Risk Based Vulnerability Management (or RBVM) is a process by which one evaluates the business risk to an organization resulting from its vulnerable digital assets, and helps the organization reach an acceptable security posture by prioritizing remediation.
Compliance-based assessment (e.g. ISO 27001:2013, NIST CSF) is done via manual audits, which are time consuming and laborious. It is enough for an organization to achieve basic cyber hygiene, but not sufficient to counter cyber-attacks, which are ever changing!
Vulnerability Assessment (VA) is typically tool based: it identifies vulnerabilities in assets by looking them up in popular vulnerability databases such as the NVD (National Vulnerability Database).
Another class of issues is misconfiguration. Though these are not classic vulnerabilities, they do render the asset vulnerable. These are checks performed against popularly accepted industry benchmarks such as those of CIS (Center for Internet Security).
The IT infrastructure of an organization today is diverse, spread across the cloud, on-premises systems and employees working from home. The vulnerability assessment must cover the assets in all of these scenarios.
The findings from these assessments are quite technical in nature.
The severity of each issue is based on CVSS (Common Vulnerability Scoring System), which is a fixed score that does not take the organization's context into account.
Reports differ for each asset type; given 8-10 asset types, there is no straightforward way to correlate and normalize them.
The number of issues identified is large: with tens of assets, the identified issues can run into the thousands.
Based on these findings, most incidents can be attributed to one of two reasons:
i. The organization did not know they had the issue.
ii. The organization did know they had the issue but it got buried under tons of other issues!
Every organization is constrained in the time and money it can invest in cybersecurity. When the number of issues identified is too large, prioritization becomes the challenge. It boils down to managing risk, and the first step in that is identifying the risks.
Risk is the potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability. Risk is the intersection of assets, threats, and vulnerabilities.
The process is to identify vulnerabilities across the organization, model the risk for each identified weakness, prioritize them, and start remediating the top risks; thereby, for the same time and effort, the organization de-risks itself optimally.
Research has shown that organizations suffer 80% fewer breaches by adopting a Risk Based Vulnerability Management model.
DeRisk Center follows a Risk Based Vulnerability Management model.
It identifies an asset's inherent weaknesses by performing a combination of VA, misconfiguration checks and PT (Penetration Testing). This is the inside-out view.
Using Threat Intelligence, it identifies the threats from the outside: the outside-in view.
It computes the likelihood of a breach for each identified weakness.
Further, it models the risk objects and scores them.
It builds a prioritized risk register and suggests remediations.
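As an added illustration of the steps above (example code, not DeRisk Center's own scoring model): constructed findings from three asset types are normalized into one record, each gets a breach likelihood that combines scanner severity with threat-intelligence and exposure signals, risk is scored against the asset's business criticality, and the result is a prioritized register. The weights, the 0-10 severity assigned to the benchmark check, and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    asset_type: str          # "server", "cloud", "endpoint": mixed report sources normalized here
    criticality: int         # business impact set by the organization, 1 (low) .. 5 (crown jewel)
    title: str
    severity: float          # CVSS base score, or an assumed 0-10 mapping for a benchmark check
    exploit_known: bool      # threat-intel signal (outside-in view): public exploit available
    exposed: bool            # reachable from the internet

def likelihood(f: Finding) -> float:
    """Likelihood of breach in [0, 1]: scanner severity, raised by threat intel and exposure.
    The +0.3 and +0.2 weights are assumed for illustration, not a published model."""
    p = f.severity / 10.0
    if f.exploit_known:
        p += 0.3
    if f.exposed:
        p += 0.2
    return round(min(p, 1.0), 2)

def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact on a 0-100 scale; impact comes from asset criticality."""
    return round(100.0 * likelihood(f) * (f.criticality / 5.0), 1)

def risk_register(findings):
    """Prioritized register, highest risk first, as (asset, title, score) tuples."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.title, risk_score(f)) for f in ranked]

def cvss_only_order(findings):
    """The ordering a context-free, CVSS-only report would give, for comparison."""
    return [f.asset for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

# Constructed sample findings from three asset types (not real scan output).
SAMPLE = [
    Finding("web-prod-01", "server", 5, "Outdated TLS library", 7.5, True, True),
    Finding("test-vm-17", "server", 1, "Kernel privilege escalation", 9.8, False, False),
    Finding("backups-bucket", "cloud", 4, "Bucket readable by anyone (CIS check)", 6.0, False, True),
    Finding("laptop-hr-22", "endpoint", 2, "Office macro execution flaw", 8.8, True, False),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE))
    for asset, title, score in risk_register(SAMPLE):
        print(f"{score:6.1f}  {asset:15} {title}")
```

The CVSS-only view ranks the isolated test VM's 9.8 first, while the risk register puts the exploited, internet-facing production server and the public backup bucket ahead of it, which is the reordering the text describes.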