Data from the recently published Security Navigator report shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than six months.
Good vulnerability management is not about being fast enough to patch every potential weakness. It is about focusing on the real risk: using vulnerability prioritization to correct the most significant flaws and reduce the company's attack surface the most. Company data and threat intelligence need to be correlated, and that correlation automated, so that internal teams can focus their remediation efforts. Suitable technology can take the shape of a global Vulnerability Intelligence Platform, which prioritizes vulnerabilities using a risk score and lets companies focus on their real organizational risk.
Getting Started
Three facts to have in mind before establishing an effective vulnerability management program:
1. The number of discovered vulnerabilities increases every year. With an average of 50 new vulnerabilities discovered every day, it is easy to see that patching them all is impossible.
2. Only a small share of vulnerabilities are actively exploited, and those represent a very high risk to all organizations. Around 6% of all vulnerabilities are ever exploited in the wild[43]: we need to reduce the burden and focus on the real risk.
3. The same vulnerability can have a completely different impact on the business and on the infrastructure of two distinct companies, so both the business exposure and the severity of the vulnerability need to be considered.

Based on these facts, there is no point in patching every vulnerability. Instead, we should focus on those that pose a real risk, based on the threat landscape and the organizational context.
The concept of risk-based vulnerability management
The objective is to focus on the most critical assets and on the assets most at risk of being targeted by threat actors. To build a risk-based vulnerability management program we need to consider two environments.
The internal environment
The client's own landscape is the internal environment. Companies' networks are growing and diversifying, and so is their attack surface: all the components of the information system that an attacker can reach. Having a clear and up-to-date view of your information system and of your attack surface is the very first step. The business context also matters: companies can be a greater target depending on their sector, because of the specific data and documents they hold (intellectual property, classified defense material, and so on). The last key element is the unique context of the individual company. The objective is to classify assets according to their criticality and to highlight the most important ones, for instance assets whose unavailability would seriously disrupt business continuity, or highly confidential assets whose exposure would make the organization liable to multiple lawsuits.
The external environment
The threat landscape is the external environment. This data is not available from inside the organization's own network: organizations need the human and financial resources to find and manage it, or they can outsource the activity to professionals who monitor the threat landscape on their behalf.
Knowing which vulnerabilities are actively exploited is a must, since they represent a higher risk for a company. These actively exploited vulnerabilities can be tracked by combining threat intelligence capabilities with vulnerability data. For the most reliable results, use several threat intelligence sources and correlate them. Understanding attacker activity is also valuable, since it helps anticipate potential threats: intelligence about a new zero-day or a new ransomware campaign can be acted on in time to prevent a security incident.
Combining and understanding both environments helps organizations define their real risk and pinpoint more efficiently where preventive and remediation actions should be deployed. There is no need to apply hundreds of patches; ten well-chosen ones can drastically reduce an organization's attack surface.
Five key steps to implement a risk-based vulnerability management program
- Identification: identify all your assets to discover your attack surface; a discovery scan gives a first overview. Then run regular scans on your internal and external environments and feed the results into the Vulnerability Intelligence Platform.
- Contextualization: configure your business context and the criticality of your assets in the Vulnerability Intelligence Platform. The scan results are then contextualized with a specific risk score per asset.
- Enrichment: the scan results are enriched with additional sources provided by the Vulnerability Intelligence Platform, such as threat intelligence and attacker activity, which help prioritize according to the threat landscape.
- Remediation: the risk score given per vulnerability, combined with threat intelligence criteria such as "easily exploitable", "exploited in the wild" or "widely exploited", makes effective prioritization of remediation much easier.
- Evaluation: monitor and measure the progress of your vulnerability management program using KPIs and customized dashboards and reports. It is a continuous improvement process!
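As an added worked example (not code from the report, nor from any Orange Cyberdefense product), the Python below strings the five steps together on constructed scanner output: asset criticality from the contextualization step, threat-intelligence tags from the enrichment step, a risk score for remediation and a coverage KPI for evaluation. The scoring formula (CVSS severity x business exposure x threat multiplier), the asset names, the 1-to-5 criticality scale, the tag weights and the CVE-0000-* identifiers are all assumptions made for the demo; the identifiers are placeholders, not real CVE records.

```python
"""Illustrative risk-based prioritization of scan findings.

Added example, not taken from the Security Navigator report or from any
Vulnerability Intelligence Platform. The scoring formula, asset names,
criticality scale and CVE-0000-* identifiers are assumptions made up for
the demo; the identifiers are placeholders, not real CVE records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str   # host or application the scanner reported the issue on
    vuln: str    # vulnerability identifier as reported by the scanner
    cvss: float  # CVSS base score, 0.0-10.0, as supplied by the scanner


@dataclass(frozen=True)
class ThreatIntel:
    """Tags an intelligence feed would attach to a vulnerability ID."""
    easily_exploitable: frozenset
    exploited_in_wild: frozenset
    widely_exploited: frozenset


# Contextualization: business criticality per asset, 1 = lab box,
# 5 = crown jewel (revenue-critical or holding highly confidential data).
ASSET_CRITICALITY = {
    "erp-db": 5,
    "web-portal": 4,
    "dev-wiki": 2,
    "test-vm": 1,
}

# Enrichment: constructed threat-intel feed keyed by placeholder IDs.
INTEL = ThreatIntel(
    easily_exploitable=frozenset({"CVE-0000-0001", "CVE-0000-0003"}),
    exploited_in_wild=frozenset({"CVE-0000-0001", "CVE-0000-0003"}),
    widely_exploited=frozenset({"CVE-0000-0003"}),
)

# Identification: constructed scanner output for the four assets.
FINDINGS = [
    Finding("erp-db", "CVE-0000-0001", 7.5),
    Finding("test-vm", "CVE-0000-0002", 9.8),
    Finding("web-portal", "CVE-0000-0003", 8.1),
    Finding("dev-wiki", "CVE-0000-0001", 7.5),   # same vuln, less critical asset
    Finding("erp-db", "CVE-0000-0004", 5.3),
    Finding("web-portal", "CVE-0000-0005", 9.1),
]


def threat_multiplier(vuln: str, intel: ThreatIntel) -> float:
    """Weight from the threat landscape: 1.0 with no intel, up to 3.5."""
    factor = 1.0
    if vuln in intel.easily_exploitable:
        factor += 0.5
    if vuln in intel.exploited_in_wild:
        factor += 1.0
    if vuln in intel.widely_exploited:
        factor += 1.0
    return factor


def risk_score(f: Finding, criticality: dict, intel: ThreatIntel) -> float:
    """Assumed formula: severity x business exposure x threat activity.

    Unknown assets default to criticality 1, so they are down-weighted but
    never dropped until someone classifies them.
    """
    exposure = criticality.get(f.asset, 1) / 5
    return round(f.cvss * exposure * threat_multiplier(f.vuln, intel), 2)


def prioritize(findings, criticality=ASSET_CRITICALITY, intel=INTEL, top_n=None):
    """Remediation: (score, finding) pairs ranked by risk, highest first.

    Ties are broken by asset then vuln ID so the order is stable run to run.
    """
    ranked = sorted(
        ((risk_score(f, criticality, intel), f) for f in findings),
        key=lambda item: (-item[0], item[1].asset, item[1].vuln),
    )
    return ranked if top_n is None else ranked[:top_n]


def risk_covered(ranked, n: int) -> float:
    """Evaluation KPI: share of total risk removed by fixing the top n."""
    total = sum(score for score, _ in ranked)
    if total == 0:
        return 0.0
    return round(sum(score for score, _ in ranked[:n]) / total, 3)


if __name__ == "__main__":
    ranked = prioritize(FINDINGS)
    for score, f in ranked:
        print(f"{score:6.2f}  {f.asset:<11} {f.vuln}  (CVSS {f.cvss})")
    print(f"fixing the top 2 removes {risk_covered(ranked, 2):.1%} of the risk")
```

Run as a script, the ranking shows the three points made above: the CVSS 9.8 on the throwaway test VM lands last, the same CVE-0000-0001 scores 18.75 on the ERP database but 7.5 on the dev wiki, and the unexploited 9.1 on the portal ranks below the exploited 7.5. Fixing the top two findings removes roughly 65% of the modelled risk, which is the kind of KPI the evaluation step tracks over time.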
This is a story from the trenches found in the 2023 Security Navigator report. More on vulnerabilities and other interesting stuff including malware analysis and cyber extortion, as well as tons of facts and figures on the security landscape, can be found in the full report. You can download the 120+ page report for free on the Orange Cyberdefense website. So have a look, it’s worth it!
Note: This informative story was expertly crafted by Melanie Pilpre, product manager at Orange Cyberdefense.