Vulnerability management is tough. In fact, two-thirds (66%) of all organizations have a backlog of over 100,000 vulnerabilities. The number of critical vulnerabilities rose by 59% between 2021 and 2022, showing that the problem is only getting worse.

It’s essential for organizations to have an effective strategy in place to manage them, otherwise vulnerabilities will go unaddressed, leaving plenty of opportunities for malicious actors to cause a data breach and/or disrupt operations.

Two of the most common methods that organizations employ for vulnerability management are remediation and mitigation. In this article, we’ll discuss these different strategies, examine when to use each approach, and share best practices for them both.

Remediation vs. Mitigation: Two Sides of the Same Coin

Remediation and mitigation are two different methods for dealing with gaps in an organization’s security posture. Remediation fixes the problem at the source, through your supplier’s own security controls. Mitigation involves using your internal security controls to compensate for any gap that the vendor is unable or unwilling to fix.

Threat intelligence is an important part of both approaches. Security teams use it to access external data feeds with precise information about specific attack vectors and the intentions of malicious actors. This helps focus your remediation and mitigation processes and prioritize the highest-risk security gaps.

What is Remediation?

Vulnerability remediation refers to the process of identifying gaps in a vendor’s security controls, prioritizing them to be fixed, and ensuring that they are addressed. For example, you employ a vendor to deliver office supplies to the workplace, but this creates a risk of unauthorized access to your premises. You remediate the vulnerability by requiring the vendor’s employees to sign in at the front desk and wear a visitor’s badge upon arrival.

Remediation can often be the fastest way to deal with vulnerabilities. Suppose your organization has gone through the painstaking process of selecting a vendor, only to discover that the preferred vendor has several gaps in their security controls. Instead of starting over to hunt for a different vendor, you can work together on a remediation plan to achieve the desired security level.

But not all vulnerabilities and risks can be fixed. For example, there may not be a readily available software patch that fixes a given cyber vulnerability, or it may take time until the software can be updated. Sometimes, you have to accept the risk of leaving these vulnerabilities, because the vendor cannot fix them. That’s when you’d turn to mitigation.

4 Steps to Remediation

Remediation is considered to be more proactive than mitigation when it comes to vulnerability management, because it aims to permanently resolve the problem at its source instead of minimizing its impact. It achieves this through four basic steps:

  • Find. Finding vulnerabilities at scale is best done through a vulnerability management solution or penetration testing exercise.
  • Prioritize. Determining which vulnerabilities present a real and present security risk, and which are low priority or do not need to be addressed.
  • Fix. Implementing patches, updating software, or blocking vulnerabilities to mitigate risk.
  • Monitor. Utilizing automated tools that deliver real-time alerts and notifications about vulnerabilities, because remediation is an ongoing process.

What is Mitigation?

Unlike remediation, mitigation is the process of dealing with risk or vulnerabilities after the fact. It usually involves setting controls around a supplier, so that your organization can defend against those vulnerabilities internally.

Let’s take a company that has calculated the inherent risk minus control effectiveness for a supplier and arrived at a residual risk of 3 out of 5, which is not satisfactory. Mitigation helps them reduce that residual risk further, through internal controls of their own.

For example, a company might decide that a supplier presents too large a residual risk, but it wants to start doing business with it. The company elects to mitigate the risk by limiting data shared with the vendor, so it shares only 5,000 consumer records instead of 10,000, until the vendor puts more effective privacy controls in place.

Let’s take the example from above of vendor employees coming on site. Once the vendor’s employee is required to wear a security badge and sign in at the front desk, your organization can decide on mitigation tactics, like giving them limited access privileges. That means that an employee of the organization may need to escort them into the building or department, and this vendor would have limited access to the organization’s files and information.

What Are the Different Mitigation and Remediation Techniques?

Mitigation is often used as a way for an organization to buy time before a software update or patch is developed. This is particularly true for consumer-facing applications that need to avoid downtime. One common mitigation technique is Distributed Denial of Service (DDoS) mitigation. This technique helps route suspicious traffic to a centralized location, where it’s filtered to prevent service disruption.

The remediation process is more specific, depending on the type, scope and depth of the threat. Penetration testing is a common remediation technique that enables you to spot gaps and attacks, and address them as they occur. It helps you identify potential attack vectors that malicious threat actors can use to gain control of your network or system. It also analyzes attack patterns to help uncover ongoing attacks, or detect an advanced persistent threat to your network.

Bridging Remediation and Mitigation for Effective Security

Both remediation and mitigation have their place in a comprehensive vulnerability management strategy. They complement each other to ensure that external and internal security controls are robust and responsive.

While remediation works by directly fixing security gaps and other risks at the source, so that they are completely eliminated, mitigation reduces the impact of any risks that you can’t totally fix or that might go unnoticed. When you use both tactics together, mitigation serves as a safety net for anything that can’t be remediated.

Balancing the two strategies can lead to a more resilient security posture that adapts to evolving threats and aligns with an organization’s risk tolerance. Let’s explore how to decide which approach your organization should use in a given situation.

Use Remediation When:

If you have the time, expertise, and tools necessary to fully investigate the problem and apply a long-term fix, remediation is the best way to go. It’s the only way to guarantee that the same problem won’t arise to bite you further down the line, because mitigation is more of a temporary resolution. But it does require more resources, so it might not be a practical option in every situation.

Remediation is also the smart approach when you’re dealing with a long-term threat, one that could cause serious and lasting harm to your organization, and/or regulatory compliance requires you to resolve it. With remediation, you can be confident that the issue is completely resolved, that you’re not at risk of regulatory penalties or fines, and that your systems, data, reputation, and operational continuity are all protected.

Use Mitigation When:

Remediation is definitely the gold standard for vulnerability management, but it’s not always the most appropriate approach. As the saying goes, perfect can be the enemy of good. Sometimes, you need to act fast to minimize an immediate risk, and you don’t have time for full remediation. You might also find that you don’t have the resources to carry out remediation work, but you still need to do something to protect your organization.

In these circumstances, it’s better to quickly mitigate the threat before it causes serious damage. You can return to carry out long-term remediation once you have the time and other resources to do a complete job. Mitigation is also a smart move as a temporary measure that defends your systems while remediation is under way.

Best Practices for Balancing Remediation and Mitigation

It’s not always easy to know which approach is the most suitable for any given situation. That’s where best practices come in, to help you decide how to use mitigation and remediation in tandem to build a robust and responsive risk management strategy. These should include: 

  • Running risk assessments to prioritize vulnerabilities for mitigation or remediation 
  • Using mitigation alongside remediation to harden your security posture
  • Documenting and monitoring risks until they are completely resolved
  • Implementing security tools and solutions for automated detection and response 
  • Collaborating across business units to align remediation and mitigation

Prioritize Risks

The first step in any risk management strategy is to gain a full understanding of the situation. It’s almost inevitable that your organization will be facing several vulnerabilities at the same time, so you need to know which ones are the most serious and urgent. 

Thorough risk assessments enable you to evaluate the threats before you and gain insight into the severity of the threat they pose. Then you can decide which ones need immediate mitigation until remediation is available, which ones to prioritize for long-term remediation, and which ones can be mitigated and monitored to see how they evolve.

Combine Efforts

As mentioned above, you should always use both remediation and mitigation. They complement each other to bolster your security profile and protect your organization from threats. Mitigation should be viewed as a fast and urgent stopgap measure that prevents threats from actualizing, while you plan and execute your remediation work. 

For this approach to be effective, you need to be able to roll out mitigation actions as fast as possible, preferably using automation, so that there’s no significant time gap during which malicious actors can take advantage of the vulnerability.

Document and Monitor

If you’ve chosen to mitigate a risk, either because you need more time for remediation or because it’s not serious enough for a full remediation effort, it’s vital to track it until it’s completely eliminated. You should keep a record of every risk, and the actions you take to address it. 

Documenting and monitoring the risks that you mitigate and the steps you took to do so is crucial for overall risk management. Otherwise, it’s possible that the risks you mitigated could fly under your radar. If you forget to return to implement remediation, those risks could flare up again and cause serious harm.
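To make the pieces above concrete, here is an added example (not code from the original article or from Panorays) of a small vendor risk register: it applies the residual-risk formula from the supplier example (inherent risk minus control effectiveness on a 1-5 scale), chooses between remediation, stopgap mitigation and mitigate-and-monitor along the lines of the guidance in this article, and flags mitigated risks whose follow-up remediation has slipped past its due date. The vendors, scores and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed vendor risk register (hypothetical vendors, not real data).
# Scores use the 1-5 scale from the article: residual risk is inherent risk
# minus control effectiveness, clamped to the 0..5 range.

@dataclass
class VendorRisk:
    vendor: str
    inherent: int                      # 1..5
    control_effectiveness: int         # 0..5, the vendor's own controls
    fix_available: bool                # can the vendor fix it at the source?
    status: str = "open"               # open | mitigated | remediated
    mitigations: List[str] = field(default_factory=list)
    remediation_due: Optional[date] = None

def residual_risk(r: VendorRisk) -> int:
    return max(0, min(5, r.inherent - r.control_effectiveness))

def triage(r: VendorRisk, tolerance: int = 2, can_remediate_now: bool = True) -> str:
    """Remediate at the source when the vendor can fix it and you have the
    resources now; mitigate as a stopgap until then; compensate internally
    and keep watching when no fix exists; accept within risk tolerance."""
    if residual_risk(r) <= tolerance:
        return "accept-and-monitor"
    if r.fix_available:
        return "remediate" if can_remediate_now else "mitigate-then-remediate"
    return "mitigate-and-monitor"

def record_mitigation(r: VendorRisk, action: str, remediation_due: str) -> None:
    """Document the stopgap and the ISO date by which remediation is revisited."""
    r.mitigations.append(action)
    r.status = "mitigated"
    r.remediation_due = date.fromisoformat(remediation_due)

def overdue_remediations(register: List[VendorRisk], today: str) -> List[str]:
    """Mitigated risks that were never remediated by their due date."""
    now = date.fromisoformat(today)
    return [r.vendor for r in register
            if r.status == "mitigated" and r.remediation_due is not None
            and r.remediation_due < now]

REGISTER = [
    VendorRisk("OfficeSupplyCo", inherent=4, control_effectiveness=1, fix_available=True),
    VendorRisk("DataProcessorLtd", inherent=5, control_effectiveness=1, fix_available=False),
    VendorRisk("PrintVendor", inherent=2, control_effectiveness=2, fix_available=True),
]
```

Running `overdue_remediations` on a schedule is the "monitor" step: a vendor that stays in the list is a mitigated risk nobody has come back to remediate.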

Leverage Tools

In today’s fast-paced risk environment, threats and vulnerabilities are constantly emerging. It’s extremely difficult to stay on top of them without the help of security platforms and digital tools. 

These solutions automate the processes of detecting risks, tracking their evolution and progress, and applying immediate mitigation efforts like security patches or shutting off access to certain users or devices. They can speed up mitigation tasks, and ensure that vulnerabilities that are awaiting remediation are dealt with at the right time.

Collaborate Across Teams

Like every aspect of risk management, remediation and mitigation are more effective when you involve more departments. IT teams, security units, and other business departments like compliance and legal should all be aligned on remediation and mitigation strategies.

This could involve quarterly meetings, a dedicated Slack channel, and/or a project management platform. What matters is that there are smooth communication channels for different units to report emerging threats and vulnerabilities, share best practices, and ensure that no risks go overlooked.

How Panorays Supports Remediation and Mitigation

Panorays helps organizations manage, mitigate and remediate risks with their third parties, suppliers and partners. Panorays’ automated third-party cyber risk management platform helps organizations foster effective risk remediation that aligns with their security posture and risk appetite.

The solution integrates threat intelligence feeds to detect emerging threats, tracks changes in vendor risk profiles that could indicate vulnerabilities, and automates mitigation actions to plug security gaps before malicious actors can exploit them, helping increase protection for your organization.

Want to learn more? Get started with a Free Account today to help mitigate and remediate risk with your third parties.

FAQs