P. 46
advantage of the “forgotten” vulnerabilities by maintaining exploits for some older vulnerabilities
in current toolkits, simply because they know the exploits still work.


This statistic merely reinforces the point that organizations do not have effective VLM systems,
and are drastically lagging when it comes to patching older, known vulnerabilities.

These two facts are key to understanding what makes a VLM system truly effective. At
the end of the day, organizations must account for the scope of systems affected as well as the
root cause of the vulnerability. Making one small change to an operating system configuration
which addresses 20 outstanding high and medium vulnerabilities has a much higher ROI on
your security spend than taking days to address a vulnerability that affects a single system. The
most effective risk-based approach is “find it, understand the root cause, fix it forever and for
everything, move on.” Organizations with this mentality spend less effort addressing
vulnerabilities and are more likely to avoid future threats, but this is not a process that is easily
managed in an Excel spreadsheet. We categorize the approaches to VLM into four buckets.
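The contrast above, as an added example that is not part of the report: a short Python script that builds the simplified severity-first queue and, beside it, a queue that groups findings by the root-cause fix that closes them and ranks each fix by the total risk it removes. The findings, hosts, severity weights and fix labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings (not real scan output): each row is one scanner
# finding already mapped to the single root-cause fix that would close it.
FINDINGS = [
    {"host": "db01", "vuln_id": "V-100", "severity": "critical", "fix": "vendor-patch legacy DB"},
]
for host in ("web01", "web02", "web03", "app01", "app02"):
    FINDINGS.append({"host": host, "vuln_id": "V-201", "severity": "high",
                     "fix": "apply TLS baseline config"})
    FINDINGS.append({"host": host, "vuln_id": "V-202", "severity": "medium",
                     "fix": "apply TLS baseline config"})
for host in ("web01", "app01"):
    FINDINGS.append({"host": host, "vuln_id": "V-301", "severity": "high",
                     "fix": "install OS patch bundle"})

# Illustrative weights; a real program would use its own scoring scheme.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


def severity_first(findings):
    """Simplified risk-based queue: one finding at a time, highest severity first."""
    return sorted(findings,
                  key=lambda f: (-SEVERITY_WEIGHT[f["severity"]], f["host"], f["vuln_id"]))


def rank_fixes(findings):
    """Root-cause queue: group findings by the fix that closes them and rank each
    fix by the total severity weight it removes, then by the number of findings closed.
    Returns (fix, findings_closed, hosts_touched, risk_removed) tuples."""
    groups = defaultdict(lambda: {"findings": 0, "hosts": set(), "risk": 0})
    for f in findings:
        g = groups[f["fix"]]
        g["findings"] += 1
        g["hosts"].add(f["host"])
        g["risk"] += SEVERITY_WEIGHT[f["severity"]]
    rows = [(fix, g["findings"], len(g["hosts"]), g["risk"]) for fix, g in groups.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))


if __name__ == "__main__":
    top = severity_first(FINDINGS)[0]
    print(f"severity-first queue starts with {top['vuln_id']} on {top['host']}")
    print(f"{'fix':<26} findings hosts risk")
    for fix, n, hosts, risk in rank_fixes(FINDINGS):
        print(f"{fix:<26} {n:>8} {hosts:>5} {risk:>4}")
```

The severity-first queue starts with the single critical finding on one host, while the root-cause queue puts the one configuration change that closes ten findings across five hosts at the top.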


Four Common Approaches to VLM: The Good, The Bad, The Ugly

Risk-based. Many organizations take a simplified risk-based approach, reviewing the
vulnerability scan results by severity, starting at the highest severity and working their way
down. This can be inefficient, and potentially dangerous, because it treats all the highest
severity vulnerabilities as equal. In reality, they are not equal, and this reinforces a “find it, fix
this one, move on” mentality which ignores the root cause.

Asset-based. Some organizations take an asset-based approach. These organizations
consider which vulnerabilities are detected on critical assets or subnets and remediate those
first. This is typically blended with the risk-based approach, which is good, but root cause
analysis still typically takes a back seat to the “fix it now” pressures the security organization
faces.

Operational. Organizations which take an operational approach analyze the data by fix type
such as patches, operating system, application configuration, etc., then build a to-do list for the
