Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Risk-based vulnerability management: what changes for security teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: CISA’s BOD 26-04 shifts vulnerability prioritization away from CVSS-only scoring toward exploit likelihood, internet exposure, known in-the-wild activity, automation potential, and impact, reflecting the growing gap between disclosed vulnerabilities and what attackers actually target, according to Proofpoint. Severity is no longer a sufficient control signal when exploit windows compress quickly and remediation capacity remains finite.

NHIMG editorial — based on content published by Proofpoint: CISA BOD 26-04 and the shift to risk-based vulnerability management

Questions worth separating out

Q: What breaks when vulnerability management is based only on CVSS scores?

A: CVSS-only prioritisation breaks when several lower-scoring flaws can be combined into a complete exploit path.

Q: Why do exploited systems create more identity risk than patching teams usually expect?

A: Exploited systems often hold credentials, privileged accounts, or trust relationships that are more valuable than the original flaw.

Q: How do security teams know if exploitation-based prioritisation is working?

A: Look for a shorter must-fix list, fewer exposed KEV items, faster closure of actively exploited CVEs, and clearer ownership for the devices or applications that stay open longest.

Practitioner guidance

  • Rebuild patch triage around exploitability Rank vulnerabilities by internet exposure, evidence of exploitation in the wild, and automation potential before using CVSS as a secondary tie-breaker.
  • Link vulnerability queues to IAM and PAM controls When a vulnerable asset can expose accounts, tokens, or administrative paths, require access restriction or step-up controls before patch completion.
  • Use compensating controls during patch windows Apply segmentation, filtering, and temporary hardening to reduce exposure while updates move through distributed environments.

What's in the full article

Proofpoint's full blog covers the operational detail this post intentionally leaves for the source:

  • How Active Exploits Protection correlates observed attacker behaviour with vulnerability priority decisions across email and network traffic.
  • The article's explanation of how first-mile visibility helps teams reduce exposure during patching windows before payload execution.
  • The operational framing behind CISA BOD 26-04 and why exploit intelligence changes security operations triage.
  • Proofpoint's examples of how teams can distinguish urgent exposures from lower-priority scanner findings.

👉 Read Proofpoint's analysis of CISA BOD 26-04 and risk-based vulnerability management →

Risk-based vulnerability management: what changes for security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Risk-based remediation is now an identity governance issue, not just a vulnerability management issue. Once an exploit turns into credential theft, session compromise, or privilege escalation, the relevant control surface is no longer only patching. It becomes the interaction between exposure management, authentication, and privilege boundaries. That is why security leaders should treat exploit intelligence as input to IAM and PAM decisions, not as a separate operations feed.

A question worth separating out:

Q: Who is accountable when a known exploited Office vulnerability remains unpatched?

A: Accountability sits with the owners of endpoint patching, email security, and privileged workstation governance, because the exposure spans all three. When a CVE is in KEV and patches are available, delayed remediation becomes a governance failure as well as a technical one. CISA deadlines and internal patch SLAs should be aligned to that reality.

👉 Read our full editorial: Risk-based vulnerability management now outranks severity scores



   
ReplyQuote
Share: