Prioritization is Key to Effective Vulnerability ManagementPOSTED BY JON WARREN
Most cyber criminals exploit known vulnerabilities to launch attacks. They take the path of least resistance, reusing exploits and tools that have been effective in the past, making slight deviations to continue to evade detection and exploiting known security weaknesses. Recently, MITRE released an update to its Common Weakness Enumeration (CWE) list, adding 137 new entries to its database which now includes more than 806 security weaknesses and a total of 1177 entries. The update also included significant changes to 534 entries. This is just one of numerous sources security analysts can access as they gather data they can use for effective vulnerability management.
According to research by ESG, improving the ability to discover, prioritize and remediate software vulnerabilities is a top priority for cybersecurity professionals – second only to detecting, containing and remediating actual attacks. On the flip side, the research also points to patching as among the most time-consuming security operations tasks. It’s not just the number of vulnerabilities but the process needed to patch – testing, deploying, verifying, planning for downtime, etc.
Security teams simply don’t have the people, infrastructure, tools and time available to patch every vulnerability fast enough, and that opens you up to risk. To improve vulnerability management, you need the ability to focus your resources on addressing the known security weaknesses in your environment that adversaries are using in their current campaign to compromise your organization.
That’s where the ThreatQ platform comes in – helping you identify the vulnerabilities that leave your organization most exposed, so you can focus your vulnerability management resources where the risk is greatest.
With ThreatQ you can aggregate, contextualize and prioritize both threat and vulnerability data from multiple internal and external sources based on the Common Vulnerabilities and Exposures (CVE) standard. By incorporating vulnerability information into the ThreatQ Threat Library™ you can identify exploits involved in current ongoing campaigns and correlate them to known vulnerabilities within your organization.
But this is just the first step in overcoming the vulnerability management challenge! ThreatQ also correlates external data on threats, adversaries and indicators with events and associated indicators from SIEMS or log repositories inside your environment. Linking vulnerabilities to alerts or indicators provides the context you need to understand and prioritize vulnerabilities for patching.
Here’s a simplified example:
- Vulnerability A has no known adversaries using it or associated indicators of compromise (IOCs). Although it is a vulnerability, it may not be exploited in the real world.
- Vulnerability B is related to a specific adversary campaign and IOCs. Checking internal data and events, a few of those indicators have been seen in your SIEM and/or ticketing system.
- Vulnerability C has related threats and IOCs. However, those threats have been known to target a specific industry you are not in.
Clearly, you prioritize Vulnerability B for patching. Vulnerability C may be next on your priority list based on your risk profile, or you may wait until intelligence indicates it is targeting your industry. Since Vulnerability A is not being exploited it probably doesn’t make sense to allocate resources to it now.
This example also points to the fact that prioritization needs to be done on a continuous basis as adversaries change their tactics, techniques and procedures (TTPs), systems and applications evolve, along with their usage within your business. As new data and events come into the Threat Library, ThreatQ can automatically recalculate and reevaluate priorities, learning and understanding so you can focus your vulnerability management resources on patching the vulnerabilities that are most relevant to your organization.
With examples like Spectre and Meltdown as harsh reminders of how threat actors use vulnerabilities to their advantage, organizations can’t afford to lag in this effort. A risk-based approach to prioritizing vulnerabilities allows you to focus on the vulnerabilities that are actively being exploited and would have the greatest impact on your organization if leveraged by a threat actor. With this information you can make better investment and resource decisions to address vulnerability management and strengthen security posture.
To learn more, download our Vulnerability Application Note.