Lab Reports

After every roundtable and lab sessions we produce a report summarizing all aspects of the conversation, with key takeaways, learnings, and clear next steps.

Lab Report | Beyond CVSS – New Approaches to Vulnerability Management

Date/Time: Jan 31 @ 1:00 PM ET
Parent Topic: Vulnerability Management

Companies Need to Radically Prioritize Their Vulnerabilities

The number of IT vulnerabilities has risen by 411% since 2005, when CVSS scoring was first introduced. Legacy vulnerability management practices no longer work.

Why It Matters

Vulnerability Management is a relationship management job. There needs to be trust between Cybersecurity teams and their partners who manage the technology and are responsible for any remediations. Traditional vulnerability management programs do the exact opposite — they flood partners with thousands of vulnerabilities that cannot, and should not, all be remediated.

A new framework is needed that:

• Radically prioritizes vulnerability remediation based on the threat landscape and a company’s exposure to those threats. This framework should differentiate between when there are vulnerabilities that pose an imminent threat to the organization, and then everything else.
• Shifts mindsets across the organization and governing bodies. Remediation partners embrace new behaviors built on the right sense of urgency. Executives and governing bodies embrace risk management, rather than risk elimination.
• Includes a unified view of vulnerabilities and remediation priorities across a vast technology footprint. This view can ease today’s subject-matter expertise resourcing requirements across both cybersecurity teams, and remediation teams. While this unified view has proven elusive for most teams, it is a potential game-changer.

Quick Win Opportunity

• Implement a remediation hierarchy with no more than 3 tiers. Put vulnerabilities from your Attack Surface at the top and define an aggressive timeframe and process for remediation, while lengthening timeframes for lower tiers. Consider invoking incident management to signal urgency. Be particularly vocal in recognizing remediation partners when SLAs are achieved.

Shifts in Vulnerability Management Approaches

As the four lab participants outlined their transformation journeys a key theme emerged: success is achieved when you’ve aligned the resources, processes, and tools to responsibly allocate vulnerability identification and remediation labor.

Company 1 described their journey from “fix everything” to risk-based prioritization.

• The program started out heavily focused on numbers and efficiency — grabbing vulnerability
  data from all over the network and leveraging a third-party to run the operations.
• The combination of the two didn’t work. Too much data was blindly passed to partners and was not resulting in remediation of the worst vulnerabilities.
• More recently, they have established a new scoring mechanism and remediation timelines for vulnerabilities based on exploitability and impact.
• Components of the risk score include: exploitability of the vulnerability and where the asset sits on the network.
• While they won’t re-score older vulnerabilities, they do provide recommendations on how to prioritize the backlog.
• Team structure: Recently they’ve insourced the program and tied it more closely to the risk management function. The cybersecurity team currently does not manage Cloud vulnerabilities.

Download the full report for all four companies’ approach.

Participant Poll

Go Deeper

Studio Participants continued working together on a new framework in follow-up sessions including

• OT Vulnerability Remediation
• Approaches to Attack Surface Management
• Radical Vulnerability Prioritization
• Vulnerability Remediation Partner Relationship Management