The discipline of vulnerability management has been around for decades and the way we assess risk, based on severity and likelihood of exploitation, has remained fairly constant. However, there are challenges in how this formula is usually applied that narrow our perspective on risk and our mitigation strategies. In a recent ThreatQ Cyber Forum session, “Risk-based Vulnerability Management,” ThreatQuotient’s Haig Colter moderated a discussion with Alex Heid, Fellow and VP of Threat Intelligence Research at SecurityScorecard and Nathan Wenzler, Chief Security Strategist at Tenable to explore this topic. 

Following are a few key takeaways from their conversation. We encourage you to watch the session on demand for all the details. 

How severity and likelihood of exploitation influence vulnerability prioritization.

As a baseline, attackers go for the lowest hanging fruit – what’s easily exploitable on the network perimeter. So, when it comes to prioritization, network-facing vulnerabilities have a higher likelihood of exploitation, and the consequences can be severe. 

However, we also need to look at severity and likelihood within the context of the organization’s environment, business, and architecture. For example, there may be a lot of attacks exploiting a vulnerability in an Oracle database. But if an organization only has a couple of those databases in a lab for testing it isn’t really a threat.  

Ultimately, we need a combination of technical information, looking at the low-hanging fruit criminals are focused on, and business information, taking into account the context for how that exploitation applies to your environment and business, so we can come up with an actionable plan. 

Why external threat intel is important for vulnerability prioritization and some potential sources. 

It’s important to understand what attackers are focusing on right now and which exploit kits are easily available, so that we can consider what’s happening in the real world that could affect the organization. Start with public sources of threat intel that are available and free. 

• The Common Vulnerability Scoring System (CVSS) continues to mature and now includes more granularity and specific metric groups to allow scoring for some degree of context. 
• In the U.S., government sources like NIST and CISA are also helpful, but data can be old by the time it is published. 
• Open source options, for example using Twitter and searching on key words, can provide very timely data. And you can even create a dashboard to get alerts by going to Tweetdeck.twitter.com. Other forums and Telegram groups may have data on threat actors targeting your industry, but often organizations need personnel with specific skills to get value from those sources. 
• Additionally, a lot of commercial security solutions now have some level of threat intelligence built in, so ask your vendors. They may be able to help you jump start a program. 

How threat intel can assist in mitigation. 

Threat intel doesn’t help with actual patching. But it can help organizations make better business decisions when they’re in a situation where there’s a zero-day and no patch available, or the fix isn’t easy and they have to do something. This is reflective of the change we have seen happening as vulnerability management moves from being a pure IT function focused on technical risk to a business function under the broader umbrella of risk management. Threat intel can help you weigh tradeoffs between trying to fix it yourself, withstanding an attack, or relying on cyber insurance to cover you. It augments the risk management decision-making process so you can devise a mitigation plan with the best interests of the business in mind. 

How to use automation for vulnerability prioritization. 

Automation can help with technical risk prioritization and definitely has a role to play from a remediation standpoint. But where it gets tricky is context. We have ways to score business context and automate that. But there’s a certain amount of manual heavy lifting needed to understand business workflows and translate IT risks into business risks. Human involvement is required to understand the context and determine what needs to happen in order to apply automation effectively. So, let’s automate what we can, and know that we must balance automation with the human element. That’s the mindset we need to build in order to be successful. 

Interested in learning more about risk-based vulnerability management? Watch the session for all the insights Alex and Nathan shared. You can also download our new whitepaper, “A Data-Driven Approach to Risk-Based Vulnerability Management with ThreatQ.”