Cyber defense is moving to a risk management and operations paradigm (see previous posts on effective cyber risk management and policy based cyber risk management). One aspect of risk management as a cyber defense strategy is risk-based vulnerability management (RBVM). Risk-based vulnerability management is a proactive cyber defense strategy used to prioritize mitigation of cyber vulnerabilities according to the risk they pose to the organization. There are different types of relevant vulnerabilities that need to be taken into account:
- Publicly disclosed cybersecurity vulnerabilities (aka CVEs) and their exploits, which are usually remediated by software updates or patching.
- Misconfigurations that attackers can leverage to gain inappropriate access, steal data or subvert a process.
- Mismanaged credentials that can be obtained by bad actors and used for inappropriate authentication or authorization.
These vulnerabilities are the inputs for calculating the probability that an attacker can use them to harm the organization, and the impact of the harm that would result. Most vendor RBVM solutions focus on the first type of vulnerability, but true risk-based cyber defense needs to account for all types of known vulnerabilities and threats.
The ingredients needed by a risk management and operations paradigm include:
- Threat intelligence that models known vulnerabilities and how they are applied – the risk actors
- A description of business constraints and context of various assets – aka the organizational security policies.
- A model of the organizational assets and connectivity – the risk factors.
These ingredients are combined into a “policy bowtie” that can generate automated attack and defense scenarios (aka an automated purple team) that continuously monitors your security posture and provides insights into enhancing your defense.
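To make the prioritization concrete, here is an added toy example (not code from the post or any vendor product) that scores findings of all three vulnerability types using the three ingredients above: threat intelligence (is an exploit or abuse path known), asset context (business criticality from policy) and connectivity (internet exposure). The weights, asset names, finding identifiers and the risk = likelihood × impact formula are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    criticality: float      # business impact if compromised, 0..1 (from security policy)
    internet_exposed: bool  # from the asset/connectivity model

@dataclass
class Finding:
    asset: str
    kind: str               # "cve", "misconfig" or "credential": the three types in the post
    ident: str
    exploit_known: bool     # threat intelligence: a working exploit or abuse path is documented
    base_severity: float    # vendor/analyst severity normalised to 0..1

# Assumed per-type weighting from threat intelligence (constructed, not a standard).
TYPE_WEIGHT = {"cve": 1.0, "misconfig": 0.9, "credential": 1.0}

def likelihood(f: Finding, a: Asset) -> float:
    """Probability-like score that an attacker can actually use this finding."""
    score = f.base_severity * TYPE_WEIGHT[f.kind]
    score *= 1.0 if f.exploit_known else 0.5   # no known exploit halves the likelihood
    score *= 1.0 if a.internet_exposed else 0.6  # internal-only assets are harder to reach
    return min(score, 1.0)

def risk(f: Finding, a: Asset) -> float:
    """Risk = likelihood * impact, where impact is the asset's business criticality."""
    return round(likelihood(f, a) * a.criticality, 3)

def prioritise(findings, assets):
    """Return (identifier, risk) pairs, highest risk first: the remediation order."""
    by_name = {a.name: a for a in assets}
    ranked = sorted(((risk(f, by_name[f.asset]), f) for f in findings),
                    key=lambda r: r[0], reverse=True)
    return [(f.ident, score) for score, f in ranked]

# Constructed sample data; "CVE-XXXX-NNNN" is a placeholder, not a real identifier.
SAMPLE_ASSETS = [
    Asset("web-gw", criticality=0.7, internet_exposed=True),
    Asset("payroll-db", criticality=1.0, internet_exposed=False),
    Asset("dev-box", criticality=0.2, internet_exposed=True),
]
SAMPLE_FINDINGS = [
    Finding("dev-box", "cve", "CVE-XXXX-NNNN-devbox", True, 0.9),
    Finding("web-gw", "misconfig", "admin-ui-no-auth", True, 0.6),
    Finding("payroll-db", "credential", "leaked-svc-account", True, 0.8),
    Finding("payroll-db", "cve", "CVE-XXXX-NNNN-db", False, 0.95),
]

if __name__ == "__main__":
    for ident, score in prioritise(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"{score:.3f}  {ident}")
```

Note that the highest-severity CVE (on the low-value dev box) ends up last, while the leaked credential on the internal payroll database ranks first, which is exactly why a CVE-only view of RBVM is incomplete.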