How effective is your vulnerability management strategy? Last year we discovered more than 26,500 vulnerabilities, a number that continues to grow every year. The attack surface also continues to grow and diversify. A product in your IT landscape that was secure yesterday could be your biggest risk tomorrow. Given limited resources in an ever-expanding digital world, the challenge is not only finding new vulnerabilities, but also determining which vulnerabilities to prioritize.
Vulnerability management is like defending a medieval city while the enemy lurks in the surrounding forests. The city walls have many cracks and holes: which part of the wall should you repair first? The answer is not to simply start on one side, because that leaves the rest of the city vulnerable. Instead, you should first find and repair the weakest parts of your wall, because that is where an attack would do the most damage.
In a modern organization, a vulnerability scan often uncovers hundreds of thousands of vulnerabilities that an attacker could exploit. As with the city walls, you need to prioritize the vulnerabilities that pose the greatest risk. How? By adding context to each vulnerability. Rather than relying on raw scan data, it’s better to focus on contextualized vulnerability data with threat intelligence as a guide. This turns reactive chaos into proactive strategy.
Of the 26,500 vulnerabilities discovered in 2023, we only know of 1,114 being exploited. It is not the number of vulnerabilities that should worry us, but the potential damage they could cause.
The challenges for vulnerability management
Dealing with vulnerabilities may sound simple, but many organizations still have large holes in their metaphorical medieval walls. Repairing and reinforcing these is a complex challenge. The volume alone can be overwhelming, with new vulnerabilities emerging every day. That’s why it’s important to prioritize. There are various frameworks and rating systems to help with this. Patching itself can also be complex, as there is never a right time to take a server down for maintenance.
Another common challenge is lack of visibility, often caused by dark spots and undocumented systems. Of course, it’s difficult to protect what you can’t see. In addition, IT environments are becoming increasingly complex, with more assets and more dark spots. This growing attack surface has made threat intelligence (tracking the latest threats) a full-time job. Finally, organizational culture can also be a barrier. Do you have the right processes in place? Who coordinates patching efforts?
Common misconceptions about vulnerabilities
Unfortunately, there are still many misconceptions that mislead many organizations:
- “We will find too much if we scan everything, so let’s start small”
Many organizations choose this approach because they fear being overwhelmed. However, excluding risks from your scope goes against best practices. It’s like rebuilding part of your wall while leaving the rest vulnerable and hoping for the best. Always prioritize the most critical issues.
- “We need to fix all vulnerabilities before we scan again.”
In today’s fast-paced world, new vulnerabilities emerge every day, so you should check for issues at least once a week and fix the most critical ones immediately. Don’t treat the list as something to work through once; it’s dynamic and will never be finished.
- “Automated patching fixes all vulnerabilities”
Automated patching is great, but it doesn’t solve everything. Some patches fail due to download errors, aborted installations, etc. Regular scanning is still essential.
- “Vulnerabilities are only IT’s problem”
While IT is best placed to fix vulnerabilities, the entire organization must share this responsibility. Remember that vulnerabilities can affect anyone in the company.
- “Windows is more vulnerable, but with Mac we are safe”
Although Windows may have more vulnerabilities, no platform is completely secure. Every system has vulnerabilities and needs to be scanned. If we look at the list of actively exploited vulnerabilities, the attack rate for Mac is actually comparable to that for Windows.
- “High CVSS vulnerabilities should be our top priority”
It’s good to have a Common Vulnerability Scoring System (CVSS), but it doesn’t give you a complete picture. To accurately assess and prioritize threats, a more holistic and dynamic approach to vulnerability management is needed.
Implement a risk-based approach
According to our Security Navigator and remediation data from our Vulnerabilities Operations Center, vulnerabilities in the financial and insurance sectors are remediated the fastest (within 54 days). But while the industry quickly addresses average threats, other vulnerabilities remain unresolved for up to 1,400 days or more. In healthcare, it takes an average of 244 days to remediate a vulnerability, while the oldest vulnerabilities can take up to 300 days. Yet high-risk vulnerabilities remain on the agenda, leaving the organization more vulnerable.
To manage vulnerabilities, it’s important that you continually inventory your assets and scan them for vulnerabilities, repeating this weekly. Visibility is key to identifying dark spots. Once you understand your vulnerabilities, you can prioritize remediation using a risk-based approach. Take a holistic approach and leverage all known factors to make an informed assessment of an asset’s risk and vulnerability, supported by threat intelligence. We can help you calculate this and convert it into a numerical value, known as a risk score.
Such a risk assessment needs to be dynamic because threats can change quickly. By applying it to all devices and vulnerabilities, we can rank the greatest risks and focus our efforts where they matter most. For example, perhaps it is not the CVSS 9.0 vulnerability that requires our immediate attention, because it affects a device on a network segment that an attacker cannot reach. Instead, a CVSS 6.7 vulnerability might be more urgent because it sits on a web server that can be easily exploited from the Internet.
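A small worked illustration of such a contextual ranking, added here and not part of the original article or of Orange Cyberdefense’s own scoring method. The weighting formula, the asset names and the list of findings are constructed assumptions; it shows how a CVSS 6.7 finding on an Internet-facing web server can outrank a CVSS 9.0 finding on an unreachable device.

```python
from dataclasses import dataclass

# Assumed weights: how reachable the asset is, and how much the business depends on it.
# Tune these to your own environment and threat intelligence.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
EXPLOITED_MULTIPLIER = 1.3  # bump for vulnerabilities reported as actively exploited


@dataclass
class Finding:
    asset: str
    vuln_id: str       # placeholder identifier, not a real CVE number
    cvss: float        # CVSS base score, 0.0 to 10.0
    exposure: str      # "internet", "internal" or "isolated"
    criticality: str   # business criticality of the asset
    exploited: bool    # present in threat intel as actively exploited


def risk_score(f: Finding) -> float:
    """Contextual risk score on a 0-100 scale (assumed formula).

    Starts from the CVSS base score and scales it by exposure, asset
    criticality and known exploitation, so the same CVSS value yields
    very different priorities depending on where the vulnerability sits.
    """
    score = f.cvss / 10.0
    score *= EXPOSURE_WEIGHT[f.exposure]
    score *= CRITICALITY_WEIGHT[f.criticality]
    if f.exploited:
        score = min(1.0, score * EXPLOITED_MULTIPLIER)
    return round(score * 100, 1)


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Return (asset, vuln_id, risk_score) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.vuln_id, risk_score(f)) for f in ranked]


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding("hmi-01", "VULN-A", 9.0, "isolated", "high", False),
    Finding("web-01", "VULN-B", 6.7, "internet", "high", True),
    Finding("fileserver-03", "VULN-C", 7.2, "internal", "medium", False),
]

if __name__ == "__main__":
    for asset, vuln_id, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {asset:14s} {vuln_id}")
```

Sorting by raw CVSS would put hmi-01 first; with context applied it drops to the bottom of the list.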
Vulnerability management is of strategic importance
Unaddressed vulnerabilities could have serious consequences if someone manages to breach our aforementioned city walls. That’s why it’s crucial that you raise awareness at all levels and ensure everyone is involved – from the system owner and users to the boardroom. Understand that a threat is always aimed at the entire organization and that a breach has consequences for the entire company. Decide to change and get a comprehensive view of the risks in your organization. Ultimately, understanding these risks will ensure that you can make the right strategic decisions to improve your security.
This is a contribution by Simen Van der Perre, strategic advisor at Orange Cyberdefense.