Risk-based vulnerability management (RBVM) is a cybersecurity strategy in which organizations prioritize remediation of software vulnerabilities according to the risk they pose to the organization. A risk-based vulnerability management strategy has several components.

The need for risk-based vulnerability management The need for risk-based vulnerability management is driven by the fact that large enterprise networks contain more vulnerabilities than their cybersecurity teams can fix. Simply put, the scale of vulnerability management at large organizations makes the practice challenging. Cybersecurity executives at large organizations can manage, on average, 80,000 IT assets including laptops, servers, routers, and internet-connected printers. Combined, these assets may hold 40 million vulnerabilities. However, research by Kenna Security shows that companies have, on average, the capacity to remediate just one out of every ten vulnerabilities on their systems. Traditionally, organizations prioritized the vulnerabilities they needed to patch according to a mix of gut feeling, regulatory and compliance needs, and the theoretical damage a successful attack could do. For example, one common metric, the Common Vulnerability Scoring System (CVSS), scores vulnerabilities according to the damage it would do if exploited. But many vulnerabilities with high CVSS scores pose little or no risk of exploitation. Patching a vulnerability that is not likely to be exploited represents a waste of scarce resources. Sounds pretty hopeless right? It certainly has been for many companies, but that’s where risk-based vulnerability management comes in. If you look at the behavior of real-world hackers, they attack only a small subset of security flaws. Our research indicates that only 5 percent of enterprise vulnerabilities have known exploitation events. Therefore, organizations can drastically improve their security and minimize their risk by identifying and remediating the small subset of vulnerabilities prone to exploitation. How to succeed with a risk-based vulnerability management program The success of risk-based vulnerability management depends on the quality of the data used to predict exploitability. Since 2009, data scientists at Kenna Security have worked to identify the factors threat actors use when choosing which vulnerabilities to exploit and weaponize. Some examples of the factors that predict weaponization of an exploit include:

With knowledge of which factors make a vulnerability more likely to be exploited, security teams can not only prioritize vulnerabilities that pose an immediate risk but also patch software flaws before an exploit is developed. The risk-based vulnerability management revolution Risk-based vulnerability management is revolutionizing the way large organizations approach vulnerability management. By prioritizing vulnerabilities likely to be exploited, a risk-based system drives tremendous efficiency gains while improving risk posture. To be clear, a risk-based vulnerability strategy will leave some vulnerabilities unpatched but allows companies to do so with confidence that these weaknesses pose an acceptably low level of risk to the overall security of the company. It is this ability to delay work that opens up efficiency gains and reduces the risk of IT outages due to excessive change. At the same time, security risk is reduced. Risk-based vulnerability management really is a win-win for IT and Security. Written and published By Kenna, Jason Rollesten, Chief Product Officer