Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

Vulnerability Patching Overload

According to folklore, witches were able to sail in a sieve, a
strainer with holes in the bottom. Unfortunately, witches don’t
work in cybersecurity – where networks generally have so many
vulnerabilities that they resemble sieves.

For most of us, keeping the sieve of our networks afloat
requires nightmarishly hard work and frequent compromises on which
holes to plug first.

The reason? In 2010, just under 5000 CVEs were recorded in the
MITRE vulnerabilities database. By 2021, the yearly total had
skyrocketed to over 20,000[1]. Today, software and network
integrity are synonymous with business continuity, which makes the
question of which vulnerabilities to address first
mission-critical. Yet of the countless documented vulnerabilities
lurking in a typical enterprise ecosystem – across thousands of
laptops, servers, and internet-connected devices – less than one in
ten[2] actually needs to be patched. The question is: how can we
know which patches will ensure that our sieve doesn’t sink?

This is why more and more companies are turning to Vulnerability
Prioritization Technology (VPT). They seek solutions that filter
out the flood of false positives generated by legacy tools and
poorly-configured solutions and address only those vulnerabilities
that directly affect their networks. They’re leaving traditional
vulnerability management paradigms behind and shifting to the next
generation of VPT solutions.

The Evolution of Vulnerability Management

It’s not news that even the most resource-rich enterprise can’t
possibly sort through, prioritize and patch every single
vulnerability in their ecosystem. That’s why the shift toward VPT
started in the first place.

Initially, Vulnerability Management (VM) focused on scanning core
networks and detecting any vulnerabilities present. This was known
as Vulnerability Assessment (VA), and the deliverable was a
massively long list of vulnerabilities that had little practical
value for already overextended IT resources.

To make VA more actionable, the next generation of VM tools
included vulnerability prioritization based on each vulnerability’s
global CVE scoring[3]. This was further refined by adding another
layer of prioritization based on estimations of potential damage,
threat context, and, ideally, a correlation with local context to
evaluate the potential business impact based on DREAD[4]-type
models. This more advanced approach is known as Risk Based
Vulnerability Management (RBVM) and was a giant leap forward from
VA.

Yet even advanced VM tools implementing RBVM lag behind in
sophistication and actionability. These tools can only detect what
they know – meaning that misconfigured detection tools frequently
result in missed attacks. They cannot evaluate whether existing
security controls compensate for a given vulnerability, whose
severity they judge only by its CVE score correlated with local
context risk. The result is still a bloated patching list, and –
just as with early-gen VA tools – patching often ends up at the
bottom of the to-do list or is simply ignored by IT teams.

Leveraging Next-Gen VPT

Advanced VPT solutions are the next generation of VM – offering
organizations a very different view of their unique cyber
risks.

Building on traditional VA detection and more advanced RBVM
capabilities, the latest generation of VPT solutions adds asset
criticality context, environmental context, and multiple,
pre-integrated threat intelligence sources. In this way, it
augments vulnerability severity data with sophisticated analytics
and in-context applicability. These analytical capabilities enable
advanced VPT solutions to integrate highly granular threat
validation, producing the next generation of capabilities that
augment traditional VM: Attack Based Vulnerability Management
(ABVM)[5].

ABVM is a game-changer: once network stakeholders can effectively
validate the real-world threats facing their networks, they can
test their environments based on actual exposure levels and
permeability to attack. According to Gartner[6], the shift towards
ABVM is crucial to better prioritization and assessment of
vulnerabilities. It empowers security and risk management leaders
to both generate recommendations and apply them directly to their
security programs – addressing prioritized findings.

Leveraging ABVM, security stakeholders can identify all
undetected attacks, generate data and use cases that enable
continuous improvement of detection and response tool
configuration, and map out potential end-to-end attack paths with
detailed local context. Once these as-yet-unsecured attack paths
are clearly mapped out, so is the patching plan, because threat
validation coupled with a deep understanding of attack paths
enables laser-focused patching prioritization. With ABVM,
optimizing scarce patching resources to plug only those holes that
threaten to sink the sieve becomes straightforward.
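The two prioritization layers described above (RBVM's score-times-context ranking, and ABVM's filtering by validated attack paths and compensating controls) can be made concrete with a small toy pipeline. This is an added example with constructed findings and arbitrary weights, not any vendor's scoring model; the CVE identifiers and hostnames are placeholders.

```python
# Added example: a toy prioritization pipeline contrasting RBVM with ABVM.
# Constructed data and weights; not any vendor's scoring model.
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                 # placeholder id, constructed for the example
    host: str
    cvss: float              # CVSS base score, 0-10 (the "global CVE score")
    asset_criticality: int   # local context: 1 (lab box) .. 5 (crown jewel)
    exploited_in_wild: bool  # threat-intelligence context
    on_validated_path: bool  # ABVM: a validated attack path reaches this host
    control_blocked: bool    # ABVM: a compensating control stopped that path


def rbvm_score(f: Finding) -> float:
    """Risk-based score: severity scaled by asset criticality and threat context."""
    threat = 1.5 if f.exploited_in_wild else 1.0
    return round(f.cvss * (f.asset_criticality / 5) * threat, 2)


def rbvm_patch_list(findings, threshold=5.0):
    """RBVM: everything above the risk threshold, highest risk first."""
    return sorted((f for f in findings if rbvm_score(f) >= threshold),
                  key=rbvm_score, reverse=True)


def abvm_patch_list(findings, threshold=5.0):
    """ABVM: keep only findings on a validated attack path that no
    compensating control blocked, then rank them with the same risk score."""
    exposed = [f for f in findings if f.on_validated_path and not f.control_blocked]
    return rbvm_patch_list(exposed, threshold)


def load_reduction(findings) -> float:
    """Fraction of the RBVM patch list that ABVM removes."""
    before, after = len(rbvm_patch_list(findings)), len(abvm_patch_list(findings))
    return round(1 - after / before, 2) if before else 0.0


# Constructed findings: cve, host, cvss, criticality, exploited, on_path, blocked
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "dc01", 9.8, 5, True, True, False),     # exposed DC
    Finding("CVE-EXAMPLE-0002", "web01", 7.5, 4, False, True, True),    # WAF blocked it
    Finding("CVE-EXAMPLE-0003", "lab07", 9.1, 1, False, False, False),  # isolated lab
    Finding("CVE-EXAMPLE-0004", "file02", 8.8, 3, True, False, False),  # segmented off
    Finding("CVE-EXAMPLE-0005", "vpn01", 6.5, 5, True, True, False),    # exposed VPN
    Finding("CVE-EXAMPLE-0006", "kiosk3", 5.3, 2, False, True, False),  # low risk
]

if __name__ == "__main__":
    for label, lst in (("RBVM", rbvm_patch_list(FINDINGS)), ("ABVM", abvm_patch_list(FINDINGS))):
        print(label, [(f.cve, f.host, rbvm_score(f)) for f in lst])
    print("patch load reduction:", load_reduction(FINDINGS))
```

On this constructed data the RBVM list holds four findings and the ABVM list two, a 50% reduction; the two dropped items are the one a compensating control already blocks and the one no validated attack path reaches.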

The move from traditional score-based VA or RBVM approaches to
ABVM can lower patching load by 20%-50% while markedly improving
overall security posture. By preventing security drift, ABVM also
helps streamline SIEM toolsets – improving tool configuration,
eliminating overlap, and identifying missing capabilities.

The Bottom Line

By improving security, reducing costs, refining resource
allocation, and strengthening collaboration between teams, ABVM
offers a new horizon of productivity and efficacy for security
teams. Taking traditional VPT to the next level, ABVM solves
chronic vulnerability patching overload, enabling networks to
remain afloat even in today’s threat-choked waters.

References

  1. over 20,000 (www.cvedetails.com)
  2. one in ten (www.kennasecurity.com)
  3. global CVE scoring (cve.mitre.org)
  4. DREAD (en.wikipedia.org)
  5. Attack Based Vulnerability Management (ABVM) (cymulate.com)
  6. Gartner (www.gartner.com)
