
Forrester’s Unified Vulnerability Management (UVM) – What it Means and Why it Matters

Posted by: Dale Fairbrother
May 05, 2025

Forrester recently published their new market guide for Unified Vulnerability Management (UVM), and we are excited that XM Cyber has been recognized in this new report.

But before we jump into what this means for us, we need to address this new category of UVM. UVM solutions make it easier for organizations to produce tactical reports, using common prioritization inputs such as CVSS, EPSS, and CISA’s KEV catalog to rank issues. They also manage and track remediation progress, keeping the work organized and focused on the task at hand.

According to Forrester, UVM is “a solution that serves as the primary book of record for all organizational vulnerabilities and improves and facilitates remediation workflows.” Organizations are using UVM solutions to aggregate vulnerability findings from multiple sources to “orchestrate and augment vulnerability response and track remediation status.”

At this point, you wouldn’t be faulted for thinking that this sounds a lot like vulnerability management. That’s because it is essentially an evolution of vulnerability management. Forrester has renamed the market from Vulnerability Risk Management (VRM) to Unified Vulnerability Management (UVM) because it expects the risk-based approaches of VRM solutions to be superseded by a hybrid of exposure management and continuous security testing.

Although exposure management and continuous security testing offer real benefits, they currently lack the same widespread adoption and are perhaps less effective at improving vulnerability remediation and response. Instead, they focus primarily on two of Forrester’s three principles of proactive security, visibility and prioritization, rather than on remediation.

So What’s Driving This Trend Towards a Unified Approach?

The changes aim to address the challenges of siloed security solutions around visibility, prioritization, and remediation. In the words of Forrester, “Vulnerability management is essential for achieving proactive security, but today’s proactive security strategies encompass more than vulnerability management.” Forrester also reports a significant increase in customers looking to understand how their attack surface management, exposure management, and continuous security testing capabilities will fit into their proactive security roadmap.

The Importance of Unified Vulnerability Management

An effective vulnerability patch management program is essential for addressing specific weaknesses in an organization’s attack surface as part of an ongoing, continuous proactive security strategy. It is driven both by compliance regulations and by the business’s reliance on its digital services. Although CVEs aren’t the only weaknesses in an attack surface, they continue to dominate how IT operations teams spend their time, because the number of CVEs keeps growing and a diverse set of discovery tools can find them. The typical flaw in this approach is the overwhelming number of critical issues those tools report. Hence the need for the new approach to unification and prioritization discussed in the Forrester report.

From conversations with organizations across the globe about the success of their vulnerability management programs, a common viewpoint emerges: the intent of the program doesn’t always align with the outcome they are trying to achieve. Even after buying multiple discovery tools in order to gain far greater visibility than ever before, the outcome is an even longer list of critical vulnerabilities to address, each with the same suggested action of applying a patch to the system, which is not a simple task.

The UVM landscape highlights the much-needed evolution of these tools and of the vulnerability management programs they support. It goes on to describe both the primary and extended use cases for UVM and how they help streamline an organization’s vulnerability management processes and improve overall security posture, which in turn should lead to increased efficiency, better risk management, and improved collaboration between security and IT teams.

Varying Approaches to Unified Vulnerability Management

The primary use cases highlighted in the report are about the ability to prioritize, respond to, and report on vulnerabilities across the full attack surface. It’s due to this, along with some extended capabilities, that XM Cyber has been recognized in this report.

In addition to our Continuous Exposure Management Platform, the Forrester Landscape also includes a wider variety of vendor solutions, each taking varying approaches to address this same challenge and focusing on different extended use cases that build on top of the three primary use cases.

My interpretation of these different vendor capabilities included in the landscape falls under three distinct approaches: Aggregation, Integrated, and Interconnected.

Aggregation is the approach taken by Cyber Asset Attack Surface Management (CAASM) tools, which typically offer no native discovery capabilities and rely entirely on ingesting vulnerability data from third-party sources. They deduplicate CVEs by asset, normalize the scores from different sources onto one scale to aid prioritization, and do a good job of centralizing CVE reporting so that all your vulnerabilities appear on a single list.

This aggregation approach can provide good time to value, and although it is easy to set up, it doesn’t replace any of the underlying tools and data sources. It also doesn’t discover anything new: you only see the data you already had from those other tools, nicely sorted into what in theory becomes a single source of truth. The intent is to gain additional visibility and awareness, but the outcome is only as good as the sum of its parts, and you end up paying twice to see the same information.

The next approach is the integrated approach. This is similar to aggregation but typically gathers vulnerability data from the vendor’s own portfolio of products. It is the usual path for vendors that have acquired many other companies and technologies and stitched the different sensor types and discovery methods together under a single license or management interface.

These solutions do all of their own discovery, and if fully deployed across an environment they will find the vulnerabilities their sensors are built to detect. They use additional context about the assets and devices the CVEs are associated with to adjust their risk score calculations. For example, a CVE discovered on a database server, or on a laptop used by the CISO, will typically be given a higher criticality weighting than the same CVE on a standard workstation.

Because the integrated approach does all its own discovery, there are cost savings from replacing other disparate tools, but operationally these solutions can still be cumbersome to deploy, operate, and manage. Their prioritization logic can also be flawed: they often measure risk as a standalone score for each asset, which may help estimate the likelihood of compromise for that individual asset but has no awareness of lateral movement and doesn’t factor in the potential blast radius or business impact if the vulnerability were actually exploited.

This brings us to the third approach, and the one closest to how XM Cyber addresses the UVM challenge: the interconnected approach. I like to think of this as a threat-led approach to vulnerability management, but for now I’ll call it interconnected, because it builds on the prioritization logic of the integrated approach and adds awareness of how exposures on one asset enable lateral movement to others. This is correlated using attack path modeling and the real-world attack techniques that could be used to compromise the asset and move laterally towards your business-critical systems.

This approach incorporates the extended use cases highlighted by Forrester: vulnerability enrichment, attack surface and exposure management, cyber risk quantification, and emergency or celebrity vulnerability response. The enrichment comes from correlation with threat intelligence. The risk quantification is powered by XM Attack Graph Analysis™, which factors in both the adversarial complexity of a specific attack technique and the percentage of critical assets put at risk by each vulnerability or vulnerable device, giving a more holistic and flexible logic for prioritization.
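To make the difference between the three approaches concrete, here is an added illustration, not XM Cyber’s code or the logic of any product named in the Forrester report. It ranks the same constructed set of findings three ways: aggregation (normalize scores from two hypothetical scanners onto one scale and deduplicate by asset and CVE), integrated (weight by asset context such as a database server or the CISO’s laptop), and interconnected (score each exposure by the share of critical assets an attacker can no longer reach once it is fixed, divided by the complexity of the technique it enables). The asset names, CVE identifiers, scores, weights, and attack-graph edges are all invented for the example.

```python
"""Three ways to rank the same vulnerability findings: aggregation, integrated
(asset-context weighting) and interconnected (attack-graph reachability).
Every asset, CVE, score and edge below is constructed for illustration."""
from collections import defaultdict, deque

# Constructed findings from two hypothetical scanners that report on different
# scales: (source, asset, cve, score, scale_max).
RAW_FINDINGS = [
    ("scannerA", "web-01", "CVE-2024-0001", 9.8, 10),
    ("scannerB", "web-01", "CVE-2024-0001", 95, 100),   # same finding, other scale
    ("scannerA", "web-01", "CVE-2024-0002", 5.3, 10),
    ("scannerA", "web-02", "CVE-2024-0006", 8.1, 10),
    ("scannerA", "jump-01", "CVE-2024-0003", 6.5, 10),
    ("scannerB", "jump-01", "CVE-2024-0003", 62, 100),
    ("scannerA", "db-01", "CVE-2024-0004", 7.5, 10),
    ("scannerB", "laptop-ciso", "CVE-2024-0005", 40, 100),
]
# Hypothetical asset context: business weight and which assets are crown jewels.
ASSET_WEIGHT = {"web-01": 1.0, "web-02": 1.0, "jump-01": 1.0,
                "db-01": 1.5, "laptop-ciso": 1.5}
CRITICAL_ASSETS = {"db-01", "laptop-ciso"}
ENTRY_POINT = "internet"
# Hypothetical attack graph: an attacker already on `src` can compromise `dst`
# by exploiting `cve` on `dst`; `complexity` is 1 (trivial) .. 3 (hard).
# CVE-2024-0002 enables no edge, so it gives the attacker nothing new.
ATTACK_EDGES = [
    ("internet", "web-01", "CVE-2024-0001", 1),
    ("internet", "web-02", "CVE-2024-0006", 1),
    ("web-01", "jump-01", "CVE-2024-0003", 1),
    ("web-02", "jump-01", "CVE-2024-0003", 1),
    ("jump-01", "db-01", "CVE-2024-0004", 2),
    ("jump-01", "laptop-ciso", "CVE-2024-0005", 2),
]

def aggregate(findings):
    """Aggregation: normalise every score to 0-10, then dedupe by (asset, cve),
    keeping the highest normalised score seen for that pair."""
    best = {}
    for _src, asset, cve, score, scale_max in findings:
        norm = round(score * 10 / scale_max, 1)
        best[(asset, cve)] = max(best.get((asset, cve), 0.0), norm)
    return best

def integrated(findings):
    """Integrated: multiply the normalised score by an asset-context weight.
    Still a per-asset view with no notion of where the attacker goes next."""
    return {k: round(v * ASSET_WEIGHT.get(k[0], 1.0), 2)
            for k, v in aggregate(findings).items()}

def reachable_critical(edges, entry=ENTRY_POINT):
    """Critical assets reachable from `entry` over the given edges (BFS)."""
    adj = defaultdict(list)
    for src, dst, _cve, _cx in edges:
        adj[src].append(dst)
    seen, queue = {entry}, deque([entry])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen & CRITICAL_ASSETS

def interconnected(findings, edges=ATTACK_EDGES):
    """Interconnected: score = (share of critical assets cut off from the entry
    point if this exposure is fixed) / technique complexity. A 9.8 on web-01
    scores 0 because web-02 offers an alternate path to the same place."""
    baseline = reachable_critical(edges)
    scores = {}
    for asset, cve in aggregate(findings):
        enabled = [e for e in edges if e[1] == asset and e[2] == cve]
        remaining = [e for e in edges if e not in enabled]
        protected = len(baseline - reachable_critical(remaining))
        cx = max((e[3] for e in enabled), default=1)
        scores[(asset, cve)] = round(protected / len(CRITICAL_ASSETS) / cx, 2)
    return scores

def choke_points(edges=ATTACK_EDGES):
    """Assets whose removal cuts the most critical assets off from the entry."""
    baseline = reachable_critical(edges)
    cut = {h: len(baseline - reachable_critical(
               [e for e in edges if h not in (e[0], e[1])]))
           for h in {e[1] for e in edges}}
    return sorted(cut.items(), key=lambda kv: (-kv[1], kv[0]))

def ranked(scores):
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for name, fn in (("aggregation", aggregate), ("integrated", integrated),
                     ("interconnected", interconnected)):
        print(name)
        for (asset, cve), s in ranked(fn(RAW_FINDINGS)):
            print(f"  {s:>5}  {asset:<12} {cve}")
    print("choke points:", choke_points())
```

Run it and the three lists disagree in the way the text describes: aggregation puts the 9.8 on web-01 first, the integrated view promotes the 7.5 on the database server because of its weight, and the interconnected view puts the medium 6.5 on jump-01 first, because both entry paths funnel through it and fixing it alone cuts every critical asset off from the entry point. That host is also the top choke point, while the two internet-facing CVEs score zero on their own because each has an alternate route around it.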

The XM Cyber research team also prides itself on its time to action for newly announced celebrity CVEs, and works to update the XM Attack Arsenal with new techniques that validate the exploitability of these emergency CVEs within a 72-hour SLA.

UVM is a Moving Target!

When discussing market maturity, Forrester explains that UVM is an evolution of the previous VRM landscape, but not the end state for proactive security. In associated reports and blogs, such as “The Three Principles of Proactive Security” and “Strengthen Proactive Security with Continuous Security Testing,” it’s clear that UVM is only a step along the journey to new security methodologies and technology categories that will drive a more effective approach to proactive security and exposure management.

XM Cyber is grateful for the recognition in Forrester’s UVM Landscape Report. We know that the future of cybersecurity is in the approach. Organizations need to combine technology, people, and processes in a unified strategy to prevent high-impact attacks, through continuous discovery of exposures and a prioritization logic that understands the interconnectivity risk of all exposure types. This brings remediation efficiency through the identification of choke points and a comprehensive set of remediation guides that offer flexibility in how vulnerabilities are addressed, and it raises executive confidence through detailed reporting of cyber risk and security posture.
