Implementing Risk Based Vulnerability Management Trurisk
Implementing Risk-Based Vulnerability Management
GUIDE, February 2023
Table of Contents
Foundational Vulnerability Management Framework
Use Qualys TruRisk™ to Prioritize and Remediate the Most Critical Threats
References
Foundational Vulnerability Management Framework
[Figure: the four NIST Cybersecurity Framework functions Identify, Protect, Detect, Respond]
Identify
Develop an understanding of the information assets that are used to meet business needs and the risk to business operations.
- Inventory assets, software, and applications

Protect
Implement safeguards to limit the impact of a malicious event.
- Document a vulnerability management plan, including policies, processes, procedures, and controls

Detect
Implement solutions to identify vulnerabilities.
- Perform vulnerability scans and continually assess the effectiveness of the scans

Respond
Implement activities to act on new vulnerabilities.
- Investigate and remediate findings
- Accept certain identified vulnerabilities within risk tolerance, or reduce their risk through mitigation where remediation is not possible
In addition to these key objectives, successful VM programs have a defined scope, exception tracking, reporting, and metrics. These functions and objectives are supported by the NIST Cybersecurity Framework [1].
While these elements are an important foundation for vulnerability management, the sheer number of vulnerabilities disclosed daily challenges cybersecurity and IT teams seeking the most expedient way to reduce risk to the organization. Organizations should therefore pivot to a risk-based approach that addresses the most significant flaws first, reducing risk to critical systems and making efficient use of limited resources. Instead of prioritizing remediation by arbitrary methods, organizations should enrich vulnerability data with business context, threat intelligence, data science, and machine learning, and prioritize the vulnerabilities that are most likely to be exploited and therefore most likely to cause the greatest harm to the given organization. This requires vulnerability management programs to use more accurate methods of assessing risk to keep pace with evolving threats.
2. Context
Use business context to assign criticality to assets, e.g., production assets hosting critical information versus development systems. Use threat intelligence to enrich the understanding of each vulnerability, e.g., whether it is exploited in the wild, whether an exploit is available, and how easily it can be exploited. Vulnerabilities with these attributes are the ones most likely to be exploited.

3. Assess
Perform continuous vulnerability assessment to maintain an accurate picture of risk as often as possible. Perform secure configuration assessments to validate that system hardening is consistent with the adopted security controls, based on industry-standard guides such as the Center for Internet Security (CIS) Benchmarks or DISA STIGs.

4. Remediate
Use the combination of asset criticality assignment and threat intelligence to prioritize the remediation of vulnerabilities that pose the most significant risk to the business and to mission-critical applications. Implement automation where possible to proactively patch and configure systems and reduce the load on remediation teams. Automate ticket creation to assign vulnerability triage tasks to remediation teams for action.

5. Monitor
Implement actionable metrics to convey risk to operational and executive teams. These metrics support decisions on allocating resources to risk items and measure program effectiveness.
Use Qualys TruRisk™ to Prioritize and Remediate the Most Critical Threats
Qualys VMDR with Qualys TruRisk™ helps organizations quantify cyber risk so that they can measure it accurately, take steps to reduce exposure, track risk reduction trends over time, and better measure the effectiveness of their cybersecurity program. The table below illustrates at a high level how teams can use VMDR to operationalize their risk-based vulnerability management program against the five pillars of RBVM.
Identify
Objective: Inventory assets and services exposed to the public internet.
With VMDR: Automate attack surface discovery using the Qualys Internet Scanners and Qualys Cybersecurity Asset Management (CSAM) with External Attack Surface Management (EASM) [2] to discover blind spots among internet-connected assets.

Context
Objective: Assign criticality to assets.
With VMDR: Assign criticality to assets using Qualys TruRisk™, or directly import and assign business criticality to assets using Global AssetView or CSAM from a CMDB such as ServiceNow [3].

Remediate
Objective: Prioritize vulnerability remediation.
With VMDR: Pinpoint the vulnerabilities that pose the most risk to the organization by using Qualys TruRisk™ Qualys Detection Scores on critical assets. Automate remediation using Qualys Patch Management, and dispatch tickets to remediation teams with the Qualys VMDR for IT Service Management (ITSM) integration [4].

Monitor
Objective: Use metrics to evaluate program efficacy.
With VMDR: Monitor asset posture in real time using Qualys dashboards that aggregate risk data with near real-time visibility.
2. Introducing CyberSecurity Asset Management 2.0 with Natively Integrated External Attack Surface Management
3. Implement Risk-Based Vulnerability Management with Qualys TruRisk™: Part 1
4. Close the Gap Between IT & Security with Our New App: Qualys VMDR for ITSM
Qualys begins by assessing over 185K known CVEs, including those that do not have a registered QID, against external threat and exploit intelligence, and assigns each a Qualys Vulnerability Score (QVS) [6].
Each vulnerability registered as a QID in the Qualys knowledge base is assigned a Qualys Detection Score (QDS) ranging from 0 to 100. The QDS combines the QVS with the mitigation controls applied for a given vulnerability. Where multiple CVEs are assigned to one QID, the highest QVS is selected [6].
The platform combines a weighted average of the QDS values of all vulnerabilities detected on an asset with the asset's Asset Criticality Score (ACS) to compute a TruRisk™ score of 0 to 1000 [6]. Organizations can thereby quickly identify the assets in most critical need of remediation.
Cybersecurity programs calculate risk by applying the basic risk formula (Risk = Likelihood x Impact) so that decision-makers can apply limited IT resources effectively. TruRisk™ follows the same structure: the threat-informed QDS stands in for likelihood, and the business criticality captured in the ACS stands in for impact.
Use Qualys dashboards populated with prioritization data to review the organization's risk posture with near real-time visibility. The dashboards gather the prioritization data captured by the suite of Qualys sensors from across the platform into a single place for visualization. Customize TruRisk™ dashboard widgets with trending enabled to demonstrate risk reduction over time and to measure the effectiveness of the vulnerability management program [7].
Figure 2: Customize trending Qualys dashboards to monitor and trend risk posture.
- High-value assets with an ACS of 4 or 5 that have a vulnerability with a QDS >= 90
- Client-side vulnerabilities in browsers (Google Chrome, Firefox) with a QDS of 90 or higher, to be remediated
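The scoring pipeline described above (a QVS per CVE derived from threat intelligence, a QDS per QID taken as the highest QVS and adjusted for mitigation, and an asset score on 0-1000 that weights the QDS values by asset criticality), together with the Context and Remediate pillars earlier on this page (business criticality plus exploit intelligence drive the remediation queue), is modelled end to end in the following Python example. It is an added example written for this page, not Qualys code, and it does not reproduce the real TruRisk™ formula: the weighting constants, the CVE and QID identifiers, the threat-intelligence feed and the asset inventory are all constructed placeholders. The last two functions implement the two dashboard widget criteria listed above over that constructed data.

```python
from __future__ import annotations
from dataclasses import dataclass

# --- Constructed sample data (placeholders for illustration, not real Qualys data) ---

# Threat intelligence per CVE: CVSS base score, public exploit availability,
# and whether the CVE is known to be exploited in the wild.
THREAT_INTEL = {
    "CVE-TEST-0001": {"cvss": 9.8, "exploit_available": True,  "exploited_in_wild": True},
    "CVE-TEST-0002": {"cvss": 7.5, "exploit_available": True,  "exploited_in_wild": False},
    "CVE-TEST-0003": {"cvss": 5.3, "exploit_available": False, "exploited_in_wild": False},
    "CVE-TEST-0004": {"cvss": 8.8, "exploit_available": False, "exploited_in_wild": True},
}

# Knowledge-base entries: each QID (placeholder numbers) covers one or more CVEs.
KNOWLEDGE_BASE = {
    1001: {"product": "Google Chrome", "cves": ["CVE-TEST-0001", "CVE-TEST-0003"]},
    1002: {"product": "Apache Tomcat", "cves": ["CVE-TEST-0002"]},
    1003: {"product": "Firefox", "cves": ["CVE-TEST-0004"]},
    1004: {"product": "OpenSSH", "cves": ["CVE-TEST-0003"]},
}


@dataclass(frozen=True)
class Finding:
    """One detection of a QID on an asset."""
    asset: str
    qid: int
    mitigated: bool = False  # a compensating control applies to this detection


# Assets with their Asset Criticality Score (ACS, 1-5) and their detections.
ASSETS = {
    "prod-web-01": {"acs": 5, "findings": [Finding("prod-web-01", 1002),
                                           Finding("prod-web-01", 1004)]},
    "hr-laptop-17": {"acs": 4, "findings": [Finding("hr-laptop-17", 1001),
                                            Finding("hr-laptop-17", 1003, mitigated=True)]},
    "dev-box-03": {"acs": 2, "findings": [Finding("dev-box-03", 1001)]},
}


def qvs(cve: str) -> int:
    """Hypothetical QVS on 0-100: CVSS scaled by 10, then lifted by exploit
    intelligence (floor of 70 if an exploit exists, 90 if exploited in the wild)."""
    ti = THREAT_INTEL[cve]
    score = ti["cvss"] * 10
    if ti["exploit_available"]:
        score = max(score, 70)
    if ti["exploited_in_wild"]:
        score = max(score, 90)
    return int(min(100, round(score)))


def qds(qid: int, mitigated: bool = False) -> int:
    """QDS for a QID: the highest QVS among its CVEs (as the page states),
    halved (a hypothetical discount) when a mitigating control is in place."""
    top = max(qvs(c) for c in KNOWLEDGE_BASE[qid]["cves"])
    return int(round(top * 0.5)) if mitigated else top


def asset_score(acs: int, findings: list[Finding]) -> int:
    """Hypothetical asset score on 0-1000: a QDS-weighted average of the asset's
    detections (each QDS weighted by itself, so severe findings dominate and a
    pile of low findings cannot dilute a critical one), scaled by ACS/5."""
    scores = [qds(f.qid, f.mitigated) for f in findings]
    if not scores:
        return 0
    weighted_avg = sum(s * s for s in scores) / sum(scores)
    return int(round(weighted_avg * 10 * acs / 5))


def prioritized_assets(assets=ASSETS) -> list[tuple[str, int]]:
    """Remediation queue: assets ordered by descending score, then by name."""
    ranked = [(name, asset_score(a["acs"], a["findings"])) for name, a in assets.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def high_value_assets_at_risk(assets=ASSETS, min_acs: int = 4, min_qds: int = 90) -> list[str]:
    """Dashboard widget 1: assets with ACS 4 or 5 carrying a detection with QDS >= 90."""
    return sorted(
        name for name, a in assets.items()
        if a["acs"] >= min_acs and any(qds(f.qid, f.mitigated) >= min_qds for f in a["findings"])
    )


def browser_findings_to_remediate(assets=ASSETS, min_qds: int = 90) -> list[tuple[str, int]]:
    """Dashboard widget 2: client-side browser (Chrome, Firefox) detections with QDS >= 90."""
    browsers = {"Google Chrome", "Firefox"}
    hits = [
        (name, f.qid)
        for name, a in assets.items()
        for f in a["findings"]
        if KNOWLEDGE_BASE[f.qid]["product"] in browsers and qds(f.qid, f.mitigated) >= min_qds
    ]
    return sorted(hits)


if __name__ == "__main__":
    for name, score in prioritized_assets():
        print(f"{name:<14} ACS={ASSETS[name]['acs']} score={score}")
    print("High-value assets at risk:", high_value_assets_at_risk())
    print("Browser findings with QDS >= 90:", browser_findings_to_remediate())
```

Running the block prints the remediation queue. The development box carries the same exploited Chrome flaw as the HR laptop, yet it ranks last because its ACS of 2 discounts the asset score, while the production web server with only moderate findings ranks first on criticality alone; the high-value-asset widget still surfaces the laptop because one of its detections scores 98. When working with real QDS and ACS values exported from the platform, keep the two widget queries and the ranking as they are and drop the hypothetical scoring functions.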
Read the following blogs for more information on implementing a risk-based vulnerability management
program with VMDR.
References
A Deep Dive into VMDR 2.0 with Qualys TruRisk™
Introducing CyberSecurity Asset Management 2.0 with Natively Integrated External Attack Surface Management
Close the Gap Between IT & Security with Our New App: Qualys VMDR for ITSM
About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance, and IT solutions with more than 10,000 subscription
customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance
solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings. Qualys, Qualys VMDR®, and the Qualys logo are proprietary
trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.