Implementing a Risk-Based Vulnerability Management Strategy

Posted: January 21, 2021

Effective cybersecurity is a continuous process. There is no such thing as absolute or perfect security—but even if you could achieve it, it would be fleeting. New vulnerabilities are discovered, and new exploits and attack techniques are developed every day. Just because you were secure yesterday doesn’t mean you’re still secure now. It’s important to be vigilant and proactively identify and resolve vulnerabilities.

That is not a trivial task, though. A year-in-review report from Tenable Security revealed that there were more than 18,000 CVEs (Common Vulnerabilities and Exposures) discovered in 2020. That is an average of more than 50 vulnerabilities per day. Few—if any—organizations have the resources necessary to keep up with that pace of vulnerabilities. Fortunately, not every vulnerability will impact every organization, and the vulnerabilities that do affect you are not necessarily the same criticality. A risk-based approach to vulnerability management enables you to prioritize the vulnerabilities that are the most urgent or have the greatest potential impact to minimize your exposure to risk.

Tenable Security is a leader in managing exposure to cyber risk. They prescribe a risk-based approach to vulnerability management designed to give organizations the visibility, information, and context required to determine which vulnerabilities attackers are most likely to exploit in the near term and focus remediation and mitigation efforts there first.

Discovery and Classification

The first step to effective cybersecurity is having comprehensive visibility into the assets that are on your network. It is a simple truth that you can’t protect what you can’t see. If there are rogue IoT devices connected to your network, or a server you’re not aware of, it may contain vulnerabilities that expose your network and data to risk, but you can’t address the issue because you don’t know it exists.

You can use to conduct Asset Discovery and Asset Classification scans. Discovery detects and identifies all of the assets on your network, so you have a current, accurate inventory of what you need to protect. Asset Classification assigns an Asset Criticality Rating (ACR) to each asset to represent its relative criticality. The ACR scale goes from 1 to 10, with 1 being not critical and 10 being the most critical. The ACR provides crucial context that is necessary to prioritize vulnerability management activities.

Vulnerability Assessment, Analysis, and Prioritization

With Discovery and Classification taken care of, the next step is to conduct continuous vulnerability scans of the environment to assess the vulnerabilities that exist within your network. A list of vulnerabilities by itself, however, may be overwhelming and offers very little actionable insight. You need to understand the vulnerabilities within the context of your network and business and prioritize them accordingly. performs vulnerability analysis and prioritization as a unified process within the standard workflow. Vulnerabilities are assigned a dynamic metric called a Vulnerability Priority Rating (VPR), which represents the severity of a given vulnerability and the likelihood of it being exploited. VPRs fall into one of four categories: Critical, High, Medium, and Low.

Mitigating Risk

At this point, you have the information you need to take action. The goal is to focus your resources to address the vulnerabilities that pose the greatest risk. Using the information from, you should start with the vulnerabilities with a Critical VPR—and then focus first on the vulnerable assets that have the highest ACR. Following this strategy for mitigating risk allows you to quickly reduce your exposed attack surface and ensure your crucial networks, devices, and data are protected against the vulnerabilities most likely to pose an immediate risk. Once you address those, you can continue to work to remediate or mitigate vulnerabilities with less urgent VPRs and assets with lower ACR scores.
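The ordering described above (Critical VPR first, then the highest ACR within each band), as an added example that is not Set Solutions' or Tenable's code. It assumes a per-asset ACR on the 1 to 10 scale and a four-category VPR per finding as the page describes; the field names, the "first wave" threshold and the sample findings are constructed for illustration.

```python
"""Remediation ordering for a risk-based vulnerability queue (added example)."""
from dataclasses import dataclass

# Lower value sorts earlier: Critical findings are worked before High, and so on.
VPR_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    vpr: str   # one of the four VPR categories
    acr: int   # Asset Criticality Rating, 1 (least) to 10 (most critical)


def validate(f: Finding) -> None:
    """Reject findings whose VPR or ACR is outside the ranges the process defines."""
    if f.vpr not in VPR_ORDER:
        raise ValueError(f"{f.cve}: unknown VPR category {f.vpr!r}")
    if not 1 <= f.acr <= 10:
        raise ValueError(f"{f.asset}: ACR {f.acr} outside 1-10")


def remediation_order(findings: list[Finding]) -> list[Finding]:
    """Critical VPR first; within each VPR band, the highest-ACR asset first."""
    for f in findings:
        validate(f)
    # Asset name is the final tie-breaker so the order is deterministic.
    return sorted(findings, key=lambda f: (VPR_ORDER[f.vpr], -f.acr, f.asset))


def first_wave(findings: list[Finding], vpr: str = "Critical", min_acr: int = 8) -> list[Finding]:
    """The 'act now' slice: Critical VPR findings on assets at or above an ACR cut-off (assumed 8)."""
    return [f for f in remediation_order(findings) if f.vpr == vpr and f.acr >= min_acr]


# Constructed sample data; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("dev-laptop-07", "CVE-0000-0001", "Critical", 3),
    Finding("erp-db-01", "CVE-0000-0002", "High", 10),
    Finding("erp-db-01", "CVE-0000-0003", "Critical", 10),
    Finding("iot-camera-12", "CVE-0000-0004", "Low", 2),
    Finding("web-portal-02", "CVE-0000-0005", "Critical", 8),
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE):
        print(f"{f.vpr:8} ACR={f.acr:2} {f.asset:15} {f.cve}")
```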

A risk-based strategy for vulnerability management makes sense. Not all vulnerabilities pose the same risk, and it is not feasible in most cases to try and patch or mitigate all of them. Having complete visibility of the assets on your network, and the context to understand what assets or data are the most critical and which vulnerabilities pose the greatest risk enables you to implement and maintain effective cybersecurity with limited resources.

The next part of the Vulnerability Management blog series will detail the real-life lessons learned from a risk-based approach to vulnerability management. It will draw upon my personal experiences of using various vulnerability assessment tools—from designing a vulnerability assessment program to managing a maturing vulnerability management program. Tools such as Tenable and Rapid7 are a good start to building a risk-based vulnerability management program, but there are many other factors to making such tools successful in an organization.


This blog was written by Chandresh Patel, Sr. Solutions Architect at Set Solutions.