Is traditional vulnerability management dead?

Feb 23, 2021 | AI in Automated Pen Test

Like death and taxes, security breaches are inevitable. With the world moving to the cloud and people working from home, security vulnerabilities prevail and persist in the headlines, just like those pesky and pervasive “weight loss” ads.

Managing risk and vulnerabilities in a highly dynamic environment is not easy; many of the practices, policies, and tools used by security teams – especially vulnerability management – are products of a previous era that have not adapted to “cloud native” environments or to today’s complex business dynamics.

Limitations of Traditional Vulnerability Management

Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving vulnerabilities in software and applications.

Vulnerability assessments need to be conducted periodically to assess existing security posture and whether vulnerability management plans need to change.

Vulnerability scanning is perhaps the best-known vulnerability management tool. Automated scanners are popular because they are efficient, repeatable and easy to use.

However, there are some major flaws in regular vulnerability scanning:

  • They usually miss active threats that are not in their signature database, or more complex threats beyond their capabilities.
  • They produce false positives, which make defenders’ radars less sensitive to critical threats.
  • They don’t provide a true understanding of the risk. A highly ranked vulnerability is not necessarily a high business risk to an organization if that vulnerability cannot be exploited in that particular environment, and vice versa.

According to research from the analyst firm Gartner, about 8,000 vulnerabilities a year were disclosed over the past decade. The number has risen only slightly from year to year, and only about one in eight was exploited. Because exploited or exploitable vulnerabilities present immediate business risk to organizations, they should be prioritized and addressed right away.

A traditional scanner can’t tell organizations which vulnerabilities are exploitable in their particular network environments, which forces security teams to spread their effort evenly across all vulnerabilities. That approach keeps them busy and ineffective.

Understanding the scope of threats and assessing their severity and impact on business operations under specific scenarios is a daunting task that traditional scanning tools cannot address, because they lack the necessary depth and context.
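The ranking problem described above can be made concrete with a small Python example. This is an added illustration, not code from the original post and not RidgeBot’s own scoring method: the weights, the field names, the host names and the placeholder CVE identifiers are all assumptions constructed for the example. It ranks the same set of findings twice, once by raw scanner severity (CVSS) and once by a context-aware risk score that also accounts for whether an exploit is known, whether the vulnerable service is actually reachable in this environment, and how critical the affected asset is, and shows how the two orderings diverge.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with environment context (all fields constructed)."""
    fid: str            # short label used only to identify rows in this example
    host: str
    cve: str            # placeholder identifier, not a real CVE
    cvss: float         # base severity 0-10, as a scanner would report it
    exploit_known: bool # a working exploit exists for this vulnerability
    reachable: bool     # the vulnerable service is reachable from the assumed attacker position
    asset_value: int    # business criticality of the host: 1 (low) .. 5 (crown jewel)


# Weights are assumptions chosen for illustration; a real program would calibrate them.
EXPLOIT_WEIGHT = {True: 1.0, False: 0.3}     # no known exploit -> much lower near-term risk
EXPOSURE_WEIGHT = {True: 1.0, False: 0.1}    # unreachable service -> residual risk only


def risk_score(f: Finding) -> float:
    """Severity weighted by exploitability, exposure and asset criticality."""
    score = f.cvss * EXPLOIT_WEIGHT[f.exploit_known] * EXPOSURE_WEIGHT[f.reachable] * f.asset_value
    return round(score, 2)


def prioritize_by_cvss(findings: List[Finding]) -> List[Finding]:
    """What a plain scanner report gives you: highest CVSS first."""
    return sorted(findings, key=lambda f: (-f.cvss, f.fid))


def prioritize_by_risk(findings: List[Finding]) -> List[Finding]:
    """Risk-based ordering: highest contextual risk first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.fid))


# Constructed sample findings. F1 is a critical CVSS finding that is not reachable here;
# F2 and F4 are lower-severity but exploitable and exposed on an important web server.
SAMPLE_FINDINGS = [
    Finding("F1", "db01",    "CVE-XXXX-0001", 9.8, exploit_known=True,  reachable=False, asset_value=5),
    Finding("F2", "web01",   "CVE-XXXX-0002", 7.5, exploit_known=True,  reachable=True,  asset_value=4),
    Finding("F3", "kiosk07", "CVE-XXXX-0003", 9.1, exploit_known=False, reachable=True,  asset_value=1),
    Finding("F4", "web01",   "CVE-XXXX-0004", 5.3, exploit_known=True,  reachable=True,  asset_value=4),
    Finding("F5", "build01", "CVE-XXXX-0005", 8.8, exploit_known=False, reachable=False, asset_value=3),
]


def explain(findings: List[Finding]) -> List[str]:
    """Human-readable rows for a report; returned rather than printed so it can be tested."""
    return [f"{f.fid} {f.host:<8} {f.cve} cvss={f.cvss:<4} risk={risk_score(f):<5}" for f in findings]


if __name__ == "__main__":
    print("By CVSS (traditional scanner order):")
    print("\n".join(explain(prioritize_by_cvss(SAMPLE_FINDINGS))))
    print("\nBy contextual risk (risk-based order):")
    print("\n".join(explain(prioritize_by_risk(SAMPLE_FINDINGS))))
```

With these inputs the CVSS ordering starts with the unreachable database finding, while the risk ordering puts the two exploitable, exposed web-server findings first and pushes the unreachable ones to the bottom. The `reachable` and `exploit_known` fields are exactly the context a plain scanner lacks and that an exploitation-based assessment supplies.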

Risk-Based Vulnerability Management

While traditional vulnerability management struggles with some of the core challenges of today’s environments, organizations can make a few simple changes to address them. The most fundamental and impactful change is to deploy more powerful and advanced tools that not only discover vulnerabilities but also associate them with business risks.

This is what risk-based vulnerability management does, and RidgeBot is a perfect example.

RidgeBot is an automated penetration testing system. Unlike scanning, penetration testing goes far beyond identifying superficial threats. Penetration testing identifies vulnerabilities and exploits them to provide a more complete picture of the state of the security environment, detailing the damage an attacker could cause in the event of a breach. And like scanning, RidgeBot makes this penetration testing process efficient, repeatable and easy to use.

RidgeBot works by launching a series of uninterrupted simulated attacks against the environment being secured. These simulations replicate possible attack paths and techniques used by APT groups and other adversaries. Unlike manual penetration testing, RidgeBot works in an automated and continuous manner.

RidgeBot classifies the vulnerabilities it successfully exploits as business risks. It provides detailed risk information such as attack paths, kill chain information, attack techniques, associated vulnerabilities and affected assets, from which organizations can make an accurate estimate of the potential dollar and resource impact and form a concrete and effective defense strategy.

Risk-based vulnerability management has been growing fast, and many organizations view it as a must-do upgrade from traditional vulnerability management. To reduce both the number of major security incidents and the losses attributed to them, organizations must create a vulnerability management process that truly reflects the real security challenges businesses face today. Choosing the appropriate tool is only one of the many important steps towards this goal.