
It’s Time to Rethink the 30/60/90-Day Approach to Vulnerability Management

Posted by: Jason Fruge
August 11, 2024

Over the years, the value that organizations derive from the classic approach to fixing vulnerabilities has diminished. Once a staple of vulnerability management policies, the 30/60/90 day approach involves addressing critical and high-risk vulnerabilities within 30 days, medium-risk vulnerabilities within 60 days, and low-risk vulnerabilities within 90 days. 

This construct was a logical approach in an era where threats and enterprises were more static and less complex. But this approach has (more than) started to show its age and has left many of us, including myself, looking for a better way. 

In this blog, I’ll explore why this approach is no longer sufficient and look at ways orgs can effectively address the issues that actually do impact them. 

Let’s start by understanding what’s changed. In 2023, 28,902 new vulnerabilities were identified, 3,821 more than in 2022. This trend has repeated year after year, with more CVEs identified in 2022 than in 2021, and so on. Moreover, CVEs represent only a fraction of the issues that can put assets at risk. Weak credentials, misconfigurations and other weaknesses account for the vast majority of the issues that can put organizations at risk. 

Addressing this ever-growing mountain of security exposures and vulnerabilities organizations face each day can be very challenging, to say the least. With so many factors contributing to the vast increase in issues that need to be addressed, such as an ever-expanding attack surface, relentless attackers, and the increasing complexity of cloud environments, it often seems like defenders have limited ability to keep up with the onslaught of issues to be remediated. And while approaches like the 30/60/90-day approach have played a part in taming this beast, the shortcomings of this approach become more apparent all the time. 

And as business and threats grow in complexity, how we respond to these risks must also change. 

It’s time we understand that the evolving landscape of cybersecurity exposures extends far beyond software patches. Our cyber risk mitigation capabilities must evolve to address increasingly complex exposures in a way that is effective and relevant to today’s risks and realities. This is why the 30/60/90 model no longer fits the much more dynamic threat landscape of today’s attack surface. 

The Limitations of the 30/60/90 Plan

  • Reactive Nature: The 30/60/90 plan is inherently reactive. It responds to vulnerabilities after they are discovered and reported, often leaving critical windows of exposure that attackers can exploit.
  • Lacks Context: This approach doesn’t account for the context and potential impact of vulnerabilities. Not all vulnerabilities are created equal; some might pose more significant risks to critical business assets than others, regardless of their CVSS scores. Some might not be exploitable, or there may be an extremely low likelihood of reachability.
  • Inefficient Resource Allocation: By adhering to a rigid timeline, organizations often waste resources addressing vulnerabilities that are less likely to be exploited while neglecting those that could lead to severe breaches.

The Shift to Continuous Threat Exposure Management (CTEM)

So what now?

In 2022, Gartner introduced the Continuous Threat Exposure Management (CTEM) framework. CTEM represents a paradigm shift from the traditional periodic assessment model to a more dynamic, continuous approach to vulnerability and exposure management. CTEM is based on the implementation and continuous maintenance of 5 steps:

  1. Scoping, which defines business-critical assets, systems, and processes requiring protection.
  2. Discovery of all exposures across the inventoried infrastructure, including vulnerabilities, misconfigurations, risky identities, etc.
  3. Prioritization, to analyze exposures based on exploitability, prevalence, and potential business impact to guide the improvement plan.
  4. Validation, which confirms that exposures could truly be exploited through simulations.
  5. Mobilization, to drive collaboration between teams to implement controls, processes, and technology with a goal of reducing risk.
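To make the contrast between the "Lacks Context" limitation above and the CTEM Prioritization step concrete, here is an added worked example (not code from this post or from XM Cyber's platform). It assigns the classic 30/60/90 SLA from CVSS alone and, beside it, ranks the same findings by a contextual score built from reachability, exploit availability, validation status and asset criticality. The findings, the weights and the default base score for non-CVE exposures are constructed assumptions chosen to illustrate the argument, not a published scoring formula.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Exposure:
    """One finding from the Discovery step (constructed sample data)."""
    id: str
    kind: str                 # "cve", "misconfig" or "credential"
    cvss: Optional[float]     # None for exposures that carry no CVSS score
    asset: str
    asset_criticality: int    # 1 (lab box) .. 5 (crown jewel), from Scoping
    exploit_available: bool   # public exploit or known-exploited
    reachable: bool           # attacker can reach it from a likely entry point
    validated: bool = False   # confirmed exploitable in the Validation step


def sla_days(cvss: Optional[float]) -> Optional[int]:
    """Classic 30/60/90 assignment: CVSS severity is the only input.

    Misconfigurations and weak credentials have no CVSS score, so the
    policy simply has nothing to say about them (returns None).
    """
    if cvss is None:
        return None
    if cvss >= 7.0:
        return 30
    if cvss >= 4.0:
        return 60
    return 90


# Assumed weights for the contextual score; tune to your own environment.
NON_CVE_BASE = 5.0          # hypothetical base severity for non-CVE exposures
UNREACHABLE_FACTOR = 0.1    # not reachable by an attacker path
EXPLOIT_FACTOR = 2.0        # public exploit / known exploited
VALIDATED_FACTOR = 1.5      # exploitation confirmed by simulation


def contextual_score(e: Exposure) -> float:
    """Score = base severity x likelihood x business impact (CTEM-style)."""
    base = e.cvss if e.cvss is not None else NON_CVE_BASE
    likelihood = 1.0
    if not e.reachable:
        likelihood *= UNREACHABLE_FACTOR
    if e.exploit_available:
        likelihood *= EXPLOIT_FACTOR
    if e.validated:
        likelihood *= VALIDATED_FACTOR
    impact = e.asset_criticality / 5          # normalise 1..5 to 0.2..1.0
    return round(base * likelihood * impact, 2)


def prioritize(exposures: List[Exposure]) -> List[str]:
    """Return exposure ids ordered most-urgent first by contextual score."""
    return [e.id for e in sorted(exposures, key=contextual_score, reverse=True)]


def compare(exposures: List[Exposure]) -> Dict[str, Tuple[Optional[int], float]]:
    """Side-by-side view: id -> (30/60/90 SLA in days, contextual score)."""
    return {e.id: (sla_days(e.cvss), contextual_score(e)) for e in exposures}


# Constructed sample findings (not real assets or CVEs).
SAMPLE_EXPOSURES = [
    Exposure("EXP-1", "cve", 9.8, "lab-vm", 1, False, False),            # critical CVSS, isolated
    Exposure("EXP-2", "cve", 6.5, "payments-api", 5, True, True, True),  # medium CVSS, hot path
    Exposure("EXP-3", "misconfig", None, "crown-jewel-db", 5, False, True),
    Exposure("EXP-4", "credential", None, "jump-host", 4, False, True, True),
    Exposure("EXP-5", "cve", 4.3, "hr-portal", 3, True, False),
]

if __name__ == "__main__":
    for eid, (sla, score) in compare(SAMPLE_EXPOSURES).items():
        print(f"{eid}: 30/60/90 SLA={sla} days, contextual score={score}")
    print("CTEM order:", prioritize(SAMPLE_EXPOSURES))
```

Under the 30/60/90 policy the isolated lab VM with a CVSS 9.8 finding gets the tightest deadline, the payments API with a validated, exploitable medium-severity bug gets 60 days, and the two non-CVE exposures fall outside the policy entirely. The contextual ranking inverts that: the validated payments finding comes first, the weak credential and the database misconfiguration follow, and the unreachable lab finding drops to the bottom.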

It’s going to take time for enterprises to implement this improved model, but once adopted, my bet is that security leaders will be asking themselves why they didn’t jump on this sooner.

Here’s why CTEM is a game-changer:

  • Proactive Identification: CTEM continuously monitors and identifies threats before they can be exploited. This proactive stance significantly reduces the risk of breaches.
  • Contextual Prioritization: CTEM assesses vulnerabilities in the context of the organization’s specific environment. It prioritizes remediation based on the actual risk to critical business processes, rather than following a generic timeline.
  • Integrated Approach: CTEM integrates with various security tools and processes, providing a holistic view of the threat landscape. This integration allows for more accurate and efficient vulnerability management throughout the business.

Conclusion

While the classic 30/60/90-day vulnerability remediation model served its purpose in a different era, it is no longer sufficient to protect against the sophisticated and fast-evolving threats and additional attack surface we face today. The Continuous Threat Exposure Management framework offers a more effective, proactive, and comprehensive approach to cybersecurity. As CISOs, it is our responsibility to adopt these advanced strategies to ensure our organizations remain resilient in the face of ever-changing cyber threats. By doing so, we can move from merely managing vulnerabilities to truly managing risk.

Learn more about how the XM Cyber Continuous Exposure Management platform can support a more effective cybersecurity strategy. https://xmcyber.com/platform/ 

Jason Fruge

Seasoned CISO who has led and managed security programs for Fortune 500 companies in retail, banking, and fintech sectors. Resident CISO at XM Cyber
