The scale of vulnerability management has grown complicated in recent years. More than 28,800 vulnerabilities were reported in 2023, according to the National Vulnerability Database, an increase of 3,000 from the prior year. That’s about 80 a day, every day. The growth in identified vulnerabilities in software and hardware alone makes it clear that legacy processes for patch management are untenable.

This is especially clear with regard to Internet of Things (IoT) devices. The scale of IoT devices deployed within many organizations means that security teams need a more effective plan than “find and fix” when it comes to vulnerability management. What they need is to prioritize their vulnerabilities. Only then can they be effective at managing the risk of a cyberattack.

What is Vulnerability Prioritization?

Vulnerability prioritization is the practice of patching identified weaknesses based on impact on the business, rather than a severity score. The Common Vulnerability Scoring System (CVSS) assigns a severity score to each reported vulnerability that receives a CVE – Common Vulnerability Enumeration. This score runs from 0.0 to 10.0, with ranges connoting Low to Critical severity in terms of the level of potential damage the CVE could describe when exploited. 

This practice has led to traditional patch management focusing on CVEs with higher scores as opposed to lower scores. Many organizations have internal service level agreements (SLAs) that tie the allowable time to fix a vulnerability straight to its CVSS score. In theory, a higher CVSS means that the vulnerability is more damaging and thus should be patched quickly. A lower score means that the weakness can be patched later. This isn’t necessarily true though. 

A High or Critical severity vulnerability could be extremely difficult to exploit as part of an attack chain. In this case, a threat actor may not use the Critical vulnerability because it would require too much effort and too much time to do so. Keep in mind that cybercriminals, by and large, are opportunists. They’re looking for the path of least resistance and thus would be more likely to ignore weaknesses that take too much time or require too much skill to use. A CVE with a lower severity score may thus be more attractive and ultimately cause more damage because it’s easier to exploit. 

Vulnerability prioritization means examining identified vulnerabilities for what could actually have the most impact on a specific company’s systems. In practice, this means looking at which flaws within your systems are the most exploitable and which ones could cause the most damage. For example, a temperature sensor in a remote facility that’s accessible from the open internet without sufficient mitigations could be a major risk. A vulnerability that allows remote code execution on that machine could be potentially damaging. 

Vulnerability prioritization also takes into account the different risk levels based on device configuration. That same remote sensor may have been installed with a specific configuration that could be just different enough to make an identified vulnerability be less impactful. In that case, an identified weakness on that specific machine may then become a lower priority than a vulnerability on a security camera. 

Prioritizing vulnerabilities based on actual impact on your systems means adopting a risk-based approach to patch management. Identified weaknesses are examined based on the specific context of your systems as opposed to an external CVSS severity rating that doesn’t take into account any defenses you may have in place.

How Vulnerability Prioritization Informs IoT Risk Management 

Vulnerability prioritization is a necessary component of an effective IoT security and risk management strategy. Identifying weaknesses in your connected devices is only the first step in this process. Following that, you need to take a harder look at what these weaknesses are in the context of your unique system architecture. 

Prioritizing these weaknesses based on your unique environment ultimately means that you can reduce the risk of a cyberattack spreading throughout critical systems and impacting patient care. Scoring identified IoT weaknesses based on the risk of exploitation and how damaging they could be if exploited means that you can allocate resources more effectively. Resolving the riskiest vulnerabilities first could eliminate a lot of possible attack pathways and ultimately make your company more secure quickly. 

Your risk mitigation and management strategy requires this ability to prioritize identified weaknesses based on impact. There are too many CVEs and too many devices to patch each and every weakness as it comes up. Moreover, the lack of vendor support that’s common in the IoT space means that not every vulnerability even has a patch or vendor-identified mitigation measure. 

There might need to be alternate methods of limiting the spread of a cyberattack that originates with legacy technologies that are connected to the internet and still in use. IoT devices that run on outdated operating systems are common. Remote sensors that operate on some old version of Windows may have a critical severity weakness that the vendor is not going to resolve. However, it serves the company’s needs just fine. Security teams would need to mitigate that vulnerability anyway. Prioritizing that weakness ahead of other issues may ultimately make the company more secure than it would otherwise be. 

In this way, the ability to prioritize vulnerabilities based on the specific system context makes the company more secure. Understanding where the biggest risks are thus means that security teams can do their work more efficiently and more effectively. This makes your organization more secure and reduces the opportunities threat actors have to exploit vulnerabilities to achieve their goals. 

How Asimily’s Advanced Vulnerability Prioritization and Management Informs Your Strategy

The Asimily platform features advanced vulnerability prioritization functionality designed to streamline your risk management and ensure appropriate resource allocation. The platform’s patented vulnerability prioritization capabilities provide holistic visibility into all IoT devices connected to your networks for IT and security teams to begin working toward a comprehensive security program. 

This includes automated inventory identification through passive scanning to surface: 

• Operating system
• IP address
• MAC address
• Port numbers
• Applications
• Hostname
• Version number

This information means that you get a richer picture of all the IoT devices attached to your systems. Effective vulnerability prioritization means understanding the full scope of your inventory first, and Asimily’s passive scanning empowers that step. Asimily also scours security data provided by manufacturers, open source software repositories, attacker activity, and vulnerability criticality information to identify weaknesses and assign contextual criticality to them. 

Asimily customers can efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. The Asimily platform uses this information in the context of your unique environment to allow our deep contextual recommendation engine to provide actionable remediation steps to reduce your risks and save time. 

Leveraging Asimily’s advanced vulnerability prioritization and management capabilities empowers companies to mature their IoT security and risk management programs. Ultimately, this makes companies safer and reduces the risk of long-term business disruption.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.