
Measuring Vulnerability Remediation Strategies with Real-World Data

Offered By: RSA Conference via YouTube

Course Description

Overview

Explore data-driven measures for assessing vulnerability management programs in this 54-minute RSA Conference talk. Delve into four key metrics: coverage, efficiency, velocity, and capacity. Compare these measures across hundreds of organizations, learn from exceptional programs, and discover how to apply these metrics to your own vulnerability management strategy. Gain insights into the challenges of vulnerability remediation, including the vast number of vulnerabilities, large exposure scopes, and the time required for remediation. Examine performance factors such as overall VM maturity, assets under management, program budget, team structure, and prioritization criteria. Understand why CVSS scores may not be the best predictor of exploitation and explore alternative prioritization methods. Discover how strategic choices in vulnerability remediation can significantly impact performance and learn about additional resources for effective prioritization.

Syllabus

Intro
Data-driven cybersecurity research
Core questions for vulnerability remediation
There are A LOT of vulnerabilities
Scope of exposures can be large
On average, firms fix 1 in 10 vulnerabilities
Weaponization happens quickly
Exploitation unfolds gradually
Remediation takes time
Maybe "ALL" vulns isn't the best measure of success
How do we measure "better" or "worse" performance?
Identifying performance factors
Overall VM maturity
Assets under management
VM program budget
VM team structure
Prioritization criteria
CVSS is an objectively poor predictor of exploitation
Remediation deadlines
Process complexity
Patch deployment methods
Summary of performance factors
Strategy makes a huge difference
What do you mean by strategy?
Strategic choices in vulnerability remediation
Exploit prediction improves prioritization
Additional resources for prioritizing vulnerabilities


Taught by

RSA Conference
