Vulnerability management is a challenge for many organizations. If not done efficiently and effectively, it can lead to a data breach. However, it is simply impossible to patch and mitigate every software vulnerability present in an enterprise network. And, in fact, you probably shouldn’t. If you did, you’d likely be wasting precious resources that could be allocated to higher value tasks.

Based on the patching behavior of hundreds of organizations, Verizon’s 2019 Data Breach Investigations Report (DBIR) finds that more than 50% of vulnerabilities remain unpatched after 90 days. How much of that is purposeful and how much is simply due to a lack of resources and competing tasks? The report authors conclude, “Vulnerability scans will always yield findings…The key is to prioritize the important ones and have a plan for the remaining actionable vulnerabilities; and to be able to defend acceptance of unaddressed findings.”

So how do you do that? In a recent webcast, “Leveraging Threat Intelligence for Effective Vulnerability Management,” ThreatQuotient’s Anthony Stitt and Robert Streamer show how ThreatQ can help. 

Historically, most organizations haven’t factored threats into the equation when thinking about vulnerability management. They’ve largely been focused on assets and risk. But in the last few years organizations have started to consider the links between threat actors, CVEs and other indicators. The ThreatQ platform lets organizations bring threat intelligence into the vulnerability management process to connect the dots using both a top down and bottom up approach. 

Acting as a central repository, the platform allows you to aggregate internal threat and event data with external threat feeds and normalize that data so that it is in a usable format. By augmenting and enriching information from inside your environment with external threat intelligence about indicators, adversaries and their methods, you can map current attacks targeting your company, industry and geography to vulnerabilities in your assets. 

Taking a top down approach, you can narrow down the millions of indicators typically collected, to a manageable subset of high-priority CVEs scored using an algorithm based on parameters you set. These parameters are driven by multiple factors, including: indicator source, type and attributes or context, as well as adversary attributes. The scores are completely independent of the CVSS scores from the National Vulnerability Database, which don’t necessarily correlate to the risk of threat actors using that vulnerability to compromise your environment. With high-priority CVEs identified, you can then query against your vulnerability scanning tool, directly from the ThreatQ console, to determine if a particular CVE is currently in the environment and if it still needs to be addressed. 

ThreatQ also lets you take a bottom up approach to vulnerability management. With ThreatQ Investigations you can see events in your environment, for example an MD5 hash, and then pivot to external intelligence to understand more about the indicator, the threat actor group using it, and associated malware and CVEs. In this case, conducting a scan will likely reveal CVEs that are a priority for patching since the MD5 hash has already been identified, indicating an attack is in progress.  

Watch the webcast on demand and see the 20-minute demo of how to: 

• Visualize threat data related to the vulnerability
• Query internal vulnerability scanning data 
• Determine susceptible assets and prioritize vulnerability patches
• Automatically harden security infrastructure to mitigate risk

A platform that enables the use of threat intelligence to drive both a top down and bottom up approach to vulnerability management, allows you to heed the advice in the Verizon DBIR: Prioritize the important vulnerabilities, have a plan for the remaining actionable vulnerabilities, and be able to defend acceptance of unaddressed findings.