Using risk-based SLAs to set vulnerability remediation velocity

Risk-based vulnerability management (RBVM) is a cybersecurity strategy in which organisations prioritise remediation of software vulnerabilities according to the risk each one poses to their own unique environment, helping them automate, prioritise, and address those vulnerabilities.

The net result is that teams patch less: the organisation is able to prioritise the riskiest vulnerabilities, and it can also identify those that are likely to become dangerous in the future. The company’s overall risk score sits at an acceptable level and, perhaps more importantly, it is manageable.

However, as they say, the only guarantee in life is change. And that’s certainly true when it comes to vulnerability management. The reality is that new vulnerabilities appear every day and while most are harmless, occasionally something really serious will appear. This may well result in a jump in an organisation’s risk score.

And that’s where some adjustments need to be made to ensure the vulnerability management programme remains in line with the organisation’s maturing vulnerability management capabilities. What’s needed is for organisations to embrace a new concept: remediation velocity. And that’s where risk-based SLAs come in.

Risk-based what?

Setting remediation SLAs has always been a challenge, largely because organisations lack data on how to set them. A lot of organisations choose a 30/60/90 day structure, which can be rather arbitrary – it roughly fits the monthly cycle but is not necessarily fine-tuned to an organisation’s unique needs. In contrast, risk-based SLAs provide meaningful data-driven recommendations for remediation, taking the guesswork out of how quickly IT and security teams need to respond to newly discovered vulnerabilities in line with their organisation’s risk tolerance objectives.

Leveraging real life intelligence and benchmark data on Mean Time to Remediation (MTTR) and Median Time to Exploitation (MTTE), today’s modern risk-based management platforms are able to provide risk-based SLA recommendations that directly correlate to an organisation’s identified appetite for risk. The lower the organisation’s risk tolerance, the faster it will need to remediate.

How much risk can you take?

Organisations that leverage risk-based SLAs can better fine-tune their response timeframes and better target resources to reduce risk more effectively. But first, it’s necessary to choose which risk category an organisation falls into. We consider these categories to be:

– Low risk – a company that is content to remediate as fast as their peers

– Medium risk – companies that want to remediate faster than their peers

– High risk – organisations with the least tolerance for risk, who want their remediation strategies to exceed the speed at which threat actors are able to ‘weaponise’ vulnerabilities.

In addition to an organisation’s risk tolerance, risk-based SLAs also evaluate two other factors – the asset priority upon which the SLA is being set, and the vulnerability risk score (high, medium, or low). It is the combination of all these risk-based variables that ultimately underpins the SLA timeframe recommendation that is set.
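As an added illustration (not code from the article or from Kenna Security), the script below turns the three variables just described – risk tolerance, asset priority and vulnerability risk score – into a recommended SLA window, then measures remediation velocity for a handful of constructed findings. The benchmark numbers are placeholders: the peer MTTR table reuses the article’s 30/60/90 day structure, the MTTE values and the asset-priority multipliers are assumed, and the function names (`sla_days`, `velocity_report`) are hypothetical.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# Constructed benchmark inputs (hypothetical placeholders, not real platform data).
# Peer MTTR per vulnerability risk score reuses the article's 30/60/90 structure;
# MTTE is the assumed median time to exploitation for that risk score.
PEER_MTTR_DAYS = {"high": 30, "medium": 60, "low": 90}
MTTE_DAYS = {"high": 14, "medium": 45, "low": 120}
# Higher-priority assets shrink the window, lower-priority assets extend it (assumed).
ASSET_FACTOR = {"high": 0.5, "medium": 1.0, "low": 1.5}


def sla_days(tolerance: str, asset_priority: str, vuln_risk: str) -> int:
    """Recommended remediation window in days for one finding.

    tolerance: "low" (match peers), "medium" (beat peers), "high" (beat MTTE).
    """
    peer = PEER_MTTR_DAYS[vuln_risk]
    if tolerance == "low":
        target = peer
    elif tolerance == "medium":
        target = peer * 0.75                          # 25% faster than peers (assumed margin)
    elif tolerance == "high":
        target = min(peer, MTTE_DAYS[vuln_risk] - 1)  # close before median weaponisation
    else:
        raise ValueError(f"unknown tolerance {tolerance!r}")
    return max(1, math.ceil(target * ASSET_FACTOR[asset_priority]))


@dataclass
class Finding:
    id: str
    asset_priority: str
    vuln_risk: str
    discovered: date
    remediated: Optional[date] = None


def due_date(f: Finding, tolerance: str) -> date:
    return f.discovered + timedelta(days=sla_days(tolerance, f.asset_priority, f.vuln_risk))


def velocity_report(findings, tolerance: str, today: date) -> dict:
    """Count findings closed within / outside SLA, open findings overdue / on track,
    and summarise remediation velocity for the closed ones."""
    closed_within = closed_breached = open_overdue = open_on_track = 0
    days_to_fix = []
    for f in findings:
        due = due_date(f, tolerance)
        if f.remediated is not None:
            days_to_fix.append((f.remediated - f.discovered).days)
            if f.remediated <= due:
                closed_within += 1
            else:
                closed_breached += 1
        elif today > due:
            open_overdue += 1
        else:
            open_on_track += 1
    closed = closed_within + closed_breached
    return {
        "closed_within_sla": closed_within,
        "closed_breached": closed_breached,
        "open_overdue": open_overdue,
        "open_on_track": open_on_track,
        "sla_attainment": closed_within / closed if closed else None,
        "median_days_to_remediate": median(days_to_fix) if days_to_fix else None,
    }


# Constructed sample findings (not real scan data).
SAMPLE_FINDINGS = [
    Finding("F1", "high", "high", date(2024, 1, 1), date(2024, 1, 6)),
    Finding("F2", "medium", "medium", date(2024, 1, 1), date(2024, 2, 20)),
    Finding("F3", "low", "low", date(2024, 2, 1)),
    Finding("F4", "high", "high", date(2024, 2, 10)),
]
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    for tol in ("low", "medium", "high"):
        print(tol, velocity_report(SAMPLE_FINDINGS, tol, AS_OF))
```

Running the same findings through all three tolerance levels shows the point of the article: the findings do not change, but a high-tolerance organisation sees F2 as an SLA breach (a 50-day fix against a 44-day window), while a low-tolerance organisation counts it as on time.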

Metrics are shifting as vulnerability management comes of age

Over time, vulnerability management processes will mature as organisations move away from an ‘everything is a risk’ mindset to focus instead on fixing those vulnerabilities that pose the greatest risk first. There are some key characteristics that will mark the moment a vulnerability management programme comes of age. In most cases, IT operations can utilise a self-service model while security teams focus primarily on reporting, the oversight of mitigation efforts, and the handling of exceptions.

But to ensure the programme remains stable and endures for the long term, security leaders will need to constantly realign the metrics they use to evaluate its performance and optimise how the organisation responds to new high-risk vulnerabilities as they appear. And that means a shift in thinking that encompasses both risk-based SLAs and a move toward remediation velocity.


About the Author

Stephen Roostan is VP EMEA at Kenna Security. We pioneered risk-based vulnerability management, and now we’re doing the same for Modern Vulnerability Management.

Featured image: ©Sergey Nivens