Vulnerability Management Prioritization: Defense Wins Championships
- Sep 20, 2022
- Guest Author
Vulnerability Management is one of the less flashy or exciting parts of your cybersecurity department maintenance routine – but is definitely one of the most important to protect your environment. Part of protecting yourself is obviously remediating vulnerabilities in your network, but the looming question is “What should I remediate first?”
There are some basic ways of gauging vulnerabilities, but they’re becoming outdated and/or inaccurate as environments become both more unique and more dynamic. In today’s world, where new vulnerabilities and exploits are coming out every day, you need to know which vulnerabilities pose risk, and which ones pose the most risk to you and your environment, in order to keep yourself safe.
Foundationally speaking, many organizations rely on frameworks like the Common Vulnerability Scoring System (CVSS) to prioritize the remediation of vulnerabilities. Most known vulnerabilities receive a CVSS score from the National Vulnerability Database, giving companies a baseline on which to evaluate the criticality of each vulnerability.
While still the industry standard, the CVSS score is becoming an unreliable sole source due to its rigidity and the lack of contextual factors brought into the risk score. CVSS is a good starting point, but relying on it alone is similar to how the basics of the Model T car are still used today: vulnerability management has evolved far enough that CVSS, while a useful baseline, is not wholly reliable on its own.
A CVSS score largely ranks vulnerabilities on the average system in the average environment. It does not take into account other important factors that change a vulnerability’s criticality in your particular environment and point to the true risk. Other methods of vulnerability scoring may come from the scanners themselves; however, these often rely heavily on CVSS with only small additions such as the availability of an exploit kit or the OS the device is running.
The common issue across these types of scoring methodologies is that they don’t take into account important factors such as the ones discussed below.
Part of having a healthy network environment is knowing which types of devices are important and where they sit within your network so that you can best protect yourself. Obviously, not all devices on your network should be treated as equally important.
For example, taking down an application or core server that is integral to your environment could cost millions of dollars and cause a massive amount of disruption to the business. For this reason, you’ll need to patch devices that fall into a critical category, such as external devices, core routing equipment, or high-use application servers, at a much higher rate than average, because a threat actor could potentially use them to gain additional privileges or even total control over parts of your network. As part of a quarterly review, a joint project between the networking and security teams should be to figure out what your most and least important types of equipment are and to build an inventory of those categories across your network, so you’re able to keep a closer eye on key infrastructure.
Additionally, you should also take into consideration the work you’ve already done. If you’ve already set up policies, or set up other measures in your environment, some of the vulnerabilities that may have been considered critical before should be re-evaluated, as they may now be a lesser risk or even need to be taken off the board completely. Depending on the vulnerability, this may even be a preferable option as you could potentially resolve multiple vulnerabilities across your network with a simple IAM or policy change.
Obviously, patching vulnerabilities will always be a good thing; but until you come to an efficient way of patching, start to remediate the root of issues, and find a streamlined way of doing it, you’ll be fighting a never-ending tide of new vulnerabilities.
Some considerations into your actual risk score may come from a less technical source. For example, one factor you’re going to want to take into consideration is the rate and channel these vulnerabilities are being talked about.
The “hacker” community is a group that likes to share information and methods – meaning the popularity of some of these exploits may increase if they become well-known in this community and a normal tool in these experts’ libraries. One of the ways to track these kinds of vulnerabilities is to develop or source specialized threat feeds that not only track trending vulnerabilities, but also keep you up to date on other factors like new exploit methods, recommended policy changes, and other items to consider while prioritizing.
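The paragraphs above describe a contextual prioritization model in prose: start from the CVSS base score, weight it by asset criticality and exposure, raise it when a public exploit exists or the vulnerability is trending in threat feeds, and lower it for compensating controls already in place. The following Python script is an added example written for this post to show that model in working code; it is not NopSec’s product logic or any scanner’s scoring. The tier weights, multipliers, host names and `V-00x` identifiers are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Asset criticality tiers in the spirit of the post: external devices, core
# routing equipment and high-use application servers outrank the average host.
# The weights are assumptions for this illustration, not a vendor's model.
ASSET_WEIGHT = {"critical": 2.0, "high": 1.5, "standard": 1.0, "low": 0.6}


@dataclass
class Finding:
    vuln_id: str            # constructed identifier, not a real CVE
    cvss_base: float        # NVD-style base score, 0.0 to 10.0
    asset: str              # affected host (constructed name)
    asset_tier: str         # key into ASSET_WEIGHT
    internet_exposed: bool  # reachable from outside the perimeter
    public_exploit: bool    # working exploit code is publicly available
    trending: bool          # actively discussed in threat feeds / exploit community
    mitigated_by: List[str] = field(default_factory=list)  # compensating controls already deployed


def threat_multiplier(f: Finding) -> float:
    """Raise the score when an exploit exists and again when it is trending."""
    m = 1.0
    if f.public_exploit:
        m += 0.5
    if f.trending:
        m += 0.5
    return m


def control_factor(f: Finding) -> float:
    """Each documented compensating control (firewall rule, IAM policy, ...)
    lowers the score; floored so a finding never disappears entirely."""
    return max(0.25, 1.0 - 0.35 * len(f.mitigated_by))


def contextual_score(f: Finding) -> float:
    """CVSS is the baseline; asset tier, exposure, threat activity and
    existing controls turn it into an environment-specific risk score."""
    score = f.cvss_base * ASSET_WEIGHT[f.asset_tier] * threat_multiplier(f) * control_factor(f)
    if f.internet_exposed:
        score *= 1.25
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Tuple[float, Finding]]:
    """Return (score, finding) pairs ordered highest contextual risk first."""
    scored = [(contextual_score(f), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def findings_per_vuln(findings: List[Finding]) -> Dict[str, int]:
    """How many hosts share each vulnerability: a high count is a candidate
    for one policy or IAM change that retires several findings at once."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.vuln_id] = counts.get(f.vuln_id, 0) + 1
    return counts


# Constructed sample scan results (hosts, ids and scores are made up).
SAMPLE_FINDINGS = [
    Finding("V-001", 9.8, "dev-ws-14", "low", False, False, False),
    Finding("V-002", 7.5, "web-ext-01", "critical", True, True, True),
    Finding("V-003", 8.8, "rtr-core-01", "critical", False, True, False, ["mgmt-plane ACL"]),
    Finding("V-003", 8.8, "rtr-core-02", "critical", False, True, False),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE_FINDINGS):
        controls = ", ".join(f.mitigated_by) or "none"
        print(f"{score:6.2f}  {f.vuln_id}  cvss={f.cvss_base}  {f.asset:<12} "
              f"tier={f.asset_tier:<9} controls={controls}")
    print("hosts per vulnerability:", findings_per_vuln(SAMPLE_FINDINGS))
```

Run as a script, the CVSS 9.8 finding on a low-value workstation (`V-001`) lands at the bottom of the list, while the CVSS 7.5 finding on the internet-facing, trending, exploited web server (`V-002`) comes first. The two core routers sharing `V-003` illustrate the other two points in the text: the router whose management plane is already restricted by an ACL scores lower than its unmitigated twin, and `findings_per_vuln` flags `V-003` as a vulnerability where a single configuration change could close more than one finding.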
Leveraging best-in-class machine learning algorithms, NopSec Unified VRM analyzes billions of pieces of information to understand attack activity and likelihood in real time. With NopSec, your vulnerability risk scores are reprioritized based on insights from 30+ threat intelligence feeds for malware, ransomware, threat actors/campaigns, public exploit databases, social media, and more.
Schedule a demo today to see NopSec in action.