
Security intelligence fosters vulnerability management based on prioritized risk


Managing cybersecurity for an organization today requires a lot of skill and patience. It’s not a job for the faint of heart. A single vulnerability can result in the theft of everything the enterprise truly values. At the same time, the number of potential adversaries the company faces outnumbers its own team by orders of magnitude. And the hackers are not constrained by the forces that limit most security teams: Time, money, and fatigue.

Even worse, attackers have the advantage. Like the white side in a game of chess, the attackers move first – and too many defenders are willing to accept a reactive posture.

This often results in a vulnerability management (VM) team that's overwhelmed and demoralized by the need to play catch-up with a ceaseless flood of vulnerabilities. It's simply impossible to patch everything that needs patching, and that state of affairs may persist indefinitely.

But we’re not here to harp on the problem – we want to propose a solution: Using security intelligence to enable risk-prioritized vulnerability management.

Prioritize through a risk and security intelligence lens

On the battlefield medics are often overrun and overstretched -- and unlike VM teams, they have to do their job under fire. Yet both parties have some similarities in terms of how they operate.

A combat medic or military surgeon may suddenly have more injured soldiers than he or she can treat. Medical people will triage: Allocating treatment in a way designed to maximize the number of survivors. Soldiers who are seriously injured -- but not critically wounded -- may have to wait for treatment, while those in worse shape are prioritized.

VM teams are continually bombarded by new alerts, many of the high or critical variety. Yet unlike in medicine – where critical means critical – not every severe vulnerability should get prioritized in the same way. Sometimes a severe vulnerability poses no real risk to the most important, sensitive systems and assets. If security teams follow a vulnerability management strategy rooted in CVSS scoring without any regard for critical risk context, they often end up having the team devote precious hours toward patching security gaps that pose almost no real risk. In medical terms, the team does the equivalent of sending a soldier with a hangnail to the front of the triage line.

That's obviously a situation that everyone wants to avoid. Fortunately, there’s a straightforward answer to the problem: Apply real-time threat intelligence and attack-centric risk context to ensure the team prioritizes protection of the company’s crown jewels.

How to ensure optimal prioritization

Start with a better understanding of threat intelligence. While the number of breaches and threats continues to surge each year, malicious actors are leveraging the same relatively small set of vulnerabilities. They are also moving faster. Gartner has found that the time span between the identification of a vulnerability and the appearance of an exploit has shrunk from 45 to just 15 days over the last decade. However, research also shows vulnerabilities that have not been exploited after three months likely won’t get attacked.

Understanding the broad strokes of the threat landscape can help teams begin prioritizing according to risk. It's critical to focus on exposures that are actually exploitable, and that pose the greatest risk to sensitive systems and assets. Correlating internal vulnerability scan data with external intelligence -- and gaining a grasp of which vulnerabilities attackers are targeting, and why -- supplies the context a CVSS base score alone cannot.
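The triage logic described in the last two sections, as an added example (not code from XM Cyber or from the original column): scan findings carrying only a CVSS base score are re-ranked with three pieces of context the text calls for, evidence of in-the-wild exploitation, asset criticality, and network exposure. The weights, field names, CVE identifiers, host names and the "known exploited" list are all constructed for illustration and do not represent any real feed or vendor model.

```python
"""Risk-prioritized triage of vulnerability scan findings (added example).

Combines internal scan results (CVSS base score, host) with external and
organizational context (known-exploited list, asset criticality, exposure)
to produce a ranking that differs from a pure CVSS sort. Weights, field names
and all sample data below are assumptions for illustration only.
"""
from dataclasses import dataclass

# Constructed "external intelligence": CVEs with public, in-the-wild
# exploitation. Identifiers are placeholders, not real CVEs.
KNOWN_EXPLOITED = {"CVE-2099-0002", "CVE-2099-0003"}

# Constructed asset inventory: business criticality (1-5) and whether the
# host is reachable from the internet.
ASSETS = {
    "db-prod-01":  {"criticality": 5, "internet_facing": False},
    "web-prod-03": {"criticality": 4, "internet_facing": True},
    "dev-box-17":  {"criticality": 1, "internet_facing": False},
}


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float                        # CVSS base score from the scanner, 0.0-10.0
    reachable_from_dmz: bool = False   # assumed attack-path fact from internal mapping


def risk_score(f: Finding) -> float:
    """Return a 0-100 risk score for one finding.

    CVSS severity is only one factor: exploitation evidence, asset value and
    exposure scale it. Because the factors multiply, a finding that is
    unexploited, isolated and on a low-value host scores low regardless of
    how high its CVSS base score is.
    """
    asset = ASSETS.get(f.host, {"criticality": 3, "internet_facing": False})
    severity = f.cvss / 10.0                          # 0..1
    exploited = 1.0 if f.cve in KNOWN_EXPLOITED else 0.2
    value = asset["criticality"] / 5.0                # 0.2..1
    if asset["internet_facing"]:
        exposure = 1.0
    elif f.reachable_from_dmz:
        exposure = 0.7
    else:
        exposure = 0.3
    return round(100.0 * severity * exploited * value * exposure, 1)


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Rank findings by risk score, highest first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.host, risk_score(f)) for f in ranked]


# Constructed scan output.
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0001", "dev-box-17", cvss=9.8),   # critical CVSS, no exploit, isolated dev host
    Finding("CVE-2099-0002", "web-prod-03", cvss=7.5),  # high CVSS, exploited, internet-facing
    Finding("CVE-2099-0003", "db-prod-01", cvss=8.1,
            reachable_from_dmz=True),                   # exploited, crown-jewel DB reachable via DMZ
    Finding("CVE-2099-0004", "db-prod-01", cvss=5.3),   # medium CVSS, no exploit, isolated
]

if __name__ == "__main__":
    cvss_order = [f.cve for f in sorted(SAMPLE_FINDINGS, key=lambda f: f.cvss, reverse=True)]
    print("CVSS order:", cvss_order)
    print("Risk order:", [cve for cve, _, _ in prioritize(SAMPLE_FINDINGS)])
    for cve, host, score in prioritize(SAMPLE_FINDINGS):
        print(f"{cve} on {host}: {score}")
```

With this data a pure CVSS sort puts the 9.8 on the isolated dev box first; the risk sort puts it last (score 1.2) and moves the exploited 7.5 on the internet-facing web server to the top (score 60.0). The multiplicative form is the design choice that matters: it encodes the column's point that an exposure nobody can reach or exploit is not a priority, whatever its base score.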

VM teams need better software tools

Security teams need to consign the scan-and-patch approach to vulnerability management to the trash heap of information security history. Instead, we need tools that focus on the continuous identification, assessment, reporting and remediation of security gaps using critical risk context.

Organizations need to know more than the severity of a vulnerability. They need to know its relationship to critical assets and how that vulnerability could realistically be exploited. They need visibility into the most likely attack paths and tactics through which attackers will reach those assets. They need to know the likely consequences of a successful exploit. And they need a process for accomplishing this that's automated and continuous – one that begins to even the deeply slanted playing field on which defenders and attackers are perched.

Such characteristics are found only in attack-centric exposure prioritization platforms that offer deep threat intelligence and precision-targeted prioritization of the vulnerabilities that pose the greatest risk to crown jewels.

Tools such as these let VM teams focus on the 1 percent of exposures that are exploitable. By doing this, they eliminate 99 percent of the risk to business-sensitive systems – and no longer have to worry about wasting inordinate resources on patching vulnerabilities that pose no real problem.

The takeaway

Risk-prioritized vulnerability management isn't a luxury. Security teams should treat it as an absolute imperative for all organizations. Without risk context, VM teams are fighting this battle with one hand tied behind their backs – and are often focused on the wrong foe. Deploy the right attack-centric exposure prioritization tools, and the security team will find itself in a far better position to defend in an intelligent and successful manner.

Gus Evangelakos, director, field engineering, XM Cyber
