We Scan and We Patch, but We Don’t Do Vulnerability Management

By Anton Chuvakin | May 14, 2018 | 0 Comments

vulnerability management, security

Lately, we’ve been flooded with calls about vulnerability management (VM). Many of the calls seem to be from organizations of medium to low security operations maturity that are just starting with vulnerability management [and that’s OK – a wise mentor once told me to always remember that “90% of people are not in the top 10 percentile!” :-)]

Many of them say something similar to “we scan and we patch, but we don’t do vulnerability management.” Essentially, they are coming to a realization that I often like to summarize as “VA is easy, but VM is hard.”

Of course, we have a lot of excellent research written on this topic:

The first paper has a lot of juicy and usable VM advice for all levels of security maturity, and this post is a reminder about these great resources. However, I also want to ponder one specific bit.

Imagine the following situation:

| You have… | …and you can… | …to get… |
|---|---|---|
| 1000 vulnerabilities | fix all 1000 | A WIN [but no organization is in this position, NONE, 0] |
| 1000 vulnerabilities | fix any 10 of them | Nothing, since your overall risk posture is probably unchanged |
| 1000 vulnerabilities | fix any 100 of them | Unknown and likely small risk reduction |
| 1000 vulnerabilities | fix some 900 of them | Significant risk reduction, but very likely at a significant cost |
| 1000 vulnerabilities | fix 100 of them that are called CRITICAL (via CVSS, vendor, etc.) | Some risk reduction, for sure. But often not as much as expected |
| 1000 vulnerabilities | fix 100 of them that are of absolute highest risk to this organization | I’d argue that there is a decent chance that this delivers the best risk reduction / cost! |

Note that in no situation is “JUST PATCH FASTER!” the right advice! IMHO, most organizations should “patch smarter” (which really means “prioritize what to patch better”), because frankly most cannot patch faster.

The tough question is of course: how *EXACTLY* do we rank the vulnerabilities for maximum risk reduction for your particular organization at this time? We have seen many methods come and go: some effective but onerous, some both ineffective and onerous, some effective but unrealistic, and some based on wishful thinking (read: AI) 🙂
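As an added illustration (not part of the original post), here is a toy simulation of the table’s rows: it constructs 1000 synthetic vulnerabilities and compares the share of total risk removed by each fixing strategy. The risk model (CVSS times asset criticality, exposure and exploit availability) is an assumption chosen only to make the point visible, not a recommended scoring method.

```python
# Added example, not from the original post: simulate the table's scenarios.
# Assumed risk model: per-vulnerability risk = CVSS x asset criticality x
# exposure x exploit availability. Only the first factor comes from the scanner;
# the other three are what the organization itself knows.
import random

def make_vulns(n=1000, seed=42):
    """Construct n sample vulnerabilities (synthetic data, not real findings)."""
    rng = random.Random(seed)
    vulns = []
    for i in range(n):
        vulns.append({
            "id": i,
            "cvss": round(rng.uniform(1.0, 10.0), 1),  # generic severity from the scanner
            "asset": rng.choice([1, 2, 5, 10]),        # business criticality of the host
            "exposure": rng.choice([1, 1, 1, 4]),      # 4 = reachable from the internet
            "exploit": rng.choice([1, 1, 3]),          # 3 = working public exploit exists
        })
    return vulns

def org_risk(v):
    """Organization-specific risk: CVSS alone is only one of four factors."""
    return v["cvss"] * v["asset"] * v["exposure"] * v["exploit"]

def risk_reduction(vulns, fixed):
    """Fraction of total organizational risk removed by fixing `fixed`."""
    total = sum(org_risk(v) for v in vulns)
    return sum(org_risk(v) for v in fixed) / total

def compare_strategies(vulns, k=100, seed=1):
    """Risk reduction for each row of the table, with a budget of k fixes."""
    rng = random.Random(seed)
    by_cvss = sorted(vulns, key=lambda v: v["cvss"], reverse=True)
    by_risk = sorted(vulns, key=org_risk, reverse=True)
    n = len(vulns)
    return {
        "fix all": risk_reduction(vulns, vulns),
        "fix any 10": risk_reduction(vulns, rng.sample(vulns, 10)),
        f"fix any {k}": risk_reduction(vulns, rng.sample(vulns, k)),
        f"fix some {n - k}": risk_reduction(vulns, rng.sample(vulns, n - k)),
        f"fix top {k} by CVSS": risk_reduction(vulns, by_cvss[:k]),
        f"fix top {k} by org risk": risk_reduction(vulns, by_risk[:k]),
    }

if __name__ == "__main__":
    for name, r in compare_strategies(make_vulns()).items():
        print(f"{name:26s} {r:6.1%} of total risk removed")
```

The “top by org risk” row wins by construction; the useful comparison is how far “top by CVSS” falls short of it once asset criticality, exposure and exploit availability are not uniform across the estate.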

Past posts on vulnerability management:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
