
What is Risk-Based Vulnerability Management (RBVM)?

Organizations face thousands of potential vulnerabilities, but not all pose the same risk. Traditional vulnerability management helps to discover vulnerabilities but can overwhelm security teams, so risk-based vulnerability management was born.


Risk-based vulnerability management definition

Risk-based vulnerability management (RBVM) is like vulnerability management 2.0 in that it still involves continuously monitoring and remediating vulnerabilities in IT infrastructure, systems, and applications. However, it doesn’t stop there. Instead, RBVM adds a context-driven approach where it helps security teams prioritize and understand the risk around the vulnerabilities so critical ones relevant to their organization can be addressed first.

RBVM helps reduce the amount of work for security teams by determining whether a critical vulnerability truly is a risk to the organization because of potential exposure, exploitability, or impact to business-critical applications.

Traditional vulnerability management can drown teams in alerts, regardless of whether the vulnerability could actually impact the organization. Traditional vulnerability management is the process of identifying and fixing security vulnerabilities and misconfigurations, focusing more on solving as many vulnerabilities as possible rather than on risk potential.

Why is risk-based vulnerability management important?

Most organizations have implemented a vulnerability management program by now, but that can create its own additional problems due to the staggering number of open vulnerabilities. One Sysdig customer had more than 74,000 critical vulnerabilities from just one environment.

It’s just too much for security teams to handle without considering risk and context. The modern attack surface is too dynamic and rife with ephemeral workloads. Vulnerability exploitation possibilities change rapidly as threat actors look for ways to slip past security defenses and controls. 

So, RBVM isn’t about replacing traditional vulnerability management so much as it is taking it to the next level and improving what it can do. As a result, organizations can feel confident the critical vulnerabilities that could impact them are remediated in a timely manner.

Security and DevOps teams can’t fix every vulnerability that exists, but with prioritization, they can understand what needs to be addressed now and what doesn’t.

Risk-based vulnerability management vs. traditional vulnerability management

Traditional vulnerability management isn’t inherently bad compared to RBVM; it just doesn’t do enough to help security teams determine which vulnerabilities should be addressed first. Rather, it provides organizations with a big list of vulnerabilities to address.

Traditional vulnerability management has had a heavy focus on scanning for vulnerabilities and only offered a basic prioritization based on the Common Vulnerability Scoring System (CVSS) and the National Vulnerability Database (NVD). CVSS and NVD categorize each and every vulnerability based upon its complexity, whether it can be exploited, and its potential impact. That’s useful for sure – but not as narrowly focused as it could be for organizations.

RBVM takes vulnerability scoring further by considering context and prioritization. With this, security teams understand which vulnerabilities need to be addressed now and which ones can be addressed later. Not all vulnerabilities need to be remediated immediately, especially if they won’t even impact the organization.

Benefits of risk-based vulnerability management

Risk-based vulnerability management benefits include:

  • Less reactive and more proactive: Security teams aren’t left just reacting to new critical vulnerabilities with RBVM. They can tackle the ones that matter most and be better prepared for new risks.
  • Less low-risk noise: Alert fatigue impacts all security teams. Instead, with RBVM, context helps provide prioritization so business-critical vulnerabilities are addressed immediately and low-risk vulnerabilities can be deprioritized.
  • Aligns security with business: RBVM helps security teams better align their efforts to business priorities to help the organization. Additionally, reporting remediation efforts to CISOs and the board is more clear and obvious.
  • Reduced risk exposure: By knowing which vulnerabilities to remediate based upon potential business impact, security teams can keep IT infrastructure, systems, and applications better protected.

Challenges of risk-based vulnerability management

Some risk-based vulnerability management challenges include:

  • Sufficient asset inventory: RBVM can only protect what it can see. This requires the ability to gain visibility into all corners of an organization’s IT infrastructure. Complexity around dynamic cloud environments and ephemeral workloads can make this difficult. Organizations need to be able to perform a complete asset inventory and discover assets and shadow IT within all environments.
  • Appropriate buy-in from CISOs and other executives: Being able to highlight how many vulnerabilities were addressed can look impressive in a vacuum, but it doesn’t mean business assets are any safer. Changing to RBVM means being comfortable showing fewer vulnerabilities fixed and explaining that the vulnerabilities remediated were better aligned to business needs.
  • Poor ownership and accountability: While it’s good to know the context and prioritization of vulnerabilities and risks in an organization, it doesn’t matter if no one steps up to actually remediate them. For RBVM to work effectively, security and DevOps need to communicate and be willing to remediate as needed.

Key components of risk-based vulnerability management

RBVM includes many of the components of traditional vulnerability management and adds the following to provide a more accurate list of critical vulnerabilities:

  • Asset classification: This enables RBVM tools and security teams to understand what assets are important for business priorities and what assets aren’t.
  • Threat intelligence: Integrate threat intelligence to understand what vulnerabilities are being actively exploited and what new vulnerabilities are emerging. This helps security teams prioritize vulnerabilities.
  • Risk scoring: After collecting telemetry around critical assets and potential threats, create a scoring system that incorporates CVSS and risk context to get an accurate picture of business-critical vulnerabilities. Context includes whether the vulnerability involves actively used applications or production environments and the sensitivity of the data involved.
  • Automation capabilities: Adopt vulnerability management tools that enable the automation of workflows to free up teams and resources. That means less time spent for teams to manually tag vulnerabilities and more on actually remediating risks.
  • Continuous monitoring: By continuously monitoring for new vulnerabilities, security teams can speed up mean time to resolution while also adjusting their vulnerability management program for effectiveness.

How risk-based vulnerability management works

RBVM works much the same way as traditional vulnerability management, just with added context and prioritization applied. First, security and DevOps teams and leaders need to sit down and determine which assets and systems are most relevant to business priorities.

From there, use threat intelligence to get additional information on what vulnerabilities threat actors are actively exploiting.

Next, perform regular vulnerability scans of all IT infrastructure, assets, and applications to understand where security risk exists. Traditional scoring still applies to understand the general severity of each vulnerability.

From there, security teams or their RBVM tools can provide additional context around the critical vulnerabilities based upon their potential impact to their specific organization. This additional context helps to determine which vulnerabilities should be addressed immediately and which ones can be addressed later.

For example, a vulnerability in Java is initially deemed critical through CVSS, but further context identifies that the organization’s production workloads run Go instead. This vulnerability won’t impact the organization, or at least can be remediated later compared to something that does threaten production workloads or business-critical assets.

Much like traditional vulnerability management, RBVM then performs continuous monitoring to discover new vulnerabilities and threats.
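The risk-scoring component and the walkthrough above can be made concrete with a small prioritizer. The following Python is an added example written for this page; it is not Sysdig’s code or scoring model. The asset fields, the context weights, the priority thresholds and the sample findings (with placeholder identifiers rather than real CVE numbers) are all constructed assumptions. It starts from the CVSS base score, scales it by the context the page describes (whether the vulnerable runtime is actually in use, active exploitation from threat intelligence, exposure, production status, business criticality and data sensitivity) and sorts the findings so that the Java-on-a-Go-workload case falls to the bottom while the same CVE on a host that really runs Java stays near the top.

```python
"""Added example: a minimal risk-based prioritizer for scanner findings.

This is illustrative code, not Sysdig's implementation. The weights,
thresholds, asset attributes and sample findings below are assumptions
chosen to show the mechanism; a real program would populate them from an
asset inventory, a vulnerability scanner, a threat-intelligence feed and
runtime telemetry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_critical: bool      # from asset classification
    production: bool
    internet_exposed: bool
    data_sensitivity: int        # assumed scale: 0 (public) .. 3 (regulated)
    runtimes_in_use: frozenset   # ecosystems actually observed running


@dataclass(frozen=True)
class Finding:
    cve: str                     # placeholder id, not a real CVE
    cvss_base: float             # traditional severity, 0.0 .. 10.0
    runtime: str                 # ecosystem the vulnerable package belongs to
    asset: Asset
    actively_exploited: bool     # from threat intelligence


def context_multiplier(f: Finding) -> float:
    """Scale CVSS by organization-specific context (assumed weights)."""
    m = 1.0
    # Vulnerable package never loaded on this asset: not reachable today.
    if f.runtime not in f.asset.runtimes_in_use:
        m *= 0.2
    if f.actively_exploited:
        m *= 1.4
    if f.asset.internet_exposed:
        m *= 1.2
    if f.asset.production:
        m *= 1.1
    if f.asset.business_critical:
        m *= 1.1
    m *= 1.0 + 0.05 * f.asset.data_sensitivity
    return m


def risk_score(f: Finding) -> float:
    """Contextual risk; unlike CVSS it is deliberately not capped at 10."""
    return round(f.cvss_base * context_multiplier(f), 2)


def priority(score: float) -> str:
    """Map a contextual score to a remediation bucket (assumed thresholds)."""
    if score >= 9.0:
        return "P1"
    if score >= 6.0:
        return "P2"
    if score >= 3.0:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample inventory and findings.
PAYMENTS_API = Asset("payments-api", True, True, True, 3, frozenset({"go"}))
INTERNAL_WIKI = Asset("internal-wiki", False, True, False, 1,
                      frozenset({"java", "python"}))

JAVA_ON_PAYMENTS = Finding("EXAMPLE-CVE-JAVA-1", 9.8, "java", PAYMENTS_API, False)
GO_ON_PAYMENTS = Finding("EXAMPLE-CVE-GO-1", 7.5, "go", PAYMENTS_API, True)
JAVA_ON_WIKI = Finding("EXAMPLE-CVE-JAVA-1", 9.8, "java", INTERNAL_WIKI, False)
SAMPLE_FINDINGS = [JAVA_ON_PAYMENTS, GO_ON_PAYMENTS, JAVA_ON_WIKI]


def triage(findings=SAMPLE_FINDINGS):
    """Return (cve, asset, cvss, contextual score, priority) rows, sorted."""
    return [(f.cve, f.asset.name, f.cvss_base, risk_score(f),
             priority(risk_score(f))) for f in prioritize(findings)]


if __name__ == "__main__":
    for row in triage():
        print("{:<20} {:<14} cvss={:<4} risk={:<6} {}".format(*row))
```

Running the block shows the page’s scenario numerically: the CVSS 9.8 Java finding on the Go-only payments API scores 3.27 (P3, schedule later), while a lower-CVSS Go finding on the same asset, known to be actively exploited and internet-facing, scores 17.53 (P1), and the same Java CVE on the wiki host that actually runs Java scores 11.32 (P1). The multiplicative form is a simplification; what matters is that runtime reachability, exploitation evidence and asset classification enter the score rather than CVSS alone.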

Get context and prioritization for risks at Sysdig

Risk-based vulnerability management helps security teams cut through the noise to find the vulnerabilities that truly matter to their organization. Not every vulnerability is a risk for the organization as context matters.

Sysdig’s vulnerability management goes beyond discovering vulnerabilities by including runtime context to understand the risk factors involved, such as exposure, exploitability, and reachability. Address vulnerabilities that pose the greatest risk.

