Taking a Threat Adapted Approach to Vulnerability Management
As cyber threats continue to grow in complexity and frequency, vulnerability management requires more than just patching systems; it demands a dynamic, threat-adapted approach. As part of Cyber Rhino Threat Week (9-13 December 2024), which aimed to inform and to share threat intelligence insights and best practices with our customers, partners and industry ecosystem, we held a session that explored how integrating threat intelligence into vulnerability management can transform the way organisations prioritise and respond to risks.
Vulnerability management is a continuous, proactive process that keeps systems, networks and enterprise applications safe from cyberattacks and data breaches. As such, it is an important part of an overall security programme. The panel discussion explored how vulnerability management has changed over the years: in the past it simply involved patching servers and endpoints, with the patching cadence driven by collaboration with the IT team. Today it is a lot more complex, with the Internet of Things (IoT), kiosks, mobile devices, display screens and much more. Many assets are involved in the vulnerability management cycle, and each one increases the attack surface through which adversaries could gain access to an infrastructure. Teams now need to understand every asset connected to the network, make sure its firmware is up to date, and know when to patch, how to patch and whether patching will cause any disruption to the business.
The role of vulnerability management teams is to disseminate all this information to system owners so they understand why they need to patch and what to prioritise. This is easier said than done in an enterprise comprising hundreds of thousands of employees across multiple geographic locations.
Breaking down silos
The discussion delved into how important it is to break down silos between teams such as system information management teams, incident response teams and cyber threat intelligence teams, and how little data is shared across these silos. That is often because there is no automated way to get a bidirectional flow of information, and this is one area that a threat intelligence platform can really help to address.
This is one of the reasons why a threat-adapted approach is so important. Such an approach analyses behaviours and events in readiness to adapt to threats before they happen, so an organisation can continuously assess risk and apply appropriate enforcement. That said, if the team has not operationalised its threat intelligence and has no processes in place to overlay that intelligence on its vulnerability posture, then all the threat intelligence collected is wasted. One of the panelists likened this to having an external library card, or an Encyclopaedia Britannica covering all your threat actors: it provides information but does not activate a robust response. Teams need a way to contextualise and prioritise based on what threat actors are targeting, and this process needs to be automated.
The key question is how you take that expensive library card and plug it into the vulnerability management programme so that the team can easily and quickly prioritise information. They need context about what an asset does, what business value it delivers and how it functions in order to proactively prioritise risk and make the CTI programme relevant. All panelists agreed that if all you are doing is building a giant library, without the context and integration needed to drill down into what is important to the organisation, then your CTI programme simply becomes a cost centre.
The importance of compensating controls
This is where it is important to work with teams, business and system owners and any other stakeholders to understand their requirements, what is important to them and what they need to action, so they can proactively push and escalate. To achieve this, organisations must break down the silos by working with all teams involved in security, such as the governance, risk and control teams, to understand where their concerns lie and which technologies they are tracking. This is not just about understanding the organisation's cyber hygiene; it is also about understanding the layers an attacker would have to get through to exploit a weakness and carry out nefarious activity within the organisation. Once this insight is gained, teams can work through requirements and align the CTI programme to specific stakeholders.
Ultimately there is always the desire to patch, but it is not always possible to patch. This is where compensating controls are important: in other words, finding another way to protect the organisation while preparing to apply a patch. One panelist asked how you achieve this, and whether it should be left to the vulnerability management team or whether the CTI team can assist in making those all-important decisions.
All agreed that you must have offence and defence teams working together. This means mapping out the attack path: a better understanding of defence provides a better understanding of offence, as teams scout for what would be effective, then go to the next layer to consider what might be vulnerable and whether mitigating controls are in place to provide additional prevention.
Teams need to move at the speed of business and act fast while doing this safely. Achieving this comes down to having a holistic programme with a good knowledge of both offensive and defensive strategies.
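The prioritisation logic the panel describes (scanner severity overlaid with CTI on what is being exploited and targeted, system-owner context on asset value and exposure, and a discount for compensating controls that are already in place) can be made concrete. The following is an added example, not the panel's, the event organiser's or any product's scoring model; the weights are illustrative assumptions, and every CVE id, actor name, asset name and control name is a constructed placeholder.

```python
"""Threat-adapted vulnerability prioritisation (added illustration).

The weights are illustrative assumptions, not a published model.  All CVE
ids, actor names, asset names and control names are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int                # 1 (low) .. 5 (critical), from the system owner
    internet_exposed: bool             # part of the external attack surface?
    controls: frozenset = frozenset()  # compensating controls in place, e.g. "waf"


@dataclass(frozen=True)
class Finding:
    cve: str                           # placeholder id, not a real CVE
    asset: str                         # Asset.name the scanner found it on
    cvss: float                        # scanner's base score, 0..10
    exploited_in_wild: bool            # from the CTI feed
    targeting_actors: tuple = ()       # actors CTI reports using this vuln against our sector
    mitigated_by: frozenset = frozenset()  # controls that blunt this specific vuln


def threat_weight(f: Finding) -> float:
    """How much the current threat landscape says this vuln matters."""
    if f.exploited_in_wild:
        return 1.0
    if f.targeting_actors:
        return 0.8
    return 0.4


def asset_weight(a: Asset) -> float:
    """Business context from the system owner: value plus exposure (0..1)."""
    return 0.6 * a.business_value / 5 + (0.4 if a.internet_exposed else 0.0)


def control_weight(f: Finding, a: Asset) -> float:
    """Each compensating control that applies to this vuln halves the score."""
    return 0.5 ** len(f.mitigated_by & a.controls)


def threat_adapted_score(f: Finding, a: Asset) -> float:
    """CVSS re-weighted by threat, asset context and compensating controls."""
    return round(f.cvss * threat_weight(f) * asset_weight(a) * control_weight(f, a), 2)


def prioritise(findings, assets):
    """Rank findings highest risk first as (cve, asset, score, action) tuples."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        a = by_name[f.asset]
        score = threat_adapted_score(f, a)
        if score >= 5.0:
            action = "patch now"
        elif f.mitigated_by & a.controls:
            action = "compensating control in place; patch in next cycle"
        else:
            action = "schedule in normal patch cadence"
        ranked.append((f.cve, f.asset, score, action))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed sample inventory and scan results (placeholders throughout).
ASSETS = [
    Asset("payments-api", business_value=5, internet_exposed=True),
    Asset("hr-portal", business_value=4, internet_exposed=True,
          controls=frozenset({"waf", "mfa"})),
    Asset("build-agent", business_value=2, internet_exposed=False),
]

FINDINGS = [
    # Medium CVSS, but exploited in the wild and used by an actor targeting our sector.
    Finding("CVE-0000-0001", "payments-api", cvss=7.5, exploited_in_wild=True,
            targeting_actors=("ACTOR-PLACEHOLDER-1",), mitigated_by=frozenset({"waf"})),
    # Exploited in the wild, but the asset already sits behind a WAF that covers it.
    Finding("CVE-0000-0002", "hr-portal", cvss=8.1, exploited_in_wild=True,
            mitigated_by=frozenset({"waf"})),
    # Highest CVSS of the three, yet no exploitation activity and an internal, low-value host.
    Finding("CVE-0000-0003", "build-agent", cvss=9.8, exploited_in_wild=False),
]


if __name__ == "__main__":
    for row in prioritise(FINDINGS, ASSETS):
        print(row)
```

Ordered by CVSS alone, the 9.8 on the build agent would be patched first; with the CTI and asset context overlaid, the actively exploited 7.5 on the exposed payments API comes out on top, and the finding that is already covered by a compensating control drops into the next patch cycle rather than an emergency change. In practice the `exploited_in_wild` and `targeting_actors` fields are what a threat intelligence platform would feed in automatically, and `business_value` and `controls` are what the system and control owners supply.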
A fusion of threat intelligence, risk and vulnerability management
The tools required for a threat-adapted approach include an inventory of all assets as well as an understanding of the frequency of vulnerability scanning, so that the team knows how often it can expect to receive new information. Any internal data and external threat intelligence need to be operationalised into the threat intelligence programme.
Looking at the future of vulnerability management, the group discussed how CTI teams need to champion vulnerability teams, working together with bidirectional communication and presenting to stakeholders together. They also discussed how vulnerability management needs to expand to the external attack surface: understanding cloud environments, analysing configurations and misconfigurations, and finding default credentials.
Ultimately, all agreed that there will be a fusing of threat intelligence, vulnerability management and risk: coordinating all three will be critical for cyber hygiene and for planning, prioritising and mitigating threats.