How to Turn 10,000 Vulnerabilities into a Manageable Cyber Risk Problem

October 7, 2021  Chad Weinman

Recently, we have helped clients in a situation familiar to big organizations: Vulnerability scans or pen testing turn up 10,000 cybersecurity vulnerabilities and they’re overwhelmed by the challenge of vulnerability management. 

Even if they try to prioritize vulnerability assessment with a traditional scoring method like CVSS, they are still left with thousands of vulnerabilities to remediate.

Chad Weinman - VP Professional Services - RiskLensChad Weinman is Vice President of Professional Services for RiskLens.  Learn about RiskLens Services

RiskLens consultants have developed a way to radically reduce this problem to a manageable level by a combination of critical thinking, Factor Analysis of Information Risk (FAIR™) and the RiskLens platform for quantitative analysis of cyber risk. We accomplish this by shifting focus from a vulnerability-focused approach to an asset-based approach.

This begins by defining “asset profiles,” which are a group of systems that support a critical process; for instance, the four or five systems that are all key to manufacturing. The underlying idea is that if you can understand the business impact at the asset level, you can prioritize vulnerability remediation that way. 

Learn the FAIR approach to cyber and technology quantitative risk analysis with instruction by the RiskLens Academy

Our large customers have tens of thousands of individual assets, but they already understand which asset profiles are the most critical. Typical examples of asset profiles include manufacturing systems, CRM, billing and so on.

Then we ask, for an asset profile, what are we most worried about for impact to the business? For manufacturing systems that could be an outage vs. a data breach. So, now we have a list of the most material loss events for each profile. 

Next, we run those risk scenarios for our 8-10 asset profiles through the RiskLens platform to see the level of risk (or probable frequency and financial impact) of each scenario. Leveraging data helpers, our plug-and-play collections of risk data, analyses can be completed quickly.

The final step is to then cross-reference and see what vulnerabilities are living on any of these systems that can be exploited to affect availability of our manufacturing profile or steal data from our CRM profile, etc.  

We can just quickly do a mapping to show we have 20 vulnerabilities that we believe could lead to a data breach on this asset profile vs. another 2,000 vulnerabilities that are on other systems but because they are in different asset profiles, a breach doesn’t really matter.

The result: A ranking of asset profiles by risk that guides us to prioritize the related vulnerabilities. It’s a great first step and a scalable way to prioritize. And it’s showing a business prioritization of vulnerabilities that can be easily communicated to the rest of the organization in non-technical terms.