Risk-based Vulnerability Management, as the name implies, starts by identifying vulnerabilities and then analyzes the risk each one carries. Vulnerabilities are identified by performing Vulnerability Assessments (VA) and validated by Penetration Testing (PT).
A vulnerability is a weakness in IT infrastructure or an application that can be exploited. An organization runs its business on the IT assets and applications it has deployed.
A breach is the result of a threat exploiting a weakness in one of those assets or applications. To reduce the likelihood of a breach the weaknesses have to be fixed, and before they can be fixed they have to be identified.
Vulnerability Assessment (VA) is the process of identifying the weaknesses in an organization's IT assets. A second class of issue is misconfiguration. Misconfigurations are not classic vulnerabilities (they carry no CVE), but they still render the asset vulnerable. They are found by checking the asset's configuration against widely accepted industry benchmarks such as those published by CIS (Center for Internet Security).
Each scanner is specific to one asset type (web applications, cloud configuration, servers, endpoints, and so on), and the scanners are disparate in nature.
Reports generated by such tools are not directly comparable, because they lack a common classification and rating methodology.
Penetration Testing (PT) is defined as rigorous testing of the IT infrastructure and the existing information security controls, attempting to penetrate the systems the way real attackers would. The findings from VAs feed the PT effort.
Expert driven, by qualified professionals.
Semi-automated, using advanced tools.
Verifies the strength of the existing information security controls so that the gaps can be mitigated before cybercriminals exploit them. The number of vulnerabilities found can be very large, and remediating all of them at once is rarely feasible, so it is important to ascertain the likelihood of breach for each one and prioritize accordingly.
Classic vulnerabilities have a CVSS score associated with them, but the base score is a constant that takes no account of the asset or the organizational context. To compute the likelihood of breach, it is not enough to know that the weakness exists; one also needs to understand how exploitable it is in practice.
Threat intelligence supplies that exploitability context: continuous lookups against global and regional threat intelligence sources.
Early identification of any known infections, credential compromises or data leakages affecting the organization.
The likelihood of a breach for a weakness can then be computed by combining the:
Inside-out view [VA findings and asset context]
Outside-in view [Threat Intel lookup]
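The combination described above, as an added example in Python (this is illustration code, not the product's own rating engine): reports from two scanners with different output shapes are normalized onto one taxonomy, then each finding is rated using the inside-out view (severity plus asset exposure and criticality from the inventory) and the outside-in view (a threat-intel lookup for known exploitation and asset-specific observations). The scanner output shapes, the CIS-level-to-severity mapping, the weights, the asset inventory and the threat-intel feed are all assumptions constructed for this illustration; the two CVE IDs and their CVSS 3.x base scores are real.

```python
"""Normalize findings from disparate scanners and rate them in context.

Added illustration, not the page's product code. Scanner output shapes,
the CIS-level-to-severity mapping, the weights and the threat-intel feed
are assumptions made for this example; the two CVE IDs and their CVSS
base scores are real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Common taxonomy that every scanner report is mapped onto."""
    asset: str
    identifier: str   # CVE ID, or a benchmark control ID for misconfigurations
    title: str
    category: str     # "cve" or "misconfiguration"
    severity: float   # 0..10: CVSS base for CVEs, benchmark-derived otherwise


@dataclass(frozen=True)
class Asset:
    """Inside-out context the scanners do not know (from the asset inventory)."""
    name: str
    internet_facing: bool
    criticality: int  # 1 (lab box) .. 5 (business critical), set by the owner


# --- Constructed sample inputs (shapes assumed for this example) ---
NETWORK_SCAN = [  # CVE-style output of a network vulnerability scanner
    {"host": "mail.example.com", "cve": "CVE-2021-26855",
     "name": "Exchange Server SSRF (ProxyLogon)", "cvss3": 9.8},
    {"host": "lab-rdp-07.example.local", "cve": "CVE-2019-0708",
     "name": "RDP remote code execution (BlueKeep)", "cvss3": 9.8},
]
CIS_SCAN = [  # pass/fail output of a benchmark checker; control IDs are placeholders
    {"target": "mail.example.com", "control": "PermitRootLogin",
     "desc": "SSH root login permitted", "level": 1, "result": "FAIL"},
    {"target": "mail.example.com", "control": "PasswordAuthentication",
     "desc": "SSH password authentication disabled", "level": 1, "result": "PASS"},
]
ASSETS = {
    "mail.example.com": Asset("mail.example.com", internet_facing=True, criticality=5),
    "lab-rdp-07.example.local": Asset("lab-rdp-07.example.local", internet_facing=False, criticality=2),
}
THREAT_INTEL = {  # outside-in view; a constructed stand-in for real feeds
    "exploited_in_the_wild": {"CVE-2021-26855", "CVE-2019-0708"},
    "asset_observations": {"mail.example.com": {"leaked_credentials"}},
}

# A failed Level 1 control is a gap in the baseline every system should meet,
# so it is weighted above a failed Level 2 (defense-in-depth) control.
BENCH_SEVERITY = {1: 7.0, 2: 5.0}


def normalize_network(raw):
    """Map network-scanner rows onto the common taxonomy."""
    return [Finding(r["host"], r["cve"], r["name"], "cve", float(r["cvss3"])) for r in raw]


def normalize_cis(raw):
    """Map benchmark rows onto the common taxonomy, keeping only failed checks."""
    return [Finding(r["target"], r["control"], r["desc"], "misconfiguration",
                    BENCH_SEVERITY[r["level"]])
            for r in raw if r["result"] == "FAIL"]


def likelihood(f: Finding, asset: Asset, intel) -> float:
    """Likelihood of breach in [0, 1]: severity adjusted by reachability and intel."""
    value = f.severity / 10.0
    if f.category == "cve" and f.identifier in intel["exploited_in_the_wild"]:
        value = min(1.0, value * 1.25)   # working exploits exist, not just a CVSS vector
    if not asset.internet_facing:
        value *= 0.4                     # reachable only after an initial foothold
    if "leaked_credentials" in intel["asset_observations"].get(asset.name, set()):
        value = min(1.0, value + 0.2)    # attackers may already hold a way in
    return round(value, 3)


def risk_score(f: Finding, asset: Asset, intel) -> float:
    """0..100 = likelihood x impact, impact being the owner-assigned criticality."""
    return round(likelihood(f, asset, intel) * (asset.criticality / 5) * 100, 1)


def prioritize(findings, assets, intel):
    """Return (identifier, asset, score) tuples, highest risk first."""
    ranked = [(f.identifier, f.asset, risk_score(f, assets[f.asset], intel)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def run_example():
    findings = normalize_network(NETWORK_SCAN) + normalize_cis(CIS_SCAN)
    return prioritize(findings, ASSETS, THREAT_INTEL)


if __name__ == "__main__":
    for identifier, asset, score in run_example():
        print(f"{score:6.1f}  {asset:28s}  {identifier}")
```

Run as a script it prints the ranked list. The point to notice: the SSH misconfiguration on the exposed, business-critical mail server (no CVSS score at all) outranks the CVSS 9.8 BlueKeep finding on the isolated lab host, and the two 9.8 CVEs end up far apart, which is what rating "dynamically and contextually" means in practice. In a real deployment the multipliers would be tuned or learned rather than hard-coded, but the shape of the computation is the same.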
Follows an integrated approach to identifying, categorizing, normalizing and rating vulnerabilities across different types of IT assets.
Takes a holistic approach to vulnerability assessment, integrating with numerous best-of-breed open source and commercial vulnerability scanners to identify all types of weaknesses (CVEs and misconfigurations).
Uses machine learning (ML) techniques to normalize the individual scanner reports and classify them under a common taxonomy; the findings are then rated using decision science algorithms.
Does not rely on the CVSS score alone; computes the likelihood of breach dynamically and contextually.
Threat and vulnerability databases are updated daily.