Unified Vulnerability Management (UVM) has undergone a significant evolution in recent years, driven by technological advancements, changing threat landscapes, and increased regulatory demands. In this post, we explore how UVM has evolved and where we believe it’s headed in the next few years.
What is Unified Vulnerability Management (UVM)?
UVM provides a centralized, comprehensive approach to identifying, prioritizing, mitigating, and remediating vulnerabilities across a company’s digital footprint. Instead of managing the vulnerability lifecycle across multiple tools and consoles, UVM delivers a single view of all discovered vulnerabilities, whether they are found on hosts, in source code, in cloud infrastructure, or elsewhere.
What are the advantages of Unified Vulnerability Management vs traditional vulnerability management?
Traditional vulnerability management tooling and reporting has often been fragmented across different solutions and teams. By unifying the vulnerabilities reported by multiple detection tools, UVM solutions offer several advantages over traditional vulnerability management tools and processes. These include:
- Improved data integrity: Good UVM solutions normalize and deduplicate vulnerabilities, including key details such as first-seen date, status, and SLA date. This resolves the data-integrity problems that arise when those values conflict or are incomplete across multiple tools.
- Faster prioritization: With one list of all unique vulnerabilities and findings, security teams can prioritize issues more efficiently than by cross-referencing multiple consoles and teams.
- Enhanced compliance and service level agreement (SLA) reporting: Reporting on all vulnerabilities in one place, including fix status, whether each was fixed within its SLA, and the reason for any risk acceptance, streamlines audit and compliance work.
- Faster remediation: By drawing context from security tools, business systems (e.g. a CMDB), and infrastructure tools, UVM solutions can provide actionable remediation guidance and fixes for vulnerabilities detected across the environment.
- Improved security posture: Because UVM solutions improve prioritization and remediation, SOC teams typically see a measurable improvement in mean time to remediate (MTTR), average vulnerability age, and other metrics that indicate a stronger security posture.
The first wave of Unified Vulnerability Management solutions (2018-2022)
The first wave of UVM solutions solved some of the easier vulnerability management challenges. These were:
- Infrastructure vulnerability aggregation: The first wave of UVM solutions started by ingesting all discovered vulnerabilities from vulnerability assessment solutions such as Qualys, Rapid7, Tenable, and more.
- Vulnerability deduplication: Once vulnerabilities were ingested, UVM solutions could deduplicate them on simple characteristics, such as the same CVE identifier reported on the same host by more than one tool. This reduced noise and let the SOC focus its analysis effort.
- Threat intelligence: Some UVM solutions integrated threat intelligence, whether proprietary or from third parties, to assist with prioritization. By correlating vulnerabilities with threat-actor and exploit activity, SOC teams could prioritize the vulnerabilities most likely to be exploited in their environment.
- Ticketing: The first wave of UVM solutions created integrations into popular ticketing systems, such as ServiceNow and Jira so that owners responsible for analysis, mitigation, and remediation could be notified in the platforms they work out of most.
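The normalization and deduplication step described above (and under "Improved data integrity" earlier) can be made concrete. The following is an added example, not code from the original post or from any UVM product; the two scanner export formats, the sample findings, the SLA table, and the merge rules are all assumptions made for illustration.

```python
"""Normalize findings from two scanner feeds into one schema and deduplicate.

Added example. The vendor field names, the sample feeds, the SLA policy and the
merge rules are assumptions for illustration, not any real product's format.
"""
from datetime import date, timedelta

# Constructed sample exports. Each feed uses its own field names, and both
# report the same CVE-2021-44228 finding on the same host (with different
# first-seen dates and hostname casing), plus one finding the other lacks.
FEED_A = [
    {"hostname": "web-01.corp.example", "cve": "CVE-2021-44228", "severity": "critical",
     "detected": "2024-03-01", "last_seen": "2024-03-10", "state": "open"},
    {"hostname": "web-01.corp.example", "cve": "CVE-2023-44487", "severity": "high",
     "detected": "2024-03-05", "last_seen": "2024-03-10", "state": "open"},
]
FEED_B = [
    {"asset": {"fqdn": "WEB-01.corp.example"}, "vuln_id": "cve-2021-44228", "risk": 10.0,
     "first_found": "2024-02-20", "last_found": "2024-03-12", "status": "ACTIVE"},
    {"asset": {"fqdn": "db-02.corp.example"}, "vuln_id": "cve-2023-44487", "risk": 7.5,
     "first_found": "2024-03-08", "last_found": "2024-03-12", "status": "FIXED"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy


def _severity_from_score(score):
    """Map a CVSS-style base score onto the common severity scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize_a(raw):
    """Scanner A already uses severity labels; only casing and names differ."""
    return {
        "source": "scanner_a",
        "asset": raw["hostname"].lower(),
        "cve": raw["cve"].upper(),
        "severity": raw["severity"].lower(),
        "first_seen": date.fromisoformat(raw["detected"]),
        "last_seen": date.fromisoformat(raw["last_seen"]),
        "status": "open" if raw["state"] == "open" else "fixed",
    }


def normalize_b(raw):
    """Scanner B nests the asset and reports a numeric risk score."""
    return {
        "source": "scanner_b",
        "asset": raw["asset"]["fqdn"].lower(),
        "cve": raw["vuln_id"].upper(),
        "severity": _severity_from_score(raw["risk"]),
        "first_seen": date.fromisoformat(raw["first_found"]),
        "last_seen": date.fromisoformat(raw["last_found"]),
        "status": "open" if raw["status"] == "ACTIVE" else "fixed",
    }


def dedupe(findings):
    """Merge findings keyed on (asset, CVE).

    Merge rules (assumed): earliest first_seen wins, latest last_seen wins,
    the higher severity wins, and the finding stays open while any source
    still reports it open. The SLA date is derived from the merged first_seen.
    """
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        if key not in merged:
            entry = dict(f)
            entry["sources"] = {entry.pop("source")}
            merged[key] = entry
            continue
        m = merged[key]
        m["sources"].add(f["source"])
        m["first_seen"] = min(m["first_seen"], f["first_seen"])
        m["last_seen"] = max(m["last_seen"], f["last_seen"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
            m["severity"] = f["severity"]
        if f["status"] == "open":
            m["status"] = "open"
    for m in merged.values():
        m["sla_date"] = m["first_seen"] + timedelta(days=SLA_DAYS[m["severity"]])
    return sorted(merged.values(), key=lambda m: (m["asset"], m["cve"]))


def unify(feed_a=FEED_A, feed_b=FEED_B):
    """Normalize both feeds and return the deduplicated list."""
    return dedupe([normalize_a(r) for r in feed_a] + [normalize_b(r) for r in feed_b])


if __name__ == "__main__":
    for m in unify():
        print(m["asset"], m["cve"], m["severity"], m["status"],
              m["first_seen"], m["sla_date"], sorted(m["sources"]))
```

The point of the merge rules is that the SLA clock starts at the earliest detection by any tool, not at whichever console an analyst happens to open; the four raw records collapse to three unique findings, and the shared one carries both sources.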
The new era of Unified Vulnerability Management (2022-present)
While the first wave of Unified Vulnerability Management solutions made major gains over traditional vulnerability management, they began to break down under a few technology megatrends. These are:
1. The rise of cloud adoption
The first wave of UVM solutions ingested vulnerabilities predominantly for on-premises IT assets. The dynamic and ephemeral nature of cloud infrastructure requires a UVM solution to understand cloud resources, pull this data frequently, and incorporate it into its common data schema. Older UVM solutions still struggle in this area.
2. Expanding from CVEs to broader exposures
Many UVM solutions primarily ingested CVEs and CWEs from tools but had no data model for broader exposures such as infrastructure misconfigurations and exposed secrets. Newer UVM solutions not only ingest this information; they also define a data schema that allows these exposures to be triaged and prioritized alongside CVEs and CWEs.
3. Application context
While the first era of UVM solutions ingested findings from application security testing (AST) tools, they did so in isolation, without mapping findings to the applications they belong to. This made it very difficult to answer basic questions such as:
- Which application does this finding map to?
- Who works on the corresponding codebase?
- Where is the application hosted?
Without answers to these questions, ingesting application vulnerabilities into a UVM solution delivered very little value.
By connecting to source code management (SCM) and CI/CD platforms, new-era UVM solutions now link application vulnerabilities to the application and the infrastructure they affect.
Where is Unified Vulnerability Management headed in the near future?
Beyond accounting for application and cloud context, new-era UVM solutions are quickly innovating in a few areas.
- Attack path analysis: By correlating each vulnerability with the application and infrastructure context around it (where the affected component runs and what can reach it), leading UVM solutions can generate attack path visualizations that help analysts understand impact, exploitability, and mitigation options.
- Mitigating controls: The first era of UVM solutions did not account for mitigating controls, so prioritization was limited. Leading UVM solutions are moving beyond ingesting vulnerabilities from detection tools and now also fetch data on how the protective tools themselves are configured. This lets analysts revise the priority of any given vulnerability based on the controls around it. For instance, a critical infrastructure vulnerability on a host that sits behind a firewall and runs EDR is less likely to be exploited than the same vulnerability on an unprotected, internet-facing host. Mapping controls to vulnerability context lets teams focus on the vulnerabilities most likely to be exploited in their specific environment.
- Remediation: When a vulnerability is easily exploited regardless of mitigating controls, it must be remediated. The first wave of UVM solutions created ticketing integrations and called that remediation. On its own, however, that approach has not led to a measurable reduction in vulnerabilities.
Leading UVM solutions will take the vulnerability context, identify a root cause, and generate a remediation plan based on your environment.
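As an added example (not the post's own code and not any vendor's scoring algorithm), the following shows how a prioritization pass could combine a finding's severity with exploit intelligence (the threat-intelligence integration described in the first-wave section) and the mitigating controls on the affected asset (the point just made), while treating a non-CVE exposure on the same footing as CVEs. The weights, tier thresholds, control inventory, known-exploited list, and sample findings are all constructed assumptions.

```python
"""Re-rank findings using exploit intelligence and mitigating controls.

Added example for illustration; the scoring weights, tier thresholds,
control inventory, known-exploited list and findings below are all assumed.
"""

# Constructed findings in a common schema: CVEs and a non-CVE exposure side by side.
# "remote" marks findings exploitable over the network, so network controls apply.
FINDINGS = [
    {"asset": "web-01.corp.example", "kind": "cve", "id": "CVE-2021-44228",
     "severity": "critical", "remote": True},
    {"asset": "web-01.corp.example", "kind": "cve", "id": "CVE-2023-44487",
     "severity": "high", "remote": True},
    {"asset": "db-02.corp.example", "kind": "cve", "id": "CVE-2023-44487",
     "severity": "high", "remote": True},
    {"asset": "build-07.corp.example", "kind": "secret", "id": "hardcoded-cloud-key",
     "severity": "high", "remote": False},
]

# Constructed threat-intel feed: identifiers with observed in-the-wild exploitation.
KNOWN_EXPLOITED = {"CVE-2021-44228"}

# Constructed control inventory per asset, as a UVM platform might pull it
# from firewall, network and EDR consoles.
CONTROLS = {
    "web-01.corp.example":   {"internet_exposed": True,  "segmented": False, "edr": True},
    "db-02.corp.example":    {"internet_exposed": False, "segmented": True,  "edr": True},
    "build-07.corp.example": {"internet_exposed": False, "segmented": False, "edr": False},
}

BASE_SCORE = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.0}  # assumed
TIERS = [(12.0, "P1"), (8.0, "P2"), (5.0, "P3"), (0.0, "P4")]         # assumed


def score_finding(finding, controls, known_exploited):
    """Return (score, reasons) for one finding.

    Starts from severity, raises the score for exploit activity and exposure,
    and lowers it for controls that reduce reachability or add detection.
    The reasons list is kept so an analyst can see why the rank moved.
    """
    score = BASE_SCORE[finding["severity"]]
    reasons = [f"base severity {finding['severity']}"]
    c = controls.get(finding["asset"], {})

    if finding["kind"] == "cve" and finding["id"] in known_exploited:
        score += 3.0
        reasons.append("exploited in the wild")
    if finding["remote"] and c.get("internet_exposed"):
        score += 2.0
        reasons.append("asset is internet exposed")
    if finding["remote"] and c.get("segmented") and not c.get("internet_exposed"):
        score -= 2.0
        reasons.append("asset is network segmented")
    if c.get("edr"):
        score -= 1.0
        reasons.append("EDR present on asset")
    return max(score, 0.0), reasons


def tier_for(score):
    """Map a numeric score onto the assumed P1..P4 tiers."""
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return "P4"


def rank(findings=FINDINGS, controls=CONTROLS, known_exploited=KNOWN_EXPLOITED):
    """Score every finding and return them highest priority first."""
    ranked = []
    for f in findings:
        score, reasons = score_finding(f, controls, known_exploited)
        ranked.append({**f, "score": score, "tier": tier_for(score), "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in rank():
        print(f"{r['tier']} {r['score']:>4} {r['asset']:<24} {r['id']:<20} "
              f"{'; '.join(r['reasons'])}")
```

Note what the controls do to the two copies of the same high-severity CVE: the internet-facing web host lands in P2 while the segmented database host drops to P4, and the hardcoded secret, which has no CVE at all, outranks the latter because network controls do not apply to it.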
Measuring the success of Unified Vulnerability Management
The beauty of Unified Vulnerability Management is that it can be measured with metrics security teams have used for years. A successful UVM deployment will show a measurable improvement in:
- Mean time to remediate (MTTR): the mean time it takes to remediate a vulnerability, from the point it becomes visible to the point a fix is applied; this should fall
- Average vulnerability age: the average time a vulnerability exists before it is either fixed or risk accepted; this should fall
- SLA adherence: the percentage of vulnerabilities resolved within their defined SLA dates; this should rise
- Vulnerability recurrence: the rate at which vulnerabilities reappear because the fix did not address the root cause; this should fall
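The four metrics above are easy to compute once findings live in one normalized record set. The following is an added example, not code from the post; the finding history, the SLA policy, and the exact metric definitions (in particular how open findings and risk acceptances are counted) are assumptions made for illustration.

```python
"""Compute the four UVM success metrics from a finding history.

Added example; the finding records, the SLA policy and the metric
definitions below are assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed finding history. Each record is one detection of a vulnerability
# or exposure on an asset; the same (asset, id) seen again after a fix is a
# recurrence. Non-CVE exposures use descriptive placeholder identifiers.
FINDINGS = [
    {"asset": "web-01", "id": "CVE-2021-44228", "severity": "critical",
     "first_seen": "2024-01-01", "status": "fixed", "closed": "2024-01-05"},
    {"asset": "db-02", "id": "CVE-2023-44487", "severity": "high",
     "first_seen": "2024-01-10", "status": "fixed", "closed": "2024-01-30"},
    {"asset": "web-02", "id": "CVE-2023-44487", "severity": "high",
     "first_seen": "2024-01-15", "status": "open", "closed": None},
    {"asset": "db-02", "id": "weak-tls-config", "severity": "low",
     "first_seen": "2024-01-20", "status": "risk_accepted", "closed": "2024-02-01"},
    {"asset": "web-01", "id": "CVE-2021-44228", "severity": "critical",
     "first_seen": "2024-02-01", "status": "fixed", "closed": "2024-02-15"},
    {"asset": "app-03", "id": "public-storage-bucket", "severity": "medium",
     "first_seen": "2024-02-20", "status": "open", "closed": None},
]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy


def _d(s):
    return date.fromisoformat(s) if s else None


def compute_metrics(findings=FINDINGS, as_of=date(2024, 3, 15)):
    """Return MTTR, average age, SLA adherence and recurrence as of a date."""
    recs = [{**f, "first_seen": _d(f["first_seen"]), "closed": _d(f["closed"])}
            for f in findings]

    # MTTR: mean days from first detection to fix, over fixed findings only.
    # Risk acceptances are not fixes and are excluded here.
    fixed = [r for r in recs if r["status"] == "fixed"]
    mttr = (sum((r["closed"] - r["first_seen"]).days for r in fixed) / len(fixed)
            if fixed else None)

    # Average age: closed findings age until closure (fix or risk acceptance),
    # open findings age until the as_of date.
    ages = [((r["closed"] or as_of) - r["first_seen"]).days for r in recs]
    avg_age = sum(ages) / len(ages)

    # SLA adherence: of findings that are closed or already past their SLA date,
    # the share closed on or before that date. Open findings still inside their
    # SLA window are not counted either way, so they cannot inflate the number.
    met = due = 0
    for r in recs:
        sla_date = r["first_seen"] + timedelta(days=SLA_DAYS[r["severity"]])
        if r["closed"] is not None:
            due += 1
            if r["closed"] <= sla_date:
                met += 1
        elif as_of > sla_date:
            due += 1
    sla_adherence = met / due if due else None

    # Recurrence: share of fixes after which the same (asset, id) was detected
    # again, which is the signal that the root cause was not addressed.
    def reappeared(fix):
        return any(o["asset"] == fix["asset"] and o["id"] == fix["id"]
                   and o["first_seen"] > fix["closed"] for o in recs)

    recurrence = sum(reappeared(r) for r in fixed) / len(fixed) if fixed else None

    return {"mttr_days": mttr, "avg_age_days": avg_age,
            "sla_adherence": sla_adherence, "recurrence_rate": recurrence}


if __name__ == "__main__":
    for name, value in compute_metrics().items():
        print(f"{name:<16} {value:.3f}")
```

In the constructed history the Log4Shell finding on web-01 is fixed, comes back a month later, and is fixed again outside its seven-day SLA; that single pattern is what drives the recurrence rate to one in three and drags SLA adherence down to 60%, which is exactly the kind of root-cause gap the metric is meant to surface.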