Managing an organization’s cyber security is not a job for the faint of heart. A single vulnerability can result in the theft of everything your enterprise truly values. At the same time, the potential adversaries you’re facing outnumber your own team by orders of magnitude. Because they are legion, they are not constrained by the forces that limit you: time, money, fatigue, etc.
Even worse, attackers have the advantage. Like the white side in a game of chess, the attackers move first — and too many defenders are willing to accept being reactive.
The end result of this scenario is a VM team that is overwhelmed and demoralized by the need to play catch up with a ceaseless flood of vulnerabilities. It’s simply impossible to patch everything that needs to be patched. And this is a state of affairs that seems likely to persist indefinitely.
While that may be unnerving to read, we’re not here to harp on the problem — we’re here to propose a solution: using security intelligence to enable risk-prioritized vulnerability management.
Prioritization through a risk and security intelligence lens
On the battlefield, medics are often overrun and overstretched — and unlike VM teams, they have to do their job under fire. Yet both parties have some similarities in terms of how they operate.
A combat medic or military surgeon may suddenly have more injured soldiers than he or she can treat. The only way to handle this situation is to triage: allocating treatment in a way designed to maximize the number of survivors. Soldiers who are seriously injured — but not critically wounded — may have to wait for treatment while those in worse shape are prioritized.
VM teams are continually bombarded by new alerts, many of the high or critical variety. Yet unlike in medicine — where critical means critical — not every severe vulnerability should be prioritized in the same way. Sometimes a severe vulnerability poses no real risk to the most important, business-sensitive systems and assets. If you follow a vulnerability management strategy rooted in CVSS scoring without any regard for critical risk context, you often end up having your team devote precious hours toward patching security gaps that pose almost no real risk. In medical terms, you are doing the equivalent of sending a soldier with a hangnail to the front of the triage line.
That’s obviously a situation that everyone wants to avoid. Fortunately, the answer to the problem is very straightforward: You need to apply real-time threat intelligence and attack-centric risk context to ensure you are prioritizing protection of your crown jewel assets.
How do I ensure prioritization is done optimally?
One key to this puzzle is a better understanding of threat intelligence. Though the number of breaches and threats continues to surge each year, malicious actors are leveraging the same relatively small set of vulnerabilities. They are also moving faster; according to Gartner, the time span between the identification of a vulnerability and the appearance of an exploit has shrunk from 45 to just 15 days over the last decade. However, research also shows vulnerabilities that have not been exploited after three months likely never will be.
Understanding the broad strokes of the threat landscape can help teams begin to prioritize according to risk. It’s critical to focus on exposures that are exploitable and that pose the greatest risk to sensitive systems and assets. Assessing internal vulnerability scanning data alongside external intelligence — and gaining a grasp of which vulnerabilities hackers are targeting and why — can also provide much-needed context.
Ultimately, however, VM teams need better software tools.
The scan-and-patch approach to vulnerability management needs to be immediately consigned to the trash heap of information security history. Instead, we need tools focusing on the continuous identification, assessment, reporting and remediation of security gaps using critical risk context.
Organizations need to know more than the severity of a vulnerability. They need to know its relationship to critical assets and how that vulnerability is likely to be exploited. They need visibility into the most likely attack paths and tactics through which they will be targeted. They need to know the likely consequences should that exposure be successfully exploited. They need a process for accomplishing this that is automated and continuous — one that begins to even the deeply slanted playing field on which defenders and attackers are perched.
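To make the contrast with CVSS-only ordering concrete, here is an added illustration (not from the original article or any product) that ranks scanner findings by exploitation intelligence and by how close the affected host sits to a crown jewel asset. The host names, finding ids, reachability map and the three-tier ordering rule are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: hosts, who can connect to whom, and scanner findings.
CROWN_JEWELS = {"payments-db"}
REACH = {  # host -> hosts it can reach (assumed to come from firewall/identity data)
    "web-frontend": ["app-server"],
    "app-server": ["payments-db"],
    "build-agent": ["app-server"],
    "kiosk": [],
    "payments-db": [],
}
FINDINGS = [  # ids are placeholders, not real CVEs
    {"id": "VULN-A", "host": "kiosk", "cvss": 9.8, "exploited_in_wild": True},
    {"id": "VULN-B", "host": "web-frontend", "cvss": 7.5, "exploited_in_wild": True},
    {"id": "VULN-C", "host": "app-server", "cvss": 9.1, "exploited_in_wild": False},
    {"id": "VULN-D", "host": "payments-db", "cvss": 6.5, "exploited_in_wild": True},
    {"id": "VULN-E", "host": "build-agent", "cvss": 8.8, "exploited_in_wild": False},
]

def hops_to_crown_jewel(host, reach=REACH, jewels=CROWN_JEWELS):
    """Breadth-first search: shortest hop count from host to a crown jewel, or None."""
    seen, queue = {host}, deque([(host, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in jewels:
            return dist
        for nxt in reach.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def by_cvss(findings=FINDINGS):
    """Severity-only ordering: highest CVSS first."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]

def by_risk(findings=FINDINGS):
    """Tier 0: exploited and on a path to a crown jewel; tier 1: on a path only;
    tier 2: no path at all. Within a tier: fewer hops first, then higher CVSS."""
    def key(f):
        hops = hops_to_crown_jewel(f["host"])
        if hops is None:
            return (2, 0, -f["cvss"])
        return (0 if f["exploited_in_wild"] else 1, hops, -f["cvss"])
    return [f["id"] for f in sorted(findings, key=key)]

if __name__ == "__main__":
    print("CVSS order:", by_cvss())
    print("Risk order:", by_risk())
```

In this constructed data set the 9.8-rated finding on an isolated kiosk drops to last place, while the 6.5-rated, actively exploited finding on the crown jewel itself moves to first.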
Such characteristics are found only in attack-centric exposure prioritization platforms that offer deep threat intelligence and precision-targeted prioritization of the vulnerabilities that pose the greatest risk to crown jewel assets.
Tools such as these allow VM teams to focus on the one percent of exposures that are exploitable. By doing this, they eliminate 99 percent of the risk to business-sensitive systems — and no longer have to worry about wasting inordinate resources on patching vulnerabilities that pose no real problem.
Risk-prioritized vulnerability management isn’t a luxury. It should be an absolute imperative for all organizations. Without risk context, VM teams are fighting this battle with one hand tied behind their backs — and are often focused on the wrong foe.