Another Type of Correlation – Vulnerability Correlation
- Oct 27, 2012
- Guest Author
The other day I was thinking about the concept of “event correlation” embedded into various SIEM products. Security events can be verified and false positives eliminated via correlation with other information such as OS fingerprinting, netflows, vulnerability information, etc. It is the value proposition of SIEMs and their added value, even though it does not always work.
NopSec implemented what we call “vulnerability correlation” to address this concept for vulnerability risk management.
Let’s say we found a number of vulnerabilities on a web application. The web application sits on top of a certain operating system, web server and database server stack. On top of the web application code vulnerabilities found through application crawling and fault injection, our software-as-a-service correlates those with vulnerabilities found by other Unified VRM modules, such as operating system, web server and database vulnerabilities that are present on the same host as the web application code.
In other words, vulnerabilities found on the web application code are correlated with network and operating system vulnerabilities found on the same host. So we can avoid the situation where all web application vulnerabilities found are remediated but the host where the application sits can be compromised at the network or database level.
When the Unified VRM Web Application Module identifies vulnerabilities, you are also able to see vulnerabilities related to the same web application host but found by other Unified VRM modules, for example the external or internal network modules.
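To make the idea concrete, here is an added illustration (not NopSec's or Unified VRM's code) of host-based correlation: findings from several scanner modules are joined by host, a residual risk is computed across layers, and hosts whose web application layer is clean but whose OS or database layer is still open are flagged. The module names, severity scale and sample findings are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str          # host the finding was observed on
    layer: str         # assumed module layer: webapp, os, webserver, database, network
    title: str
    severity: int      # assumed scale: 1 (low) .. 4 (critical)
    remediated: bool = False


# Constructed sample findings, as if produced by different scanner modules.
SAMPLE_FINDINGS = [
    Finding("app1.example", "webapp", "Reflected XSS in /search", 3),
    Finding("app1.example", "webapp", "SQL injection in /login", 4, remediated=True),
    Finding("app1.example", "os", "Unpatched kernel privilege escalation", 4),
    Finding("app1.example", "database", "Default database credentials", 4),
    Finding("app2.example", "webapp", "Missing HttpOnly flag", 1, remediated=True),
    Finding("app2.example", "os", "Outdated OpenSSH version", 2),
]


def correlate_by_host(findings):
    """Group findings from all modules by host so the layers can be compared."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    return dict(by_host)


def host_risk(host_findings):
    """Residual risk: highest open severity on the host, plus one point for each
    additional layer that still has an open finding, because weaknesses at
    different layers compound (an app bug next to an OS privilege escalation)."""
    open_findings = [f for f in host_findings if not f.remediated]
    if not open_findings:
        return 0
    open_layers = {f.layer for f in open_findings}
    return max(f.severity for f in open_findings) + (len(open_layers) - 1)


def prioritize(findings):
    """Hosts ordered by residual risk; flags the case where every web application
    finding is remediated but the host remains exposed at another layer."""
    report = []
    for host, hf in correlate_by_host(findings).items():
        open_layers = {f.layer for f in hf if not f.remediated}
        report.append({
            "host": host,
            "risk": host_risk(hf),
            "open_layers": sorted(open_layers),
            "webapp_clean_but_host_exposed": "webapp" not in open_layers and bool(open_layers - {"webapp"}),
        })
    return sorted(report, key=lambda r: r["risk"], reverse=True)
```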
The end result is verified and prioritized vulnerabilities based on business risk and impact. And that means faster and more efficient remediation, which is the ultimate goal of vulnerability risk management!
Learn about NopSec’s unique approach to vulnerability risk management. Get our Best Practices Guide: Vulnerability Management for more information!