Accounting for mitigated risk?

In some cases we will not be able to remediate vulnerabilities on a given asset. In these cases we put measures in place to lower risk such as client firewall, vlans, and configuration changes.

My question is how are others accounting for this in InsightVM? There doesn’t seem to be a way to accept the residual risk for the asset as a whole. Is everyone just leaving the vulnerabilities reporting as-is, excepting all vulnerabilities on that asset, deleting the asset from the platform, or using some other method to accurately reflect the mitigation? Any ideas are welcome, thank you.

We use exceptions in Nexpose and use the measures you mentioned (firewalls, ACLs, etc.) to justify the exceptions.
I’ve seen others disabling checks for certain vulnerabilities. For example, disable checks for MS Defender vulnerabilities if you already have third-party endpoint security and EDR/XDR on your devices.

You could use the appropriate reason "Compensating controls" when defining the vulnerability exception. From a risk management perspective, you could then say that the risk is mitigated. But from a vulnerability management perspective, that vulnerability would still exist. So in my opinion it is a bad practice to remove the vulnerability from the report, but instead, prevent it from affecting the risk scores. Can this be achieved in IVM? Good question.
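The two replies above describe the same workflow: keep the finding on the asset, file an asset-scoped exception justified by the compensating control, and take the risk out of the score rather than out of the report. The following is an added example, not code from the thread or from Rapid7, that models that workflow offline. It tracks compensating controls per asset with a review date, refuses to generate an exception for a control whose review has lapsed, builds asset-scoped exception requests, and reports raw versus residual risk while leaving every finding in the list. The request payload shape (`scope` / `submit` / `expires`) and the reason string are assumptions modelled on the InsightVM v3 API and must be checked against the current API documentation before anything is submitted; the finding ids, risk values and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset_id: int
    vuln_id: str
    risk: float          # risk-score contribution of this single finding


@dataclass(frozen=True)
class CompensatingControl:
    asset_id: int
    covers: frozenset    # vulnerability ids this control mitigates on the asset
    description: str     # justification text that goes into the exception
    reviewed: date       # last time someone confirmed the control is still in place
    review_days: int = 90

    def expires(self):
        # An exception should not outlive the control review it rests on.
        return self.reviewed + timedelta(days=self.review_days)

    def valid_on(self, today):
        return today <= self.expires()


def control_for(finding, controls, today):
    """Return the still-valid control covering this finding on this asset, or None."""
    for c in controls:
        if (c.asset_id == finding.asset_id
                and c.valid_on(today)
                and finding.vuln_id in c.covers):
            return c
    return None


def build_exception_requests(findings, controls, today):
    """One asset-scoped exception request per finding covered by a valid control.

    Payload shape and reason string are assumptions (see lead-in), not the
    verified InsightVM API contract.
    """
    requests = []
    for f in findings:
        c = control_for(f, controls, today)
        if c is None:
            continue                      # no valid control: finding stays open
        requests.append({
            "scope": {"type": "Asset", "id": f.asset_id, "vulnerability": f.vuln_id},
            "submit": {"reason": "Compensating control", "comment": c.description},
            "expires": c.expires().isoformat(),
        })
    return requests


def risk_summary(findings, controls, today):
    """Raw vs residual risk. Every finding is counted; none is deleted or hidden."""
    excepted = [f for f in findings if control_for(f, controls, today) is not None]
    raw = sum(f.risk for f in findings)
    mitigated = sum(f.risk for f in excepted)
    return {
        "raw_risk": raw,
        "residual_risk": raw - mitigated,
        "findings": len(findings),
        "excepted": len(excepted),
    }


# Constructed sample data, not real scan output or real vulnerability ids.
TODAY = date(2024, 3, 1)
FINDINGS = [
    Finding(101, "example-vuln-1", 800.0),
    Finding(101, "example-vuln-2", 350.0),
    Finding(101, "example-vuln-3", 120.0),   # not covered by any control
    Finding(202, "example-vuln-1", 800.0),   # asset 202 has only a lapsed control
]
CONTROLS = [
    CompensatingControl(101, frozenset({"example-vuln-1", "example-vuln-2"}),
                        "Host firewall and VLAN ACL block the affected service from all clients",
                        reviewed=date(2024, 2, 20)),
    CompensatingControl(202, frozenset({"example-vuln-1"}),
                        "Service disabled by configuration",
                        reviewed=date(2023, 8, 1)),   # review lapsed: no exception
]

if __name__ == "__main__":
    for req in build_exception_requests(FINDINGS, CONTROLS, TODAY):
        print(req)
    print(risk_summary(FINDINGS, CONTROLS, TODAY))
```

The lapsed control on asset 202 is the case worth noticing: the finding re-enters the residual score on its own once the review date passes, which is the behaviour you want from an exception tied to a compensating control rather than one granted indefinitely.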
