On this episode of our continuing X-Force Red in Action podcast series, we’re joined by Krissy Safi, IBM X-Force Red global lead, routes to market, to tackle the growing challenge of vulnerability management for enterprises. With data volumes skyrocketing and scanning solutions reporting thousands or even millions of potential vulnerabilities, how can organizations identify high-priority threats and reduce total risk?
Why Current Evaluation Methods Aren’t Up to Par
As Safi notes, vulnerability management is a three-step process:
- Identify vulnerabilities.
- Prioritize them for remediation.
- Fix them to remove the threat.
Right now, many companies use standard evaluation methods, such as the Common Vulnerability Scoring System (CVSS), which provides a numerical threat score based on a variety of factors, including the type of attack, the level of access required and the overall complexity. But while this approach offers a generalized outlook, it doesn’t account for asset criticality or for how attackers weaponize vulnerabilities in the wild.
Moreover, most companies have no problem identifying network vulnerabilities, but, according to Safi, the rise of connected technologies combined with the sheer volume of data organizations process every day makes it impossible to eliminate every threat. As a result, companies are looking for better ways to prioritize vulnerabilities and mitigate those that can’t be fixed.
Assess Your Vulnerabilities With a Risk-Based Approach
For Safi, the solution is a risk-based approach to vulnerability assessment that incorporates threat activity and asset criticality during the vulnerability identification process to determine total impact. Recent Gartner research puts it simply: “A vulnerability is only as bad as the threat exploiting it and the impact on the organization.”
Opting for a risk-based strategy enables companies to differentiate threats based on their specific impact to the organization, deploy remediation strategies where needed and implement mitigating controls such as web application firewalls (WAFs) to limit the impact of less critical threats.
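As an added illustration of the risk-based prioritization described above (this is not X-Force Red's VMS algorithm; the weights, the 1-to-5 asset criticality scale and the sample findings are constructed assumptions), the following Python ranks the same set of findings by CVSS base score alone and by a score that folds in threat activity, asset criticality and an existing compensating control such as a WAF:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss_base: float          # CVSS base score, 0.0-10.0
    asset_criticality: int    # assumed scale: 1 (lab host) .. 5 (revenue-critical system)
    exploited_in_wild: bool   # threat activity: public exploit or active campaign observed
    mitigated_by_waf: bool    # a compensating control (e.g. WAF rule) already limits impact

THREAT_WEIGHT = 2.0   # constructed weight: weaponized findings count double
WAF_DISCOUNT = 0.5    # constructed: an in-place compensating control halves the score

def risk_score(f: Finding) -> float:
    """Combine CVSS with business context instead of using CVSS alone."""
    score = f.cvss_base * (f.asset_criticality / 5.0)   # scale by how much the asset matters
    if f.exploited_in_wild:
        score *= THREAT_WEIGHT                            # attackers are already using it
    if f.mitigated_by_waf:
        score *= WAF_DISCOUNT                             # residual risk after mitigation
    return round(score, 2)

def prioritize(findings, key="risk"):
    """Return finding ids, highest priority first, by 'cvss' or 'risk'."""
    rank = (lambda f: f.cvss_base) if key == "cvss" else risk_score
    return [f.finding_id for f in sorted(findings, key=rank, reverse=True)]

def remediation_bucket(f: Finding) -> str:
    """Constructed thresholds: fix now, schedule a fix, or mitigate/accept."""
    s = risk_score(f)
    if s >= 10.0:
        return "fix now"
    if s >= 5.0:
        return "schedule"
    return "mitigate or accept"

# Constructed sample findings (not real CVEs or customer data).
SAMPLE = [
    Finding("V-1", 9.8, 1, False, False),   # critical CVSS, but on a throwaway lab box
    Finding("V-2", 7.5, 5, True, False),    # moderate CVSS, exploited, crown-jewel asset
    Finding("V-3", 8.8, 4, False, True),    # high CVSS, already shielded by a WAF rule
    Finding("V-4", 6.5, 5, True, False),    # medium CVSS, exploited, crown-jewel asset
    Finding("V-5", 9.1, 3, False, False),   # critical CVSS, mid-tier asset, no exploit seen
]

if __name__ == "__main__":
    print("CVSS-only order:", prioritize(SAMPLE, "cvss"))
    print("Risk-based order:", prioritize(SAMPLE, "risk"))
    for f in SAMPLE:
        print(f.finding_id, risk_score(f), remediation_bucket(f))
```

With CVSS alone the lab-host finding V-1 tops the list; with context, the two actively exploited findings on the critical asset move to the front and V-1 drops to last.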
Prioritize Threats With the Help of X-Force Red
The X-Force Red Vulnerability Management System (VMS) includes a new algorithm that combines generalized threat data with corporate asset criticality to create actionable priority lists for organizations. Instead of devoting hundreds of IT man-hours and countless resources to continuously monitoring vulnerability lists and adjusting priorities, the VMS streamlines risk assessment, reduces false positives and eliminates the potential for human error. In addition, new remediation management services interface with existing ticketing systems and corporate spreadsheets to provide expert red team support.
Enterprises can no longer remediate every vulnerability. Risk-based, automated management solutions are required to prioritize threats and reduce the impact of attacks.
Never miss a new episode of X-Force Red in Action! Subscribe to the SecurityIntelligence Podcast on iTunes or your favorite podcast platform.