
Understanding the Rise of Risk-Based Vulnerability Management

Risk-based vulnerability management solutions foster the convergence of risk management and vulnerability management. Andrew Braunberg explains what’s driving the emergence of RBVM.

Andrew Braunberg, Principal Analyst, SecOps, Omdia

November 10, 2022

Risk diagram (Source: Kenishirotie via Alamy Stock Photo)

A change is underway in the vulnerability management market. Traditional vulnerability management solutions are giving way or morphing into a new segment, called risk-based vulnerability management, or RBVM.

Addressing the scale of the vulnerability problem has been a growing concern, as first-generation vulnerability management tools have increasingly overwhelmed users with endless lists of vulnerable assets.

This version of alert fatigue led vendors to examine how a risk-based approach might inform better vulnerability prioritization and response. Instead of trying to figure out how to patch everything faster, RBVM vendors tackle the scale problem by calculating what to patch and what to ignore.

RBVM addresses more than just the scaling problem, however. For example, while legacy internal scanners remain important tools, many of today’s digital assets operate beyond the view of these tools. Similarly, the Common Vulnerability Scoring System (CVSS) is still of value, but is now just one of many data points to consider when assessing and prioritizing risk. Modern RBVM solutions leverage what has worked traditionally, while introducing new capabilities, including advanced analytics, as needed, to advance the discipline.

The Heart of RBVM

The goal of better understanding and assessing risk is at the heart of RBVM solutions. Not surprisingly, these products are chiefly marketed as providing prioritized risk rankings for vulnerabilities, with the goal of identifying the risk posed by each and determining the next best action.

A related benefit of this risk-based approach is a recognition of which actions can be delayed or ignored altogether. For example, software vulnerabilities can be categorized based on the risk they pose to the organization; those deemed low risk can be put off and addressed as time allows, enabling security and IT operations teams to focus efforts on high-risk vulnerabilities. RBVM solutions, therefore, address both effectiveness and efficiency.
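The two preceding passages describe the core RBVM idea: CVSS is one input among several, and findings are ranked so that low-risk items can be deferred while high-risk ones get remediated first. The following Python is an added illustration written for this page, not Omdia's model or any vendor's scoring engine. The weighting scheme, the triage thresholds, the `Finding` fields and the sample records (including the placeholder CVE identifiers) are all constructed assumptions chosen to show how threat context, exposure and asset criticality can reorder a list that CVSS alone would sort differently.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Finding:
    """One vulnerable asset/CVE pair as a scanner might report it.
    Field set is an assumption for this example, not a vendor schema."""
    asset: str
    cve: str                 # placeholder identifiers below, not real CVEs
    cvss: float              # CVSS base score, 0.0..10.0
    exploited_in_wild: bool  # evidence of active exploitation (threat intel)
    internet_exposed: bool   # reachable from the internet vs. internal only
    asset_criticality: int   # business impact, 1 (low) .. 5 (crown jewel)

def risk_score(f: Finding) -> float:
    """Illustrative composite risk on a 0..100 scale.
    CVSS provides the base severity; the other factors scale it up or down.
    Weights are assumptions chosen for clarity, not a published formula."""
    severity = f.cvss / 10.0
    threat = 1.0 if f.exploited_in_wild else 0.4   # active exploitation dominates
    exposure = 1.0 if f.internet_exposed else 0.5  # internal-only halves the score
    impact = f.asset_criticality / 5.0             # what the asset means to the business
    return round(100.0 * severity * threat * exposure * impact, 1)

def triage(f: Finding) -> str:
    """Map a score to a next action. Thresholds are assumptions."""
    score = risk_score(f)
    if score >= 50.0:
        return "remediate_now"
    if score >= 15.0:
        return "schedule"
    return "defer"

def prioritize(findings):
    """Return findings ordered by descending risk, i.e. the work queue."""
    return sorted(findings, key=risk_score, reverse=True)

def action_counts(findings):
    """How much of the backlog falls into each bucket."""
    return dict(Counter(triage(f) for f in findings))

# Constructed sample backlog. Note that B and A share the same CVSS score
# but land at opposite ends of the queue once context is applied.
SAMPLE = [
    Finding("web-proxy-01", "PLACEHOLDER-0001", 9.8, True,  True,  5),
    Finding("lab-vm-17",    "PLACEHOLDER-0002", 9.8, False, False, 2),
    Finding("api-gw-02",    "PLACEHOLDER-0003", 6.5, True,  True,  4),
    Finding("intranet-03",  "PLACEHOLDER-0004", 7.5, False, True,  3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.asset:14} {f.cve:18} cvss={f.cvss:<4} "
              f"risk={risk_score(f):<5} -> {triage(f)}")
    print(action_counts(SAMPLE))
```

Running the block prints the queue with the internet-facing, actively exploited findings first and the isolated lab host last, even though its CVSS score matches the top entry. Sorting by CVSS alone would put the two 9.8 findings side by side; the contextual factors are what let the low-risk item be deferred.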

RBVM solutions are designed to leverage existing IT infrastructure. For example, IT service management (ITSM) deployments have become much more prevalent in the past decade and often support patch management features. For RBVM solutions, this means that integration with these existing legacy solutions is often more important than providing an end-to-end vulnerability management solution.

Hence, Omdia believes the most impactful RBVM solutions will not only foster convergence of risk management and vulnerability management but also easily complement and enhance both new and existing enterprise vulnerability management programs.

RBVM is part of a broader rethinking of cybersecurity that emphasizes a more proactive approach to the problems practitioners face. The goal with RBVM is to avoid breaches by eliminating high-risk vulnerabilities and continuously reducing an organization’s attack surface.

To be sure, legacy vulnerability management aims to be proactive as well, but RBVM attempts to be both more efficient and effective. RBVM is a topic that enterprises will hear much more about in the months to come.

Note: Omdia Security Operations Intelligence Service subscribers may read Andrew Braunberg’s full report here: Fundamentals of Risk-Based Vulnerability Management.

About the Author(s)

Andrew Braunberg

Principal Analyst, SecOps, Omdia

Andrew supports Omdia's Cybersecurity Operations (SecOps) Intelligence Service research practice, guiding vendor, service provider, and enterprise clients. He provides thought-leading analysis on technologies, trends, and innovations in enterprise security operations centers (SOCs), and specifically on the proactive technologies used to avoid breach, such as vulnerability management and attack surface management.

Andrew has been covering, researching, or speaking on topics related to enterprise information technology for approximately 20 years. Prior to joining Omdia (formerly Ovum) in 2022, Andrew spent five years at NSS Labs where he led the analyst group and worked closely with the company’s security product testing team.

Prior to NSS, Andrew spent more than a decade at GlobalData (formerly Current Analysis), where he managed the Enterprise team and was the firm’s principal security analyst. Over his career, Andrew’s coverage has ranged from endpoint protection suites to network security appliances and solutions for protecting cloud-based assets.
