The Future of Vulnerability Risk Management (VRM) – What Does it Look Like?

Vulnerability Risk Management: A Top Security Challenge And Priority

There are more devices connected to the internet than ever before, and the number of connections is growing daily at a phenomenal rate. The overall Internet of Things (IoT) market is projected to be worth more than one billion U.S. dollars annually from 2017 onwards. The more devices become internet connected, the greater the opportunities for hackers to exploit vulnerabilities in these connected electronic devices and machines for nefarious purposes. Many of these devices, such as printers and cameras, are not designed with built-in security to protect against attacks. Organizations and individuals need to rethink the safety and protection of their networks, now and into the future. With more devices connected to the internet than ever, vulnerability risk management is a top IT security challenge and priority.

Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions)

The above Statista chart shows the number of connected devices (Internet of Things; IoT) worldwide from 2015 to 2025. For 2020, the installed base of Internet of Things devices is forecast to grow to almost 31 billion worldwide.

Priority #1: Securing Business Assets

The ultimate goal of any cyber security program is to protect your assets: your people, property, and information. As the number of IoT devices grows, so too does the challenge of securing every device and protecting your network and other valuable assets. An asset can be tangible (e.g. property, employees, customers) or intangible (e.g. reputation and proprietary information, databases, software code, company records, etc.). In corporate networks, tangible assets can include databases, the servers that host these databases, and the networks that provide connections to the server. To fully understand the risks to your organization, it is important to understand the dangers being posed and to distinguish between vulnerabilities, exploits and threats.

Vulnerabilities, Exploits, Threats and Risk

Common terms used when discussing cyber risks are vulnerabilities, exploits, and threats. It is necessary to understand the difference between these terms, what they mean in terms of risk, and how they affect the prioritization of what to do to keep your systems safer. Knowing the difference empowers defenders to use their scarce time wisely, by prioritizing remediation actions and efficiently allocating resources to protect against those exploitable vulnerabilities that actually pose the most danger to the organization.

Vulnerabilities

A vulnerability is a weakness or flaw in the measures you take to secure an asset. Vulnerabilities can expose your assets to harm and exist in operating systems, applications or hardware. Vulnerabilities are what make threats possible. Examples of vulnerabilities include a software flaw or insecure programming, insecure configuration of IT infrastructure, insecure business operations, and risky behavior by internal staff or other people, whether malicious or unintentional. Weaknesses should be identified and proactive measures taken to correct them.

Exploits

An exploit is an attack that takes advantage of a vulnerability. To exploit is to try to turn a vulnerability (a weakness) into a way to breach a system, usually with the goal of gaining control over an asset. Most commonly, the term exploit describes a software program specifically developed to attack an asset by taking advantage of a vulnerability. Exploits are also developed to attack an operating system or application vulnerability to gain remote administrative or “run” privileges on a laptop or server; this is a common objective of malware.

Note that not all exploits involve software, or hackers. Scams that involve tricking or “socially engineering” an individual or employee into disclosing personal or sensitive information are a kind of exploit that does not require hacking skills. In these cases, attackers are taking advantage of (exploiting) people’s trusting nature or other emotions (the vulnerabilities).

A data breach is an example of the successful exploit of a database vulnerability, providing the means for an attacker to gain access to records from that database. Exploits are used for a number of different reasons, from gaining financial information to tracking a user’s location.

Threats

Threats are the possible dangers that you’re trying to protect against. A threat is something that may or may not happen: anything that might exploit a vulnerability to breach security and potentially cause serious harm or damage. Threats can lead to attacks on computer systems, networks and more. Threats need to be identified, but typically security professionals have no direct control over them: they often can’t be stopped and remain outside of your control.

Risk

Cyber risk is “the potential of loss or harm related to technical infrastructure or the use of technology within an organization.” The exposure to harm or loss could be financial loss, disruption or damage to the reputation of the organization resulting from breaches of, failure of, or attacks on information technology systems. Risk can be mitigated and managed to either lower vulnerability or the overall impact on the business.
For a security incident to occur a vulnerability must be present in some form and a threat must exploit that vulnerability.
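As an added illustration of the point above (an example written for this page, not Rapid7's or Forrester's scoring method), the following Python ranks constructed sample findings by combining the three factors just defined: the vulnerability's severity, whether a threat is actively exploiting it, and the value of the asset at risk. The weights, field names and sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # placeholder identifier, not a real CVE number
    severity: float        # base severity of the weakness, 0-10 (CVSS-like)
    asset_value: int       # business impact of the asset, 1 (low) to 5 (critical)
    exploit_public: bool   # a working exploit is publicly available
    active_campaign: bool  # threat intelligence reports exploitation in the wild


def threat_factor(f: Finding) -> float:
    """Turn threat intelligence into a multiplier (assumed weights):
    a weakness nobody is attacking is less urgent than one under attack."""
    if f.active_campaign:
        return 1.0
    if f.exploit_public:
        return 0.6
    return 0.2


def risk_score(f: Finding) -> float:
    """Risk requires both a vulnerability and a threat able to exploit it,
    scaled by the value of the asset at stake."""
    return round(f.severity * threat_factor(f) * f.asset_value, 1)


def prioritize(findings):
    """Return the findings ordered from highest to lowest risk."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings; not output of any real scanner.
SAMPLE = [
    Finding("db-server", "vuln-0001", 9.8, 5, False, False),
    Finding("print-server", "vuln-0002", 7.5, 2, True, True),
    Finding("marketing-site", "vuln-0003", 6.1, 3, True, False),
    Finding("dev-laptop", "vuln-0004", 4.3, 1, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.asset:15} {f.vuln_id}")
```

Note that the highest-severity finding (the database server) is not patched first: with no known threat against it, the print server under an active campaign outranks it.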

VRM: A Fast Growing Market

Security teams have their plates full keeping up with scanning and patching vulnerabilities, and identifying threats. With vulnerability risk management a top challenge and priority for IT security and risk personnel, it’s no surprise that many security and risk professionals are turning to VRM vendors to help manage their vulnerabilities and reduce cyber risk.

58% of enterprise organizations suffered a breach at least once in the past year, according to Forrester Research. Over 41% of those external breaches exploited some manner of software vulnerability. In cases involving an external breach, 42% were carried out via a web application and 41% via a software vulnerability.

The VRM market is a fast growing one. Security and risk professionals are increasingly relying on VRM providers when it comes to addressing the top challenges in managing vulnerabilities and making strategic risk decisions.

Forrester Research independently reviewed and evaluated the strengths and weaknesses of the top VRM vendors currently in the market. Based on a 22-criteria evaluation of vulnerability risk management (VRM) providers, Forrester assessed how each provider measured up against the criteria.

Rapid7 – A Visionary VRM Leading the Way for Tomorrow

Forrester positioned Rapid7’s InsightVM as a leader amongst VRM vendors in its Q1 2018 Wave for Vulnerability Risk Management (VRM). As can be seen in the chart below, Rapid7 appears in the top right-hand corner, in the darker blue section, indicating it has the stronger current offering with the strongest strategy.

“Rapid7 has already implemented what VRM will look like in the future” ~ Forrester Wave

According to the Forrester Wave report, Rapid7 has already implemented what VRM will look like in the future. Rapid7’s InsightVM solution has a dashboard that not only breaks out risk exposure quantitatively but also includes a prioritized list of active campaigns to which customers are exposed. This allows strategic patching in response to actual threat intelligence.  Rapid7 leverages the same agent for endpoint detection and response (EDR) as well as VRM to ease deployment, management, and, most importantly, to marry all your endpoint data at the point of collection.

As illustrated in the above chart, Rapid7 was given the highest score in the Current Offering and Strategy categories, and the highest score possible in the Market Presence category, in The Forrester Wave™: Vulnerability Risk Management, Q1 2018 (Tools And Technology: The Security Architecture And Operations Playbook).

Forrester states in its report that VRM vendors that can provide risk-aware intelligence, superior remediation capabilities, and clear, meaningful reporting position themselves to deliver clarity, oversight, and control to their customers, and will be the market leaders.

See the Forrester Wave™: Vulnerability Risk Management, Q1 2018 report to learn how Rapid7’s InsightVM performed in the evaluation against other industry counterparts.

About the Forrester Wave

The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

About Rapid7

Rapid7 InsightVM is a powerful solution for helping businesses meet their vulnerability management goals. Combining traditional network scanning with the Rapid7 Insight platform, customers build a modern vulnerability management program that keeps up with constantly shifting modern networks of cloud, virtual, and containerized risk.

Rapid7 transforms data into action, empowering IT and security professionals to progress and protect their organizations. They make it easy to collect data, transform it into prioritized and actionable insight, and get it to the people who can act on it, all in an instant. Their solutions are powered by advanced analytics and an unmatched understanding of the attacker mindset.

Find Out How Rapid7's InsightVM Solution Can Fit Into Your Cyber Security Program

Advanced security operations teams use threat intelligence to gain insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate threats. Gain a holistic view of your organization’s potential exposure to internal security flaws in the context of external threats.
