Among them, the Risk-based Vulnerability Management Project, which was formally proposed in 2018, was called the “Vulnerability Management Project in line with CARTA methodology” in 2018 and 2019, and was updated to its current more suitable name in 2020.
A vulnerability here can include software vulnerabilities as well as other weaknesses that can cause business risk, such as insecure configurations and information leaks. In addition, vulnerability management is not just detection. Vulnerability scanning, penetration testing, configuration inspection and so on all belong to finding weaknesses; the "management" here additionally requires detecting and assessing vulnerabilities, prioritizing their treatment, and applying compensating controls for some weaknesses, so that the process forms a closed loop.
In 2020, Gartner proposed VPT (Vulnerability Priority Technology) to replace and upgrade TVM (Threat and Vulnerability Management). VPT is also the core technology and tool of the "Risk-based Vulnerability Management Project". The project needs to use VPT to link discovery, assessment, prioritization, workflow, disposal methods and their effects, automation measures, etc., into a closed loop with iterative improvement of the entire risk management process.
Vulnerability management is an essential component of secure operations. Patches should never be treated equally; risk should be significantly reduced by identifying and compensating for prioritized weaknesses through risk-based priority management.
From the point of view of vulnerabilities, reality has shown that there are so many of them that it is unrealistic to deal with every significant one. Instead, focus first on the ones that can be exploited. How, then, do you know whether a vulnerability is exploitable? Vulnerability intelligence is needed: not about the vulnerability itself, but about exploits for it (EXP) and proofs of concept (POC).
According to the X-Force Threat Intelligence Index 2020, 90% of real cyber attacks come from phishing attacks, vulnerability attacks, weak passwords and unauthorized attacks. Vulnerability attacks account for about 30 percent.
As the core technology of the risk-based vulnerability management project, VPT should focus on collecting the weaknesses that pose the main threats, then assign priorities and process them according to factors such as the importance of the system, how easily it can be threatened, and the urgency of the situation. Combined with experience and process, this forms automated disposal (including but not limited to patching, mitigation, transfer, acceptance, etc.), and the results and effects of disposal are verified and evaluated.
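The prioritization described above, as an added example that is not from the original article or any VPT product. The weights, thresholds, field names and sample findings are assumptions constructed for illustration; the article names the factors but gives no formula.

```python
from dataclasses import dataclass

# Assumed weights: the article names these factors but gives no formula.
EXPLOIT_WEIGHT = {"none": 0.2, "poc": 0.6, "exp": 1.0}    # exploit intelligence
ASSET_WEIGHT = {"low": 0.5, "medium": 0.75, "high": 1.0}  # system importance

@dataclass
class Finding:
    ident: str                 # constructed ID, not a real CVE
    kind: str                  # "vulnerability", "insecure-config", "info-leak"
    severity: float            # scanner base severity, 0-10
    exploit: str               # "none", "poc" or "exp"
    asset: str                 # "low", "medium" or "high"
    internet_facing: bool      # ease of reaching the weakness
    compensated: bool = False  # a compensating control is already in place

def risk_score(f: Finding) -> float:
    """Scale base severity by exploitability, asset importance and exposure."""
    score = f.severity * EXPLOIT_WEIGHT[f.exploit] * ASSET_WEIGHT[f.asset]
    if f.internet_facing:
        score *= 1.2
    if f.compensated:
        score *= 0.5
    return round(min(score, 10.0), 2)

def disposal(f: Finding) -> str:
    """Map a score to a disposal method (thresholds are assumptions)."""
    score = risk_score(f)
    if score >= 7.0:
        return "patch"
    if score >= 2.0:
        return "mitigate"
    return "accept"

def prioritize(findings):
    """Return findings ordered from highest to lowest risk."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings
FINDINGS = [
    Finding("F-001", "vulnerability", 9.8, "none", "low", False),
    Finding("F-002", "vulnerability", 7.5, "exp", "high", True),
    Finding("F-003", "insecure-config", 6.0, "poc", "medium", False),
    Finding("F-004", "info-leak", 5.0, "exp", "high", True, compensated=True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f.ident, f.kind, risk_score(f), disposal(f))
```

F-001 has the highest base severity yet ranks last, because no exploit is known for it and the affected asset is of low importance.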
VPT products are security risk management products built for vulnerability priority projects and are solutions to such problems. Their strong and rich vulnerability priority management capabilities can help enterprises immediately manage the most urgent and thorny security threats.
Perfect vulnerability statistics and disposal status analysis:
Detailed vulnerability information and convenient vulnerability disposal operations: