Risk Based Vulnerability Management (or RBVM) is a process by which one evaluates the business risk to an organization resulting from its vulnerable digital assets, and helps the organization achieve an acceptable security posture by prioritizing remediation.
Compliance frameworks, e.g. ISO 27001:2022 and NIST CSF, are assessed via manual audits, which are time-consuming and laborious. This is enough for an organization to achieve basic cyber hygiene, but not sufficient to counter cyber-attacks, which are ever changing!

Vulnerability assessment is typically tool based: it identifies vulnerabilities in assets by looking them up in popular vulnerability databases, like the NVD (National Vulnerability Database).

Another class of issues is misconfiguration. Though these are not classic vulnerabilities, they do render the asset vulnerable. These are checks performed against popularly accepted industry benchmarks, like those of CIS (Center for Internet Security).
The IT infrastructure of an organization today is diverse, spread across the cloud, on-premise systems and employees working from home. The vulnerability assessment must cover the assets in all of these scenarios.
99% of the vulnerabilities exploited are already known!
Based on this finding, any or most incidents can be attributed to one of two reasons:
i. The organization did not know they had the issue.
ii. The organization did know they had the issue, but it got buried under tons of other issues!
Every organization is constrained in terms of the time and money it can invest in cybersecurity. When the number of issues identified is too large, prioritization becomes the challenge. It boils down to managing risk, and the first step in managing risk is identifying it.
Risk is the potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
Risk is not the enemy – too much of it is. But very importantly, so is too little of it. Between recklessness and complacency, there is a Goldilocks Zone of risk – not too much, not too little – just right.
The process would be to identify vulnerabilities across the organization, model the risk for each identified weakness, prioritize them, and start remediating the top risks. Given the same time and effort, the organization thereby de-risks itself optimally.
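The following is an added example, not code from the original article or from any RBVM product it refers to. It implements the process just described on a small set of constructed findings: each finding is scored as asset value x threat likelihood x vulnerability severity (the three factors in the definition of risk above), findings are sorted by that score, and a remediation plan is built under a fixed time budget, so the "known exploited" issues on exposed, high-value assets surface first rather than getting buried. The 1..5 asset-value scale, the likelihood weights and the budget-driven selection are illustrative assumptions, not a standard scoring model.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str
    business_value: int      # assumed scale: 1 (low) .. 5 (critical)
    internet_exposed: bool   # reachable from the internet?


@dataclass
class Finding:
    asset: Asset
    issue: str
    kind: str                # "vulnerability" or "misconfiguration"
    severity: float          # 0.0 .. 10.0, e.g. a CVSS base score (assumed input)
    known_exploited: bool    # public evidence that this issue is exploited in the wild
    remediation_hours: float
    risk: float = 0.0        # filled in by prioritize()


def threat_likelihood(f: Finding) -> float:
    """Illustrative likelihood model (an assumption, not a standard).

    Integer tenths are used so the result is an exact 0.0 .. 1.0 value:
    a 0.2 baseline, +0.5 when exploitation is already known,
    +0.3 when the asset is exposed to the internet, capped at 1.0.
    """
    tenths = 2
    if f.known_exploited:
        tenths += 5
    if f.asset.internet_exposed:
        tenths += 3
    return min(tenths, 10) / 10


def score(f: Finding) -> float:
    """Risk = asset value x threat likelihood x severity, normalised to 0..100.

    business_value/5 and severity/10 each map their scale onto 0..1.
    """
    return round(100 * (f.asset.business_value / 5) * threat_likelihood(f) * (f.severity / 10), 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Score every finding and return them highest risk first."""
    for f in findings:
        f.risk = score(f)
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def remediation_plan(findings: List[Finding], budget_hours: float) -> List[Finding]:
    """Greedy selection: walk the prioritized list and take each finding that still
    fits the remaining budget, so the limited effort goes to the top risks first."""
    plan, remaining = [], budget_hours
    for f in prioritize(findings):
        if f.remediation_hours <= remaining:
            plan.append(f)
            remaining -= f.remediation_hours
    return plan


# Constructed sample data (not from the article).
CRM_DB = Asset("crm-database", business_value=5, internet_exposed=False)
WEB = Asset("public-web-portal", business_value=4, internet_exposed=True)
KIOSK = Asset("lobby-kiosk", business_value=1, internet_exposed=False)

SAMPLE_FINDINGS = [
    Finding(WEB, "outdated TLS library", "vulnerability", 9.8, True, 4),
    Finding(CRM_DB, "default admin credentials", "misconfiguration", 9.0, False, 1),
    Finding(KIOSK, "unpatched kernel", "vulnerability", 9.8, True, 8),
    Finding(WEB, "verbose error pages", "misconfiguration", 4.0, False, 2),
    Finding(CRM_DB, "missing audit logging", "misconfiguration", 5.0, False, 6),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.risk:5.1f}  {f.asset.name:18} {f.kind:17} {f.issue}")
    chosen = remediation_plan(SAMPLE_FINDINGS, budget_hours=8)
    print("plan for 8h:", [f.issue for f in chosen])
```

Note how the kiosk kernel issue has the same severity (9.8) and the same exploitation status as the web portal issue, yet lands near the bottom of the list: severity alone would rank them equally, whereas the asset and threat factors separate them. Any real deployment would replace the toy likelihood weights with the organization's own threat intelligence and exposure data, which is exactly the "model the risk" step of the process.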
Did you know?
Research has shown that organizations suffer 80% fewer breaches by adopting a Risk Based Vulnerability Management model.
– Gartner
Risk Based Vulnerability Management, as the name implies, starts with identifying vulnerabilities and then analyzes the risk associated with each one.

In this new age economy, organizations either get digitized or perish.
