Why we must bring order to cyber vulnerability chaos


The rapid pace of digital transformation across nearly every industry has brought dramatic changes to the operational efficiency of organizations, enabling them to streamline processes and improve the services provided to customers. However, this pace of change has not only opened up the attack surface but has also escalated the volume and complexity of security vulnerabilities.

Last year alone marked a record-breaking surge in reported Common Vulnerabilities and Exposures (CVEs), with figures surpassing 29,000 new IT security vulnerabilities globally, according to the US National Vulnerability Database. Amidst this unprecedented growth, traditional methods of identifying and patching vulnerabilities are no longer viable. The challenge now lies not just in detecting these vulnerabilities but in effectively prioritizing and managing them in a way that is aligned with the specific risks that they pose to each individual organization. As we delve deeper into this cyber vulnerability chaos, the need for a strategic, risk-based approach to vulnerability management becomes critical.

Patrick Ragaru

CEO of Hackuity.

The challenges of overwhelming data and fragmentation

The rapid expansion of business operations today means organizations often operate across more fragmented networks, which makes maintaining visibility of vulnerabilities all the more challenging. And with a greater number of interconnected and interdependent systems, organizations face a new set of risks, as the exploitation of a vulnerability in just one system or device can lead to large-scale disruption.

This fragmentation can also create information overload, with too many moving parts to manage. As a result, firms struggle to keep on top of risk management. The National Vulnerability Database (NVD), responsible for analyzing and scoring each reported CVE, published more than 25,226 vulnerabilities in 2022 alone. The reality is that organizations can’t realistically patch everything; in fact, it’s estimated that they can only patch between 5% and 20% of identified vulnerabilities on average per month, leaving the vast majority unaddressed. On paper, those percentages are adequate; in fact, they are more than enough, since less than 1% of critical vulnerabilities need immediate remediation for a given organization.

The question is whether teams are focusing on the right patches. More often than not, the short answer is no. The key strategy is to prioritize the most critical vulnerabilities and address them in real time. But traditional methods of risk prioritization are failing as they can’t provide full visibility across more complex network ecosystems and, ultimately, businesses can’t protect what they can’t see. Shadow IT, data obsolescence, and outdated asset inventories are continuously growing, and this gap in IT visibility and management exacerbates the vulnerability confusion. All this underscores the need for a new approach to vulnerability management that can adapt to the rapidly evolving cyber landscape.

Risk-based vulnerability management: choosing the most effective solution

Confronting this vulnerability chaos requires a shift from the traditional tick-box method of vulnerability management to a more nuanced, risk-based approach that identifies the specific threat to each individual business.

Risk-based vulnerability management (RBVM) solutions can evaluate vulnerabilities not just on their severity but also according to the context of the organization's unique attack surface, industry sector, and operations. At the same time, they can provide a holistic view of the entire network, including asset knowledge, threat intelligence, and effective process management.

Effective RBVM solutions are able to seamlessly integrate with existing security tools within the organization and access public and private threat intelligence sources, enabling organizations to consistently gauge the evolving nature of threats. This informed perspective allows for the dynamic prioritization of vulnerabilities, ensuring resources are allocated where they are needed most.

However, RBVM is not just about tools and processes; it fundamentally hinges on people and their ability to effectively manage vulnerabilities. Establishing clear responsibilities, fostering accountability, and ensuring coherent team efforts are vital. These human elements, combined with robust processes and the right tools, create a potent mix that transforms vulnerability chaos into manageable order.

Going forward, businesses will need to align their vulnerability management practices with evolving compliance and regulatory requirements. There is a critical intersection between vulnerability management and compliance, especially with new regulations emerging across various industries.

The recent evolution of the Common Vulnerability Scoring System (CVSS) to version 4.0 underscores this trend, marking the first major update in eight years. This new version aims to provide a more granular and contextual framework for assessing vulnerabilities, echoing the principles of RBVM. However, relying solely on CVSS scores may lead to misguided priorities. Businesses need to base their security strategy around their vulnerability management processes, and specifically around their RBVM practices.
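As an added illustration of why a severity-only ranking and a context-aware one can disagree, the Python below scores a constructed set of findings against asset criticality, exposure, threat intelligence and existing controls. This is example code, not code from the author or from Hackuity; the weights, asset names and identifiers are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (all values constructed)."""
    vuln_id: str                # placeholder id, not a real CVE number
    asset: str
    cvss_base: float            # severity alone, 0.0-10.0
    asset_criticality: int      # 1 (lab box) .. 5 (crown-jewel system), from asset inventory
    internet_exposed: bool      # from the attack-surface / exposure inventory
    known_exploited: bool       # from a threat-intelligence feed
    compensating_control: bool  # e.g. already segmented or behind a WAF

def risk_score(f: Finding) -> float:
    """Severity scaled by business context; the weights are illustrative assumptions."""
    score = f.cvss_base
    score *= 0.4 + 0.15 * f.asset_criticality   # 0.55 for a lab box .. 1.15 for crown jewels
    if f.internet_exposed:
        score *= 1.3            # reachable by anyone, not only insiders
    if f.known_exploited:
        score *= 1.5            # intelligence says it is being used in the wild
    if f.compensating_control:
        score *= 0.6            # an existing control lowers, but does not remove, the risk
    return score

def rank_by_cvss(findings):
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]

def rank_by_risk(findings):
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]

def immediate_remediation(findings, threshold=10.0):
    """The short list that needs patching now according to the context-aware score."""
    return [f.vuln_id for f in findings if risk_score(f) >= threshold]

# Constructed sample inventory: four findings, chosen so that the
# severity-only order and the context-aware order disagree.
SAMPLE = [
    Finding("VULN-A", "lab-vm-01",       9.8, 1, False, False, False),
    Finding("VULN-B", "payments-api",    7.5, 5, True,  True,  False),
    Finding("VULN-C", "customer-portal", 9.1, 4, True,  False, True),
    Finding("VULN-D", "sso-gateway",     5.3, 5, True,  True,  False),
]

if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(SAMPLE))
    print("Risk-based order:", rank_by_risk(SAMPLE))
    print("Patch now       :", immediate_remediation(SAMPLE))
```

The highest CVSS score in the sample (a lab machine nobody can reach) drops to last place once context is applied, while two lower-scored but exposed and actively exploited findings form the short "patch now" list.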

For smaller organizations, this might mean balancing reactive and preventive measures, blending cyber hygiene with responsive capabilities. For larger enterprises, it involves deep dives into asset management and threat intelligence, ensuring that every potential vulnerability is evaluated within its specific business context.

The successful adoption of RBVM and regulatory compliance demands a concerted effort across various facets of a business – from aligning C-level strategy to streamlining IT processes and adopting advanced toolsets. By integrating the right solution, achieving visibility over the entire IT ecosystem, breaking silos between teams, and establishing a culture of collaborative knowledge sharing, businesses can navigate this chaotic cyber landscape and build a resilient defense.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
