Vulnerability Management Is Wasted Without Risk Analysis
Vulnerability management has historically focused on resolving as many security holes as possible. It is fundamentally a “find and fix” mentality, focused on patching every identified vulnerability as soon as possible.
The idea has some merit. Patching security holes as they’re identified does reduce the risk of a breach occurring from that vulnerability and does make critical systems more secure. However, this is time-consuming and can often result in security team members patching holes that don’t significantly reduce the risk of a cyberattack. That same effort could have reduced more risk sooner.
This leads to two of the biggest problems of traditional vulnerability management: the scale of reported vulnerabilities and the time it takes to patch a security hole. The number of newly discovered vulnerabilities is unlikely to slow down, and the time needed to successfully deploy a patch is also unlikely to budge much. Given these two realities and the fact that it’s next to impossible to patch everything in a timely fashion, enterprises need a new way to allocate their defensive resources. They need risk analysis.
Traditional Vulnerability Management Is Failing
When a vulnerability is reported, it receives a Common Vulnerabilities and Exposures (CVE) number and is added to the National Vulnerability Database (NVD). As of May 19, 2024, there were 15,801 new CVEs added to the database in 2024. In 2023, the NVD received reports of 28,826 vulnerabilities of all severities.
Already, the reported number of vulnerabilities is a little over half of what was reported in the full year of 2023. The number of reported vulnerabilities has gone up every year since 2016, with 25,043 reported in 2022 and 20,155 reported in 2021. This scale of reported vulnerabilities means that keeping up with every reported CVE isn’t possible.
The second problem is that it takes an average of 55 days, according to research, to deploy a critical patch once it’s been made available. That’s 55 days during which the organization is at risk, spent finding the right patch, testing it, and deploying it to the company at large. What this ultimately means is that patching a security vulnerability takes too long, and there are too many vulnerabilities to patch them all with a traditional approach.
That’s if the vulnerability is even identified in the first place. Around 80% of exploits are published well before the CVE is assigned. Between the sheer scale of CVEs to find and the time it takes to patch each one, the scale of the problem is nearly insurmountable.
Further, vulnerability scanning tools lack context around which vulnerabilities to patch first. The Common Vulnerability Scoring System (CVSS) does provide a numerical severity score but does not provide any information specific to how actionable the vulnerability is. This is one of the failures of the find-and-fix model – especially one based on raw criticality – and it is why risk analysis could be such a transformative discipline.
Risk Analysis Strengthens Vulnerability Management
Risk analysis resolves the problems of the classic find-and-fix vulnerability management methodology. Instead of trying to resolve every possible vulnerability, teams analyze the real possibility of a vulnerability being exploited and used to compromise systems in their specific context, which directs resources far more effectively.
Prioritizing patching based on CVSS score, on the other hand, could send cybersecurity team members running after irrelevant vulnerabilities that have minimal impact. The CVSS score is only a theoretical number in terms of criticality. A critical vulnerability that does not load into memory, or only loads under highly specific conditions, does not pose the same level of risk as a low-scoring vulnerability that might be easier to execute.
The Log4Shell vulnerability of November 2021, for example, was extremely easy for threat actors to execute and use to compromise systems. That ease of execution is what made it so incredibly damaging globally. It was marked as a critical vulnerability as soon as it was identified, and appropriately so.
There was a second Log4j vulnerability identified around the same time as Log4Shell. Although that vulnerability was also rated critical, it was much harder to execute and much less far-reaching. Traditional vulnerability management systems, however, would rate both of these vulnerabilities the same because they both have critical-level CVSS scores.
They are not the same, of course. A risk analysis would include the likelihood of a vulnerability causing damage as part of an attack chain based on a specific system context. That’s the difference with a risk-based approach to vulnerability management. Adding the specificity of how the rest of the systems connect can alter how damaging a specific vulnerability is.
In this way, risk analysis can help cybersecurity teams make better decisions about what vulnerabilities to patch. Resolving only those vulnerabilities that have the potential to truly impact overall security posture is the most effective way to protect critical assets. It also saves time and empowers organizations to spend more time on other, more strategic activities.
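The ranking argument above, as an added example (not code from this article and not Asimily's algorithm): constructed findings are ordered by CVSS alone and then by likelihood times impact, and findings are rolled up per device by taking the worst one. The field names, weights and sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    device: str
    vuln: str             # constructed label, not a real CVE ID
    cvss: float           # CVSS base score, 0-10
    exploit_public: bool  # working exploit code is known to exist
    reachable: bool       # vulnerable code is loaded and exposed on this device
    preconditions: int    # non-default conditions an attacker must meet
    asset_impact: float   # 0-1, cost to the organization if the device is compromised

# Constructed sample findings; every value here is an assumption.
FINDINGS = [
    Finding("infusion-pump-01", "VULN-A", 10.0, True, True, 0, 0.9),
    Finding("badge-reader-07", "VULN-B", 9.0, False, True, 2, 0.5),
    Finding("ip-camera-12", "VULN-C", 5.3, True, True, 0, 0.8),
    Finding("infusion-pump-01", "VULN-D", 3.1, False, True, 1, 0.9),
    Finding("hvac-ctrl-03", "VULN-E", 9.8, True, False, 0, 0.6),
]

def likelihood(f):
    """Assumed heuristic for the chance of exploitation in this context (0-1)."""
    p = 0.9 if f.exploit_public else 0.4
    p *= 0.5 ** f.preconditions  # each extra condition halves the odds
    return p if f.reachable else p * 0.1

def risk(f):
    """Likelihood x impact on a 0-100 scale; CVSS only scales the impact term."""
    return round(likelihood(f) * f.asset_impact * (f.cvss / 10) * 100, 1)

def by_cvss(findings):
    return [f.vuln for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def by_risk(findings):
    return [f.vuln for f in sorted(findings, key=risk, reverse=True)]

def device_risk(findings, device):
    """A device is as risky as its worst finding, so take the max, not a sum."""
    return max((risk(f) for f in findings if f.device == device), default=0.0)

def without(findings, vuln):
    """Findings that remain after one vulnerability is remediated."""
    return [f for f in findings if f.vuln != vuln]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(FINDINGS))
    print("Risk order:", by_risk(FINDINGS))
    print("Pump, low-risk fix only:", device_risk(without(FINDINGS, "VULN-D"), "infusion-pump-01"))
```

Two of the three critical-scored findings drop to the bottom of the risk ordering, and remediating only the low-risk finding on the pump leaves that device's score unchanged.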
How Asimily Informs Risk Analysis for Vulnerability Management
The Asimily platform features advanced functionality designed to simplify risk mitigation for Internet of Things vulnerabilities. The platform’s patented prioritization technology provides holistic visibility into all IoT devices connected to your networks for IT and security teams to begin working toward a comprehensive security program.
This includes automated inventory identification to surface:
- Operating system
- IP address
- MAC address
- Port numbers
- Applications
- Hostname
- Version number
This information means that you get a richer picture of all the IoT devices attached to your systems. Effective vulnerability prioritization means understanding the full scope of your inventory first, and Asimily’s scanning empowers that step. Asimily also scours security data provided by manufacturers, open source software repositories, attacker activity, and vulnerability criticality information to identify weaknesses and assign contextual criticality to them.
Asimily customers can efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like Software Bills of Materials (SBOMs) and Common Vulnerabilities and Exposures (CVE) lists. Asimily uses this information, as well as our advanced risk modeling and simulation, to ensure that you can conduct the most robust risk analysis possible. Likelihood and Impact scores are used to determine the riskiest devices to work on next. There are no moral victories – fixing a low-risk vulnerability in a device with multiple issues does not reduce its risk score at Asimily. From the attacker’s point of view, the risk level hasn’t changed.
Leveraging Asimily’s advanced risk analysis, vulnerability prioritization, and management capabilities empowers companies to mature their IoT security and risk management. With the Asimily platform, customers can be confident that they have resolved the most impactful vulnerabilities in their systems and reduced their risks effectively.
To find out more about how Asimily can help improve your organization’s security posture, download our white paper, IoT Device Security in 2024: The High Cost of Doing Nothing. To get started immediately, contact us today.