{"id":15143,"date":"2021-02-15T08:00:24","date_gmt":"2021-02-15T07:00:24","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=15143"},"modified":"2021-02-09T19:26:25","modified_gmt":"2021-02-09T18:26:25","slug":"hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/","title":{"rendered":"Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: towards new approaches based on risk and prioritization (2\/2)"},"content":{"rendered":"<p><em>We have recently opened the contributions to this blog to start-ups accelerated by our Shake&#8217;Up project. Hackuity rethinks vulnerability management with a platform that collects, standardizes and orchestrates automated and manual security assessment practices and enriches them with Cyber Threat Intelligence data sources, technical context elements and business impacts. 
Hackuity enables you to leverage your existing vulnerability detection arsenal, to prioritize the most important vulnerabilities, to save time on low-value tasks and reduce remediation costs, to gain access to a comprehensive and continuous view of the company&#8217;s security posture, and to meet compliance obligations.<\/em><\/p>\n<p><em>After having seen in a first article the state of the threat and the current issues related to vulnerability management, we will see in this second article the new approaches to be considered to better manage vulnerabilities, in particular through the prioritization of vulnerability remediation proposed by Hackuity.<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>The advent of Risk-Based Vulnerability Management (RBVM)<\/h2>\n<p>Risk Based Vulnerability Management (RBVM) is an approach that treats each vulnerability according to the risk it represents for each company.<\/p>\n<p>In this context, the classic formula for calculating a risk applies:<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15089 media-15089\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-15089\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-3.1.png\" alt=\"\" width=\"943\" height=\"57\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-3.1.png 943w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-3.1-437x26.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-3.1-71x4.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-3.1-768x46.png 768w\" sizes=\"auto, (max-width: 943px) 100vw, 943px\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>The first part of the formula, vulnerability \u00d7 threat, can also be considered as a probability. 
This probability describes the chances that a given vulnerability will be discovered and used by a threat actor in the specific technical context of the organization. The last part of the formula describes the consequences, or impact, of a successful attack by a threat actor in the company&#8217;s business context.<\/p>\n<p>This is, in essence, the approach adopted by CVSS, a standard developed by FIRST (Forum of Incident Response and Security Teams), initially to quantify the technical severity of a vulnerability. Through 3 metric groups (base, temporal, environmental), the full CVSS score (now in its version 3.1) is supposed to reflect the real risk of each vulnerability, in the context of each company.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15091 media-15091\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15091 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2021\/02\/Image-5.png\" alt=\"\" width=\"721\" height=\"275\" \/><\/figure>\n<p style=\"text-align: center;\">Source: FIRST (<a href=\"https:\/\/www.first.org\/cvss\/specification-document\">https:\/\/www.first.org\/cvss\/specification-document<\/a>)<\/p>\n<p>&nbsp;<\/p>\n<p>Our purpose here is not to describe CVSS, so we assume that the reader is familiar with the concept. 
The CVSS score has <strong>many advantages<\/strong>, the main ones being:<\/p>\n<ul>\n<li>The only standard on the market available to quantify the criticality of a vulnerability,<\/li>\n<li>A detailed and transparent algorithm,<\/li>\n<li>A scoring widely adopted by the industry,<\/li>\n<li>Several world-wide reference databases available (in particular to qualify the criticality of CVEs).<\/li>\n<\/ul>\n<p>However, it has many limitations, the main ones of which can be listed here:<\/p>\n<ol>\n<li><span style=\"text-decoration: underline;\">Its low granularity:<\/span> each of the metrics is composed of categorical values with predetermined values (e.g., low, medium, high) which limits its discrimination capabilities.<\/li>\n<li><span style=\"text-decoration: underline;\">Its focus on qualifying vulnerabilities individually:<\/span> it is thus impossible to evaluate the criticality of a complete attack scenario with CVSS. For example, some cyber-attacks chain several low-severity vulnerabilities to compromise an entire perimeter. However, the CVSS assessment will only cover each of the vulnerabilities independently; it is necessary for the auditor to present a global scenario to highlight the overall risk, and they cannot rely solely on CVSS to do so since it was not designed to be aggregated.<\/li>\n<li><span style=\"text-decoration: underline;\">Its arbitrary nature:<\/span> the weights in the algorithm sometimes seem to be composed of <span style=\"text-decoration: underline;\">arbitrary figures<\/span> making the interpretation of these values complex. In the end, there is sometimes a significant margin of error in the CVSS quantification of the same vulnerability by two professionals.<\/li>\n<\/ol>\n<p>On the other hand, it should be remembered that the public CVSS scores, such as those referenced in the NVD, are only <strong>base scores<\/strong>. 
They represent the intrinsic criticality of a vulnerability, but do not reflect the risk that this vulnerability represents for the company. In other words, they answer the question \u201cIs it dangerous?\u201d but not \u201cIs it dangerous for my company right now?\u201d.<\/p>\n<p>Effective vulnerability management must take into account not only the base score, but also temporal and environmental metrics. FIRST provides the framework, but NIST cannot compute the full CVSS score for a given enterprise, as it requires knowledge of the criticality of the assets, identification of controls in place, the exploitability of the vulnerability in this specific context, or the intensity of the actual and current threat.<\/p>\n<p>In the field, however, we note that nearly 45% of the companies surveyed &#8211; of all sizes &#8211; only use the CVSS base score as the sole metric for quantifying the criticality of vulnerabilities.<\/p>\n<p>Beyond the relevance of this approach, the use of this single metric does not solve the major problem of the industry, which remains the <strong>volume of vulnerabilities to be addressed.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15093 media-15093\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-15093 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2021\/02\/Image-6.png\" alt=\"\" width=\"635\" height=\"413\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>Of the 123,454 vulnerabilities (CVE) identified as of 01\/15\/2020, more than 16K had a CVSS base score (V2.0) deemed critical (i.e., more than 13% of the total).<\/p>\n<p>&nbsp;<\/p>\n<h2>Beyond CVSS?<\/h2>\n<p>The objective of prioritization is therefore to reduce the stock of vulnerabilities by singling out the most critical ones, in order to allow the teams and means of remediation to focus on the vulnerabilities that matter the most.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15106 media-15106\" 
class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-15106 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-7.png\" alt=\"\" width=\"1337\" height=\"309\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-7.png 1337w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-7-437x101.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-7-71x16.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-7-768x177.png 768w\" sizes=\"auto, (max-width: 1337px) 100vw, 1337px\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>On the other hand, there is no doubt that the daily flood of new vulnerabilities brought up by the detection arsenal <strong>can no longer be managed manually<\/strong>. It is totally unrealistic to manually examine, analyze and prioritize all identified vulnerabilities.<\/p>\n<p><strong>Automation<\/strong> should enable teams to work more efficiently, reducing repetitive and\/or low value-added manual tasks and processes.<\/p>\n<p>To meet these needs and respond to the limitations of CVSS, the RBVM players are introducing:<\/p>\n<ul>\n<li>New risk metrics (scores) &#8211; proprietary &#8211; that complement, override or replace CVSS,<\/li>\n<li>Automation of analysis and measurement tasks, including correlation with threat sources (CTI) to continuously qualify the threat intensity associated with each vulnerability.<\/li>\n<\/ul>\n<p>More generally, the RBVM approach takes into account numerous evaluation metrics to establish a score based on context and threat. 
There seems to be a consensus on 4 main categories of criteria:<\/p>\n<h3>1\/ The vulnerability or the individual &#8211; intrinsic &#8211; characteristics of the vulnerability itself.<\/h3>\n<p>Through these criteria, the aim is to measure the severity of a vulnerability by taking into account metrics that are constant over time and regardless of the environment, such as the privileges required to exploit the vulnerability or its attack vector (remotely, on the same local network, with physical access, etc.).<\/p>\n<p>For this category, the CVSS base score (generally taken in its version 2.0, so that older vulnerabilities are also covered) is a solid starting point for analyzing the intrinsic criticality of the vulnerability. This is the score used by most solutions on the market.<\/p>\n<h3>2\/ The external threats that will be used to quantify the current intensity of the threat associated with each vulnerability.<\/h3>\n<p>The metrics used reflect characteristics that may change over time but not from one technical environment to another.<\/p>\n<p>\u201cIs the vulnerability associated with hot topics on discussion forums, the darknet and social networks? Has an exploit been published, or is it currently being exploited by a particularly virulent ransomware?\u201d<\/p>\n<p>The availability of an \u201cexploit\u201d associated with a vulnerability is, for example, an important factor taken up by most risk-based vulnerability management solutions. 
According to a Tenable Research study, <strong>76% of vulnerabilities with a CVSS base score &gt; 7 do not have an exploit available.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15108 media-15108\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-15108 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2021\/02\/Image-8.png\" alt=\"\" width=\"728\" height=\"310\" \/><\/figure>\n<p style=\"text-align: center;\">Source: (<a href=\"https:\/\/fr.tenable.com\/research\">https:\/\/fr.tenable.com\/research<\/a>)<\/p>\n<p>&nbsp;<\/p>\n<p>This means that companies that are focusing on fixing all their vulnerabilities with a \u201chigh\u201d or \u201ccritical\u201d risk according to CVSS would spend three thirds of their time filling in holes that ultimately represent little risk. For better operational efficiency, it is therefore appropriate to focus remediation efforts on vulnerabilities for which an exploit has already been released.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15110 media-15110\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-15110 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2021\/02\/Image-9.png\" alt=\"\" width=\"852\" height=\"358\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>But this is far from being the only relevant criterion. Without a known exploit, the age of the vulnerability can be taken into account to compute its probability of exploitation, using a statistical approach based on measured occurrences of exploitation. Some initiatives such as EPSS (Exploit Prediction Scoring System<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a> ) even try to predict the \u201cweaponization\u201d of vulnerabilities.<\/p>\n<p>Like the age of the vulnerability, the age of the exploit is also a factor that will highly influence the probability of exploitation. 
For example, the CVE exploitation rate skyrockets as soon as an exploit is published, and then progressively decreases.<\/p>\n<p>More generally, the threat intensity is an important metric in the prioritization algorithm. Beyond statistical approaches, it can be measured by monitoring CTI sources, social networks or various publications, such as quantifying the number of occurrences of these vulnerabilities in cybercriminal forum discussions. It will thus be possible to determine that a new or particularly active malware exploits a vulnerability and therefore to increase its criticality score.<\/p>\n<p>Many other indicators can be integrated to refine the relevance of vulnerability prioritization. The Hackuity solution takes into account more than 10 criteria in addition to the CVSS metrics to compute its \u201cTrue Risk Score\u201d:<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15112 media-15112\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-15112 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-10.png\" alt=\"\" width=\"1310\" height=\"629\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-10.png 1310w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-10-398x191.png 398w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-10-71x34.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-10-768x369.png 768w\" sizes=\"auto, (max-width: 1310px) 100vw, 1310px\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>In addition to the relevance of the choice of these criteria and the algorithm itself, the type and quality of the CTI sources monitored to continuously feed these metrics represent an important issue.<\/p>\n<p>Some of the sources used include the numerous open sources (OSINT) on vulnerabilities and threats (NIST-NVD, Exploit-db, Metasploit, Vuldb, PacketStorm, 
&#8230;), some of which are consolidated through open-source initiatives such as VIA4CVE (<a href=\"https:\/\/github.com\/cve-search\/VIA4CVE\">https:\/\/github.com\/cve-search\/VIA4CVE<\/a>).<\/p>\n<p>There are also a large number of private and commercial players offering CTI feeds with various levels of specialization in vulnerability intelligence.<\/p>\n<h3>3\/ The technical context or the unique characteristics of the environment in which the asset is located.<\/h3>\n<p>This category is used to measure the probability, or difficulty, of exploiting a vulnerability in the specific context of each organization.<\/p>\n<p>\u201cIs the asset exposed on the Internet or hidden somewhere in the company&#8217;s datacenter? What are the technical measures (protection, detection) that make it more or less vulnerable to attacks?\u201d<\/p>\n<p>If some market actors just determine that an asset is exposed on the Internet based on its IP addressing scheme, others like Hackuity will seek to measure the depth of the attack trees needed to exploit the vulnerability in the company&#8217;s IS.<\/p>\n<p>These characteristics are by definition specific to each environment. It is therefore necessary to hold, import, or determine such information, in particular by feeding the prioritization formula with contextual data linked to the assets. For example, the data may already exist and can therefore be extracted from internal repositories.<\/p>\n<h3>4\/ The business criticality of the asset.<\/h3>\n<p>This involves measuring the consequences, or impact, of a successful attack by a threat actor in the business context of the company.<\/p>\n<p>\u201cIs the asset impacted by the vulnerability critical to the organization in one way or another? Does it host sensitive or personal information? 
What are the impacts for the company in financial, reputational or compliance terms if the vulnerability is exploited?\u201d<\/p>\n<p>As with the technical context, these characteristics are specific to each environment. They may be manually entered or derived from risk analysis results such as Business Impact Analyses.<\/p>\n<p>To conclude on RBVM, whatever the degree of automation brought by the solution, it will only reach its full strength with the contribution of contextual elements that the tool cannot guess (business impacts, technical environment of the assets, organization, processes, etc.).<\/p>\n<p>&nbsp;<\/p>\n<h2>Beyond RBVM: Vulnerability Prioritization Technologies (VPTs)<\/h2>\n<p>While the major market leaders in vulnerability detection have adopted a risk-based approach to Vulnerability Management, they have not addressed the main problem associated with the \u201cbest-of-breed\u201d approach to detection: companies use multiple detection tools and practices to ensure complete and effective coverage of their technical perimeter.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15114 media-15114\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15114 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2021\/02\/Image-11.png\" alt=\"\" width=\"746\" height=\"270\" \/><\/figure>\n<p style=\"text-align: center;\">Average number of detection tools by company size \/ Hackuity &#8211; Panel of 93 companies<\/p>\n<p>&nbsp;<\/p>\n<p>As mentioned above, this necessary reliance on a heterogeneous arsenal promotes a fragmented and unconsolidated view of the situation, which limits the ability to scale and, with the growing volume of vulnerabilities, leads to an explosion of costs.<\/p>\n<p>To address this problem, emerging market players named VPTs (Vulnerability Prioritization Technologies) by Gartner, such as Hackuity, exploit existing sources of vulnerabilities in a tool-agnostic way.<\/p>\n<p>They 
collect and centralize vulnerabilities from any company&#8217;s detection arsenal: multiple practices (pentest, bug-bounty, red team, etc.), vulnerability detection solution providers (vulnerability scans, SAST, DAST, IAST, SCA, etc.) and vulnerability watch feeds. The main features of VPT solutions are described below.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15116 media-15116\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-15116 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-12.png\" alt=\"\" width=\"1298\" height=\"384\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-12.png 1298w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-12-437x129.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-12-71x21.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-12-768x227.png 768w\" sizes=\"auto, (max-width: 1298px) 100vw, 1298px\" \/><\/figure>\n<p style=\"text-align: center;\">Functional diagram of the Hackuity solution<\/p>\n<p>&nbsp;<\/p>\n<h3>A comprehensive view of the state of the stock of vulnerabilities<\/h3>\n<p>Automating the collection of vulnerabilities enables security teams to have, sometimes for the first time, a consolidated and centralized view of the company&#8217;s stock of vulnerabilities, regardless of the solutions or detection practices implemented.<\/p>\n<p>A crucial operation &#8211; and one that is very rarely performed &#8211; is the conversion of proprietary formats into a normalized format. This allows clones of the same vulnerability, which have been identified by several sources, to be deduplicated (e.g. 
the same SQL injection identified during a penetration test and during a vulnerability scan).<\/p>\n<p>As such, Hackuity&#8217;s vulnerability meta-repository is a multilingual knowledge base that provides a unified and standardized description of all vulnerabilities, including corrective actions, patches, remediation costs, or exploitability, with no loss of information from the original source.<\/p>\n<h3>The establishment and enrichment of an inventory of assets<\/h3>\n<p>In the field, only a rare few companies have an inventory of their assets that is considered complete or at least reliable (CMDB, ITAM, &#8230;). This is an endemic problem in the practice and sometimes the main obstacle to the implementation of an efficient vulnerability management policy in companies. In order to solve this problem, some solutions integrate into their operations the <strong>dynamic and continuous establishment of the repository of the company&#8217;s assets<\/strong> inventory. This inventory is established by analyzing and correlating the technical data collected (e.g. the software stack installed on a server, its various aliases, etc.) and provides an asset database that is continuously kept up to date with data from multiple sources.<\/p>\n<p>Asset criticality is also a key element in the vulnerability risk measurement process and accounts for nearly 50% in a prioritization approach. Without an accurate inventory of assets and an assessment of their criticality in the company&#8217;s business environment, it is impossible to accurately compute the real risk associated with each vulnerability. 
Some solutions, such as Hackuity, will compensate for the absence or incompleteness of risk analyses by <strong>automatically assessing the criticality of assets<\/strong> based on their technical and operational properties (types and families of tools installed, density of interconnections, hosted databases, etc.).<\/p>\n<p><strong>In the end, to have consolidated information about vulnerabilities or the company\u2019s assets, you no longer need to master dozens of tools or formats: the cost and workload associated with managing disparate tools is significantly reduced.<\/strong><\/p>\n<h3>The missing link between detection and remediation of vulnerabilities<\/h3>\n<p>Finally, the bidirectional link with the teams in charge of remediation or security supervision provides a collaborative approach in managing the stock of vulnerabilities.<\/p>\n<p>Indeed, while automation has become a key lever for vulnerability management, the human factor remains at the heart of the process.<\/p>\n<p>In most companies, Vulnerability Management involves 3 actors who must work together:<\/p>\n<ol>\n<li>The security teams in charge of operating the detection tools and managing remediation plans,<\/li>\n<li>The business managers who arbitrate or clarify the remediation plans in the light of business constraints,<\/li>\n<li>Operational staff in charge of deploying corrective measures (patch management, configuration, development, etc.).<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15118 media-15118\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-15118 aligncenter\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-13.png\" alt=\"\" width=\"1336\" height=\"579\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-13.png 1336w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-13-437x189.png 437w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-13-71x31.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-13-768x333.png 768w\" sizes=\"auto, (max-width: 1336px) 100vw, 1336px\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>The efficiency of the process is therefore not limited to the automation of vulnerability collection. In the downstream part of the process (remediation management), playbooks can be used to mobilize the resources needed to implement corrective measures: identification of the person in charge of the task, automatic creation of incident tickets, generation of scripts for Infrastructure as Code solutions, etc.<\/p>\n<p>Upstream, the CISO finally has, and often for the first time, a real-time perception of the progress of remediation plans.<\/p>\n<p>The vulnerability management solution is then the <strong>orchestrator of the ecosystem<\/strong> of solutions aiming at detecting, qualifying, correcting and monitoring vulnerabilities affecting the company.<\/p>\n<p>&nbsp;<\/p>\n<figure id=\"post-15120 media-15120\" class=\"align-none\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-15120 aligncenter\" src=\"http:\/\/riskinsight-prepro.s189758.zephyr32.atester.fr\/wp-content\/uploads\/2021\/02\/Image-14.png\" alt=\"\" width=\"792\" height=\"511\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-14-295x191.png 295w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-14-60x39.png 60w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Image-14-768x497.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n<p>&nbsp;<\/p>\n<p>Designed as an open system, it also allows third party tools and processes (SIEM, GRC, Compliance, Forensics, &#8230;) to be fed with consolidated and structured data on vulnerabilities, assets and threats affecting the 
business.<\/p>\n<p>&nbsp;<\/p>\n<h2>Conclusion<\/h2>\n<p>As a true cornerstone of corporate cyber security, vulnerability management can finally be synonymous with a scalable, effective practice for which it is now possible to have factual indicators reflecting the efforts made by security teams and teams in charge of remediation.<\/p>\n<p>Besides the direct impact on the company&#8217;s security posture, through a reduction in the vulnerability exploitation window, or even the mobilization of experts on high added-value tasks, the integration of a vulnerability management orchestration solution can also have indirect benefits, such as a better understanding of the information system, or even a tenfold increase in the commitment of the teams thanks to the quantification of the impact of their actions on the company&#8217;s security.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> <a href=\"https:\/\/arxiv.org\/pdf\/1908.04856.pdf\">https:\/\/arxiv.org\/pdf\/1908.04856.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have recently opened the contributions to this blog to start-ups accelerated by our Shake&#8217;Up project. 
Hackuity rethinks vulnerability management with a platform that collects, standardizes and orchestrates automated and manual security assessment practices and enriches them with Cyber Threat&#8230;<\/p>\n","protected":false},"author":1400,"featured_media":15144,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2777,3273],"tags":[3807,3810,3156,3582,2878,3806],"coauthors":[3799,3801],"class_list":["post-15143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-digital-trust","category-ethical-hacking-indicent-response-en","tag-hackuity-en","tag-prioritization","tag-risk-management-en","tag-shakeup","tag-vulnerabilities","tag-vulnerability-management"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The future of vulnerability management - Hackuity (2\/2)<\/title>\n<meta name=\"description\" content=\"After having seen in a first article the problems of vulnerability management, Hackuity presents its solutions to solve them.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The future of vulnerability management - Hackuity (2\/2)\" \/>\n<meta property=\"og:description\" content=\"After having seen in a first article the problems of vulnerability management, Hackuity presents its solutions to solve them.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-15T07:00:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"881\" \/>\n\t<meta property=\"og:image:height\" content=\"360\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Patrick Ragaru, R\u00e9my Houselstein\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Patrick Ragaru, R\u00e9my Houselstein\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\"},\"author\":{\"name\":\"Patrick Ragaru\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/9f8a48ad14527a546bb8a53c4158c6e0\"},\"headline\":\"Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: towards new approaches based on risk and prioritization 
(2\/2)\",\"datePublished\":\"2021-02-15T07:00:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\"},\"wordCount\":2803,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png\",\"keywords\":[\"hackuity\",\"prioritization\",\"risk management\",\"shake'up\",\"Vulnerabilities\",\"vulnerability management\"],\"articleSection\":[\"Cybersecurity &amp; Digital Trust\",\"Ethical Hacking &amp; Incident Response\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\",\"name\":\"The future of vulnerability management - Hackuity 
(2\/2)\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png\",\"datePublished\":\"2021-02-15T07:00:24+00:00\",\"description\":\"After having seen in a first article the problems of vulnerability management, Hackuity presents its solutions to solve them.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png\",\"width\":881,\"height\":360},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-ri
sk-and-prioritization-2-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: towards new approaches based on risk and prioritization (2\/2)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/9f8a48ad14527a546bb8a53c4158c6e0\",\"name\":\"Patrick 
Ragaru\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/patrick-ragaru\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The future of vulnerability management - Hackuity (2\/2)","description":"After having seen in a first article the problems of vulnerability management, Hackuity presents its solutions to solve them.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/","og_locale":"en_US","og_type":"article","og_title":"The future of vulnerability management - Hackuity (2\/2)","og_description":"After having seen in a first article the problems of vulnerability management, Hackuity presents its solutions to solve them.","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/","og_site_name":"RiskInsight","article_published_time":"2021-02-15T07:00:24+00:00","og_image":[{"width":881,"height":360,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png","type":"image\/png"}],"author":"Patrick Ragaru, R\u00e9my Houselstein","twitter_misc":{"Written by":"Patrick Ragaru, R\u00e9my Houselstein","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/"},"author":{"name":"Patrick Ragaru","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/9f8a48ad14527a546bb8a53c4158c6e0"},"headline":"Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: towards new approaches based on risk and prioritization (2\/2)","datePublished":"2021-02-15T07:00:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/"},"wordCount":2803,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png","keywords":["hackuity","prioritization","risk management","shake'up","Vulnerabilities","vulnerability management"],"articleSection":["Cybersecurity &amp; Digital Trust","Ethical Hacking &amp; Incident 
Response"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/","name":"The future of vulnerability management - Hackuity (2\/2)","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png","datePublished":"2021-02-15T07:00:24+00:00","description":"After having seen in a first article the problems of vulnerability management, Hackuity presents its solutions to solve 
them.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/02\/Hackuity-Shake-Up-1.png","width":881,"height":360},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2021\/02\/hackuity-shakeup-the-future-of-vulnerability-management-towards-new-approaches-based-on-risk-and-prioritization-2-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: towards new approaches based on risk and prioritization (2\/2)"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s 
consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/9f8a48ad14527a546bb8a53c4158c6e0","name":"Patrick 
Ragaru","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/patrick-ragaru\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/15143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1400"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=15143"}],"version-history":[{"count":2,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/15143\/revisions"}],"predecessor-version":[{"id":15147,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/15143\/revisions\/15147"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/15144"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=15143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=15143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=15143"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=15143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}