Using a Risk-Based Approach to Prioritize Vulnerability Remediation

Author: Ray Payano, CISA, CISM, CDPSE, CEH, CISSP
Date Published: 7 February 2023

Organizations today struggle with vulnerability management. More specifically, remediating vulnerabilities in a timely manner poses a challenge. Vulnerability remediation backlogs are growing at an alarming rate. It has been reported that many organizations have a backlog of more than 100,000 vulnerabilities and are not meeting expectations set forth by their established remediation timelines and service-level agreements (SLAs).1 Fortunately, by calculating vulnerability risk, enterprises can prioritize vulnerabilities based on risk level to help determine the order in which vulnerabilities are addressed.

Why are organizations struggling with vulnerability remediation? There are several challenges that contribute to remediation backlogs:

  • The growing number of published vulnerabilities present in the organization's environment—Published vulnerabilities have increased sharply over the last six years: between 2016 and 2022 there was a 362% increase in published vulnerabilities (figure 1).2 Every additional vulnerability present in the environment consumes remediation time and effort.
  • Lack of resources to perform remediation—As of 2022, there was a shortage of 3.4 million cybersecurity workers worldwide and 700,000 in the United States alone.3 This skills gap leaves existing staff with heavier workloads than they would carry in an adequately staffed organization. Fewer staff are available to give remediation the attention it needs, and those who are available are more likely to be overworked and more susceptible to making a mistake.
  • Smaller maintenance windows/less downtime to remediate vulnerabilities—An increasing number of organizations require their systems to be online for longer periods, and many require nearly 24/7 availability. That leaves remediation teams with little downtime in which to patch while still keeping systems protected. Limited time to remediate can push teams to work quickly rather than carefully, with the errors that follow.

To meet these challenges, organizations must be able to prioritize which assets and vulnerabilities are remediated and in what order. This is accomplished by calculating vulnerability risk.

Calculating Vulnerability Risk

Using standard risk calculations, an organization can assign a risk level to vulnerabilities and assets to help determine how vulnerabilities are addressed (figure 2).

Many organizations attempt to address vulnerability remediation using only the Base and Temporal metrics of the Common Vulnerability Scoring System (CVSS): the Base score published in the US National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Exploitability rating supplied by their scanning tools.4 The Base metrics capture the intrinsic characteristics of a vulnerability that are constant over time and across environments; from them the Base score (ranging from 0–10) is derived without any organization-specific modifiers. Temporal metrics (exploit code maturity, remediation level and report confidence) are characteristics that change over time due to external events, such as the release of exploit code or of a patch. Base and Temporal metrics are provided by most modern vulnerability management and scanning tools out of the box. What most tools lack is insight into organization-specific Environmental metrics such as asset criticality and effectiveness of controls. In CVSS terms these are the Confidentiality, Integrity and Availability Requirements and the Modified Base metrics: modifiers to the Base score that account for the impact of the vulnerability in the organization's own environment, and which only the organization can supply. These metrics are critical for the calculation of vulnerability risk.

Understanding Asset Criticality

Asset criticality is the inherent value assigned to an information asset. Organizations use different methods to calculate and assign criticality to assets. Asset criticality is based on the potential impact to the organization if the asset were to fail or become compromised. This information can be gathered through business impact analyses (BIAs) and risk assessments.

To properly apply asset criticality, organizations must understand what information assets are present. Inventory and asset controls continue to be some of the most critical capabilities required for an effective cybersecurity program. An enterprise IT asset inventory (as part of an overall IT asset management program) must be established and implemented for visibility into information assets and to assign asset criticality to aid in vulnerability management.


The elements of IT asset inventory that can be leveraged for asset criticality and vulnerability risk include:

  • Data stored and processed
  • User access
  • Location
  • Recovery point objective (RPO)/recovery time objective (RTO) requirements
  • Legal and regulatory requirements

Assessing the Effectiveness of Controls

The effectiveness of security controls is the other Environmental metric used here to calculate vulnerability risk. Organizations implement security controls, including data protection, access and network controls, to reduce risk within their environments. How effective those controls actually are determines how much of a vulnerability's inherent risk remains as residual risk.

Implementing a security control is not enough to qualify it as an Environmental metric. Control assurance must be in place to confirm that security controls are working as designed and operating within established parameters; a control that is deployed but not verified should not be allowed to reduce a vulnerability's risk.

Elements of control assurance that can be used to calculate vulnerability risk include:

  • Identification of the control
  • Analysis of control design
  • Control assessment based on design
  • Continuous control monitoring

With the application of asset criticality and effectiveness of security controls, organizations can properly calculate their vulnerability risk and properly prioritize and plan vulnerability remediation.

Reporting Asset Severity

Consider the following example. A vulnerability reported as "Very High" or "High" severity is discovered on an information asset with the following attributes:

  • The information asset is not public/Internet-facing.
  • It does not contain sensitive information.
  • Multifactor authentication (MFA) is required for access.
  • Audit logging and monitoring are implemented.
  • There is a Low to Very Low business impact if the system is not available.

With this information, the organization may downgrade the severity of the vulnerability to "Medium" or "Low" and, with the adjusted severity, prioritize this asset at a lower tier than an asset with the same vulnerability that is deemed to have a higher impact on the organization. The downgrade should be recorded together with the attributes and controls it relies on (here, the absence of sensitive data, MFA and monitoring), because it remains valid only while control assurance confirms those controls are effective; if the asset later becomes Internet-facing or the controls lapse, the vulnerability must be re-scored.

Vulnerability risk can also be used to increase the priority of remediation.
Consider an alternative example in which a vulnerability reported as "Low" or "Moderate" severity is discovered on an information asset with the following attributes:

  • The information asset is accessible from outside of the organization.
  • Exploits have been discovered in the wild.
  • Accessing the asset requires simple or single-factor authentication.
  • The asset stores and processes confidential, restricted information (e.g., protected health information [PHI], personally identifiable information [PII], payment card data subject to PCI DSS).
  • The asset is not segmented on the network.
  • There is a detrimental or catastrophic business impact if the system is not available.

In this case, the organization may need to raise the severity to "High" or "Very High" so that the vulnerability is addressed at a higher priority and the information asset is protected.
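The two scenarios above can be turned into a repeatable scoring rule. The following Python is an added example, not the author's method or any product's logic: it treats exposure and threat, asset criticality (from the BIA) and control effectiveness as separate adjustments to the reported severity, counts a control only when control assurance for it is current, and orders a constructed sample backlog by the result. The weights, tier thresholds and sample findings are hypothetical; an organization would set them from its own risk methodology.

```python
"""Organization-specific vulnerability risk tiering and backlog ordering.

Added example (not from the original article). The attribute weights are
hypothetical policy values; an organization sets them from its own risk
methodology, BIA results and control-assurance findings.
"""
import math
from dataclasses import dataclass

SEVERITY_LEVEL = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
LEVEL_NAME = {level: name for name, level in SEVERITY_LEVEL.items()}
# Business impact of the asset being unavailable, taken from the BIA
# (asset criticality). Hypothetical weights.
BUSINESS_IMPACT = {"Very Low": -1, "Low": -1, "Moderate": 0,
                   "High": 1, "Detrimental": 2, "Catastrophic": 2}


@dataclass
class Finding:
    asset: str
    vuln_id: str
    reported_severity: str        # scanner / NVD qualitative rating
    internet_facing: bool         # exposure
    exploited_in_wild: bool       # threat (Temporal-style input)
    sensitive_data: bool          # PHI / PII / cardholder data present
    business_impact: str          # key of BUSINESS_IMPACT
    mfa_required: bool            # control: strong authentication
    segmented: bool               # control: network segmentation
    monitored: bool               # control: audit logging and monitoring
    controls_assured: bool = True  # control-assurance evidence is current


def environmental_modifier(finding):
    """Signed adjustment to the reported severity level. Controls reduce
    risk only when control assurance confirms they operate as designed."""
    f = finding
    exposure = (1 if f.internet_facing else -1) + (1 if f.exploited_in_wild else 0)
    criticality = (1 if f.sensitive_data else -0.5) + BUSINESS_IMPACT[f.business_impact]
    controls = 0.0
    if f.controls_assured:
        controls -= 1.0 if f.mfa_required else 0.0
        controls -= 0.5 if f.segmented else 0.0
        controls -= 0.5 if f.monitored else 0.0
    return exposure + criticality + controls


def adjusted_severity(finding):
    """Reported severity shifted by the modifier, rounded half up and
    clamped to the Low..Very High scale."""
    level = SEVERITY_LEVEL[finding.reported_severity] + environmental_modifier(finding)
    return LEVEL_NAME[max(1, min(4, math.floor(level + 0.5)))]


def prioritize(findings):
    """Order a backlog: adjusted severity first, then the raw modifier so
    findings in the same tier still rank by exposure and criticality."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_LEVEL[adjusted_severity(f)],
                                 environmental_modifier(f)),
                  reverse=True)


# Constructed sample backlog (assumption, not real findings): the two
# scenarios from the article plus an asset whose controls failed assurance.
BACKLOG = [
    Finding("intranet-wiki", "VULN-A", "High", internet_facing=False,
            exploited_in_wild=False, sensitive_data=False, business_impact="Low",
            mfa_required=True, segmented=False, monitored=True),
    Finding("patient-portal", "VULN-B", "Medium", internet_facing=True,
            exploited_in_wild=True, sensitive_data=True,
            business_impact="Catastrophic", mfa_required=False,
            segmented=False, monitored=False),
    Finding("hr-db", "VULN-C", "High", internet_facing=False,
            exploited_in_wild=False, sensitive_data=True,
            business_impact="Moderate", mfa_required=True, segmented=True,
            monitored=True, controls_assured=False),
]

if __name__ == "__main__":
    for f in prioritize(BACKLOG):
        print(f"{f.vuln_id:8} {f.asset:16} reported={f.reported_severity:9} "
              f"adjusted={adjusted_severity(f)}")
```

VULN-A (the article's first scenario) drops from High to Low and VULN-B (the second) rises from Medium to Very High. VULN-C shows the control-assurance point: its MFA, segmentation and monitoring earn no reduction while assurance is stale, so it stays High; re-run with controls_assured=True and the same asset drops to Low.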

Conclusion

The calculation of vulnerability risk helps organizations prioritize the vulnerabilities to be remediated. By including asset criticality and effectiveness of controls as Environmental metrics, vulnerability risk calculations become more precise and more relevant to the organization. In turn, the organization gains the ability to efficiently address and reduce vulnerability backlogs, meet SLAs, and better manage resources and workloads.

Endnotes

1 Keary, T.; “Vulnerability Management: Most Orgs Have a Backlog of 100K Vulnerabilities,” VentureBeat, 14 September 2022
2 CVE Details, "Vulnerabilities by Date," 2022
3 ISC2, ISC2 Cybersecurity Workforce Study, USA, 2022
4 National Institute of Standards and Technology, Vulnerability Metrics, National Vulnerability Database, USA

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “Using a Risk-Based Approach to Prioritize Vulnerability Remediation” episode of the ISACA® Podcast.

Ray Payano, CISA, CISM, CDPSE, CEH, CISSP

Is a cybersecurity risk manager for a major healthcare and wellness organization. He has worked in IT for 25 years, focusing on information and cybersecurity for the past 15 years. Payano has experience in multiple industries including the financial, healthcare and entertainment industries. He serves on the board of the ISACA® Central Florida Chapter (USA) as the education/program director. Payano is also a chapter-accredited trainer and conducts exam preparation sessions for the ISACA Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®) and Certified Data Privacy Solutions Engineer® (CDPSE®) certifications.