Vulnerability management is tough. With more than half of organizations (66%) having a backlog of over 100,000 vulnerabilities and an increase of 59% in critical vulnerabilities from 2021 to 2022, it’s essential that organizations have an effective strategy in place to manage them. Two of the most common methods organizations employ for vulnerability management are remediation and mitigation.
Remediation vs. Mitigation: Two Sides of the Same Coin
Remediation and mitigation are two different terms for dealing with gaps in an organization’s security posture. While remediation fixes the problem at the source, in the supplier’s own security controls, mitigation overcomes any gap that the vendor is unable or unwilling to fix through the organization’s internal compensating security controls.Threat intelligence can assist security teams by providing access to external data feeds. These feeds deliver precise information about specific attack vectors and the intentions of malicious actors, supporting the remediation and mitigation processes with focus and prioritization for security gaps in a context-rich manner.
What is Remediation?
Vulnerability remediation refers to the process of identifying the gaps in a potential vendor’s security controls and prioritizing the vulnerabilities that your organization would like to fix. For example, an organization decides to employ a vendor to deliver office supplies to the workplace. Since the organization wants to reduce security risks posed by the vendor, it requires the vendor’s employees to sign in at the front desk and wear a visitor’s badge upon arrival.
However, not all vulnerabilities and risks need to or can be fixed. For example, there may not be a readily available software patch or it may take time until the software can be updated. Sometimes we must accept the risk of vulnerabilities because the vendor cannot fix them.
At other times, remediation is the preferred approach to save time. For example, suppose your organization has gone through the painstaking process of selecting a vendor, and it found that the preferred vendor has several security gaps in their security controls. Instead of going through the process of finding a different vendor, you can work together with the vendor on a remediation plan to achieve the desired security level.
4 Steps to Remediation
Although mitigation can be effective, remediation is considered a more proactive strategy for vulnerability management as it can occur before a vendor relationship takes place.
Vulnerability remediation includes four basic steps:
- Find. Finding vulnerabilities at scale is best done through a vulnerability management solution or penetration testing exercise.
- Prioritize. Determine which vulnerabilities present a real and present security risk, and which are low priority or do not need to be addressed.
- Fix. Implement patches, update software or block vulnerabilities to mitigate risk.
- Monitor. Since the process of vulnerability mitigation is ongoing, you’ll need to find automated tools that deliver alerts and notifications at scale.
What is Mitigation?
Mitigation versus remediation: Which one should your organization use? The answer depends on the context. Unlike remediation, mitigation is the process of dealing with risk or vulnerabilities after the fact and setting controls around a supplier so that your organization can defend against those vulnerabilities internally.
Let’s take a company that has calculated that the inherent risk minus control effectiveness for a supplier equals a residual risk of 3 out of 5, which is not satisfactory. Mitigation offers a method for reducing that risk through an internal process of setting controls around a supplier to internally defend against any risk presented.
For example, a company might decide that a supplier presents too large of a residual risk but it wants to start doing business with it. The company then elects to mitigate the risk by limiting data shared with the vendor. As a result, it decides to share 5,000 consumer records instead of 10,000 until the vendor puts more effective privacy controls in place.
Let’s take another example from above of the vendor coming on-site. Once the vendor is now required to wear a security badge and sign up at the front desk, your organization can decide on which mitigation tactics it should implement.
One of the most widely practiced mitigation tactics is giving vendors limited access privileges. That means that an employee of the organization may need to escort them into the building or department, and this vendor would have limited access to the organization’s files and information.
What Are the Different Mitigation and Remediation Techniques?
Mitigation is often used as a way for an organization to buy time before a software update or patch is developed. This is particularly true for consumer-facing applications that need to avoid downtime.
One common mitigation technique is Distributed Denial of Service (DDoS) mitigation. This technique helps route suspicious traffic to a centralized location where it is filtered and prevents service disruption.
The remediation process, in contrast, is specific, depending on the type, scope and depth of the threat. Penetration testing is a common remediation technique that helps organizations identify potential attack vectors that malicious threat actors can use to gain control of your network or system. It also analyzes attack patterns to help uncover ongoing attacks or identify if there is an advanced persistent threat to your network. With penetration testing, organizations can more effectively identify gaps and address attacks as they occur.
Bridging Remediation and Mitigation for Effective Security
The understanding and application of both remediation and mitigation as parts of a comprehensive vulnerability management strategy is crucial. These distinct but complementary approaches work together to ensure both external and internal security controls are robust and responsive. While remediation works by directly fixing security gaps at the source, mitigation provides a safety net, putting in place compensating controls to handle risks that cannot be immediately or completely eradicated. Both approaches utilize threat intelligence to focus their efforts, prioritizing risks based on accurate and timely information about the threat landscape. Balancing the two strategies can lead to a more resilient security posture that adapts to evolving threats and aligns with an organization’s risk tolerance.
How Panorays Helps Your Remediation
Panorays helps organizations manage, mitigate and remediate risks with their third parties, suppliers and partners. Using Panoray’s automated third-party cyber risk management platform helps organizations foster effective risk remediation that aligns with their security posture and risk appetite.
Want to learn more? Get started with a Free Account today to help mitigate and remediate risk with your third parties.
FAQs
When an organization remediates a risk, they decide how to best fix a vulnerability at its source. For example, if your organization chooses a vendor but identifies a number of security gaps in its security controls, the two of you can work together to remediate the risk and achieve the desired security level.
The four steps in remediation are:
1) Find. This is best done through a vulnerability management solution or penetration testing.
2) Prioritize. Determine which vulnerabilities present a real and present security risk, and which are low priority or cannot be addressed.
3) Fix. This includes adding patches, updating software or blocking vulnerabilities to mitigate risk.
4) Monitor. Vulnerability mitigation is ongoing. Finding automated tools that deliver alerts and notifications at scale will help.
Remediation in risk management is a process for controlling identified vulnerabilities, such as misconfigured software or a missing patch in the system, from negatively impacting your system or network.
