Risk-based vulnerability management (VM) is the identification, prioritization and remediation of cyber-based vulnerabilities based on the relative risk they pose to a specific organization.

Vulnerability management has been something of a moving target within the complex world of cybersecurity. It began with organizations scanning their systems against a database of known vulnerabilities, misconfigurations and code flaws that exposed them to attack.

Among the limits to this initial approach, however, were several factors:

In response, cybersecurity providers have developed an array of approaches that provide more continuous, customized, specifically risk-based vulnerability management products.

These risk-based tools are typically provided either as modules within a major security vendor’s larger platform or as a more narrowly focused suite of capabilities from a more specialized provider. Gartner has forecast that the rapidly growing market for risk-based vulnerability management tools will reach $639 million by 2023.

To fully understand the key steps your organization needs to take to manage vulnerabilities, you should understand the difference between a vulnerability, a threat and a risk.

A vulnerability is defined by the International Organization for Standardization (ISO 27002) as “a weakness of an asset or group of assets that can be exploited by one or more threats.”

As the vendor Splunk notes: “First, a vulnerability exposes your organization to threats. A threat is a malicious or negative event that takes advantage of a vulnerability. Finally, the risk is the potential for loss and damage when the threat does occur.”

The 7 most common types of vulnerabilities

Cybersecurity vendor Crowdstrike has identified the 7 most common types of vulnerabilities:

Vulnerabilities not included in one scanner’s database may get overlooked. That has led organizations to use multiple vulnerability scanners.

Modern, risk-based VM must be highly automated, not only to incorporate data from multiple, continuous scans, but also to score and prioritize the findings and recommend remediation steps in line with the organization’s risk-based priorities.

“Vulnerabilities are the tip of the spear; the problem is that there can be thousands of spears and you need to know which are the ones that are going to provide the deadly blow,” said Eric Kedrosky, CISO of Sonrai Security. “That is why risk in context is so critical.”

The scope and scale of this processing has led to the use of machine learning (ML) in many steps of the process, from information intake and risk scoring, to recommended priorities and approaches for remediation, to ongoing reporting.

“Vulnerability management is the process of identifying, prioritizing and remediating vulnerabilities in software,” said Jeremy Linden, Senior Director of Product Management at Asimily. “These vulnerabilities can be found in various parts of a system, from low-level device firmware to the operating system, all the way through to software applications running on the device.”

Vulnerability management, then, is more than being able to run vulnerability scans against your environment. It also includes patch management and IT asset management. The goal of VM is to rapidly address vulnerabilities in the environment through remediation, mitigation or removal. VM also addresses misconfigurations or code issues that could allow an attacker to exploit an environment, as well as flaws in device firmware, operating systems and applications running on a wide range of devices.

When infrastructure was all on-premises, it might have been acceptable to institute daily scans. But in the era of the cloud, a whole new level of depth and breadth is needed. Vulnerability management is now a continuous process of identifying, assessing, reporting on and managing vulnerabilities across cloud identities, workloads, platform configurations and infrastructure. Typically, a security team will use a cloud security platform to detect vulnerabilities, misconfigurations and other cloud risks. A strong cloud security vulnerability management program analyzes risk in context to address the vulnerabilities that matter the most as quickly as possible.

The vulnerability management process lifecycle

VM can be broken into a series of steps, most of which are automated within modern risk-based tools.

1. Conduct an asset inventory

Begin by understanding the scope of your systems and software. Asset and software inventories are acquired through discovery efforts. They enable the organization to set configuration baselines and to know the extent of what they are supposed to be protecting. Note that some scans only deal with on-premises resources. Make sure all cloud assets are included — the ever-growing web of identities and their permissions allows for infinite potential pathways to danger in the cloud.

“Companies need complete visibility into each and every identity, human and non-human, and the permissions each has to access data, applications, servers and systems,” said Brendan Hannigan, CEO of Sonrai Security. “Recent industry research indicates that 80 percent of U.S. companies have suffered at least one cloud security breach over the past 18 months.”

2. Scan for vulnerabilities

This includes scanning for specific new high-priority threats as well as routine baseline scanning. It should be a frequently run or continuous process.

3. Report on found vulnerabilities

Deliver a report showing the currently exploitable vulnerabilities affecting the environment.

4. Prioritize remediation and identify workarounds

If there are a great many vulnerabilities to address, use a combination of threat severity and asset criticality to establish priorities. In some cases, patches may not be available or feasible to apply. In those situations, the vulnerability may be mitigated through workarounds such as network or configuration changes that reduce or eliminate an attacker's ability to exploit the vulnerability.

5. Deploy remediations

The process of remediating can address service configurations, patches, port blacklisting and other operational tasks. Remediating vulnerabilities should be automated, but with oversight to ensure all actions are appropriate. As with all changes to an environment, remediations can cause unforeseen system behaviors. Therefore, this process should be done only after a peer review and change-control meeting.

“Develop a patch planning process that assesses the risk of vulnerabilities to prioritize, and focus on those that pose the greatest risk to your environment,” said Brad Wolf, senior vice president, IT operations at NeoSystems. “Implement the patches or configuration changes in accordance with change control, and then perform a follow-up scan to ensure the vulnerability has been resolved. There may be times when vulnerabilities cannot be resolved, in which case a mitigation and risk acceptance process should be defined and include a periodic review of accepted risks.”

6. Validate remediations

Many forget that they need to rescan environments after remediation. Sometimes remediation actions do not resolve the issue as intended. A new scan will tell the tale.

7. Report on resolved vulnerabilities

Deliver an after-action report on the vulnerabilities which have been removed (and validated) within the environment.

The above steps should not be limited to a once-per-month basis, as is currently common among traditional on-prem vulnerability management tools. They should be done on an ongoing basis with automated, risk-based tools.
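As an added illustration of steps 2 through 7 above (this is example code, not a product or the article's own), the script below merges findings from two scanners so that a CVE known to only one of them is not overlooked, ranks each finding by severity weighted with asset criticality and exploit availability (risk in context), then compares the pre-remediation list with a rescan to separate resolved findings from those still open. All scanner output, asset criticality values and CVE identifiers are constructed placeholders.

```python
# Constructed sample scan results (not real CVEs): (scanner, asset, cve, cvss, exploit_known)
SCAN_RESULTS = [
    ("scanner_a", "web-01", "CVE-0000-0001", 9.8, True),
    ("scanner_b", "web-01", "CVE-0000-0001", 9.8, True),   # same finding seen by both scanners
    ("scanner_a", "db-01",  "CVE-0000-0002", 7.5, False),
    ("scanner_b", "dev-03", "CVE-0000-0003", 9.1, False),  # only in scanner_b's database
    ("scanner_a", "dev-03", "CVE-0000-0004", 5.3, False),
]

# Assumed criticality from the asset-inventory step: 1 = low, 3 = business critical.
ASSET_CRITICALITY = {"web-01": 3, "db-01": 3, "dev-03": 1}

# Constructed rescan after remediation: web-01 and CVE-0000-0003 are gone, two remain.
RESCAN_RESULTS = [
    ("scanner_a", "db-01",  "CVE-0000-0002", 7.5, False),
    ("scanner_a", "dev-03", "CVE-0000-0004", 5.3, False),
]


def merge_findings(results):
    """Union of all scanners' findings keyed by (asset, cve), so a vulnerability
    present in only one scanner's database still makes it into the report."""
    merged = {}
    for _scanner, asset, cve, cvss, exploit in results:
        entry = merged.setdefault((asset, cve),
                                  {"asset": asset, "cve": cve, "cvss": cvss, "exploit": False})
        entry["exploit"] = entry["exploit"] or exploit
    return list(merged.values())


def risk_score(finding, criticality):
    """Risk in context: CVSS base score weighted by asset criticality,
    with a 1.5x uplift when a public exploit is known (weights are assumed)."""
    score = finding["cvss"] * criticality.get(finding["asset"], 2)
    return round(score * 1.5 if finding["exploit"] else score, 1)


def prioritize(findings, criticality):
    """Step 4: highest contextual risk first."""
    return sorted(findings, key=lambda f: risk_score(f, criticality), reverse=True)


def validate_remediation(before, rescan_results):
    """Steps 6 and 7: rescan and split findings into (resolved, still_open)."""
    still_present = {(asset, cve) for _s, asset, cve, _v, _e in rescan_results}
    resolved = [f for f in before if (f["asset"], f["cve"]) not in still_present]
    still_open = [f for f in before if (f["asset"], f["cve"]) in still_present]
    return resolved, still_open
```

Note that the CVSS 9.1 finding on the low-criticality dev host ranks below the CVSS 7.5 finding on the critical database, which is the point of scoring risk in context rather than by severity alone.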

10 best practices for risk-based vulnerability management in 2023

This list of best practices includes cited recommendations from Gartner and several vendors: