Cybersecurity
Exposure Management 101: Vulnerability Management

16.02.24
4 min read
Introduction
Vulnerability management is not a new concept. It might be one of the oldest security concepts for organizations, to be honest. However, it may also be one of the most misunderstood areas of security, because of the overwhelming number of vulnerabilities that every organization faces. That volume can even keep an organization from securing much of anything.
Vulnerability Prioritization and Exploitation
At the core of most vulnerability management solutions is the concept of “prioritization”. Prioritization is essential when triaging vulnerabilities because only a small fraction of known vulnerabilities have actually been exploited. According to NIST (from 1/1/1999-2/10/2024):
- Total vulnerabilities with CVSS > 9.0: 40,456
- Total vulnerabilities with CVSS between 7.0 and 9.0: 79,140
- Total known exploited vulnerabilities: 1085
This puts the percentage of high and critical vulnerabilities that have been exploited at less than 1%. NIST has also narrowed this KEV figure to around 20 vulnerabilities that have been shown to be present in most enterprises (1).
What does this mean for most organizations? The majority of vulnerabilities do not need to be addressed.
Combining Asset Priority with Vulnerability Priority
A key concept that most organizations can benefit from is combining asset priority with vulnerability priority. With so many vulnerabilities to overcome, it would be ideal to know when high-value assets carry the highest-priority vulnerabilities.
A solution that can give you a list of the highest priority exploited vulnerabilities on the highest value assets can save time and have the biggest impact in reducing risk due to vulnerabilities. Look at this example:
Here is a list of all vulnerabilities in this test environment (3884):

Now, looking only at assets with a priority of at least 7, the vulnerability count drops (3387):

Next, focusing on the vulnerabilities with a CVSS score between 7.0 and 10.0 (166):

Finally, looking at only the vulnerabilities that meet our criteria and are on the KEV (41):

Using this method, we reduced the total number of vulnerabilities from 3884 down to only 41 that are exploited and located on high-value assets! That is very manageable for any organization.
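The same funnel in Python, as an added example that is not Nanitor's code or the tooling behind the screenshots above: filter findings by asset priority, then by CVSS range, then by KEV membership, and rank what survives by asset value and severity. The Finding type, its field names and the CVE ids are assumptions and placeholders constructed for the example.

```python
# Added example: the asset-priority / CVSS / KEV funnel described above.
# Finding, its fields and the CVE ids are constructed placeholders, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str           # hostname or asset id
    asset_priority: int  # business value of the asset, 1 (low) to 10 (high)
    cve: str
    cvss: float


def prioritization_funnel(findings, kev, min_asset_priority=7, min_cvss=7.0, max_cvss=10.0):
    """Apply the three filters in order; return the count after each stage and
    the surviving findings ranked by asset value, then by CVSS."""
    on_high_value_assets = [f for f in findings if f.asset_priority >= min_asset_priority]
    high_cvss = [f for f in on_high_value_assets if min_cvss <= f.cvss <= max_cvss]
    exploited = [f for f in high_cvss if f.cve in kev]
    counts = {
        "all": len(findings),
        "high_value_assets": len(on_high_value_assets),
        "high_cvss": len(high_cvss),
        "kev": len(exploited),
    }
    ranked = sorted(exploited, key=lambda f: (f.asset_priority, f.cvss), reverse=True)
    return counts, ranked


# Constructed sample: CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("db-prod-01", 9, "CVE-0000-0001", 9.8),   # critical, in KEV, high-value asset
    Finding("db-prod-01", 9, "CVE-0000-0002", 5.3),   # medium severity: dropped at the CVSS step
    Finding("web-prod-02", 8, "CVE-0000-0003", 7.5),  # high, in KEV, high-value asset
    Finding("web-prod-02", 8, "CVE-0000-0004", 8.1),  # high but not in KEV: dropped at the KEV step
    Finding("dev-box-07", 3, "CVE-0000-0001", 9.8),   # same critical CVE, low-value asset: dropped
    Finding("kiosk-11", 6, "CVE-0000-0003", 7.5),     # asset priority 6 < 7: dropped
]
SAMPLE_KEV = {"CVE-0000-0001", "CVE-0000-0003"}      # stand-in for the KEV catalog


if __name__ == "__main__":
    counts, ranked = prioritization_funnel(SAMPLE_FINDINGS, SAMPLE_KEV)
    for stage, n in counts.items():
        print(f"{stage:>18}: {n}")
    for f in ranked:
        print(f"{f.asset} (priority {f.asset_priority}) {f.cve} CVSS {f.cvss}")
```

Note that the same CVE on a low-value asset is dropped at the first step, which is the point of combining asset priority with vulnerability priority rather than ranking on CVSS alone.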
Conclusion
Vulnerability management and analysis are not new. However, being able to work the data so that only the important vulnerabilities are addressed on the most important assets can make the difference between patching vulnerabilities and having a very high-risk environment.
To see where your assets are with vulnerabilities and to know which assets you need to address, visit us at https://www.nanitor.com or contact joe@nanitor.com for a customized demo.