Unified Remediation vs. Risk-Based Vulnerability Management (RBVM)

As technologies become more complex and attacker techniques become more advanced, vulnerability management is becoming increasingly difficult.

For years, vulnerability management solutions have been good at identifying known vulnerabilities in third-party software and hardware. Later, newer tools emerged to add context, making it easier to prioritize these vulnerabilities.

Now that nearly every company creates proprietary software in some capacity, staying on top of vulnerabilities in native software applications is of utmost importance for security and development teams. Finding, prioritizing, and fixing issues as quickly as possible is critical; however, many of yesterday’s tools don’t help with this problem today because they aren’t built with modern software development and cloud services in mind.

Read on to learn more about the difference between unified remediation platforms and risk-based vulnerability management platforms. If you’re interested in seeing unified remediation in action, reach out to us here.

What is Risk-Based Vulnerability Management (RBVM)?

Risk-based vulnerability management (RBVM) platforms are tools designed to help organizations identify and prioritize vulnerabilities in their IT systems based on risk.

These platforms typically integrate vulnerability scanning solutions, threat intelligence, and other data sources to assess the severity and potential impact of vulnerabilities, allowing organizations to focus their resources on addressing the most critical risks first.

Key features of RBVM platforms include:

  • Vulnerability Scanning: RBVM platforms may offer their own vulnerability scanning capabilities to identify vulnerabilities in IT systems, in addition to popular third-party vulnerability assessment tools like Qualys, Tenable, and Rapid7. These scans can be performed on a scheduled basis or on-demand.
  • Risk Assessment: RBVM platforms assess the risk posed by vulnerabilities based on factors such as severity, exploitability, and potential impact on the organization's assets and operations.
  • Prioritization: RBVM platforms may deliver out-of-the-box risk scores, or the ability for customers to program custom prioritization logic based on vulnerability severity, the assets impacted, business criticality, and more.
  • Workflows: RBVM platforms may provide workflows for managing the remediation process, which often takes the form of integrating with helpdesk and ticketing platforms.
  • Reporting: RBVM platforms often include out-of-the-box reporting on vulnerability metrics, like average vulnerability age, mean time to remediate (MTTR), and more.

Example providers of risk-based vulnerability management platforms include: Kenna Security, Brinqa, Avalor, and Nucleus.

Who is Risk-based Vulnerability Management for?

Companies that have no software development teams and a minimal cloud footprint may be a good fit for risk-based vulnerability management platforms. This is especially true if vulnerabilities are only a concern for on-premise assets, not for custom applications and cloud infrastructure.

Teams

The teams that get the most use out of risk-based vulnerability management platforms are vulnerability and threat management (VTM) teams, and general information security teams.

RBVM is the place where vulnerability management and risk management meet.

What is Unified Remediation?

Unified Remediation platforms unify, prioritize, and streamline remediation efforts for code, cloud, applications, and on-premise IT infrastructure vulnerabilities. Since many vulnerability management teams are now working with Application Security and Cloud Security teams in an effort to centralize vulnerability management, Unified Remediation gives all three teams shared visibility into how vulnerabilities are being identified and fixed.

As opposed to Risk-based Vulnerability Management solutions, Unified Remediation platforms can not only understand where application vulnerabilities originate, but also identify the actual code that needs to be fixed and identify the owner able to make the fix.

Key features of a Unified Remediation platform include:

  • Vulnerability prioritization across code, clouds, applications, and infrastructure: Unified Remediation platforms integrate the entire security stack including vulnerability scanners, threat intelligence, application security, and cloud security. In addition, Unified Remediation platforms connect to the development environment to map where vulnerabilities and security issues originate and what resources are impacted.
  • Automated root cause analysis and triage: Since application-based vulnerabilities can be trickier to triage than vulnerabilities in traditional IT infrastructure, Unified Remediation automatically provides the root cause of detected issues, down to the lines of code, the files where that code lives, and the developer associated with the commits.
  • Assistive and automatic remediation actions: Because the end goal is actually making the fix rather than only prioritizing it, Unified Remediation platforms deliver assistive and automated remediation actions that can be programmed according to the type of vulnerability, the impact to the business, and the best remediation path.
  • Unified reporting: Unified Remediation platforms deliver custom reporting that makes it easier for different audiences to understand their current vulnerability state. This includes engineering and application development, vulnerability management teams, application security teams, and cloud security teams.

Who is Unified Remediation for?

Companies that have software development teams and a growing cloud footprint are a good fit for Unified Remediation platforms.

This is especially true if vulnerability management is increasingly becoming a cross-functional effort, and not an effort solely managed by vulnerability and threat management teams.

Teams

Many teams get value out of Unified Remediation platforms, including:

  1. Vulnerability and Threat Management: responsible for monitoring issues and the progress of fixing all vulnerabilities in the environment.
  2. Application Security: responsible for deduplicating findings across Application Security Testing tools and fixing issues.
  3. Cloud Security: responsible for understanding the root cause of cloud misconfigurations and vulnerabilities and remediating them.
  4. DevOps & Engineering: responsible for viewing all security risks by application, product owner, and more, and making sure the backlog is being addressed.
  5. Security Operations: who need to unify vulnerability and exposure data with threat and IOC data to support investigations and prioritization of issues.

Comparison

Capability: Vulnerability coverage and pipeline visibility
  Unified Remediation: unify and deduplicate vulnerabilities for code, cloud, applications, and on-premise infrastructure
  RBVM: often lacks coverage of applications and cloud infrastructure

Capability: Threat intelligence
  Unified Remediation: integrate CISA KEV, EPSS, and third-party threat intelligence

Capability: Prioritization
  Unified Remediation: use out-of-the-box and custom-defined prioritization

Capability: Automated root cause analysis
  Unified Remediation: trace application vulnerabilities to the artifacts, lines of code, and code owner that introduced them

Capability: Prioritize based on risk, business logic, and fix impact
  Unified Remediation: prioritize findings based on exploitability, business criticality, internet exposure, and shared root causes to make each fix matter
  RBVM: often lacks a view into shared root causes to derive fix impact for code/application vulnerabilities

Capability: Remediation orchestration and automation
  Unified Remediation: automatically trigger assistive and automatic actions based on custom logic and conditions
  RBVM: often lacks automatic remediation actions for code/application vulnerabilities
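As an added illustration of the prioritization rows above (not Dazz's code or scoring model; the weights, field names and sample findings are all constructed), this script scores each finding on its own in the RBVM style, then regroups the same findings by shared root cause so that one fix is ranked by the total risk it retires:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    cvss: float            # base severity, 0-10
    epss: float            # EPSS probability of exploitation, 0-1
    kev: bool              # listed in CISA KEV
    internet_exposed: bool # reachable from the internet
    criticality: int       # business criticality, 1 (low) to 3 (high)
    root_cause: str        # the artifact that introduced the finding (constructed)


# Constructed sample findings; three of them share one vulnerable library.
FINDINGS = [
    Finding("F1", 9.8, 0.02, False, False, 1, "lib-a@1.0 in base-image"),
    Finding("F2", 7.5, 0.05, False, True,  2, "lib-a@1.0 in base-image"),
    Finding("F3", 7.5, 0.05, False, False, 2, "lib-a@1.0 in base-image"),
    Finding("F4", 7.2, 0.40, True,  True,  3, "lib-b@2.3 in api/package-lock.json"),
    Finding("F5", 5.3, 0.01, False, False, 1, "lib-c@0.9 in worker/requirements.txt"),
]


def risk_score(f: Finding) -> float:
    """Per-finding score: severity modulated by exploitability and context (weights are assumed)."""
    score = f.cvss
    score *= 1 + f.epss                       # likelihood of exploitation
    if f.kev:
        score *= 1.5                          # known to be exploited in the wild
    if f.internet_exposed:
        score *= 1.3                          # reachable attack surface
    score *= {1: 0.8, 2: 1.0, 3: 1.2}[f.criticality]
    return score


def rank_findings(findings):
    """RBVM-style view: each finding ranked on its own risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def rank_fixes(findings):
    """Fix-impact view: findings grouped by root cause, ranked by total risk one change removes."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.root_cause].append(f)
    fixes = [(rc, sum(risk_score(f) for f in fs), [f.id for f in fs]) for rc, fs in groups.items()]
    return sorted(fixes, key=lambda fix: fix[1], reverse=True)
```

With this sample, the single highest-scoring finding is F4, but the fix that retires the most risk is the lib-a upgrade, which closes F1, F2 and F3 at once.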

See Dazz for yourself.
