Risk-Based Vulnerability Management (RBVM) prioritizes remediation efforts based on the potential impact in a particular environment, and the likelihood of exploitation. Knowing which vulnerabilities pose the greatest risk empowers security teams to allocate resources more effectively and improve their overall security posture.
This leads us to the data used to rate that risk, and one of the most widely used sources is the Common Vulnerability Scoring System (CVSS).
But can this framework be the only reference needed?
Why not keep using CVSS as the main framework to evaluate risk in vulnerabilities?
Imagine the Nile River, with its many tributaries and streams pouring towards the Mediterranean, creating a powerful current cutting through East Africa. It seems efficient because all the water is channeled into one path, except during the spring and summer months when the Nile Basin fills with rainwater. The banks of the river swell with rain, which changes the direction and flow of water locally. Prolific flooding occurs upstream, and droughts occur downstream.
When it Comes to Risk Prioritization, Context Matters
If every vulnerability was assessed for risk using only one framework, there would be an overflow of resources and attention in certain areas. Numerous factors influence the risk rating of a given vulnerability. If all those factors flow into a single framework, the CVSS river, the result is flooding and drought: gaps in coverage and diminished accuracy in security testing. Everyone uses CVSS, and it has been trusted for almost 20 years, but the problem with using CVSS alone is that it fails to describe context. For example, only 5% of all vulnerabilities are exploited in the wild. [2]
Edgescan rates the severity of each vulnerability using a proprietary scoring process called EVSS (Edgescan Validated Security Score); in addition, the platform draws on CVSS, EPSS (Exploit Prediction Scoring System), the CISA KEV (Known Exploited Vulnerabilities) catalog, and the OWASP Top Ten. The Edgescan platform also allows users to edit or accept risk for any individual vulnerability, further customizing the EVSS to prioritize your scanning results.
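As an added illustration of the "context matters" argument (this is example code written for this page, not Edgescan's EVSS or any part of its platform), the following Python ranks a handful of constructed findings two ways: by CVSS alone, and by a hypothetical score that combines CVSS, EPSS, CISA KEV membership, asset exposure from an attack-surface inventory, and user risk acceptance. The weights, tier thresholds and vulnerability IDs are assumptions chosen for the example.

```python
"""Context-aware prioritization of scanner findings (hypothetical scheme).

Combines CVSS base score, EPSS probability, CISA KEV membership, asset
exposure and risk acceptance into one ordering. All weights and thresholds
are this example's own assumptions, not Edgescan's proprietary EVSS.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed placeholder id, not a real CVE
    asset: str              # constructed asset name
    cvss: float             # CVSS base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool            # listed in the CISA KEV catalog
    internet_facing: bool   # exposure context from the attack-surface inventory
    accepted_risk: bool = False  # risk formally accepted by the asset owner


# Assumed weights: observed/predicted exploitation outweighs theoretical
# severity, and findings on internal-only assets are discounted.
SEVERITY_WEIGHT = 0.4
LIKELIHOOD_WEIGHT = 0.6
INTERNAL_EXPOSURE_FACTOR = 0.6


def priority_score(f: Finding) -> float:
    """Return a 0-100 score; accepted risks drop to 0 and leave the queue."""
    if not (0.0 <= f.cvss <= 10.0) or not (0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.vuln_id}: CVSS or EPSS value out of range")
    if f.accepted_risk:
        return 0.0
    # KEV membership is confirmed in-the-wild exploitation: treat as certain,
    # otherwise fall back to the EPSS probability.
    likelihood = 1.0 if f.in_kev else f.epss
    severity = f.cvss / 10.0
    exposure = 1.0 if f.internet_facing else INTERNAL_EXPOSURE_FACTOR
    raw = exposure * (SEVERITY_WEIGHT * severity + LIKELIHOOD_WEIGHT * likelihood)
    return round(100.0 * raw, 2)


def priority_tier(f: Finding) -> str:
    """Map the score onto remediation tiers (thresholds are assumptions)."""
    if f.accepted_risk:
        return "accepted"
    score = priority_score(f)
    if score >= 70:
        return "P1"
    if score >= 40:
        return "P2"
    if score >= 15:
        return "P3"
    return "P4"


def rank_by_cvss_only(findings: List[Finding]) -> List[str]:
    """The 'CVSS river': everything ordered by base score alone."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_context(findings: List[Finding]) -> List[str]:
    """Ordering once likelihood, exposure and acceptance are taken into account."""
    return [f.vuln_id for f in sorted(findings, key=priority_score, reverse=True)]


def prioritize(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """Work queue as (id, tier, score), highest priority first."""
    ordered = sorted(findings, key=priority_score, reverse=True)
    return [(f.vuln_id, priority_tier(f), priority_score(f)) for f in ordered]


# Constructed sample findings; values chosen to show the two orderings differ.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "internal-db-01", cvss=9.8, epss=0.02, in_kev=False, internet_facing=False),
    Finding("VULN-B", "www-edge-03", cvss=7.5, epss=0.00, in_kev=True, internet_facing=True),
    Finding("VULN-C", "api-gw-02", cvss=6.5, epss=0.45, in_kev=False, internet_facing=True),
    Finding("VULN-D", "build-agent-07", cvss=9.1, epss=0.90, in_kev=False, internet_facing=False,
            accepted_risk=True),
    Finding("VULN-E", "hr-wiki-01", cvss=4.3, epss=0.01, in_kev=False, internet_facing=False),
]


if __name__ == "__main__":
    print("CVSS only :", rank_by_cvss_only(SAMPLE_FINDINGS))
    print("In context:", rank_by_context(SAMPLE_FINDINGS))
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
```

Under CVSS alone, the 9.8 on an internal database tops the list and the KEV-listed 7.5 on an internet-facing web server sits third; once exploitation evidence and exposure are folded in, the KEV finding becomes the only P1, and the formally accepted risk drops out of the queue instead of competing for attention with its 9.1 base score.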
Map and Monitor Your Global Attack Surface
Discovery is the first step to securing your assets using RBVM. Now more than ever, organizations are struggling to keep up with a dynamic, ever-expanding attack surface. That’s why, according to Forbes, “the most common reason organizations struggle to succeed with Risk-based VM is that they don’t know the span of their asset environment… Simply put, you can’t protect something you don’t know exists.” [1]
Without knowing the topography of the Nile River Valley, you can’t tell what will be flooded and what will become arid. Without knowing the attack surface of your enterprise, you can’t properly assess risk posture, because not every asset is being scanned. Edgescan’s external attack surface management (EASM) solution inventories, monitors, and manages corporate assets across disparate environments, providing a view of your entire digital estate. Once your attack surface is mapped, discovered assets can be placed automatically into a scanning cadence, where they are assessed and any vulnerabilities found are risk rated.
It’s also important to note that “a new Risk-based VM solution is probably not your organization’s first investment toward vulnerability management.” [1] Organizations that know the pain of using old-school vulnerability scanners tend to see the most value from Risk-based VM. Legacy scanners can produce a significant number of false positives, particularly if they are incorrectly configured. A false positive reported during security testing with a high CVSS score sends panic ripping through your SOC, only for the team to discover that it poses no threat at all. False positives, regardless of CVSS score, deplete resources that could be spent mitigating REAL risk.
Verified Results = No False Positives
Edgescan guarantees no false positives with our unique hybrid approach (using cyber analytics and expertise combined), ensuring that results are always real and actionable.
Edgescan’s CEO and Founder, Eoin Keary and AppSec Guru Jim Manico go into more detail about RBVM in this recent podcast: Edgescan War Room – Episode 3 or visit our Risk-based VM solutions page to learn more.
You won’t want to be in denial (DeNile) about the improvements Risk-based VM can make to your cybersecurity management program and your security posture.
References:
[1] Forbes, “Five Best Practices to Succeed At Risk-Based Vulnerability Management”
[2] The EPSS Model