Maximizing the ROI of your Vulnerability Management Program with Attack Surface Management
CodeGuardian.ai
Vulnerability Management at a Crossroads: As the number of digital assets and vulnerabilities grows, businesses are struggling to keep up with the constantly changing threat landscape. The gap between what organizations need to achieve in cybersecurity and what they can actually accomplish is widening, causing many teams to rethink their methods.
Here’s what needs to be improved:
Despite increasing budgets for vulnerability management, many companies still struggle to manage the rising risks. Simply spending more money won't solve these issues; vulnerability management teams need to make their methods more effective.
This blog outlines three steps vulnerability managers can take today to reduce visibility gaps, improve prioritization, and increase the ROI of their programs using Attack Surface Management (ASM) solutions.
Step 1: Use Black-Box Reconnaissance to Conduct a Gap Analysis
In today's cloud-based, distributed, and SaaS environments, maintaining an accurate inventory of external assets and ensuring they are patched quickly is a daunting task. The world is moving too fast, and unknown risks always exist. However, understanding the size of the visibility gap is essential. Shadow IT poses a significant risk: unknown, unmanaged assets are more likely to contain vulnerabilities or misconfigurations, which makes them easier targets for attackers.
To address this, companies must perform a gap analysis by comparing the list of known assets with the list found by ASM solutions and assessing the severity of the gap. The goal is not to find all assets but to understand the relative number of unknown assets and the severity of the problems they contain. Over time, this can become a key performance indicator (KPI) that vulnerability management teams monitor and strive to mitigate.
How to Conduct a Gap Analysis:
1. Gather a list of your known external-facing assets.
2. Use ASM to conduct a black-box assessment of your attack surface.
3. Compare IPs, subdomains, and services – flag any not previously known to IT.
4. Scan unknown assets to confirm vulnerabilities.
5. Prioritize remediation based on risk.
Step 2: Prioritize Likelihood, Not Severity
Vulnerability management teams face the challenge of prioritizing an increasing number of vulnerable systems. In 2023 alone, over 22,000 new vulnerabilities were discovered, with one-third rated High or Critical on the CVSS scale. With the number of attacks increasing by more than 20% per year, it's no wonder that vulnerability management teams feel overwhelmed.
Traditionally, prioritization has been based on the severity of the vulnerability and the business criticality of the asset. However, this often leads to prioritizing highly vulnerable assets that may not be targeted by attackers. With only 5.5% of vulnerabilities being exploited in the wild, prioritizing based on the likelihood of attack can significantly improve the ROI of vulnerability management efforts.
By using an attacker's perspective to enrich existing information about vulnerable systems, teams can assess not only the severity of a vulnerability but also the likelihood that the affected asset will be targeted. This approach helps tell apart high-severity vulnerabilities that have a low exposure score from those that represent an adversary's easiest targets.
How to Prioritize Based on Likelihood:
1. Evaluate factors beyond the vulnerability itself that an attacker might consider.
2. Prioritize assets with high exposure and low friction for initial access.
3. Focus on blocking targeted attacks that are more likely to cause significant damage.
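The gap analysis from Step 1 and the likelihood-based ranking from Step 2 can be worked through together. The following is an added example, not code from the original article or from any ASM product: the inventory, the ASM findings, and the scoring weights are all constructed for illustration, and the "kev" (exploited in the wild) and "auth" (credentials required) fields are hypothetical enrichment attributes.

```python
# Constructed sample data. Step 1: the external-facing assets IT already tracks.
KNOWN_ASSETS = {
    ("www.example.com", 443, "https"),
    ("vpn.example.com", 443, "https"),
    ("mail.example.com", 25, "smtp"),
}

# Step 2: constructed black-box ASM output, enriched with a CVSS score, whether the
# vulnerability is exploited in the wild ("kev") and whether the service requires
# credentials before exposing the vulnerable functionality ("auth").
ASM_FINDINGS = [
    {"host": "www.example.com", "port": 443, "service": "https", "cvss": 5.3, "kev": False, "auth": False},
    {"host": "vpn.example.com", "port": 443, "service": "https", "cvss": 9.8, "kev": True, "auth": False},
    {"host": "old-staging.example.com", "port": 8080, "service": "http", "cvss": 7.5, "kev": True, "auth": False},
    {"host": "dev-db.example.com", "port": 5432, "service": "postgres", "cvss": 9.1, "kev": False, "auth": True},
    {"host": "mail.example.com", "port": 25, "service": "smtp", "cvss": 4.3, "kev": False, "auth": False},
]


def asset_key(f):
    return (f["host"], f["port"], f["service"])


def gap_analysis(findings, known):
    """Step 3: flag discovered assets IT did not know about and compute the
    unknown-asset ratio, the KPI the article suggests tracking over time."""
    unknown = [f for f in findings if asset_key(f) not in known]
    ratio = len(unknown) / len(findings) if findings else 0.0
    return unknown, ratio


def likelihood_score(f, known):
    """Weight CVSS severity by attacker-side signals (hypothetical weights)."""
    score = f["cvss"]
    if f["kev"]:
        score *= 2.0   # actively exploited: the strongest likelihood signal
    if not f["auth"]:
        score *= 1.5   # reachable without credentials: low friction for initial access
    if asset_key(f) not in known:
        score *= 1.5   # shadow IT: unmanaged, so probably unpatched and unmonitored
    return round(score, 2)


def prioritize(findings, known):
    """Return findings ordered by likelihood-weighted risk, highest first."""
    return sorted(findings, key=lambda f: likelihood_score(f, known), reverse=True)


if __name__ == "__main__":
    unknown, ratio = gap_analysis(ASM_FINDINGS, KNOWN_ASSETS)
    print(f"unknown assets: {len(unknown)} ({ratio:.0%} of discovered)")
    for f in prioritize(ASM_FINDINGS, KNOWN_ASSETS):
        print(f'{likelihood_score(f, KNOWN_ASSETS):6.2f}  {f["host"]}:{f["port"]}  cvss={f["cvss"]}')
```

Note how the unknown staging host with a 7.5 CVSS outranks the known database with a 9.1, which is exactly the reordering a severity-only queue would miss.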
Step 3: Report on Risk, Not Vulnerabilities
What you measure matters. Traditional vulnerability management metrics often focus on the number of vulnerabilities, which can be misleading. Data shows that 95% of vulnerabilities pose no real threat to the business, making it essential to focus on risk rather than raw numbers.
By shifting the conversation to risk, vulnerability management teams can have more strategic discussions with stakeholders about what is acceptable and what is not. This approach also allows teams to demonstrate the value of their work more effectively and avoid the constant pressure to respond to every new vulnerability.
Key External Risk Metrics to Report:
Tracking and reporting on external risk consistently can become a critical KPI, helping vulnerability management teams showcase both immediate and long-term value.