Tenable Specialists: "Not all vulnerabilities are a threat - organizations should focus on the major vulnerabilities".
The computer networks of organizations are constantly expanding: IT, cloud, IoT and OT form a complex computing landscape that represents the modern attack surface. With every new device, connection or application, this attack surface increases. In addition to this complexity, there are countless vulnerabilities that are discovered every day, and the challenges often seem insurmountable. The solution, however, is relatively simple - security teams need visibility to understand the risks.
More focus on acutely endangered vulnerabilities
Regardless of the size of the organization, fixing every vulnerability takes a long time, even with a large IT team and significant financial investment. Rather than dwelling on vulnerabilities that are not being targeted, organizations can set aside thousands of vulnerabilities in order to focus on those that pose a real threat.
The vulnerability overload
When it comes to vulnerability management, the question is often asked: How many vulnerabilities can a single security professional fix each day? Per week? Per month? The stopwatch starts when the security manager learns of the vulnerability after it has been disclosed under a CVE (Common Vulnerabilities and Exposures) identifier. With this limited information, a race begins to determine whether the vulnerability exists within your own network and which systems, devices or applications are affected - before remediation can even begin.
The CVE ID only tells the security experts that the vulnerability exists - that's all. Further extensive research in numerous public sources is required to determine the actual risk. These sources describe in detail the characteristics of the vulnerability and the role it plays in current and past exploitation activity. This process should draw on complementary sources such as social media posts, blogs, and even forums on the dark web.
The majority of attacks on organizations are not state-sponsored or particularly sophisticated. The problem is the known but not yet patched vulnerabilities. It is impossible to fix all security holes, so the challenge is to know which threats are real and which are only theoretical.
Fix the risk
According to Tenable Research (Persistent vulnerabilities: causes and outlook), an exploit is developed for only 20% of vulnerabilities, and attackers exploit only a fraction of those. Security teams can use this to their advantage. The Tenable study also found that less than 6% of organizations address vulnerabilities effectively. Many companies are not up to date with their security processes and spend their time fixing shortcomings that may never be exploited, or that affect areas which pose no real risk.
Risk-based Vulnerability Management (RBVM) goes beyond the basic assessment of the Common Vulnerability Scoring System (CVSS). It enables security teams to take contextual elements into account - such as the criticality of the affected system or device - combined with constantly updated threat intelligence and predictive technologies. In this way, companies can efficiently identify the vulnerabilities most likely to be exploited in the immediate future.
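To make the difference between CVSS-only triage and risk-based prioritization concrete, the following is an added example (not Tenable's scoring model or any code from this article). It ranks a handful of constructed findings by a contextual risk score that scales the CVSS base score by asset criticality and boosts it when threat intelligence reports a public exploit, active exploitation in the wild, or internet exposure. The weights, the 1-5 criticality scale, and the `CVE-YYYY-000N` identifiers are all illustrative assumptions.

```python
"""Added example: contextual (risk-based) vulnerability prioritization.

Assumptions (not from the article): the weight factors, the 1-5 asset
criticality scale, and the placeholder CVE identifiers below.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, constructed for this example
    cvss: float              # CVSS base score, 0.0-10.0
    asset_criticality: int   # assumed scale: 1 (lab box) .. 5 (crown jewel)
    exploit_public: bool     # threat intel: working exploit code is public
    exploited_in_wild: bool  # threat intel: active exploitation reported
    internet_exposed: bool   # asset is reachable from the internet


def risk_score(f: Finding) -> float:
    """Contextual risk on a 0-100 scale.

    Start from CVSS alone (0-100), scale by how much the asset matters,
    then apply multiplicative boosts for threat signals. Clamped to 100.
    """
    score = f.cvss * 10.0                       # CVSS-only view
    score *= f.asset_criticality / 5.0          # asset context: 0.2 .. 1.0
    if f.exploited_in_wild:                     # strongest signal wins
        score *= 1.5
    elif f.exploit_public:
        score *= 1.2
    if f.internet_exposed:
        score *= 1.2
    return round(min(score, 100.0), 1)


def prioritize(findings: List[Finding], capacity: int) -> List[str]:
    """Top `capacity` CVE ids by contextual risk, highest first.

    `capacity` models how many fixes the team can actually ship this cycle.
    """
    ranked = sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)
    return [f.cve for f in ranked[:capacity]]


def cvss_only(findings: List[Finding], capacity: int) -> List[str]:
    """The naive queue: sort by CVSS base score alone, for comparison."""
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [f.cve for f in ranked[:capacity]]


# Constructed sample findings; the CVE ids are placeholders, not real entries.
FINDINGS = [
    Finding("CVE-YYYY-0001", 9.8, 1, False, False, False),  # critical CVSS, lab box, no exploit
    Finding("CVE-YYYY-0002", 7.5, 5, True,  True,  True),   # exploited in the wild on an exposed crown jewel
    Finding("CVE-YYYY-0003", 6.5, 4, True,  False, False),  # public exploit, important internal asset
    Finding("CVE-YYYY-0004", 9.1, 3, False, False, False),  # high CVSS, mid-tier asset, no exploit known
]


if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.cve}: cvss={f.cvss:4.1f} risk={risk_score(f):5.1f}")
    print("CVSS-only queue:", cvss_only(FINDINGS, 2))
    print("Risk-based queue:", prioritize(FINDINGS, 2))
```

With a capacity of two fixes, the CVSS-only queue spends both slots on the 9.8 and 9.1 findings, neither of which has an exploit or sits on a critical asset, while the risk-based queue picks the actively exploited, internet-exposed finding first and the one with a public exploit second. The point of the exercise is not the particular weights but that the same scanner output yields a very different work order once asset context and threat intelligence are folded in.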
Reduce business risk faster
Finding and fixing the vulnerabilities that are being actively exploited is paramount to reducing business risk. With the help of a risk-based vulnerability management program, security teams can secure even the most complex IT landscape. For more information on RBVM, see Tenable's free whitepaper (including a guide): Implementing Risk-Based Vulnerability Management.
More on this at Tenable.com
About Tenable
Tenable is a Cyber Exposure company. Over 24,000 organizations worldwide trust Tenable to understand and reduce cyber risk. The creators of Nessus have combined their vulnerability expertise in Tenable.io, delivering the industry's first platform that provides real-time visibility into, and secures, any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.