Managing vulnerabilities and threats has never been more difficult. Today, with the widespread decentralization of the workplace and access to information and corporate resources from any device and from anywhere, it is no longer enough to simply scan for and patch the many vulnerabilities that continually emerge in this environment. It is impossible to keep up with such a frenetic pace.
To effectively minimize their own attack surface, predict potential threat scenarios in advance, and manage their patches and vulnerabilities, companies will need to resort to risk-based scanning procedures.
But neither compliance-oriented vulnerability management nor patch management is able to keep up with the pace and aggressiveness of attacks. Unfortunately, it is still common practice for IT teams to close vulnerabilities based solely on the severity level defined by the software provider. This alone is not enough, and in many cases it does not reflect the real risk that a vulnerability represents for our company.
Today it is common that, by the time a vulnerability classified as potentially risky is made public, it is already being actively exploited. It is therefore essential to take other risk parameters into account when deciding which vulnerabilities to correct.
Therefore, a prioritization of vulnerabilities that incorporates risk-based factors offers a significantly higher level of protection, but also requires an entirely new model.
‘Risk-based’ vulnerability management model closes security gaps
The correct approach is to identify, prioritize and mitigate all vulnerabilities according to the criticality of the company’s systems. This risk-based prioritization bases IT security on a wide range of parameters, rather than on the provider’s severity rating as the sole criterion. Above all, it draws on data in which the highest risks to an environment are classified, such as vulnerabilities that are being exploited in attacks.
Furthermore, observing and analyzing trends among threat actors helps set priorities for detection. Thus, to ensure rapid removal of the most dangerous threats, it is important to become familiar with current and past attack patterns. For example, in recent years, 95% of the time, cybercriminals have used remote code execution and privilege escalation to inject malicious code or extract data. Also part of this security approach is the precise analysis of the context of an attack; in this respect, discussions in forums or on the dark web offer interesting clues.
Expert prioritization that incorporates these types of risk-based factors offers a significantly higher level of protection, but it also requires a radically new approach: an effective process of collecting and integrating information about relevant threats, encompassing an ecosystem of different information sources that are intelligently aggregated. This also includes the results of penetration tests or regular vulnerability scans and, as a next step, a decision on which vulnerabilities should be scanned first. Although this approach tends to increase the workload for IT security, specialized tools provide this type of data, and it is often already integrated into automated patching routines.
Analyze threat data in a structured way
Until now, it was barely possible to compare vulnerability information between infrastructures and applications, since applications often use Common Vulnerabilities and Exposures (CVE) or Common Weakness Enumeration (CWE) entries as the basis of their data. Service providers such as Ivanti RiskSense solve this problem by developing advanced index scores that are significantly more meaningful than a simple CVSS v3 score. To determine this cybersecurity score, the various data are normalized, and the impact of a vulnerability is merged with the threat context and the current exploits in order to estimate the probability of its being exploited. An algorithm intelligently filters and highlights the riskiest vulnerabilities. To do this, it takes into account vulnerability and threat data, as well as human validation of exploits by penetration testing teams. Cybersecurity risks are thus deciphered from the broadest possible perspective. In this way, criticality is evaluated at the moment a vulnerability is found, and it is known at all times how it is being exploited.
Building a bridge to patch management
But it is not enough to know the trouble spots. The next step is to incorporate the findings from the vulnerability risk analysis into patch management. This gives IT teams an overview of the patches that need to be applied immediately. The rule of thumb is as follows: vulnerabilities in highly critical systems should be remediated on a priority basis, which means that currently unexploited security holes with lower risk potential can remain open for the time being.
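As an added example (not code from this article and not Ivanti RiskSense’s scoring), the following Python sketch implements the kind of prioritization described in the two preceding sections: a normalized CVSS score is weighted by asset criticality to give impact, merged with threat context (active exploitation, pentest-validated exploits, a match against the attack trends the article cites) to estimate exploit likelihood, and the result is mapped onto a patch-management decision. The weights, thresholds, tier names and all sample findings (including the CVE placeholders) are assumptions constructed for the illustration. The point it demonstrates is the article’s thesis: the CVSS-only ordering and the risk-based ordering of the same four findings come out almost reversed.

```python
"""Risk-based vulnerability prioritization (illustrative; weights and
thresholds are assumptions, not Ivanti RiskSense's scoring model)."""
from dataclasses import dataclass, field

# Attack techniques the article identifies as the most common in recent years.
ATTACK_TRENDS = frozenset({"rce", "privesc"})


@dataclass(frozen=True)
class Finding:
    cve: str                      # identifier (constructed placeholders below)
    cvss: float                   # CVSS v3 base score, 0.0 .. 10.0
    asset: str                    # affected system
    asset_criticality: int        # 1 (lab box) .. 5 (business critical), set by the asset owner
    exploited_in_wild: bool       # threat-intel feed reports active exploitation
    exploit_validated: bool       # penetration-testing team confirmed a working exploit
    trend_tags: frozenset = field(default_factory=frozenset)  # e.g. {"rce"}


def normalize_cvss(cvss: float) -> float:
    """Clamp a CVSS score into 0..10 and map it onto 0.0..1.0."""
    return max(0.0, min(cvss, 10.0)) / 10.0


def exploit_likelihood(f: Finding) -> float:
    """Estimate how likely the vulnerability is to be exploited (0.0..1.0).
    Evidence ranking: in-the-wild exploitation beats a validated exploit,
    which beats a match against current attack trends."""
    likelihood = 0.1                       # baseline: no threat evidence at all
    if f.trend_tags & ATTACK_TRENDS:
        likelihood += 0.3                  # technique favoured by attackers
    if f.exploit_validated:
        likelihood = max(likelihood, 0.6)  # human-validated exploit exists
    if f.exploited_in_wild:
        likelihood = 1.0                   # already being used in attacks
    return likelihood


def risk_score(f: Finding) -> float:
    """Impact (severity weighted by asset criticality) times exploit
    likelihood, scaled to 0..100 and rounded to one decimal."""
    impact = normalize_cvss(f.cvss) * (f.asset_criticality / 5.0)
    return round(100.0 * impact * exploit_likelihood(f), 1)


def remediation_tier(score: float) -> str:
    """Translate a score into a patch-management decision (thresholds assumed)."""
    if score >= 50.0:
        return "immediate"
    if score >= 20.0:
        return "scheduled"
    return "defer"   # unexploited and low risk: may stay open for now


def prioritize(findings):
    """Return (cve, score, tier) triples, highest risk first."""
    scored = [(f.cve, risk_score(f), remediation_tier(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def cvss_only_order(findings):
    """The provider-severity-only ordering the article argues against."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", 9.8, "test-lab-vm", 1, False, False, frozenset({"rce"})),
    Finding("CVE-EXAMPLE-0002", 7.5, "erp-db", 5, True, False, frozenset({"privesc"})),
    Finding("CVE-EXAMPLE-0003", 6.1, "customer-portal", 4, False, True, frozenset({"xss"})),
    Finding("CVE-EXAMPLE-0004", 8.8, "intranet-wiki", 2, False, False),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_order(SAMPLE_FINDINGS))
    for cve, score, tier in prioritize(SAMPLE_FINDINGS):
        print(f"{cve}  risk={score:5.1f}  action={tier}")
```

Run stand-alone, the CVSS-only view puts the 9.8 on a throwaway lab VM first and the actively exploited 7.5 on the ERP database third; the risk-based view puts the ERP finding at the top as “immediate”, the pentest-validated portal bug as “scheduled”, and leaves the two unexploited, low-criticality findings in “defer”, which is exactly the rule of thumb stated above. In a real deployment the criticality values would come from the asset inventory and the exploitation flags from the threat-intelligence and penetration-testing inputs the article lists.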
Beyond “silo” thinking
A risk-based security model requires more than ever that security and IT operations communicate with each other. However, in many organizations, one team is responsible for vulnerability scanning and penetration testing, another team for setting priorities, and the IT team for remediation. As a result, there are sometimes serious gaps, or too much time lag, between security findings and IT remediation. Also, the IT department rarely has visibility into the results of its efforts. When IT and security share responsibility and work together to address cyber risks, remediation is much more successful and increasingly effective.
In the past, cyber risk management focused primarily on the number of patches applied, a model that is no longer useful. Accurate measurement of risk exposure requires a qualitative assessment adapted to the systems of each organization. To do this, an effective threat and vulnerability management (TVM) solution must be able to display results that are understandable to IT and security teams as well as to the executive level of the company, without the need for interpretation.
On the other hand, establishing a cybersecurity priority score for vulnerability management in an organization allows the effectiveness of the risk-based approach to be measured. This simplifies planning and eliminates the need to use purely activity-based metrics to address vulnerabilities.
Likewise, it allows security teams to run what-if scenarios that give an idea of which actions will have a positive impact and how they can be aligned with the available resources and the sensitivities of the business. The bottom line is that threat and vulnerability management coverage must keep pace with business dynamics. Therefore, it is critical to evolve from one-off compliance-based assessments to assessments that are more time-sensitive and convey the urgency warranted by the high potential risk to an organization.
Managing a vulnerability requires a huge amount of data, something that can fluctuate depending on the type of scanner and the type of provider. To make sense of such a level of complexity, it is ultimately necessary to establish a common prioritization based on threats, which includes all assets. The selection of the appropriate tools can contribute to this, mainly because they allow attacks to be predicted. They should include the following features:
CVSS reference evaluation
Industry-standard threat data sources, such as the National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE) and the OWASP Top 10
Selected threat sources, providing extensive coverage and updates on the most active exploits
Direct input from the industry’s leading penetration testing teams on new validated exploits
Daniel Gonzalez, Senior Key Account Manager, Ivanti