What is Threat-Led Vulnerability Management?

Threat-Led Vulnerability Management (TLVM) is a security approach that focuses on prioritizing and managing vulnerabilities based on the current threat landscape and the specific risks posed to an organization. Rather than treating all vulnerabilities equally, TLVM emphasizes understanding which vulnerabilities are most likely to be exploited by malicious actors, correlated with the configuration state and security posture of the organization’s unique infrastructure and business processes.

Why Now?

The notion of adopting a Threat-Led Vulnerability Management (TLVM) approach has grown in popularity, particularly in the face of the escalating volume and sophistication of cyber threats, which are increasingly frequent and cheaper to mount when supported by AI tools. The dynamic nature of the threat landscape requires organizations to stay agile in their vulnerability management processes, prioritizing efforts based on real-world risks and available threat intelligence. In an environment where resources are often limited, TLVM allows organizations to maximize security investments by focusing on the most critical vulnerabilities.

Additionally, shifting to cloud computing and remote work has broadened the attack surface, emphasizing the need for a nuanced understanding of vulnerabilities specific to these environments. With new tools and technologies enhancing asset discovery and risk assessment, organizations can implement TLVM more effectively. Moreover, heightened awareness of high-profile breaches results in CISOs across the globe wanting to ensure they are doing everything they can in a proactive approach to better protect the business. By prioritizing vulnerabilities according to current threats, organizations can minimize the opportunity for adversaries to exploit their vulnerabilities and ultimately strengthen their overall security posture during this pivotal moment in cybersecurity.

What are the Key Components of a Threat-Led Approach?

By adopting a threat-led approach to vulnerability management, organizations aim to direct their resources more efficiently, improve their security posture, and reduce the risk of successful cyberattacks.

  1. Threat Intelligence Integration: Organizations collect and analyze threat intelligence to understand current trends in cyberattacks, including the tactics, techniques, and procedures (TTPs) used by attackers. This information helps identify which vulnerabilities are actively being targeted in the wild.
  2. Risk Assessment: TLVM assesses the risk associated with each vulnerability by considering factors like the exploitability of the vulnerability (often scored by exploitability predictions such as EPSS) within the context of the organization’s environment, and whether other configuration factors exist that expose the assets to a real-world risk of compromise.
  3. Enhanced Prioritization: By leveraging threat intelligence, attack path modelling, and end-to-end risk assessments, TLVM allows organizations to prioritize their vulnerability management efforts. This means focusing resources on addressing vulnerabilities that pose the highest risk to critical assets or are actively being exploited.
  4. Continuous Monitoring: The threat landscape is dynamic, so TLVM typically involves a shift to continuous monitoring for emerging vulnerabilities and threats. This allows organizations to adjust their vulnerability management strategies in response to high-profile ("celebrity") and emergency vulnerabilities surfaced by this new intelligence.
  5. Collaboration: Effective TLVM often involves collaboration across different teams within an organization, including security operations, IT, risk management, and compliance, to ensure a holistic and informed approach to vulnerability management.
  6. Response Planning: TLVM also includes developing and updating incident response plans based on potential exploits of known vulnerabilities. This ensures that organizations are prepared to respond swiftly if a vulnerability is exploited.

How to Transition to This New Approach

At its core, a threat-led approach mimics the tactics, techniques, and procedures of real-life threat actors, allowing organizations to understand the vulnerabilities that pose a genuine risk to their systems. It leverages threat intelligence to simulate adversarial behaviors and aims to identify which weaknesses in the attack surface could be exploited. Solutions such as XM Cyber's Continuous Exposure Management platform leverage advanced techniques like XM Attack Graph Analysis™ to correlate exposures across all entity types and validate exploitability against proven attack techniques. This dynamic and continuous assessment helps organizations prioritize vulnerabilities based on real-world threats.

With a continuous approach to Exposure Management, organizations can transition to this new approach in the following stages.

Stage 1: Understanding and Awareness of Exploitability

First, start by looking past legacy severity levels and the CVSS scoring system and assess the real-world exploitability of each vulnerability. This requires knowing the exact configuration state of the device it resides on, and whether other configuration parameters exist that would make the CVE exploitable. By correlating these parameters with an extensive attack arsenal you can begin to validate the exploitability of vulnerabilities tailored to your environment, and then evaluate the inbound risk towards the device to raise awareness of how likely it is to be compromised by an attacker, either directly or as a result of an attack path from an alternative breach point.

Stage 2: Focus on Business Impact

After you’ve gained situational awareness of exploitability and understand how likely a device is to be compromised, you can take the next step in your transformation and start to quantify the business impact risk, outbound from the device along attack paths towards your critical assets. You can choose to leverage automatic classification of critical assets based on technical factors, or implement custom labels to define your own asset criticality context based on your business processes.

Integration with a CMDB like ServiceNow can also be used to build on existing asset context. Using Attack Graph Analysis, you can calculate the total number of critical assets at risk from an individual CVE or an exploitable device and visualize all attack paths to understand exactly how an attacker would move laterally around your environment towards your crown jewels during a breach.

Stage 3: Focus your Remediation Efforts

Rather than trying to meet unrealistic SLAs for CVE remediation, dictated by outdated compliance requirements, TLVM enables you to establish a more realistic risk appetite, with a clear understanding of the risk posed by each vulnerability, and then base your remediation strategy on this comprehensive prioritization logic. Yes, you still need to address the critical CVEs, but you can now make threat-informed decisions as to when exceptions can be made to your standard SLAs, with a clear picture of when it’s possible to simply accept the risk.

If you have the right platform in place, it should also provide detailed remediation guides for the steps to address the risk presented by each CVE and vulnerable device.

Using insights gleaned from Attack Graph Analysis, you’ll start to understand that there may be multiple ways to reduce your risk posture rather than just patching a CVE.

Of course, if a patch is available and viable to install, a patching guide is provided, but additional guides will also be available to harden infrastructure and limit the inbound compromise likelihood. There will also be guides for how to implement vendor and industry best practices, such as micro-segmentation, to restrict the potential for onward threat propagation during a breach. Integrating XM Cyber into your existing ITSM, SIEM, and SOAR platforms will also help ensure that the right guides are sent to the right teams, to accelerate remediation and help foster a culture of collaboration between teams, ensuring that everyone can act quickly and efficiently.
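The three stages above, worked through as an added example (this is illustrative code written for this article, not XM Cyber's platform or API): Stage 1 discounts a CVE whose configuration preconditions are absent, Stage 2 counts critical assets reachable along attack-path edges from each device, and Stage 3 shows that removing a single lateral-movement edge (a segmentation fix) lowers the top device's risk without patching anything. The inventory, EPSS-style probabilities and edges are all constructed sample data.

```python
from collections import deque

# Constructed sample inventory (not XM Cyber data): each device lists tuples of
# (cve_id, EPSS-style exploit probability, configuration preconditions present?).
DEVICES = {
    "web-01":   {"cves": [("CVE-A", 0.92, True)], "critical": False},
    "app-02":   {"cves": [("CVE-B", 0.40, True), ("CVE-C", 0.85, False)], "critical": False},
    "db-03":    {"cves": [("CVE-D", 0.10, True)], "critical": True},
    "hr-db-04": {"cves": [], "critical": True},
    "kiosk-05": {"cves": [("CVE-E", 0.97, True)], "critical": False},
}
# Constructed directed attack-path edges: an attacker on the key host can reach each target.
EDGES = {"web-01": ["app-02"], "app-02": ["db-03", "hr-db-04"]}

def inbound_likelihood(device):
    """Stage 1: a CVE only counts when its configuration preconditions are present."""
    miss = 1.0
    for _, epss, preconds_met in DEVICES[device]["cves"]:
        if preconds_met:
            miss *= 1 - epss  # chance every exploitable CVE on the host goes unused
    return round(1 - miss, 4)

def critical_assets_at_risk(device, edges=EDGES):
    """Stage 2: critical assets reachable along attack paths from this device (itself included)."""
    seen, queue = {device}, deque([device])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(d for d in seen if DEVICES[d]["critical"])

def without_edge(src, dst, edges=EDGES):
    """Stage 3: model a non-patch fix (e.g. segmentation) by removing one attack-path edge."""
    return {s: [t for t in ts if (s, t) != (src, dst)] for s, ts in edges.items()}

def prioritize(edges=EDGES):
    """Rank devices by inbound likelihood times the number of critical assets they expose."""
    rows = []
    for d in DEVICES:
        p = inbound_likelihood(d)
        crit = critical_assets_at_risk(d, edges)
        rows.append((round(p * len(crit), 4), d, p, crit))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for score, d, p, crit in prioritize():
        print(f"{d}: score={score} inbound={p} critical_at_risk={crit}")
```

Note that kiosk-05 carries the highest EPSS score yet ranks at zero because no attack path leads from it to a critical asset, which is exactly the distinction CVSS-only prioritization misses.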

What Are the Benefits of This New Approach?

  1. Proactive Risk Mitigation: Address vulnerabilities based on their actual risk, allowing for proactive defenses against known threats.
  2. Enhanced Decision-Making: Make informed decisions about prioritizing remediation actions tailored to your specific environment.
  3. Reduced Remediation Time: Focus time and resources on vulnerabilities that pose immediate threats, shortening potential windows for exploitation.
  4. Improved Security Posture: Gain a holistic view of vulnerabilities in relation to business-critical processes, bolstering overall security measures.
  5. Cost-Efficiency: Optimize security investments by addressing the most pressing vulnerabilities first.
  6. Continuous Monitoring and Adaptation: Stay responsive to evolving threats, ensuring robust security measures remain relevant.
  7. Compliance and Regulatory Alignment: Demonstrate proactive risk management that aligns with modern compliance frameworks, enhancing organizational reputation.

Conclusion: Embracing Innovation for Enhanced Cybersecurity

Adopting a threat-led approach to vulnerability management empowers organizations to stay one step ahead of cyber adversaries. By following the suggestions outlined above and leveraging advanced technologies, businesses can enhance their ability to detect, prioritize, and remediate vulnerabilities effectively. As the cyber landscape continues to evolve, this proactive, intelligence-driven methodology becomes essential for maintaining a resilient cybersecurity posture.

If you're interested in transforming your vulnerability management approach and bolstering your cybersecurity defenses, check out this on-demand webinar, "How to Adopt a Threat-Led Approach to Vulnerability Management," or visit our Vulnerability Risk Management product page to learn more about how XM Cyber can help secure your critical assets.

Note: This article is expertly written by Dale Fairbrother, Director of Product Marketing at XM Cyber.
