Vulnerability Management Maturity Part Two: Training Day
Share with Your Network
It’s safe to say that most modern enterprises live and breathe data. But not all data is created equal. Take, for example, the data used in early stage vulnerability management programs.
Go beyond CVSS
Sure, they use data. When their scanners detect a vulnerability, it gets added to a spreadsheet. To estimate the risk that the vulnerability poses, they use the Common Vulnerability Scoring System (CVSS). Never mind that the system doesn’t actually measure risk of exploitation: For years CVSS was as good as it got. (CVSS, by the way, approximates ease of exploit and the impact of exploit. It does not measure the risk that a vulnerability will be exploited.) In fact, many vulnerabilities with high CVSS scores pose little to no risk of exploitation or weaponization.
The quality of a vulnerability management program is directly related to its ability to accurately quantify whether a vulnerability has been weaponized in the past, or is exploitable in the future. And while CVSS might not be the appropriate tool, there is data that can be harnessed to protect corporate networks.
Pull in the right data
When a hacker deploys an attack, or when a vulnerability is exploited by security researchers interested in creating a proof of concept, it creates a record – usually in server logs, but these can be found in other places.
Rather than relying on the theoretical risk of a vulnerability, data scientists can examine how hackers have operated in the past to detect well-worn behavioral patterns. Kenna Security intakes data from a sprawling list of sources, including scanners, penetration testing results, bug bounty programs, databases of vulnerabilities and exploit intelligence, and multiple threat intelligence feeds processed in real time.
Evaluate and score vulnerabilities
We’ve learned that certain vulnerabilities are more likely to be exploited than others. Certain variables, like which vendor made the application a vulnerability affects, or whether a proof-of-concept exploit has been published, tend to be more indicative of future weaponization than other variables. Conversely, a vulnerability that can lead to memory corruption in an asset is less likely to be weaponized.
All of these factors can be harnessed to quantify the risk any individual vulnerability poses to an organization. In aggregate, these risks can be used to create an overall risk score for an entire enterprise or for segments of it.
And you have RBVM
This process is known as risk-based vulnerability management, or RBVM. It has some interesting effects. Our research shows that with the right data, it can drive down risk more thoroughly than other rubrics. For example, some enterprises have protocols under which vulnerabilities with CVSS scores above 7 are patched. Data science suggests, however, that many vulnerabilities above that threshold pose little risk of exploitation. While some vulnerabilities that fall below that threshold pose even greater risk to the organization.
RBVM is the insight that enables truly modern vulnerability management. But to get the benefits of RBVM, organizations need a tool that can operationalize these insights.
To learn more about Modern Vulnerability Management and see where you are in the maturity curve talk to one of our experts.
