Vulnerability Prioritization is Not a One-Size Fits All Approach


By Victor Gamra, CISSP, Founder and CEO of FortifyData

System vulnerabilities are ever increasing as adoption of new and emerging technologies are implemented. Security professionals struggle to keep up with remediation efforts presented by a variety of new technologies and the lack of vulnerability prioritization. In 2022, we have already surpassed 22,000 recorded Common Vulnerabilities and Exposures (CVEs), which exceeds the previous record set in 2021 with 20,170, according to the National Vulnerability Database. Security teams are already stretched and are drowning in a sea of vulnerabilities. With new ones popping up each day, plus a shortage of IT security staff, mitigating them all would be impossible. So, security teams must do their due diligence to prioritize them.

Historically, a de facto prioritization method relied on Common Vulnerability Scoring System (CVSS) scores, combined with regulatory guidance on which level of vulnerability should be remediated in a certain time frame. CVSS ratings do a good job at looking for opportunistic vulnerabilities (i.e. can they be exploited remotely?), but they were never meant to be used to prioritize because they lacked the association to asset criticality to an organization.

According to a 2021 publication by CISA, “CISA has observed that risk scores, based on the Forum of Incident Response and Security Teams’ Common Vulnerability Scoring System (CVSS), do not always accurately depict the danger or actual hazard that a CVE presents. Attackers do not rely on “critical” vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated “high,” “medium,” or even “low.”

“Since CVSS was never intended to provide risk prioritization within each enterprise’s unique environment, this has led to goal misalignment. SLAs such as ‘Patch all critical CVSS scores within 30 days’ do not weigh the business context of asset criticality, whether exploits are published and active for that vulnerability, and if there are compensating controls that can protect against that exploit,” wrote Erik Nost, Senior Analyst at Forrester, in the Forrester blog, “Vulnerability Programs Must Regain Trust to Inspire Action.”

It’s time to be smarter about how we prioritize vulnerabilities because there is no one-size fits all approach. To do this, we need to bring more meaning to the vulnerability data with contextualized risk intelligence that incorporates threat intelligence and impact to the business. You need data to tell you what the vulnerabilities mean for your specific organization.

  • Do you know your assets?
  • Is the vulnerability present on mission critical asset?
  • Are there threat actors currently exploiting this vulnerability within my industry?
  • Do we have compensating controls in place?
  • What is the likelihood of a threat being realized?

This is how vulnerability management is evolving – into Risk-Based Vulnerability Management – and it will solve a major problem for a lot of organizations. But to get there, you need to take a few steps.

Step 1: Discover Your Assets

We see a lot of organizations experience issues with asset detection, and that’s no surprise given the increasing number of assets and entry points that each organization has. Not to mention shadow IT – where organizations are spinning up resources or signing onto technologies that the IT teams don’t know about.

Keep in mind that attackers are scanning your environment to try and discover your assets.

So being able to map your entire attack surface is very important. Start with your on-prem assets, as well as assets with external facing IPs. Then make sure to discover mobile devices, and dynamic assets, like cloud infrastructure, web applications and containers. Automating the continuous identification of assets is fundamental to developing a risk base vulnerability management program. CISA recently published a Binding Operational Directive on Improving Asset Visibility and Vulnerability Detection on Federal Networks calling attention to the importance of knowing the assets and managing them accordingly.

Step 2: Classify Your Assets

Once you’re able to gain that initial view, you need to be able to classify those assets because they will all have varying degrees of criticality to your business. Correct asset classification enables vulnerability prioritization.

To understand which are the most valuable resources, you need to understand what type of data is stored, processed or transmitted on them, that tells you how important specific asseets are to the business. We suggest doing a business impact analysis and making sure that you have agreement from the C-suite.

Make sure to also do an analysis of compensating controls, which can help you de-prioritize certain vulnerabilities. And finally, you must automatically discover new assets on a continuous basis and ensure those new assets are classified according to business impact.

Step 3: Automate Your Process

Automation is the key to making vulnerability prioritization work effectively. The volume of vulnerabilities is way too high and security teams are way to lean to go through each vulnerability one-by-one. Automation is done with risk-based vulnerability management married with threat intelligence and controls analysis. Whatever platform you choose should be able to:

  • Continuously monitor with live assessment data
  • Auto-discover assets and classify them
  • Auto-sync updates from the National Vulnerability Database
  • Prioritize findings that include currently exploited vulnerabilities from sources like CISA
  • Present remediation guidance on how to remediate critical risks

Risk-based vulnerability management powered with automation enables your team to prioritize remediation of the most impactful vulnerabilities. You will become more effective by knowing what to remediate and how to remediate the identified vulnerabilities to reduce the critical risks to your organization.

About the Author

Victor Gamra, CISSP, is a former CISO and the Founder and CEO of FortifyData. FortifyData is an automated cyber risk management platform that provides risk-based vulnerability management, third-party risk management, security ratings and cyber risk quantification. Visit www.fortifydata.com for more information.



Source link