ACR.

A CES ranges between 0 (minimal risk) and 1,000 (highest risk) and represents the average of AESs in your organization.

CES helps you prioritize remediation by:

• Examining asset criticality
• Analyzing your business goals
• Reviewing the severity of each potential threat within your attack surface
• Determining how likely an attacker may exploit the threat in the next 28 days
• Understanding threat context related to how prevalent the exploitation risk is in the real world

CES also helps benchmark your risk-based vulnerability management success internally and against peer organizations.

Tenable calculates your CES as a number between 0 and 1,000, based on the AES values for all assets scanned in the last 90 days. The higher the CES, the higher risk.

Cyber Exposure Scores are available for:

• Your entire organization
• Assets in a specific business context

Section 5: Choosing a Solution

---

Choosing a risk-based vulnerability management solution

If you’re interested in applying a risk-based approach to your existing vulnerability management program or you’re starting a new program from scratch, a risk-based vulnerability management solution can help you identify risks, prioritize and plan for remediation and give you unprecedented visibility into your organization’s cyber risks.

The right risk-based vulnerability management tool can even help you align your cybersecurity program with business goals and objectives so you can more effectively communicate your cyber risks to your teams and key stakeholders.

Here are a few recommendations to help you select which risk-based vulnerability management solution may be right for you:

First, it’s important to note that not all risk-based vulnerability management solutions are the same. You should have a good understanding of which features and capabilities are most important for your organization and how you will use them to keep your enterprise safe.

From there, you can align your information gathering process with the risk-based vulnerability management process to understand how a solution works in these phases.

Discover

• How does the solution identify all the assets across your attack surface?
• How does the solution discover vulnerabilities, weaknesses, misconfigurations and other security health issues within your enterprise?
• What strategy/approach does the solution use when discovering vulnerabilities and assets?
• When it comes to asset and vulnerability discovery, what does this solution do well and where does it fall short?
• Does the solution support regular and frequent scanning of your attack surface? If yes, how does this process work?
• Can the solution identify and map all asset types, not just traditional IT, such as OT, IoT, IIoT, cloud, serverless, mobile devices and containers?
• Can the solution immediately discover new assets as soon as they connect to your network?

Assess

• How does the solution assess all the assets across your attack surface?
• How does the solution assess vulnerabilities, weaknesses, misconfigurations and other security health issues within your enterprise?
• What strategy/approach does the solution use when assessing vulnerabilities and assets?
• Does the solution support immediate and ongoing assessments? If yes, how does this process work?
• Can the solution correlate and analyze vulnerability data with other contextual elements such as asset criticality and assessment of current and possible attacker activities?
• Is the solution supported by continuous, in-depth research from a focused vulnerability research team?
• Can the solution deliver deep insight into every vulnerability discovered on your extended network?

Prioritize

• Does the solution offer vulnerability prioritization tools?
• If yes, how does the solution prioritize vulnerabilities in your attack surface?
• What strategy/approach does the solution use when prioritizing vulnerabilities?
• Is the solution’s approach to vulnerability prioritization proactive or reactive?
• Does the solution continuously update priority ratings for each vulnerability based on changes in the current threat landscape?
• Does the solution use machine learning to analyze petabytes of data and assign a priority rating within seconds?
• Can the solution determine vulnerability severity, threat actor activity and asset criticality to accurately quantify true risk?
• Does the solution use a data science model to predict which vulnerabilities attackers are most likely to exploit in the near future?

Remediate

• Does the solution have tools to help you remediate vulnerabilities? If yes, what are they? If not, you will likely have to do manual remediation processes.
• Does the solution integrate with other security solutions, for example your SIEM, ticketing system or patch management tools?
• Does the solution support a range of remediation actions such as remediate, mitigate or accept?
• Does the solution automatically modify, or allow manual modification of, risk scores based on factors such as compensating controls?

Measure

• How does the solution measure your risk-based vulnerability management program effectiveness?
• Can the solution calculate key security and maturity metrics for risk reduction?
• Does the solution effectively communicate your security team’s effectiveness (both within teams and beyond, for example to executives and other key decision-makers)?

Benchmarking

• Does it have tools to help you benchmark your program performance internally and against industry peers?
• If yes, what does this process look like?
• How large of a sample size does the solution need for benchmarking?
• Do you already benchmark your program? If yes, can the solution offer similar or improved metrics for better benchmarking?

Research

• Does the vendor’s team do on-going research to support and enhance the solution?
• How large is the vendor’s research team?
• Is the research team known for rapid response for significant issues?
• What’s the research team’s median response time?
• On average, how many plugins does the research team develop per year?
• On average, how many vulnerabilities does the research team discover and disclose each year?

Professional Services

• How many people are part of the vendor’s professional services team?
• What types of professional services does the vendor offer?
• Does the vendor offer training for new users? If yes, what does that training look like?
• Does the vendor have 24-7 customer support? If yes, what does that look like?
• Does the vendor offer a dedicated team or advisor to help you when issues arise?