5 Signs it's Time to Fire Your Vulnerability Management Solution

Rich campagna
June 2, 2020 | 6 min read | Vulnerability Management

It may sound strange, but when we purchase a product or service, we do so because we expect it to do a job. We “hire” it. As long as it fulfills the need, it continues in our employ. If, at some point, the product no longer fulfills that need, or if that job no longer needs to be done, we “fire” it.

For example, in my 20’s, my main mode of transportation was a motorcycle. The job I hired it for was to get me from point A to point B quickly despite LA traffic, and I had to look cool too. In my 30’s, when I started a family and I no longer needed to be cool, I still needed to get from point A to point B, but cargo and passenger space became a priority, so I begrudgingly “fired” the sport bike and “hired” a more practical SUV. Perhaps at some point my transportation needs will evolve to include the ability to work while driving, and I’ll hire an autonomous vehicle. Or maybe I’ll want to be cool again and get another motorcycle…

Regardless, this same concept applies to products we hire at work, products like Vulnerability Management (VM) solutions. These products were initially launched in the 1990’s. Their job was to improve enterprise security posture. They initially did this job by identifying unpatched software, eventually adding misconfiguration and compliance to their charter as customer needs changed. That said, today’s enterprise attack surface is far more complex and dynamic than it was in the 1990s, and there are several signs that your vulnerability management solution isn’t fulfilling the needs of the job you need it to do.

5 Signs It’s Time to Fire Your Vulnerability Management Solution

  1. It analyzes only a small portion of your attack surface. Unpatched software and misconfiguration is important, but there are hundreds of attack vectors that an adversary can use to infiltrate your network. Specifically, there are 9 major types of vulnerabilities that your vulnerability management solution needs to analyze if it’s going to do its job and help you improve your security posture.
  2. A small portion of its output pertains to real threats. There are thousands of CVEs reported each year with a “high” or “critical” CVSS Score. Only a minority of those will ever be exploited, yet the primary prioritization mechanism for most vulnerability management solutions is severity. A strong security posture requires protection against real threats, not the theoretical.
  3. It doesn’t prioritize by business criticality. A database containing sensitive customer data or trade secrets is far more critical than the guest check-in kiosk at your corporate headquarters. You need your VM solution to reflect this reality, because it might be more important for you to patch a medium severity CVE on the database than a critical severity on the kiosk.
  4. It does not consider investments in compensating controls. Sometimes, a vulnerability becomes less important because you’ve invested in compensating controls that render that vulnerability difficult or impossible to exploit. The job of keeping your security posture strong requires a solution that reflects the impact of those compensating controls.
  5. It relies on periodic vulnerability assessments. The enterprise attack surface is incredibly dynamic. New assets, and new threats, arise on a daily basis. If your VM solution relies on periodic scans, the results are likely out of date by the time you get them. To improve your security posture, you need real-time results so that your visibility is as dynamic as your attack surface.

Ultimately, you want your business become more cyber resilient and recover from cyber attacks quickly and with minimum disruption. A vulnerability management solution can help you do that, but only if it’s fulfilling the needs of today’s job. If any (or all) of the above apply to your current solution, it might be time to fire it and move on.