Is it time for evolution of Vulnerability Management?
We all know that a vulnerability is a weakness in a system of any type that can be exploited by hackers to achieve their objectives.
Within any organization, each vulnerability may affect multiple devices, in tens, hundreds or more. On top of that, newly disclosed vulnerabilities must be tracked as well: since 2017, more than 300 vulnerabilities have been disclosed every week. This makes remediation a top priority, because the longer a vulnerability stays unfixed, the greater the chance of a breach once hackers start to exploit it.
According to one study, 39% of breach victims knew they were vulnerable to hackers before they were breached, and 60% of organizations were breached through a vulnerability for which a patch was already available.
The challenge most organizations face is not HOW to patch their systems but WHAT to patch first. The risk scoring used by most Vulnerability Assessment and Management solutions is the traditional Common Vulnerability Scoring System (CVSS).
When it comes to remediation, most organizations address Critical and High severity findings first and the rest afterwards. But what is the context of these vulnerabilities for a given organization? A CVSS score is a global rating, the same for every organization worldwide regardless of industry sector or location, so it may not be the answer to that question.
According to one study, of all open-source vulnerabilities published in 2019, 15% were rated Critical and 41% High under the CVSS v3.x scoring system. If over half of all vulnerabilities are rated Critical or High, prioritizing them for remediation on severity alone becomes inefficient: it lacks business context and leads to longer patch cycles. Not every vulnerability has an exploit available, and not every vulnerability is attractive to hackers.
If an organization has 10,000 vulnerabilities and 3,000 of them are Critical or High severity, their risk scores need to be contextualized so that the order in which they are patched reflects the organization's own situation.
So how can it be done? The answer is Vulnerability Intelligence: the consumption of Threat Intelligence from a vulnerability perspective. Context around each vulnerability should be gathered from Threat Intelligence to prioritize vulnerabilities at the organization level. This helps identify the true risk a vulnerability poses to the organization.
Gartner’s report on the Top 10 Security Projects for 2020-2021 ranks Risk-Based Vulnerability Management number 2 and says: “Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.”
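As an added illustration (not the article's own or HivePro's scoring method), the Python sketch below shows how a contextual risk score can combine the CVSS base score with the three signals the Gartner quote names: exploit availability, observed attacker activity and internal asset criticality. The weights, the vulnerability IDs, the asset names and the findings are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    vuln_id: str              # placeholder ID, constructed for this example
    asset: str                # constructed asset name
    cvss: float               # CVSS v3.x base score, 0.0 to 10.0
    exploit_public: bool      # threat intel: exploit code publicly available
    active_exploitation: bool # threat intel: attackers observed using it
    asset_criticality: int    # internal rating, 1 (low) to 5 (crown jewels)

def cvss_severity(score: float) -> str:
    """Qualitative severity band as defined for CVSS v3.x."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    if score > 0.0:  return "Low"
    return "None"

def contextual_risk(f: Finding) -> float:
    """Assumed weighting, not a standard: CVSS scaled to 0..100, multiplied by a
    threat factor (1.0 = no intel, up to 2.5 = public exploit + active attacks,
    normalised back to at most 1.0) and by asset criticality (0.2 .. 1.0)."""
    threat = 1.0 + (0.5 if f.exploit_public else 0.0) + (1.0 if f.active_exploitation else 0.0)
    criticality = f.asset_criticality / 5.0
    return round(f.cvss * 10 * (threat / 2.5) * criticality, 1)

def prioritize(findings: list) -> list:
    """Remediation order by contextual risk, CVSS breaking ties."""
    ordered = sorted(findings, key=lambda f: (contextual_risk(f), f.cvss), reverse=True)
    return [f.vuln_id for f in ordered]

def cvss_only_order(findings: list) -> list:
    """The traditional order most organizations use: severity first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample inventory: two Critical findings, one High, one High with intel.
SAMPLE = [
    Finding("VULN-A", "dev-test-vm",  9.8, False, False, 1),
    Finding("VULN-B", "customer-db",  7.5, True,  True,  5),
    Finding("VULN-C", "internet-gw",  9.8, True,  True,  5),
    Finding("VULN-D", "hr-portal",    8.1, True,  False, 3),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.vuln_id, cvss_severity(f.cvss), contextual_risk(f))
    print("CVSS-only order:", cvss_only_order(SAMPLE))
    print("Contextual order:", prioritize(SAMPLE))
```

Note how VULN-A, a Critical finding on a low-value test host with no known exploit, drops to the bottom, while VULN-B, only High by CVSS but actively exploited on a critical database, moves to second place.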
By combining the power of Machine Learning with Vulnerability Intelligence, HivePro Uni5 can perform Risk-Based Prioritization, Patch Prioritization, Threat and Attack Prediction and more.
For more information on HivePro Uni5, click here.
References:
https://www.whitesourcesoftware.com/open-source-vulnerability-management-report
https://www.gartner.com/smarterwithgartner/gartner-top-security-projects-for-2020-2021
Author: Pulkit Saxena