The Terrible, Horrible, No Good, Very Bad Truth About Vulnerability Management

March 3, 2020 | 9 min read | Vulnerability Management

You have a vulnerability management program which is perhaps the cornerstone of your cybersecurity strategy. Your vulnerability scanner runs once a month (or more/less depending on how cybersecurity-mature your organization is). Each time a scan is run, it spits out a mile-long list of vulnerabilities and then you start questioning yourself:

  • Are these noise, or are they real?
  • Did this scan cover all my assets including mobile devices, cloud services and IoT?
  • Am I at greater risk of compromise from something other than unpatched software or misconfiguration?
  • Am I being protected against zero-days?
  • What is the riskiest area of my attack surface?
  • How do I fix these vulnerabilities?
  • Which ones should I fix first?
  • What’s my real risk?

Sound familiar? You’re not alone. Across the board, irrespective of the vulnerability management tool being used, information security folks have the same pain.

While almost all popular frameworks like the NIST Cybersecurity Framework or CIS Controls advocate a layered, defense-in-depth approach with vulnerability management at its foundation, they neglect to disclose the terrible, horrible, no good, very bad truths about vulnerability management.

Truth # 1

“Vulnerability management only covers about 5% of your attack surface and misses a number of important risks that should be on your radar.”

According to MITRE’s CVE website, a vulnerability is an issue in software code that provides an attacker with direct access to a system or network. If it goes undetected, it could allow an attacker to pose as a super-user or system administrator with full access privileges.

Vulnerability management, by its very definition, only considers an application defect as a vulnerability, so traditional tools only look at Common Vulnerabilities and Exposures (CVEs) – known security vulnerabilities and exposures in publicly released software packages – that result from unpatched software.

However, if you consider the broader, dictionary definition of a vulnerability, it is anything that exposes you and puts you at risk. The enterprise attack surface is exploding with assets including thousands of devices, apps and users, susceptible to hundreds of attack vectors, ranging from simple things like weak passwords, to more complex things like phishing, unpatched software, encryption and configuration issues, etc. Known vulnerabilities are only a small subset of most enterprises’ overall breach risk. So, what are these other attack vectors that vulnerability management tools do not cover?

Password issues

According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related breaches involved compromised and weak credentials and 29% of all breaches, regardless of attack type, involved the use of stolen credentials. And this has been the case for years. This serious vulnerability is not related to software or applications at all, but rather human beings and our cyber hygiene, or lack thereof.

Misconfigurations

Misconfigured devices and apps present an easy entry point for an attacker to exploit, and numerous misconfigurations in application, cloud, and OS settings exist across the enterprise. According to Gartner, through 2025, 99% of cloud security failures will be the customer’s own fault, owing to misconfigurations and mismanaged credentials, not cloud provider vulnerabilities.

Weak or missing encryption

Missing or weak encryption leads to sensitive information, such as credentials, being transmitted either in plaintext or protected by weak cryptographic ciphers or protocols. An adversary who can intercept data in storage, in transit, or during processing can then read it directly, or recover it by brute-forcing the weak encryption.

Truth # 2

“Vulnerability management does not prioritize output by business criticality, leaving you drowning in a sea of vulnerabilities with no idea how to proceed.”

Conceptually, a typical vulnerability management program consists of 4 steps:

  • Identify software vulnerabilities
  • Sort them in some order of priority
  • Mitigate them by patching or accepting risk
  • Rinse and repeat in a continuous cycle

Understanding and acting on data output from your vulnerability tool is a critical component of your vulnerability management program. However, if your tool is spewing out vulnerabilities in the thousands every time a scan completes, your team is bound to be left overwhelmed and struggling with how to proceed.

Moreover, legacy vulnerability tools use primitive risk metrics to prioritize vulnerabilities. Their calculation is typically based on CVSS scores and a simple business impact model (high, medium, low), which leads to untold amounts of effort being spent on solving low impact issues.

For comprehensive risk-based prioritization of vulnerabilities, you need to factor in 5 elements: vulnerability severity, threat level, business criticality, exposure due to usage, and the risk-negating effect of compensating controls.
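As an added example (not code from the original post or from any vendor's product), here is a small Python model of that five-factor calculation placed beside the CVSS-only ranking a legacy tool produces. The 0-1 scales, the likelihood x impact combination, the asset names and the four findings are all constructed assumptions; the F-n ids are placeholders, not real CVE numbers.

```python
from dataclasses import dataclass

# Added illustration of five-factor, risk-based prioritization. Weights, scales
# and findings are constructed assumptions, not data from the post.


@dataclass(frozen=True)
class Finding:
    fid: str            # placeholder finding id (not a real CVE number)
    asset: str
    cvss: float         # vulnerability severity: CVSS base score, 0-10
    threat: float       # threat level, 0-1 (e.g. 0.9 = exploited in the wild)
    criticality: float  # business criticality of the asset, 0-1
    exposure: float     # exposure due to usage, 0-1 (internet-facing, many users)
    controls: float     # risk-negating effect of compensating controls, 0-1


def naive_priority(f: Finding) -> float:
    """What a legacy tool does: rank by CVSS alone."""
    return f.cvss


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, reported on a 0-100 scale.

    Likelihood combines threat level and exposure, discounted by compensating
    controls; impact combines normalized severity with business criticality.
    """
    likelihood = f.threat * f.exposure * (1.0 - f.controls)
    impact = (f.cvss / 10.0) * f.criticality
    return round(likelihood * impact * 100.0, 1)


def prioritize(findings, key):
    """Return finding ids ordered from most to least urgent under `key`."""
    return [f.fid for f in sorted(findings, key=key, reverse=True)]


# Constructed sample scan output (not real assets or vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("F-1", "lab-vm-17",      cvss=9.8, threat=0.2, criticality=0.2, exposure=0.1, controls=0.0),
    Finding("F-2", "payments-api-1", cvss=7.5, threat=0.9, criticality=1.0, exposure=0.9, controls=0.3),
    Finding("F-3", "hr-portal-2",    cvss=9.0, threat=0.5, criticality=0.6, exposure=0.5, controls=0.0),
    Finding("F-4", "payments-db-1",  cvss=5.3, threat=0.9, criticality=1.0, exposure=1.0, controls=0.0),
]


if __name__ == "__main__":
    print("CVSS-only order :", prioritize(SAMPLE_FINDINGS, naive_priority))
    print("Risk-based order:", prioritize(SAMPLE_FINDINGS, risk_score))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"  {f.fid} on {f.asset}: CVSS {f.cvss} -> risk {risk_score(f)}")
```

The point is not the particular weights but the reordering they cause: the CVSS-only list starts with F-1 (9.8 on an isolated lab VM with no known exploit), while the risk-based list starts with F-4 (5.3 on an internet-facing, business-critical database under active exploitation) and pushes F-1 to the bottom. A real program would replace the hand-set threat and exposure values with feeds from threat intelligence and asset inventory.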

Truth # 3

“Vulnerability management output is typically more than 30 days out of date.”

Your enterprise asset inventory is dynamic with devices being added and retired, physical machines migrating to virtual and various stakeholders constantly installing and updating software. Traditional vulnerability management scanners are typically configured to run periodically – quarterly, monthly, or weekly – which makes managing compliance and cyber-risk very difficult. Enterprises should strive for continuous monitoring of all assets to keep pace with their dynamic environments. Continuous monitoring not only helps organizations determine whether they are actually fixing the flaws they discover, but also helps security teams identify trends in the performance of the vulnerability management program.
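As an added example that is not part of the original post, the following Python folds a series of periodic scan snapshots into a ledger, so a team can see which findings were actually fixed, which have been open past a 30-day threshold, how stale the latest snapshot is, and how the program is trending scan over scan. The scan dates, hostnames and F-n finding ids are constructed placeholders, not real assets or CVE numbers.

```python
from datetime import date

# Added illustration of tracking findings across periodic scans. Dates, hosts
# and "F-n" ids are constructed placeholders, not data from the post.

# Each entry: (scan date, set of (asset, finding id) observed on that scan).
SCANS = [
    (date(2020, 1, 6), {("web-01", "F-1"), ("web-01", "F-2"), ("db-01", "F-3")}),
    (date(2020, 2, 3), {("web-01", "F-2"), ("db-01", "F-3"), ("db-01", "F-4")}),
    (date(2020, 3, 2), {("db-01", "F-3"), ("db-01", "F-4"), ("vpn-01", "F-5")}),
]

# Constructed "today" for the staleness check below.
AS_OF = date(2020, 4, 6)


def diff_scans(previous, current):
    """Set difference between two scans: what appeared, disappeared, persisted."""
    return {
        "new": current - previous,
        "fixed": previous - current,
        "persisting": previous & current,
    }


def build_ledger(scans):
    """Fold the scan history into {finding: (first_seen, last_seen, fixed_on)}.

    fixed_on is the date of the first scan that no longer reported the finding.
    With monthly scans the real fix happened somewhere in the preceding window,
    which is exactly the blind spot of periodic scanning. A finding that
    disappears and later reappears is reopened (fixed_on reset to None) while
    keeping its original first_seen.
    """
    ledger = {}
    for when, findings in sorted(scans, key=lambda s: s[0]):
        for f in findings:
            first_seen = ledger[f][0] if f in ledger else when
            ledger[f] = (first_seen, when, None)
        for f, (first_seen, last_seen, fixed_on) in list(ledger.items()):
            if fixed_on is None and f not in findings:
                ledger[f] = (first_seen, last_seen, when)
    return ledger


def open_beyond(ledger, as_of, max_age_days=30):
    """Findings still open for longer than the remediation threshold, oldest first."""
    aged = [(f, (as_of - first).days)
            for f, (first, _last, fixed_on) in ledger.items()
            if fixed_on is None and (as_of - first).days > max_age_days]
    return sorted(aged, key=lambda item: -item[1])


def mean_days_to_fix(ledger):
    """Average days between first sighting and the scan that confirmed the fix."""
    durations = [(fixed_on - first).days
                 for first, _last, fixed_on in ledger.values() if fixed_on is not None]
    return sum(durations) / len(durations) if durations else 0.0


def trend(scans):
    """Per-scan (date, open, new, fixed) counts, to chart program performance."""
    rows, previous = [], set()
    for when, current in sorted(scans, key=lambda s: s[0]):
        d = diff_scans(previous, current)
        rows.append((when, len(current), len(d["new"]), len(d["fixed"])))
        previous = current
    return rows


def days_out_of_date(scans, as_of):
    """How stale the most recent snapshot is on a given day."""
    return (as_of - max(when for when, _ in scans)).days


if __name__ == "__main__":
    ledger = build_ledger(SCANS)
    for when, open_count, new, fixed in trend(SCANS):
        print(f"{when}: open={open_count} new={new} fixed={fixed}")
    print("mean days to confirmed fix:", mean_days_to_fix(ledger))
    print("open > 30 days as of 2020-03-02:", open_beyond(ledger, SCANS[-1][0]))
    print("days since last scan as of", AS_OF, ":", days_out_of_date(SCANS, AS_OF))
```

Run against the constructed history, the trend rows show three findings open at every scan even though one is fixed and one appears each month, which is the treadmill the post describes; F-3 on db-01 has been open 56 days by the March scan, and by April 6 the last snapshot is already 35 days old. The same ledger is where continuous monitoring changes the picture: with daily or event-driven updates, first_seen and fixed_on become real dates rather than scan boundaries.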

Vulnerability management needs a refresh

Traditional vulnerability management is the approach many security teams rely on to keep their organizations safe. Yet it falls woefully short in a number of important areas. It misses many assets because of poor discovery. It’s periodic rather than continuous, which means that it’s almost always out of date. It produces a list of potential vulnerabilities that is miles long, leaving security teams scratching their heads on where to even begin. And perhaps the most serious of all, it only covers about 5% of the attack surface because out of 100+ attack vectors – all very real and scary – it only covers unpatched software vulnerabilities.

In order to truly enhance cybersecurity posture and improve resilience, organizations need a risk-based vulnerability management approach that not only identifies vulnerabilities across all assets and attack vectors, but also prioritizes based on business criticality and risk. Prescriptive insights into what to fix first can help security teams maximize breach risk reduction in the most efficient manner possible.