Vulnerability prioritization is a business-specific process because not all vulnerabilities pose the same risk to organizations. It requires you to research the vulnerabilities in your environment, flagging and prioritizing the most potentially impactful vulnerabilities.
Prioritizing your vulnerabilities helps you strengthen your security posture by showing you each security vulnerability you need to address — and in what order. It also helps you weed out false positives and other low-priority vulnerabilities that add white noise to your day. (Raise your hand if you’ve been a victim of a vulnerability that you spent half a day analyzing, only to find out it was a great big fat nothing burger. ✋)
A to-do list that writes itself? Yes, please.
What is a vulnerability?
A vulnerability is a weakness or error in software, hardware, a network, or a system. Vulnerabilities pose a threat to businesses because threat actors often leverage them to launch cyberattacks. For example, in 2023, cybercriminals found and exploited a vulnerability (CVE-2023-27350) in the print management software PaperCut. As a result, hackers could execute malicious code remotely on vulnerable, unpatched systems.
In 2022, the National Institute of Standards and Technology (NIST) reported more than 13,000 vulnerabilities in its National Vulnerability Database, and 85% of those vulnerabilities were classified as medium or high severity.
1. Assess the criticality of each vulnerability in your environment
Experts categorize known vulnerabilities using the Common Vulnerability Scoring System, or CVSS. The beauty of relying on a CVSS score to assess vulnerability criticality is that it’s a standardized system that covers essentially every environment. The downside? ... it’s a standardized system that covers essentially every environment. 😬
In other words, CVSS scores are general rankings of how critical a vulnerability is for most environments — but not all. For example, a CVSS score of 10 (the highest possible score) may not be an all-hands-on-deck situation for you if the vulnerable software only appears on air-gapped machines. Meanwhile, a vulnerability with a lower CVSS score might pose a higher risk to your environment if the affected software runs broadly on your public-facing servers.
I recommend using CVSS scores as a guide rather than as the be-all and end-all. Of course, you should analyze vulnerabilities with high CVSS scores before moving on to lower-ranking ones. A critical vulnerability is far more likely to impact you than one with a lower CVSS score, and it’s better to be safe than sorry.
2. Tally the number of machines each vulnerability impacts
Now that you know which vulnerabilities might prove to be critical in your environment, you can rank them based on the number of machines impacted. This step builds on the last one: If a critical (in your environment) vulnerability appears on most of your devices, you’ll want to bump that vulnerability up to the top to remediate. But that less critical vulnerability living on one or two devices? Eh, take lunch first.
Is automation sounding pretty great right about now?
PDQ Connect’s built-in vulnerability scanner shows you which devices are vulnerable — and which vulnerabilities you should care about based on the context of your unique environment. Let PDQ Connect do the grunt work for you. Try it free for 14 days.
3. Research how threat actors are weaponizing the vulnerabilities that exist in your environment
Let’s take a stroll down memory lane to the Log4j vulnerability. I know I reference this one a lot (it’s the trauma), but it serves as a perfect example of why exploitation is worth looking at.
As you may remember (perhaps also from the trauma), Log4j was particularly troublesome because the vulnerable component was a logging library used across the Java ecosystem. According to SlashData’s State of the Developer Nation report, Java ranks second in terms of how many active developers use each programming language. Needless to say, the impact was truly unreal.
And that’s why it’s so important to examine how threat actors are weaponizing vulnerabilities. If security researchers report an influx of exploitations, you may want to bump those vulnerabilities to the top of your remediation list. And if a vulnerability happens to be a zero day, stop; drop (everything else); and roll (out any mitigations you can until a patch comes through). What would cybersecurity be without a fire-based analogy?
Bonus tip: Research who is exploiting these vulnerabilities
If you’re feeling froggy, consider the hacker behind the exploit. Is the vulnerability super complex, requiring skill and finesse to exploit, or is it so simple a script kiddie could do it? If the vulnerability is in script kiddie territory, consider elevating it on your list of remediations.
4. Consider risk-based vulnerability management
From your research so far, you know which vulnerabilities have the potential to wreak the most havoc on your environment. But unless your boss is Bill Lumbergh, it’s likely your boss cares less about what each vulnerability looks like on paper and more about how it could impact the business. This is risk-based vulnerability management, which is the type of management your boss is most likely to care about. So put on your business cap and let’s talk.
Out of your highest-ranking vulnerabilities, which one(s) would impact business-critical machines or operations? For instance, would that one unpatched vulnerability that enables the exfiltration of sensitive data end life as your company knows it? Or how about that other vulnerability that’s actively being exploited and allowing hackers to give themselves admin rights?
Asking these types of questions helps you focus on risk-based vulnerability prioritization (again, speaking your boss's love language). Because while all vulnerabilities pose risk, some could take down your business more easily than others.
“In a business context, all vulnerabilities stink, but some are stinkier than others — so stinky that they could halt business operations temporarily or permanently.” —George Orwell, probably, if he worked on a security team
5. Prioritize patches based on your findings
With all this info in tow, you can see which vulnerabilities you should address sooner rather than later. To be clear, you may have multiple vulnerabilities that scream, “Fix me now, or it’s all over.” Don’t let the different rankings give you analysis paralysis.
Instead, form a game plan, like Jake Costello, one of PDQ’s sysadmins, does:
“I prioritize by how many computers are affected, how critical [each vulnerability is], and how easy [each vulnerability] is to fix. Wipe out the easy stuff and then spend more time looking into the harder ones and testing fixes on a few computers.”
Prioritize patches in a way that makes the most sense for your business, and get to patching. Well, testing. Don’t deploy those patches to prod until you test them, please and thank you.
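To show how the five steps above combine into one ranking, here is an added example (not code from the article or from PDQ Connect) that scores a constructed list of vulnerabilities by CVSS, fleet coverage, exposure, exploitation status, business impact, and ease of fix. The weights, the `Vuln` record, and the sample fleet of 200 machines are assumptions; tune them to your environment.

```python
from dataclasses import dataclass

# Constructed sample records (not from the article): one row per vulnerability,
# holding the facts the five steps above tell you to gather.
@dataclass
class Vuln:
    name: str                # placeholder id, not a real CVE
    cvss: float              # step 1: CVSS base score, 0-10
    hosts: int               # step 2: machines affected
    exposure: str            # step 1 caveat: "public", "internal" or "airgapped"
    exploited: bool          # step 3: exploitation reported in the wild
    easy_exploit: bool       # bonus tip: script-kiddie territory
    business_critical: bool  # step 4: sits on business-critical machines
    easy_fix: bool           # step 5: simple patch, ship it first on ties

# Assumed weights; tune them to your environment.
EXPOSURE_WEIGHT = {"public": 1.0, "internal": 0.6, "airgapped": 0.2}

def priority(v: Vuln, total_hosts: int) -> float:
    """Return a 0-100 priority score; higher means remediate sooner."""
    score = v.cvss / 10.0                       # step 1: start from CVSS
    share = v.hosts / total_hosts               # step 2: fleet coverage
    score *= 0.3 + 0.7 * share                  # a single host still counts
    score *= EXPOSURE_WEIGHT[v.exposure]        # air-gapped dilutes a CVSS 10
    if v.exploited:
        score *= 1.5                            # step 3: weaponized already
    if v.easy_exploit:
        score *= 1.2                            # bonus tip: low skill needed
    if v.business_critical:
        score *= 1.5                            # step 4: business impact
    return round(min(score, 1.0) * 100, 1)

def rank(vulns, total_hosts):
    """Step 5: highest priority first; easy fixes win ties."""
    return sorted(vulns, key=lambda v: (-priority(v, total_hosts), not v.easy_fix))

SAMPLE = [  # constructed fleet of 200 machines
    Vuln("VULN-A", 10.0, 40, "airgapped", False, False, False, False),
    Vuln("VULN-B", 7.5, 160, "public", True, True, True, False),
    Vuln("VULN-C", 4.3, 2, "internal", False, False, False, True),
    Vuln("VULN-D", 8.8, 120, "public", False, False, False, True),
]

def ranked_names(vulns=SAMPLE, total_hosts=200):
    return [v.name for v in rank(vulns, total_hosts)]

if __name__ == "__main__":
    for v in rank(SAMPLE, 200):
        print(f"{v.name}: {priority(v, 200)}")
```

Note that the actively exploited CVSS 7.5 on public-facing, business-critical machines lands at the top, while the CVSS 10 confined to air-gapped hosts drops near the bottom, which is exactly the reordering step 1 warns about.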
How to prioritize vulnerabilities FAQs
Why is it important to prioritize vulnerabilities?
Prioritizing vulnerabilities is important because it’s virtually impossible to remediate every single vulnerability that lurks in your environment. But some vulnerabilities require immediate or near-immediate attention, and you find those vulnerabilities during the prioritization process. In turn, this makes the patch management process more straightforward and easier to tackle.
Is there a vulnerability prioritization tool?
Yes, some vulnerability management software includes a tool that automatically prioritizes vulnerabilities for you. For the most effective vulnerability prioritization, find a vulnerability prioritization tool that contextualizes, groups, and prioritizes vulnerabilities for you.
What is vulnerability management?
Vulnerability management is the process of identifying, remediating, and monitoring vulnerabilities that impact your environment. Vulnerability prioritization is part of the vulnerability management process.
How does vulnerability management differ from patch management?
Vulnerability management includes identifying, classifying, and addressing vulnerabilities, whereas patch management focuses on administering software updates. While patch management is often a component of vulnerability management, vulnerability management also incorporates other functions.
Think of it this way: If we compare the difference between vulnerability management and patch management to baking a cake, vulnerability management includes finding a recipe, gathering the ingredients, measuring them, combining them, mixing them, putting the cake in the oven, taking it out, letting it cool, decorating it, serving it, and then reflecting on how the recipe turned out. Meanwhile, patch management is more akin to gathering and combining the ingredients.
What is a vulnerability scanner? What does it do?
A vulnerability scanner is a tool that searches for and flags vulnerabilities in your environment. At the risk of oversimplifying the process, vulnerability scanners search for vulnerable components — software, hardware, drivers, configurations, etc. — in your environment. Then, they flag them for review.
What is attack surface management?
Attack surface management seeks to analyze and reduce the potential entry points that threat actors could exploit. In short, it’s a fancy way of conceptualizing something you’re probably already doing — even if you don’t think of it as attack surface management.
How do you remediate vulnerabilities?
In most cases, vulnerability remediation consists of patching, or applying updates to vulnerable programs or systems. Vulnerability remediation is often automated, as it’s a tedious, time-consuming task that never ends. To automate vulnerability remediation, choose vulnerability management software that knocks out those repetitive tasks for you.
Looking for a patch management solution that does it all?* Look no further than PDQ Connect. Leverage Connect's real-time inventory and vulnerability data and let it prioritize vulnerabilities for you. Try it free for 14 days.
*Our devs have tried repeatedly to teach PDQ Connect to fetch Monsters and coffee, to no avail — yet. If they can figure out how to make it happen, we’ll announce it on our roadmap.