Which one of the following metrics would be most useful in determining the effectiveness of a vulnerability remediation program?

Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context and Business Impact

Your One-Stop Risk-Based Vulnerability Management Knowledge Base

Risk-based vulnerability management (RBVM) is a process that reduces vulnerabilities across your attack surface by prioritizing remediation based on the risks they pose to your organization.


Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.

Risk-based vulnerability management uses machine learning to correlate asset criticality, vulnerability severity and threat actor activity. It helps you cut through vulnerability overload so you can focus on the relatively few vulnerabilities that pose the most risk to your enterprise.

A risk-based approach to your vulnerability management program facilitates:

  • Complete visibility into your attack surface, including modern asset types like cloud, operational technology (OT), IoT, serverless and containers
  • Vulnerability prioritization, powered by machine learning, so you can determine which vulnerabilities attackers may be most likely to exploit in the near term
  • Dynamic and continuous assessment of all of your assets and vulnerabilities, including asset criticality ratings

Get Insight Into High-Risk Vulnerabilities That Pose the Greatest Risk to Your Organization

Here are a few highlights of what you’ll discover in this risk-based vulnerability management knowledge base:

Reduce the Greatest Amount of Business Risk with the Least Amount of Effort

Get Complete Attack Surface Visibility and Risk-Based Vulnerability Prioritization with Tenable

  • Discover and assess every asset across your complete attack surface
  • Understand vulnerabilities in context of business risk
  • Prioritize high-risk vulnerabilities that pose the most risk
  • Communicate business risk to your executives and key stakeholders


Legacy vulnerability management solutions weren't designed to handle your modern attack surface and the increasing threats that come with it.

Your attack surface is no longer just traditional IT assets. It also includes mobile devices, web apps, cloud infrastructure, containers, Internet of Things (IoT) devices and operational technology (OT) assets.

In these modern networks, legacy vulnerability management tools can’t deliver complete and timely insights into all of the devices across your entire attack surface. That leaves you with blind spots and increases your Cyber Exposure.

Instead, these legacy tools are limited to a theoretical view of the risk a vulnerability could potentially introduce, which can cause your security team to chase after the wrong issues while missing many of the most critical vulnerabilities that pose the greatest risk to your business.

What’s even more frustrating are the mountains of vulnerability data generally returned from legacy vulnerability management processes. How do you know which vulnerabilities to fix first? How do you know which weaknesses pose the greatest threats to your organization?

Risk-based vulnerability management eliminates guesswork.

By taking a risk-based approach to vulnerability management, your security team can focus on the vulnerabilities and assets that matter most and address your organization’s true business risk instead of wasting valuable time on vulnerabilities attackers may not likely exploit.

If you’re new to risk-based vulnerability management, check out this comparison guide. It breaks down the differences between legacy vulnerability management and risk-based vulnerability management, with insight into how a risk-based approach can make your vulnerability management program more efficient and effective.


3 Things You Need to Know About Prioritizing Vulnerabilities

With the already unmanageable number of vulnerabilities continuing to increase for organizations of all sizes, how can you identify the biggest risks to your business so you know what to remediate first?

This white paper explores three critical steps you can adopt to build an effective vulnerability remediation program:

  • First, look at all of the vulnerabilities that are currently actively exploited, which reflects real risk
  • Next, use a risk-based vulnerability management solution with integrated threat intelligence to address weaknesses with known exploits in the wild
  • Finally, remediate vulnerabilities attackers are most likely to exploit within the next 28 days

Based on Tenable research using more than 4.5 petabytes of internal data, plus 8 external data sources, Tenable Predictive Prioritization utilizes machine learning and predictive analytics to provide visibility into the likelihood an attacker may exploit a weakness.

In addition to these three steps, you’ll also learn about:

  • The pitfalls and drawbacks of using CVSS to prioritize vulnerabilities
  • Steps you can take to decrease the number of vulnerabilities that need your immediate attention
  • Recommendations for issues like how to prioritize based on risk and which vulnerabilities to focus on first


How to Prioritize Cybersecurity Risks

Legacy vulnerability management processes generally return far too many vulnerabilities rated high/critical for your team to mitigate every last one, no matter how much you want to, and no matter how many efficiencies and tools you adopt.

Even with mature vulnerability management programs, hidden threats lurk in blind spots within your attack surface, and it can be hard to seek out and assess all emerging risks that may affect your business.

Remediation is even more complicated when you add in the fact that some patches and fixes require entire system shutdowns.

So how can you maximize efficiency for your security teams to help them make the biggest impact on risk with the least amount of effort?

A risk-based approach to your vulnerability management program will improve the way your organization handles vulnerability assessment and remediation so you always know which weaknesses should get your attention.

In this white paper, you’ll also learn about:

  • How to evolve from a static, point-in-time vulnerability data view CVSS provides, to a dynamic view of vulnerability, threat and asset criticality data analyzed by predictive machine learning algorithms that focus on mitigating business risk
  • How visibility into all of your IT assets across your attack surface is essential for vulnerability remediation
  • How to shift your focus from how many vulnerabilities you have to which vulnerabilities pose the greatest risk and need priority remediation

Predictive Prioritization: Data Science to Focus on the Greatest Risks to Your Organization

Organizations of all sizes are overwhelmed by the sheer number of vulnerabilities already in their networks—and that number is increasing rapidly as modern networks grow larger and more diverse.

This leads to an ever-expanding, dynamic attack surface and increasing vulnerabilities, which legacy vulnerability management solutions can’t handle.

Tenable’s Predictive Prioritization can help your team improve your cyber risk management processes by reducing the number of vulnerabilities that need immediate attention by 97%.

Predictive prioritization uses machine learning to identify the relatively small number of vulnerabilities that pose the greatest risk to your organization in the near future. It gives you ongoing, comprehensive insight into your ever-changing attack surface, including all known vulnerabilities related to all of your asset types.

In addition to taking a deep dive into predictive prioritization and how it works, you won’t want to miss learning more about:

  • How predictive prioritization goes beyond Common Vulnerability Scoring System (CVSS) scores so you can focus on the 3% of vulnerabilities that matter most
  • Insight into how predictive prioritization works, including guiding principles
  • Why predictive prioritization is more accurate than other prioritization processes

5 Reasons Why Legacy Vulnerability Management Fails

Today’s modern attack surface is complex. It has more asset types than ever before and an ever-growing number of vulnerabilities. In the past year alone, more than 17,000 new vulnerabilities were disclosed and many organizations reported they’ve experienced a damaging cyber attack within the past two years.

If you’re still using legacy vulnerability management practices, your organization may be at risk for an increasing number of attacks.

Why? Because legacy vulnerability management doesn’t give you the complete visibility you need for comprehensive insight into your attack surface, especially for your most critical assets.

Check out this infographic on the top reasons legacy vulnerability management fails to learn more about:

  • How risk-based vulnerability management is different than legacy vulnerability management
  • How risk-based vulnerability management works
  • Benefits of adopting risk-based vulnerability management practices

Frequently Asked Questions about Risk-Based Vulnerability Management

Are you new to risk-based vulnerability management? Do you have questions about how you can adopt a risk-based approach for your existing vulnerability management program, but are not sure where to start? This risk-based vulnerability management FAQ is a great resource.

What’s a security vulnerability?

A security vulnerability is a software flaw that creates a security risk. These vulnerabilities are weaknesses, like a bug or programming mistake, that make your network vulnerable to attackers. Through vulnerabilities and misconfigurations, attackers can infiltrate your network to compromise systems and get access to your data and information.

What is risk-based vulnerability management?

Risk-based vulnerability management (RBVM) uses machine learning analytics to correlate asset criticality, vulnerability severity and threat actor activity so you can identify and manage risks that pose the greatest threat to your organization. You can then prioritize those critical weaknesses for remediation and deprioritize those that present less risk.

How is risk-based vulnerability management different from legacy vulnerability management?

Risk-based vulnerability management is different from legacy vulnerability management in several ways.

First, legacy vulnerability management generally assesses only traditional on-premises IT assets such as desktop computers, servers and devices on your network. Because this approach ignores other parts of your attack surface, such as mobile devices, web apps, cloud environments, IoT, OT and containers, it creates blind spots that put your organization at risk. Risk-based vulnerability management allows you to assess traditional and modern assets across your entire attack surface and then combine this data with threat and exploit intelligence, as well as asset criticality, to predict each vulnerability’s impact on your organization.

Here are a few other ways the two disciplines are different:

Legacy Vulnerability Management

  • Only meets minimum compliance requirements
  • Provides static, point-in-time snapshots of vulnerability data
  • Is reactive

Risk-Based Vulnerability Management

  • Uses best practices to reduce risk across your organization
  • Facilitates continuous and dynamic visibility into your assets and vulnerabilities
  • Is proactive and focused

What is active scanning?

Active scanning generates network traffic and interacts with devices on your network. It gives you detailed information about your assets, including open ports, known malware, installed software and security configuration issues. Unauthenticated scans, authenticated scans and agent-based scanning are active scanning variants.

What is a Common Vulnerability Scoring System (CVSS) score?

The Common Vulnerability Scoring System (CVSS) takes a theoretical view of the risk a vulnerability could potentially introduce. CVSS starts with 0 as the lowest priority and goes up to 10 — the most critical.

Unfortunately, CVSS assesses about 60% of all vulnerabilities with a high or critical CVSS score, even though they may pose little risk to your organization. CVSS is unaware of real-world risk and doesn’t take into account the criticality of each asset within your environment. These are critical pieces of information you need to prioritize remediation effectively.

Tenable supplements CVSS with Predictive Prioritization, an Asset Criticality Rating (ACR) and a Vulnerability Priority Rating (VPR), which are defined below. VPR gives you better insight into risks by also considering threat and attack scope, vulnerability impact and threat score. VPR performs in-depth analyses to determine the top 3% of vulnerabilities that should be remediated first.

What is a Vulnerability Priority Rating (VPR)?

A Vulnerability Priority Rating (VPR) is the output of Tenable’s Predictive Prioritization process.

VPR assesses more than 150 data points, including Tenable and third-party vulnerability and threat data. It then uses a machine-learning algorithm to analyze all the vulnerabilities in the National Vulnerability Database (plus others that vendors have recently announced but that have not yet been added to the NVD) to predict which vulnerabilities have the greatest risk of being exploited in the near future.

VPRs, rated from 0 to 10, help you prioritize remediation. VPRs at 10 indicate the most critical threats for priority remediation.

What is Predictive Prioritization?

Predictive prioritization uses a risk-based approach to vulnerability management to determine the probability an attacker may leverage a weakness against your organization.

Predictive prioritization includes asset and threat intelligence and adds machine learning to prioritize vulnerabilities based on the likelihood of an attack. Predictive prioritization gives each vulnerability a score called a Vulnerability Priority Rating (VPR). VPRs are from 0 to 10, with 10 the highest possible threat, so you can prioritize which weaknesses should get priority attention.

What is an Asset Criticality Rating (ACR)?

An Asset Criticality Rating (ACR) represents how critical each asset is on your network based on several key metrics including business purpose, asset type, location, connectivity, capabilities and third-party data. ACRs are from 0 to 10. If an asset has a low ACR, it is not considered business critical. If it has a high ACR, it is business critical.

What is an Asset Exposure Score (AES)?

An Asset Exposure Score (AES) uses both your Vulnerability Priority Rating (VPR) and Asset Criticality Rating (ACR). AES accounts for an asset’s vulnerability threat, criticality, and scanning behavior to quantify its vulnerability landscape.

What is a Cyber Exposure Score?

A Cyber Exposure Score (CES) represents your organization’s cyber risk. CES combines your Vulnerability Priority Rating (VPR) with your Asset Criticality Rating (ACR).

CES ranges between 0 (minimal risk) and 1,000 (highest risk) and represents the average of all Asset Exposure Scores (AESs) in your organization.

CES helps prioritize remediation by examining asset criticality and your business goals, the severity of each potential threat within your network, how likely an attacker may exploit the threat in the next 28 days, and the context of the threat related to how prevalent the exploitation risk is in the real world.

Your CES also helps benchmark your vulnerability management and vulnerability assessment success internally and against peer organizations.
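The scores defined above (CVSS, VPR, ACR, AES and CES) fit together into a remediation ranking and a trendable organisation-wide number. The block below is an added example, not Tenable’s code or formulas: the page gives only the ranges of these scores, so it assumes illustrative stand-ins (risk = VPR × ACR, AES = the asset’s highest open VPR × ACR × 10, CES = the mean AES over all assets) and uses constructed findings with placeholder vulnerability ids to show how a risk-based order differs from a CVSS-only order and how CES moves as findings are closed.

```python
# Added example (not Tenable's code): how ranking by VPR x ACR reorders
# remediation compared with ranking by CVSS alone, and how per-asset
# exposure (AES) rolls up into an organisation-wide average (CES).
# ASSUMPTION: the formulas here (risk = VPR x ACR, AES = max VPR x ACR x 10,
# CES = mean AES over assets) are illustrative stand-ins; the page states
# only the ranges of these scores, not how Tenable computes them.
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    asset: str   # host the vulnerability was found on
    vuln: str    # placeholder vulnerability id (not a real CVE number)
    cvss: float  # CVSS base score, 0-10
    vpr: float   # VPR, 0-10: likelihood of exploitation in the near term
    acr: float   # ACR of the asset, 0-10: business criticality


# Constructed sample data, not taken from the page.
FINDINGS = [
    Finding("lab-test-vm", "VULN-1", 9.8, 2.1, 2.0),
    Finding("payment-db", "VULN-2", 7.5, 9.2, 10.0),
    Finding("kiosk-01", "VULN-3", 9.1, 3.4, 4.0),
    Finding("vpn-gateway", "VULN-4", 8.1, 8.7, 9.0),
    Finding("dev-ci", "VULN-5", 9.8, 5.5, 6.0),
    Finding("payment-db", "VULN-6", 5.3, 6.8, 10.0),
    Finding("lab-test-vm", "VULN-7", 4.0, 1.2, 2.0),
]


def high_or_critical_share(findings) -> float:
    """Fraction of findings CVSS alone flags as High/Critical (CVSS v3: >= 7.0)."""
    flagged = [f for f in findings if f.cvss >= 7.0]
    return len(flagged) / len(findings)


def rank_by_cvss(findings) -> list:
    """Legacy ordering: highest CVSS first (vuln id breaks ties)."""
    return [f.vuln for f in sorted(findings, key=lambda f: (-f.cvss, f.vuln))]


def finding_risk(f: Finding) -> float:
    """ASSUMED risk score: exploit likelihood weighted by asset criticality."""
    return f.vpr * f.acr


def rank_by_risk(findings) -> list:
    """Risk-based ordering: highest VPR x ACR first (vuln id breaks ties)."""
    return [f.vuln for f in sorted(findings, key=lambda f: (-finding_risk(f), f.vuln))]


def asset_exposure_scores(findings, assets) -> dict:
    """ASSUMED per-asset AES on a 0-1000 scale: the asset's highest open VPR
    times its ACR, times 10. An asset with no open findings scores 0."""
    scores = {}
    for asset, acr in assets.items():
        open_vprs = [f.vpr for f in findings if f.asset == asset]
        scores[asset] = round(max(open_vprs) * acr * 10) if open_vprs else 0
    return scores


def cyber_exposure_score(findings, assets) -> int:
    """Organisation-wide CES: mean of AES over all assets, rounded (0-1000)."""
    return round(mean(asset_exposure_scores(findings, assets).values()))


def ces_after_remediating(findings, fixed) -> int:
    """CES once the listed vuln ids are closed. The asset population is kept
    unchanged so the before/after numbers stay comparable over time."""
    assets = {f.asset: f.acr for f in findings}
    remaining = [f for f in findings if f.vuln not in fixed]
    return cyber_exposure_score(remaining, assets)


if __name__ == "__main__":
    before = cyber_exposure_score(FINDINGS, {f.asset: f.acr for f in FINDINGS})
    for label, order in (("CVSS", rank_by_cvss(FINDINGS)), ("risk", rank_by_risk(FINDINGS))):
        print(f"fix top 2 by {label}: CES {before} -> {ces_after_remediating(FINDINGS, order[:2])}")
```

On this constructed data, CVSS alone flags 5 of 7 findings as High or Critical and puts the two lab findings first, while the risk-based order starts with the payment database and VPN gateway; closing the top two by risk lowers CES from 442 to 238, versus 373 when the top two by CVSS are closed.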

What is a Proof-of-Concept (POC) exploit?

A proof-of-concept (PoC) exploit is code or a procedure that demonstrates a vulnerability can actually be exploited, rather than just theoretically.

What is PCI ASV?

PCI ASV is an abbreviation for the Payment Card Industry (PCI) Approved Scanning Vendor (ASV). It is related to the PCI Data Security Standard (DSS) Requirements and Security Assessment Procedures for quarterly external vulnerability scans, which must be conducted or attested to by an ASV.

Risk-Based Vulnerability Management in the Cloud

Risk-based vulnerability management isn’t just a process for on-premises assets. It’s also applicable to all your cloud environments.

A risk-based approach to vulnerability management can help you discover, assess, prioritize, remediate, and measure all of your cloud assets to build a mature vulnerability management program.

Here’s how it works:


Discover Cloud Assets in a Dynamic Environment

Continuous visibility into your cloud environments is the foundation of risk-based vulnerability management. It ensures you’re not blind to short-lived assets in production and development.


Run Assessments Built Specifically for the Cloud

Using security best practices and environment hardening templates from the Center for Internet Security (CIS) and cloud service providers like Amazon Web Services (AWS) and Microsoft Azure, you can audit your cloud environment, find vulnerabilities within your cloud stack and adopt a variety of scanning and monitoring methods to meet your organization’s cloud needs.


Prioritize Exposure Context

Risk-based vulnerability management helps you understand the context of exposures within your cloud environment so you can prioritize which to fix first. Risk-based vulnerability management helps you allocate your remediation resources to threats that pose the greatest risk to your organization, and you can share that information easily with your DevOps team and automatically send information to your SIEM for response.


Remediate Vulnerabilities

When it comes to vulnerabilities, finding them in your live environment is only half the battle. Risk-based vulnerability management helps you remediate vulnerabilities before production by integrating directly into your CI/CD pipeline and image creation processes. With Tenable, you can also integrate bug-tracking and remediation tools using powerful APIs so you know which vulnerabilities your team fixes and when remediation is complete.


Measure and Benchmark for Better Decision-Making

Risk-based vulnerability management can help you quickly understand your organization’s Cyber Exposure, even for dynamic assets in the cloud. By including your cloud environments in your CES, you can compare how well your cybersecurity program works across internal departments, as well as against industry peers.

Risk-Based Vulnerability Management Process

Legacy vulnerability management doesn't give you a unified view of your entire attack surface, which makes it difficult to know which vulnerabilities to fix first. Risk-based vulnerability management helps you see which vulnerabilities actually pose the greatest risk to your organization and puts them into context so you can prioritize remediation. By moving from the compliance-driven approach of legacy vulnerability management to a risk-based approach, your organization can evolve from an infrastructure and IT focus to addressing your entire attack surface. Here’s a quick look into the risk-based vulnerability management process as it relates to the Cyber Exposure Lifecycle:

  1. Discover

    Identify and map all of your assets across your entire attack surface so you have visibility into all of your computing environments.

  2. Assess

    Understand the state of all of your assets across all of your environments including vulnerabilities, misconfigurations and other security health issues.

  3. Prioritize

    Understand the context of your exposures so you can prioritize remediation based on how critical each asset is to your organization, its threat context and vulnerability severity.

  4. Remediate

    Prioritize which vulnerabilities to remediate first and apply the appropriate remediation or mitigation technique.

  5. Measure

    Understand your Cyber Exposure so you can calculate, communicate and compare cyber risks internally and against peer organizations to make better security and business decisions.

Risk-Based Vulnerability Management Best Practices

While risk-based vulnerability management is a relatively new approach to vulnerability management, you can take steps toward a risk-driven program for your organization by implementing these best-practice recommendations:

  1. Data Fidelity and Your Attack Surface

    An effective risk-based vulnerability management program should continually gather and analyze data from across your entire attack surface, including on-premises infrastructure, endpoints, cloud infrastructure, web applications, containers, mobile devices, IoT and OT.

  2. Process Automation

    Streamline your risk-based vulnerability management processes including configuration management, change management, asset management and incident response.

  3. Customized Analytics

    Your risk-based vulnerability management solution should provide analytics and customizable reports for your organization’s needs. You can use the reports to provide each key stakeholder with role-specific analytics. Topline analytics also provide insight into how well your teams collect asset and assessment information, including success metrics to remediate prioritized vulnerabilities.

With risk-based vulnerability management best practices, your security team can build a successful program that delivers high-fidelity data and automated processes to effectively manage your Cyber Exposure across your entire attack surface.

Discover. Assess. Prioritize.

Stop guessing about which vulnerabilities to fix first. Reduce the number of vulnerabilities that need your immediate attention by 97% and focus on what matters most with Tenable.io.


Risk-Based Vulnerability Management Blog Bytes


Should You Still Prioritize Exploit Kit Vulnerabilities?

The objective of strategic vulnerability remediation prioritization is to identify vulnerabilities that pose the greatest risk to your organization. Many organizations rely on the Common Vulnerability Scoring System (CVSS) to prioritize, but given the time and resources available, CVSS often yields far too many “critical” vulnerabilities for most to realistically remediate.


Vulnerability Management On-Demand


Lumin: Manage Cyber Risk Across Your Entire Organization

Do you know how to measure your organization’s cyber risk? Have you ever benchmarked your Cyber Exposure across your organization or against industry peers? Managing and measuring Cyber Exposure helps you make more strategic risk-based decisions for your security program and your business goals.

Here are a few ways Tenable Lumin, a risk-based vulnerability management (RBVM) benchmarking tool, and the Tenable Cyber Exposure Platform can help your organization:

  • Discover and analyze all critical assets across your attack surface
  • Compare how effective your internal security processes and programs are throughout your organization and against industry peers
  • Find and plan to mitigate vulnerabilities with the greatest chance of impacting your organization in the near-term
  • Prioritize your data and remediation strategies to reduce cyber risks


Enterprise Strategy Group Reports on Cyber Risk Management Survey Findings

Your attack surface is forever growing and changing. Today, you likely have more assets, more cloud-based workloads, and more data. That means more vulnerabilities and more risk-management challenges across your organization.

In a recent study, Enterprise Strategy Group (ESG) Research discovered that 73% of security professionals believe risk management is more difficult today than just a couple of years ago.

In this on-demand webinar, you’ll learn more about ESG’s Cyber Risk Management Survey Report including:

  • Recommendations to prioritize your ever-changing vulnerability landscape
  • Why you should evolve your vulnerability assessment processes beyond point-in-time scans to adopting continuous visibility processes
  • How cyber risk translates into business risk


Tenable and Indegy: The First Unified, Risk-Based Platform for IT and OT Security

No matter what your business is or which industry you’re part of, operational technology (OT) plays a more prevalent role in your attack surface—and that means more potential for a business-disrupting OT-related security event.

Recently, Tenable united with Indegy to create the industry’s first unified risk-based platform for all assets. Check out this webinar to learn:

  • How a unified view of IT and OT vulnerabilities will help you better manage possible security issues along with vulnerabilities
  • How to take a risk-based approach to measure, score, trend and benchmark OT with IT
  • The ins-and-outs of IT and OT vulnerability assessment
  • Process management for OT

Gain Insight Into Your Organization’s Overall Cyber Risk with Tenable Lumin

Tenable Lumin can help you visualize, analyze and measure your cyber exposure across your entire attack surface. It transforms vulnerability data into meaningful insights so you can manage cyber risk and focus on the top 3% of vulnerabilities that pose the greatest risk to your organization.


Risk-Based Scoring and Prioritization

Lumin combines vulnerability data with asset criticality and threat intelligence so your security team can focus on vulnerabilities that matter most.


Total Attack Surface Visibility

With complete visualizations of your entire attack surface, Lumin helps your team quickly measure and communicate your cyber risk.


Exposure Analytics and Benchmarking

Powered by the industry’s richest set of vulnerability intelligence, Lumin helps you quantify your cyber risk so you can benchmark internally to determine your program’s effectiveness.


Visualize and explore your organization’s cyber exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.


Which one of the following types of vulnerability scans would provide the least information about the security configuration of a system?

Therefore, an uncredentialed external scan would provide the least information.

What is the purpose of creating an MD5 hash for a drive during the forensic imaging process?

The Message Digest 5 (MD5) hash is commonly used for integrity verification in the forensic imaging process. The ability to force MD5 hash collisions has been a reality for more than a decade, although there is a general consensus that hash collisions are of minimal impact to the practice of computer forensics.