Home Features Risk-based Vulnerability Management – Time to Move Away From the Whack-a-Mole Model

Risk-based Vulnerability Management – Time to Move Away From the Whack-a-Mole Model

Traditionally, vulnerability management was like a whack-a-mole game. However, with the changing complexion of the modern threat landscape, it’s time to move away from it and take the path of a risk-based vulnerability management approach.

actively exploited vulnerabilities, Vulnerabilities, risk-based vulnerability management

Technologies like AI, ML, and IoT are experiencing explosive growth in the digital world. But do you know what is the source of inspiration for these disruptive technologies? Sci-fi books and movies. An  example of IoT’s influence can be found in the 1977 classic film “Demon Seed.” The movie plot revolves around the AI-based computer ‘Proteus IV,’ which was developed by the male protagonist, Dr. Alex Harris. The AI-based computer initially works exceedingly well, but soon things get out of hand as it falls for its creator’s wife, Susan. Proteus IV downloads itself on the home computer and virtually controls all devices, from lights and locks to bells and alarm systems. Sounds like today’s smart home, right?

The movie might have inspired people to design futuristic smart homes nearly five decades later, but the creators of the modern tech seem to have forgotten essential learnings from it – implementing a risk-based approach. Dr. Harris only concentrated on innovation without considering the possibility that things might get out of control. Only after he learned about Proteus’ intentions, Dr. Harris realized his mistake. By then, it was too late.

By Doug Drew – Client Solutions Advisor, Americas, Optiv


Modern cybersecurity is treading in a similar space. Patching after something has happened or simply going after threats that are designated as high severity by a CVE Numbering Authority (CNA) is a whack-a-mole game.

The Vulnerability Management Whack-a-Mole

This seismic shift in recent times towards digital transformation due to factors like e-commerce, cryptocurrency, and COVID-19 has only increased the attack surface and, subsequently, the number of vulnerabilities that businesses are exposed to. Threat actors are feasting on these gaps by exploiting them to the fullest.

Everyone knows that an unpatched vulnerability is one of the most common causes of data breaches and security compromise. In fact, industry research has highlighted that 60% of breaches are linked to vulnerabilities left unpatched even after a patch was available. Who should we hold accountable for this challenge?

We need to understand that new vulnerabilities are found every day. Legacy scanning tools return hundreds or thousands of vulnerabilities in every scan. These numbers are overwhelming and stretch the capacity of already-stressed security teams to the limit, forcing them to simply prioritize their vulnerability management based on traditional CVSS severity levels.

Also Read: Risk Based Vulnerability Management – Let’s Begin With the “Why?”

The Delusional CVSS

Though useful, CVSS is essentially risk-unaware. Its theoretical value is based on algorithmic calculations, but it doesn’t consider the degree of threat or how it could be exploited in the wild. Worse, CVSS doesn’t even differentiate between business-critical and legacy, or general vulnerabilities. It simply rates a vulnerability as ‘critical’ or ‘severe’ and then security teams rush to patch them, often without the context of risk or criticality to the business.

With the explosive growth of known vulnerabilities and the growth of attack surfaces (phones, tablets, cameras, and other IoT devices), applying an understanding of the real-world basis for the possibility of exploit and the corresponding attendant risk becomes ever more important. According to Tenable research, attackers have a seven-day head start on remediation teams. This means that true visibility and speed of discovery are crucial to staying ahead of hostile threat actors. To take your game to the next level of vulnerability management, you need to implement a risk-based vulnerability management (RBVM) approach.

Why a Risk-Based Vulnerability Management Approach?

For organizations looking to improve remediation and lower risk exposure, or for organizations who are moving to cloud and/or IoT, new techniques are needed. This could mean agents for data acquisition, or API state retrieval from a cloud provider, or IoT-specific data acquisition tools. Ideally, all the vulnerabilities should be centralized and managed through a single console. This allows true enterprise-wide rationalization of exposure, and risk-based vulnerability management accomplishes just this.

Also, the RBVM approach answers the 4Ws and the H of vulnerability management:

  1. What is my attack surface?
  2. Which are the most critical assets?
  3. Where are the gaps?
  4. When can a vulnerability be possibly threatening?
  5. How will the said vulnerability impact my business?

To begin with, fixing unknown issues is nearly impossible. Thus, RBVM helps you first gauge the operational landscape, including traditional assets, mobile, web apps, cloud, container, IoT, and OT, to give total visibility into the corresponding threat landscape. Doing so, RBVM identifies the critical assets in your system’s periphery that, if exploited, could steamroll the entire business. Unlike legacy vulnerability management tools, RBVM adds asset criticality and, more importantly, probability of exploitation in the wild. Further, based on the impact of these vulnerabilities, RBVM prioritizes patching so that security teams don’t waste time and labor on something that has a low probability of being exploited.

Focus on the Vulnerabilities, Not the Severities

Legacy vulnerability management tools are reactive, focusing on traditional infrastructures, CVSS scores, and system silos. However, risk-based vulnerability management is a dynamic, proactive, and continuously evolving approach. Using forward-looking technologies powered by AI and ML allows your business to optimize, view, detect and automate your traditional vulnerability management processes all under a single roof.

Integrating risk-based vulnerability management into your business reaps significant benefits, and it’s easier than it probably sounds.

Want to learn more? Click here and talk to an Optiv representative today.