11 Tips for Choosing a Vulnerability Management Solution
“These tips go to 11.” – Nigel Tufnel
It can be daunting to choose between vulnerability management (VM) solutions when all vendors describe their offerings in very similar ways. So making the best choice for you means identifying what your organization needs, and ensuring the solutions you’re evaluating meet those needs.
It’s safe to say that any worthy VM solution will offer some kind of step up from CVSS scores and spreadsheets. But that’s often where the similarities end.
Some VM solutions are provided by vendors who specialize in vulnerability management, and particularly risk-based vulnerability management. Others are merely VM bolt-ons to vulnerability scanners.
Here’s a list of criteria that have emerged as must-haves for a modern vulnerability management solution.
11 things to look for in a modern vulnerability management solution
- A focus on risk. After years of pioneering work by industry innovators, risk-based vulnerability management (RBVM) is becoming what most of today’s VM solution vendors consider table stakes. And that’s good: As analysts have concluded, the future of VM will be risk-based. A risk-based approach is really the only one that makes sense because you can’t possibly patch all the so-called “critical” vulns a vulnerability scanner is likely to generate after a scan. (Our joint research with Cyentia has found that even well-resourced organizations can remediate only one out of every 10 vulnerabilities.) Solutions that automate risk-based prioritization will save you time, shorten vuln investigation and remediation cycles, and ensure that high-risk vulns don’t hang around your infrastructure any longer than they need to.
- Prioritization of vulns based on the risk they pose to you. Focusing on risk is critical, but it’s even more important to focus on the 2%-5% of vulns that are shown to pose a risk to your particular organization—in other words, taking into account where the vuln resides in your infrastructure, how the vulnerable assets are used, the prevalence of exploits that target the vuln, and the likelihood that an exploit will target you. (Here’s where automation really shows its stuff, because be honest: Are you really prepared to answer all those questions manually, and for every high-priority vulnerability?) Compliance auditors, too, like to see that you’ve taken a risk-based approach to VM. For instance, Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.2 requires financial services organizations and those that accept credit card transactions to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.”
The chart below illustrates the measurable difference that risk-based prioritization has on remediation coverage—that is, the completeness of remediation. In this real-world test, three approaches were used to prioritize vulnerabilities determined to be high-risk: CVSS 2 (orange), a leading vulnerability scanning platform (red), and a risk-based vulnerability management platform (blue), which prioritizes vulnerabilities based on the risk they pose to the infrastructure in question. The chart shows how many high-risk vulnerabilities had to be remediated to reach 50% coverage. To reach 50% remediation coverage using CVSS 2, the organization needed to remediate 17,279 vulnerabilities. Using the scanning platform, there was a slight improvement—remediating 15,214 vulnerabilities was necessary. Using the risk-based Kenna.VM platform, however, just 627 vulnerabilities had to be patched to reach 50% remediation coverage. Clearly, focusing on the risk a vulnerability poses to you leads to better, more efficient remediation.
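To make the coverage comparison concrete, here is an added example (not Kenna's code or data) that reproduces the experiment on a small constructed inventory: vulnerabilities are ranked by CVSS and by a toy risk score, and we count how many must be fixed before half of the genuinely high-risk ones are closed. The risk weights, the ground-truth rule and the VULN-xx ids are assumptions, not the product's model.

```python
# Remediation coverage under two prioritization orders (constructed data).
# Coverage = share of truly high-risk vulns fixed after working a ranked list
# from the top. Ids, weights and the ground-truth rule are all made up here.
import math
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # placeholder id, not a real CVE
    cvss: float           # CVSS base score, 0-10
    exploit_seen: bool    # exploitation observed in the wild (constructed)
    asset_exposed: bool   # asset reachable from the internet
    asset_critical: bool  # business-critical asset

def risk_score(v: Vuln) -> float:
    """Toy risk model: CVSS weighted by exploit activity and asset context."""
    score = v.cvss * (2.0 if v.exploit_seen else 0.5)
    score *= 1.5 if v.asset_exposed else 1.0
    score *= 1.5 if v.asset_critical else 1.0
    return round(score, 2)

def is_truly_high_risk(v: Vuln) -> bool:
    """Ground truth for the exercise: exploited in the wild AND on an exposed asset."""
    return v.exploit_seen and v.asset_exposed

def patches_to_reach(vulns: List[Vuln], priority: Callable[[Vuln], float],
                     target: float = 0.5) -> int:
    """Vulns that must be fixed, in 'priority' order, before coverage hits target."""
    needed = math.ceil(target * sum(1 for v in vulns if is_truly_high_risk(v)))
    if needed == 0:
        return 0
    covered = 0
    for patched, v in enumerate(sorted(vulns, key=priority, reverse=True), 1):
        covered += is_truly_high_risk(v)
        if covered >= needed:
            return patched
    return len(vulns)

# Constructed inventory: the highest CVSS scores sit on unexposed, unexploited vulns.
SAMPLE = [
    Vuln("VULN-01", 9.8, False, False, True),
    Vuln("VULN-02", 9.8, False, False, False),
    Vuln("VULN-03", 9.1, False, True, False),
    Vuln("VULN-04", 9.0, False, False, False),
    Vuln("VULN-05", 8.8, True, True, True),
    Vuln("VULN-06", 7.5, True, True, False),
    Vuln("VULN-08", 6.5, True, True, False),
    Vuln("VULN-09", 5.3, True, True, True),
]
```

On this inventory, `patches_to_reach(SAMPLE, lambda v: v.cvss)` works through six vulns to reach 50% coverage while `patches_to_reach(SAMPLE, risk_score)` needs two; passing `target=1.0` shows the same gap for full coverage.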
- Contextual insight. Determining the specific level of risk for each asset or application involves a lot of data—and a lot of data science. Billions of data points must be correlated and analyzed to provide the context necessary to understand the true risk that an asset faces. This is no task for humans. Look for solutions that will not only automate the correlation of these data points but also use models that are predictive of the likelihood of exploits and the impact of events. Additionally, dig under the hood to find out what is used as “ground truth” data. To effectively forecast successful exploitation events, you need to have successful exploitations that help train your models.
- Real-time threat intel and analysis. Real-time threat and exploit feeds are essential to understanding what is currently being exploited, and to what degree. That intel gives Security the insight it needs to factor attacker behavior into its prioritization. In addition to feeds, look to threat exchanges and online chatter. The most advanced RBVM solutions incorporate data from an extensive array of sources to deliver a comprehensive picture of external threats. Pro tip: It’s not just about the volume of data here; it’s about ensuring you have coverage across all the different types of threat data that relate to vulnerabilities.
- Risk scoring system. Look for RBVM solutions that provide risk scoring across multiple asset and functional groups. A risk scoring system is perhaps the best way to communicate risk in ways that everyone can understand and act upon. The most advanced solutions allow you to assign a risk score to virtually any asset group or department, which allows remediation teams to see their progress as they patch high-risk vulns. It can also simplify your next audit when it comes time to produce evidence that you’ve actually been doing the things your security policy says you would be doing. In the end, you aren’t measuring the risk of individual vulnerabilities but rather measuring the risk of assets and applications. Your risk scoring system should tell you which groups of assets and applications are most likely to be exploited, not just hand you another list of high-risk vulnerabilities.
- Cloud-based architecture. Organic growth, acquisitions, and the introduction of IoT and expanded remote access will complicate your IT infrastructure and grow your attack surface. So the last thing you want is to deploy a VM solution that’s difficult to maintain and scale. Cloud-based architectures solve this by scaling as you need them to, while offering always-on availability, automatic software updates, native integration with public and private enterprise cloud applications, and the knowledge that your environment is served by multiple secure data centers. Plenty of cloud-native VM solutions are available to help your VM environment keep pace with the challenges of your business.
- Interoperability with your existing IT environment. Few Security or IT executives are interested in locking their infrastructure into a specific platform that leaves them with limited options. Look for a vulnerability management solution that offers easy connectivity to a broad array of third-party scanners, asset management databases, and other key elements of your software stack. Take ticketing systems, for instance. One-off ticketing for vulnerability remediation is time-consuming and wasteful. Tight integration between an RBVM program and your IT ticketing system like ServiceNow helps automate this process and shortens time to remediation.
- Centralized risk management. Seek out VM solutions that allow you to centralize risk management across your IT environment. Be sure your candidate list includes vulnerability management solutions that provide a single consistent view for vulnerability management, with full visibility into on-site and remote assets, applications, and public and private cloud services.
- A self-service environment for remediation teams. IT and DevOps teams have spent years being handed long lists of “critical” vulnerabilities, a practice that too often makes their work with the Security team more tenuous. With the right solution, however, Security and IT teams can finally align around the common goal of reducing risk in a practical and efficient way. The most advanced solutions combine remediation intelligence and rich vulnerability and threat context to develop “top fix lists” that eliminate guesswork and ensure that IT and DevOps teams understand what to fix, why they should fix it, and how to fix it. Ultimately this allows teams to reduce their risk the most with the least amount of effort.
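The group-level risk score from the "Risk scoring system" tip and the "top fix list" from the tip above, worked through on constructed data as an added example (not the product's own scoring): the aggregation rule, the asset and group names and the V-n vuln ids are assumptions, and the per-vuln scores are assumed to come from a 0-100 risk model like the one discussed earlier.

```python
# Asset-group risk scoring and a naive "top fix" pick on constructed data.
# Asset names, group names, vuln ids and the aggregation rule are all made up;
# vuln scores are assumed to come from a per-vuln risk model on a 0-100 scale.
from collections import defaultdict
from statistics import mean

# Constructed inventory: asset -> (group, {vuln_id: vuln risk score})
ASSETS = {
    "web-01":   ("ecommerce", {"V-1": 92.0, "V-2": 40.0}),
    "web-02":   ("ecommerce", {"V-1": 92.0}),
    "db-01":    ("ecommerce", {"V-3": 65.0}),
    "hr-app":   ("hr",        {"V-4": 30.0, "V-5": 25.0}),
    "laptop-7": ("endpoints", {}),
}

def asset_score(vuln_scores: dict) -> float:
    """Worst vuln dominates; each further one adds a halving share; capped at 100."""
    ordered = sorted(vuln_scores.values(), reverse=True)
    total = sum((s * 0.5 ** i for i, s in enumerate(ordered)), 0.0)
    return round(min(total, 100.0), 1)

def group_scores(assets: dict) -> dict:
    """Mean asset score per group, so each team can watch its own number move."""
    by_group = defaultdict(list)
    for group, vulns in assets.values():
        by_group[group].append(asset_score(vulns))
    return {g: round(mean(scores), 1) for g, scores in by_group.items()}

def remediate(assets: dict, vuln_id: str) -> dict:
    """Inventory copy with vuln_id closed on every asset that carried it."""
    return {name: (group, {v: s for v, s in vulns.items() if v != vuln_id})
            for name, (group, vulns) in assets.items()}

def top_fix(assets: dict) -> str:
    """Vuln whose remediation lowers the sum of all group scores the most."""
    vuln_ids = {v for _, vulns in assets.values() for v in vulns}
    return min(vuln_ids, key=lambda v: sum(group_scores(remediate(assets, v)).values()))

if __name__ == "__main__":
    print("before:", group_scores(ASSETS))
    fix = top_fix(ASSETS)
    print("top fix:", fix, "after:", group_scores(remediate(ASSETS, fix)))
```

Closing V-1, the top fix, drops the ecommerce group from 85.7 to 35.0 while the other groups are unchanged, which is the kind of per-team progress signal the tip describes.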
- Risk-based SLAs. Not all service-level agreements (SLAs) are created equal, nor should they be. A 2019 analysis of how Security and IT organizations are implementing SLAs uncovered the “motivating power of deadlines.” In fact, defined SLAs helped reduce the volume of surviving (that is, not remediated) high-risk vulnerabilities by 15%. Taking a risk-based approach to SLAs further enhances the power of these deadlines. Rather than arbitrarily setting SLA terms at 30, 60 or 90 days, Security teams can set SLAs based on real-world threat and exploit data and peer usage data, while incorporating their own risk tolerance for their business. The result is a more meaningful approach to managing risk, and a more efficient focus on remediation. While organizations can certainly design and implement their own risk-based SLAs, the most advanced VM solutions offer this data-driven capability today.
- Technology to take you forward. Cyber threats remain a stubbornly moving target. Last year’s playbook isn’t likely to be as effective this year, and promises to be even less so next year. When defining your needs, it’s wise to acknowledge that what you need tomorrow will almost certainly be different from what you need today. So when evaluating RBVM programs, look for features like natural language processing, which can analyze text from social media sites, the dark web, and other places where vulnerabilities are discussed, then extract language associated with vulnerabilities for more complete risk assessments. Or predictive modeling, which calculates the risk of a vulnerability as soon as it is revealed—even before an exploit can be built. Features such as these ultimately allow you to become more proactive by remediating vulnerabilities before exploits are weaponized or used in the wild.
Take stock of other tools in your RBVM environment
OK, I lied…these tips go to 12.
One last tip: Before you choose an RBVM solution, ensure you have all the other pieces in place for an environment that will effectively and efficiently enable you to reduce cyber risk across your organization. These include asset discovery, assessment and management tools, vulnerability scanners, pen (penetration) testing tools, bug bounty programs, software composition analysis (SCA) tools…well, it’s a long list. All of these are necessary to gain a full picture of your risk, and to provide the data needed to feed the risk models described above.
For a detailed look at what it takes to implement a risk-based vulnerability management environment, download this eBook. It will help your evaluation journey, and you’ll likely learn some other tips and best practices along the way.