What is risk-based vulnerability prioritisation?

Not all vulnerabilities pose an equal threat to a company.

---

Risk-based vulnerability prioritisation automates vulnerability analysis based on severity, exploitability, asset importance and network exposure.

This method goes beyond traditional vulnerability management approaches, which typically involve scanning for weaknesses and patching them in order of discovery or based on severity. Risk-based prioritisation considers the business-specific context of each vulnerability, including its potential impact on critical assets, likelihood of exploitation and network exposure and accessibility of the vulnerability.

Risk-based vulnerability prioritisation recognises that not all vulnerabilities pose an equal threat to an organisation. It focuses efforts on vulnerabilities that, if exploited, could cause the most damage or are most likely to be exploited by adversaries. This approach requires a comprehensive understanding of an organisation’s assets and network, the value of those assets, the vulnerabilities affecting them and the potential impact of those vulnerabilities being exploited.

For nearly 20 years, severity has been determined by the Common Vulnerability Scoring System (CVSS), offering a standardised way to capture the principal characteristics of a vulnerability and assign a severity score. This score considers factors like the potential impact on a system's confidentiality, integrity and availability, along with the likely attack vector and how complex it would be to exploit the vulnerability. Once calculated, the final CVSS score is set for the vulnerability as a numeric value.

The prioritisation process can be refined further by factoring in exploitability, measuring the extent to which a vulnerability is currently exploited in the wild. Effective vulnerability management employs threat intelligence to analyse exploitability, detecting existing exploits like malware and proof of concept (POC) code for each vulnerability.

This process can be augmented by assessing the likelihood of a vulnerability being exploited over a given future timeframe. Organisations such as First.org provide an Exploit Prediction Scoring System (EPSS) to achieve this. A modern vulnerability management solution will use EPSS machine learning models and data analysis to predict the probability of observing any exploitation attempts against a given vulnerability in the next 30-day period. The result of the exploitability check is a numeric value to feed into the risk-based vulnerability assessment, indicating whether an exploit is likely to be available for a vulnerability and whether that exploit will soon be used in the wild, thus increasing the vulnerability’s risk priority.

To assess vulnerabilities, organisations must evaluate customer-specific risks, such as the business impact of asset loss and the extent to which an asset could be exposed to attack across the network.

The business impact of the loss of an asset due to a vulnerability is a critical element in risk-based vulnerability prioritisation. Assigning values based on asset importance, possibly through automation (eg, two for a test database, five for a production database), is a great way to factor the business impact of the loss of the asset into the risk-based prioritisation calculation.

Another critical aspect of customer-specific risk assessment is network exposure, determining how easily an attacker could access a vulnerability-hosting asset across the network. To truly understand customer-specific exposure, organisations need a detailed understanding of their attack surface, including the assets, underlying network infrastructure, access routes and all the relevant security data from scanners and threat intelligence feeds.

Armed with this knowledge, a risk-based prioritisation calculation can assess the exposure of an asset hosting a vulnerability based on possible threat origins, including external, internal, partner and cloud, and take into consideration factors such as whether the asset is inaccessible or protected, for example, by a firewall rule, indirectly accessible via an intermediary asset, or directly accessible.

Business impact and network exposure are crucial for quickly identifying vulnerabilities on assets that represent the highest risk to the organisation, while deprioritising inaccessible ones due to underlying security controls despite their potential high severity.

A modern vulnerability management solution automatically prioritises vulnerabilities using industry-wide and customer-specific factors, offering a risk score that integrates both. Using a dynamic security model to inform the assessment, the solution can continuously analyse severity, exploitability, business impact and exposure, delivering tailored risk scores to address the organisation's unique circumstances.

This solution provides crucial insights to the network and security team, ensuring they understand the risks posed by the latest vulnerabilities, can assess them in the context of their network and critical business assets, and use multi-factor risk scoring to prioritise and inform the remediation program.

Learn how Skybox can help you better manage vulnerabilities: Speak with an expert.

Get the VTM Buyer's Guide to help you choose modern vulnerability management technologies.