Taking a Threat Adapted Approach to Vulnerability Management
2025-01-23 11:16:32 Author: securityboulevard.com

As cyberthreats grow in complexity and frequency, vulnerability management requires more than just patching systems; it demands a dynamic, threat-adapted approach. As part of Cyber Rhino Threat Week (December 9-13, 2024), which aimed to inform our customers, partners and industry ecosystem and to share threat intelligence insights and best practices with them, we held a session that explored how integrating threat intelligence into vulnerability management can transform the way organizations prioritize and respond to risks.

Vulnerability management is a continuous, proactive process that keeps systems, networks and enterprise applications safe from cyberattacks and data breaches, and as such it is an important part of an overall security program. The panel discussed how vulnerability management has changed over the years. In the past it simply meant patching servers and endpoints, with the patching cadence driven by collaboration with the IT team. Today it is far more complex, taking in the internet of things (IoT), kiosks, mobile devices, display screens and much more. Every asset in the vulnerability management cycle widens the attack surface an adversary can use to gain access to the infrastructure. Teams now need to know every asset connected to the network, keep its firmware up to date, and decide when and how to patch and whether patching will disrupt the business.

The role of the vulnerability management team is to pass all this information on to system owners so they understand why they need to patch and what to prioritize. That is easier said than done in an enterprise of hundreds of thousands of employees spread across multiple geographic locations.


Breaking Down Silos 

The discussion delved into how important it is to break down the silos between teams such as system information management, incident response and cyberthreat intelligence, and into the lack of data sharing across those silos. That gap often exists because there is no automated, bidirectional flow of information between the teams, and this is one area where a threat intelligence platform can help.

This is one of the reasons a threat-adapted approach is so important. Such an approach analyzes behaviors and events so that the organization is ready to adapt to threats before they materialize; it lets the organization continuously assess risk and apply the appropriate enforcement. That said, if the team has not operationalized its threat intelligence, and has no process for bringing everything together and overlaying it on the vulnerability posture, then all the intelligence it collects is wasted. One of the panelists likened this to holding an external library card, or an Encyclopedia Britannica of all your threat actors: it provides information but does not trigger a robust response. Teams need a way to contextualize and prioritize based on what threat actors are actually targeting, and that process needs to be automated.

The key question is how to take that expensive library card and plug it into the vulnerability management program so that the team can prioritize quickly and easily. The team needs context about what an asset does, what business value it delivers and how it functions in order to prioritize risk proactively and make the CTI program relevant. All panelists agreed that if all you are doing is building a giant library, without the context and integration needed to drill down into what matters to the organization, then your CTI program simply becomes a cost center.

The Importance of Compensating Controls   

This is where it is important to work with teams, business and system owners and other stakeholders to understand their requirements, what matters to them and what they need to act on, so they can push and escalate proactively. To achieve this, organizations must break down silos and work with every team involved in security, including the governance, risk and control teams, to understand where their concerns lie and which technologies they are tracking. This is not just about understanding the organization's cyber hygiene; it is also about understanding the layers an attacker would have to get through to exploit a weakness and carry out nefarious activity inside the organization. With that insight, teams can work through the requirements and align the CTI program to specific stakeholders.

Ultimately there is always the desire to patch, but it is not always possible to patch. This is where compensating controls matter: another way to protect the affected asset while the patch is being prepared. One panelist asked how this is achieved, and whether it should be left to the vulnerability management team alone or whether the CTI team can help make those all-important decisions.

All agreed that offense and defense teams must work together. That means mapping out the attack path: a better understanding of the defenses gives a better understanding of the offense, as teams scout for what would be effective, move to the next layer to consider what might be vulnerable, and check whether mitigating controls are in place to provide additional prevention.

Teams need to move at the speed of the business and act fast while doing so safely. Achieving that comes down to having a holistic program built on a good knowledge of both offensive and defensive strategies.
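The prioritization the panel describes (overlaying threat intelligence and asset context on scanner output, then discounting for compensating controls while a patch is pending) is shown below as an added example; it is not code from the panel, Security Boulevard or Team Cymru. The scoring weights, control factors, asset names and VULN-n identifiers are all hypothetical and constructed for the example, and the feed flags (exploited in the wild, actor targeting the sector, public proof of concept) stand in for whatever the organization's threat intelligence platform actually delivers.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical weights (an assumption for this example): how much each piece of
# threat intelligence raises the urgency of a finding, and how much each
# compensating control lowers it while the patch is still pending.
INTEL_WEIGHTS = {"exploited_in_wild": 2.0, "actor_targets_sector": 1.5, "public_poc": 1.25}
CONTROL_FACTORS = {"waf": 0.5, "segmentation": 0.5, "edr": 0.7}
EXPOSURE_FACTOR = {True: 1.5, False: 1.0}  # internet-facing assets get reached first


@dataclass
class Asset:
    """One record from the asset inventory: the context the CTI program needs."""
    name: str
    criticality: int          # 1 (low) .. 5 (mission critical), set by the business owner
    internet_exposed: bool
    controls: list[str] = field(default_factory=list)   # compensating controls in place


@dataclass
class Finding:
    """One scanner result: a vulnerability observed on an asset."""
    vuln_id: str
    asset: str
    cvss: float               # base score as reported by the scanner


@dataclass
class Prioritised:
    vuln_id: str
    asset: str
    score: float
    reasons: list[str]        # why the finding ranked where it did; shown to the system owner


def intel_multiplier(intel: dict[str, bool]) -> tuple[float, list[str]]:
    """Scale urgency by what the threat-intelligence feed says about this vulnerability."""
    mult, reasons = 1.0, []
    for flag, weight in INTEL_WEIGHTS.items():
        if intel.get(flag):
            mult *= weight
            reasons.append(f"intel:{flag}")
    return mult, reasons


def control_multiplier(asset: Asset) -> tuple[float, list[str]]:
    """Discount urgency for each recognised compensating control on the asset."""
    mult, reasons = 1.0, []
    for control in asset.controls:
        if control in CONTROL_FACTORS:
            mult *= CONTROL_FACTORS[control]
            reasons.append(f"control:{control}")
    return mult, reasons


def prioritise(findings, assets, intel_feed):
    """Rank findings by CVSS x asset context x threat intel x compensating controls."""
    ranked = []
    for f in findings:
        asset = assets[f.asset]
        i_mult, reasons = intel_multiplier(intel_feed.get(f.vuln_id, {}))
        c_mult, c_reasons = control_multiplier(asset)
        score = (f.cvss / 10.0) * (asset.criticality / 5.0) \
            * EXPOSURE_FACTOR[asset.internet_exposed] * i_mult * c_mult
        ranked.append(Prioritised(f.vuln_id, f.asset, round(score, 3), reasons + c_reasons))
    return sorted(ranked, key=lambda p: p.score, reverse=True)


def cvss_only(findings):
    """The pre-intelligence baseline: patch in descending CVSS order."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample data: placeholder identifiers, not real CVEs or real assets.
SAMPLE_ASSETS = {
    "hr-portal":   Asset("hr-portal", criticality=3, internet_exposed=True, controls=["waf"]),
    "payments-db": Asset("payments-db", criticality=5, internet_exposed=False),
    "kiosk-7":     Asset("kiosk-7", criticality=2, internet_exposed=False, controls=["segmentation"]),
}
SAMPLE_FINDINGS = [
    Finding("VULN-1", "hr-portal", cvss=9.8),
    Finding("VULN-2", "payments-db", cvss=7.5),
    Finding("VULN-3", "kiosk-7", cvss=9.8),
]
SAMPLE_INTEL = {
    "VULN-2": {"exploited_in_wild": True, "actor_targets_sector": True},
    "VULN-3": {"public_poc": True},
}


def run_sample():
    return prioritise(SAMPLE_FINDINGS, SAMPLE_ASSETS, SAMPLE_INTEL)


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only(SAMPLE_FINDINGS))
    for p in run_sample():
        print(f"{p.score:6.3f}  {p.vuln_id} on {p.asset}  {', '.join(p.reasons) or 'no intel, no controls'}")
```

On the sample data the CVSS-only baseline would patch VULN-1 and VULN-3 first, while the threat-adapted ranking moves VULN-2 (a lower CVSS, but exploited in the wild by actors targeting the sector, on the most critical asset) to the top and pushes the segmented kiosk finding to the bottom. The `reasons` list is the part the system owner actually needs: it explains the ranking in terms of intelligence and controls rather than a bare score.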

A Fusion of Threat Intelligence, Risk and Vulnerability Management  

The tools required for a threat-adapted approach include an inventory of all assets and a clear understanding of the vulnerability scanning frequency, so the team knows how often to expect new information. Internal data and external threat intelligence both need to be operationalized into the threat intelligence program.

Looking at the future of vulnerability management, the group discussed how CTI teams need to champion vulnerability teams, work with them through bidirectional communication, and present to stakeholders together. Vulnerability management itself needs to expand to the external attack surface, understand cloud environments, and analyze configurations, misconfigurations and default credentials.

Ultimately, all agreed that threat intelligence, vulnerability management and risk will fuse, and that coordinating all three will be critical for cyber hygiene and for planning, prioritizing and mitigating threats.


This article was also written by Will Baxter, security engineer at Team Cymru.


Source: https://securityboulevard.com/2025/01/taking-a-threat-adapted-approach-to-vulnerability-management/