September 25, 2025
Jeremiah Grossman
Vulnerability management has two massive challenges.
The first is volume. For the average enterprise, there are simply too many vulnerabilities to fix now or anytime soon. No organization of any meaningful size will ever reach “vulnerability zero.” Not even close. And that is fine. Only about 1% of all known CVEs have ever been exploited in the wild. Trying to patch everything would be impossible and cost-prohibitive.
That leads directly to the second challenge: prioritization. With limited remediation resources, we need to know which vulnerabilities actually matter: the ones where fixing them measurably reduces risk.
That is the purpose of a prioritization model: to tell you what to fix, in what order, and, just as importantly, where to stop. In other words, which vulnerabilities you don’t need to fix right now, or maybe ever.
Here’s the catch. No matter how you look at it, there will always be a cut-off point. Either you run out of remediation capacity, or the model itself has to draw the line. And as far as I can tell, no proprietary or open-source model is willing to define that line.
Take CVSS. Do you stop at 10s and 9s? Do you draw the line at 8, 7, or 6? EPSS does not make that choice either. The same goes for the prioritization models from Tenable, Qualys, Rapid7, and every other vulnerability management provider I’ve seen. Which means that in practice these models are either assuming you should fix everything or, worse, leaving the hardest decision entirely up to you. That means companies are stuck using some subjective, arbitrary number as a cutoff.
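To make the point concrete, here is an added example (not from the original post or any vendor's model) of a prioritization model that writes its cut-off line down explicitly and separates "fix now" from "defer". The inventory, the VULN-* identifiers and the threshold values are all constructed placeholders; the `cvss_only_counts` helper shows how much the fix list swings depending on where a pure CVSS cutoff is drawn.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str        # placeholder identifier, not a real CVE
    cvss: float     # CVSS base score, 0-10
    epss: float     # EPSS probability of exploitation in 30 days, 0-1
    remote: bool    # remotely exploitable (network attack vector)
    exploited: bool # known exploited in the wild

@dataclass(frozen=True)
class CutoffPolicy:
    """The line the post says models refuse to draw, stated explicitly."""
    cvss_min: float = 9.0       # assumed floor, not a recommendation
    epss_min: float = 0.10      # assumed floor, not a recommendation
    require_remote: bool = True # only remotely exploitable issues count

# Constructed sample inventory; scores are illustrative, not real CVE data.
INVENTORY = [
    Vuln("VULN-A", 9.8, 0.92, True, True),
    Vuln("VULN-B", 9.1, 0.01, True, False),
    Vuln("VULN-C", 7.5, 0.45, True, False),
    Vuln("VULN-D", 8.8, 0.02, False, False),
    Vuln("VULN-E", 5.3, 0.60, True, False),
    Vuln("VULN-F", 6.5, 0.003, True, False),
]

def must_fix(v, policy):
    """Crosses the line if known exploited, or if remotely exploitable
    (when required) and at or above either the CVSS or the EPSS floor."""
    if v.exploited:
        return True
    if policy.require_remote and not v.remote:
        return False
    return v.cvss >= policy.cvss_min or v.epss >= policy.epss_min

def prioritize(vulns, policy):
    """Return (fix_now, defer). fix_now is ordered by exploitation evidence,
    then EPSS, then CVSS; defer is everything below the declared line."""
    fix_now = [v for v in vulns if must_fix(v, policy)]
    defer = [v for v in vulns if not must_fix(v, policy)]
    fix_now.sort(key=lambda v: (v.exploited, v.epss, v.cvss), reverse=True)
    return fix_now, defer

def cvss_only_counts(vulns, floors=(9.0, 8.0, 7.0, 6.0)):
    """How many vulns a pure CVSS cutoff puts in scope at each floor."""
    return {f: sum(1 for v in vulns if v.cvss >= f) for f in floors}
```

With the default policy, VULN-D is deferred despite an 8.8 CVSS because it is not remotely exploitable, while VULN-E is fixed despite a 5.3 because its EPSS is high; a CVSS-only cutoff would rank those two the other way round.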
Now here is where it gets interesting. There is one part of the market that does define a cut-off point for remediation, but it is not vulnerability management.
It is cyber-insurance.
Many cyber-insurance carriers will scan your environment, hand you a list of vulnerabilities you must fix before they will insure you, and that is it. If you are later breached through a remotely exploitable CVE that is on that list, they pay the claim.
Think about that for a moment. Cyber-insurance carriers are confident enough to define a cut-off point and back it with real financial liability. Meanwhile, in vulnerability management, everyone has entirely avoided that responsibility and necessity.
So the real question becomes: are the cyber-insurance carriers being reckless, or do they know something that everyone in vulnerability management does not? One thing we do know is this: one side is paying out real money if they’re wrong, and the other is not. That difference will have to be reckoned with one way or another.