Remember back in precedented times when people questioned how long digital transformation would take and whether companies really needed to move to the cloud? Although business leaders may have asked those questions only a few years ago, today they recognize the seismic shift rippling across the technology, threat, and attack landscapes.

Vulnerability management teams act as the first line of security defense, remediating known security weaknesses that attackers try to exploit. However, over the last few years, the number of reported vulnerabilities has increased exponentially, making it difficult for these teams to apply patches fast enough to keep pace with today’s threats. Further, many vulnerability management teams lack the information needed to make risk-based decisions. When coupled with data silos across vulnerability management, security operations, and senior leadership, most companies struggle to create an effective and cost-efficient security program.

Prioritizing vulnerabilities requires quantitative business impact data so organizations can make meaningful decisions that drive cyber resilience.

What is Vulnerability Management Prioritization?

Vulnerability management prioritization is the process of scanning the organization’s assets to detect security weaknesses that threat actors can exploit during an attack and ordering them based on risk. To identify vulnerabilities, most organizations use a collection of tools, including:

  • Vulnerability scanners: automated tools that look for and report potential known vulnerabilities across network-connected devices, including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers

  • Vulnerability databases: platforms that collect, maintain, and share data about known computer security vulnerabilities, providing information about criticality or severity

  • Vulnerability testing/vulnerability assessments: manual or automated processes evaluating the organization’s software systems for weaknesses in procedure, design, implementation, or other controls

Vulnerability management prioritization is a fundamental step in a vulnerability management team’s process. At a high level, this process follows four basic steps:

  • Identification: determine which known vulnerabilities impact the organization’s systems, often incorporating threat intelligence as part of the research

  • Evaluation/Prioritization: determine which vulnerabilities are most severe or cause the most risk to the organization’s networks and systems

  • Remediation: apply patches or increase protections for the applications, devices, or networks starting with highest priority or highest risks first

  • Reporting: documenting detection, prioritization, and remediation activities

The prioritization step is key to the vulnerability management process because it enables the team to allocate resources effectively.

Why Prioritizing Vulnerabilities Is Fundamental to Security

As more attacks bombard organizations, vulnerability management teams and their prioritization strategies act as a first line of defense for most organizations. While vulnerability management teams and security operations centers (SOCs) often work independently from one another, they are really two sides of the same coin.

Similar to burglars finding an unlocked door into a home, threat actors use vulnerabilities to gain a foothold in an organization’s networks and systems. Vulnerability management teams work to lock as many doors as possible. Meanwhile, SOC teams monitor for any potential activity indicating that a threat actor gained unauthorized access prior to the security weakness being remediated.

By the raw numbers, security researchers reported 21,957 common vulnerabilities and exposures (CVEs) in 2021, a 19.6% increase compared to 2020.

However, the problem goes beyond the sheer number of software vulnerabilities. According to the 2021 Verizon Data Breach Investigations Report, the “Exploit vulnerability” action variety rose to 7% in 2021, double its share in 2020. While the number of reported vulnerabilities increased, threat actors decreased the time it took to exploit them. For example, research found the average time to known exploitation in 2021 was 12 days, 71% faster than in 2020.

The intersection of vulnerability management and security is highlighted by research. For example, burnt-out SOC teams spend 22.4% of their time on vulnerability/compliance scanning and patching. This is only slightly more than the 22% that they say they spend on responding to security incidents.

When aggregating the research, one thing becomes clear. Prioritizing vulnerabilities is a key security initiative. The overwhelming number of vulnerabilities and threat actors’ ability to exploit them rapidly means that vulnerability management and security teams need a solution that works for both of them.

Mind the Gaps

Many organizations recognize the security implications associated with vulnerability management. However, they still struggle because they face gaps affecting the three building blocks of their programs: people, processes, and technology.

Visibility Gap

Many say that digital transformation changed cybersecurity by decreasing visibility. For vulnerability management and SOCs, the visibility gap is further complicated. Without visibility, neither team is able to create efficient, effective processes to mitigate risk.

The vulnerability visibility gap is a combination of two primary problems:

  • Vulnerabilities hiding in open source software

  • Exploitability

Free Open Source Software (FOSS)

While organizations can review their technology stack for CVEs connected to the products they run, assessing the impact that arises through the software supply chain is more difficult.

Nearly all software and application development teams use open source libraries and repositories. According to the Harvard Census II of Free and Open Source Software, research estimates that 98% of codebases incorporate FOSS across public and private sectors in nearly all industry verticals. The report further explained that developer account takeovers have increased as malicious actors look to expand their reach by inserting malicious code directly into the libraries. Without visibility into vulnerabilities embedded in these resources, organizations are unable to apply compensating controls or remediations.

For example, security researchers noted vulnerabilities in:

  • Python Packaging Index

  • RubyGems

  • PHP

  • Node Package Manager

  • Composer PHP Project

  • GoCD

  • Npm packages

With FOSS ubiquitous across nearly every software layer, including operating systems and firmware, organizations struggle to gain visibility into potentially risky code.

Exploitability

Even more difficult, many organizations may know that their technology stack faces a risk, but they lack the ability to determine whether threat actors can exploit the vulnerability. For example, in April 2022, the Cybersecurity & Infrastructure Security Agency (CISA) released a “2021 Top Routinely Exploited Vulnerabilities” list.

Although researchers discovered 21,957 CVEs in 2021, threat actors routinely focused on some more than others, including ones discovered as early as 2017. CISA listed the top 15 routinely exploited vulnerabilities, 3 of which were also routinely exploited in 2020. It also listed an additional 15 that malicious actors routinely exploited in 2021, including multiple vulnerabilities affecting internet-facing systems, with 3 routinely exploited in 2020.

Vulnerability management teams find themselves flooded with newly discovered security issues, but threat actors focus their exploits on a small portion of them. Without visibility into how attackers could use a vulnerability to cause damage in the organization’s unique environment, vulnerability management teams lack the ability to create efficient processes.

Talent Gap

Just as the visibility gap impacts every area of security, the talent gap has a similar effect. Across this vector, the outcomes are more quantifiable.

According to the (ISC)2 Cybersecurity Workforce Study, 29% of security professionals noted that “slow to patch critical systems” was one of the real consequences of the staffing shortage. Meanwhile, 27% responded that a real consequence was an “inability to remain aware of all threats active against the network.”

Without enough people to fill critical roles, organizations face a dual security issue. They lack the ability to apply patches rapidly. Meanwhile, they lack people able to research all threats active against the network. This makes it easier for malicious actors to leverage known vulnerabilities as a way to infiltrate systems and networks. Simultaneously, it makes prioritizing vulnerabilities more challenging for organizations.

Tool Gap

In an attempt to gain visibility and overcome the talent gap, many organizations turn to automation. In doing so, they feed the vicious security risk cycle rather than solve their problems.

Purchasing tools works only when organizations have the staff to maintain them. For example, vulnerability management teams can automate vulnerability scanning to detect possible weaknesses. However, these often provide false positives without the ability to confirm whether a malicious actor can exploit the vulnerability. Inability to combine this information effectively leads to inability to prioritize vulnerabilities.

To add context, organizations incorporate a configuration management database (CMDB) that uses data from configuration items (CIs) to add business context. Theoretically, this context helps teams prioritize and assign ownership for vulnerability remediation.

Unfortunately, organizations need people to maintain a healthy CMDB. For an effective CMDB, companies need to assign someone responsibility for monitoring and approving changes.

Ultimately, the organization either underspends, leading to security gaps, or overspends, leading to financial waste.

Prioritizing Vulnerabilities is a “Risky” Business

Attempting to overcome the challenges associated with vulnerability management, companies try to prioritize their activities using risk models. However, once again, many find themselves struggling.

Theoretically, risk calculations look easy:

Risk = Likelihood of a Data Breach × Impact

In reality, both the likelihood of a vulnerability leading to a data breach and the impact of that breach remain hard to quantify.

Likelihood

The likelihood that a vulnerability will lead to a data breach is a multifaceted metric. As organizations try to streamline time-consuming vulnerability management processes, they need to incorporate the complete range of complex risk factors.

Vulnerability Severity and Exploitability

Most vulnerability scans use the Common Vulnerability Scoring System (CVSS) when ranking a CVE’s risk. CVSS scores range between 1 (information) and 10 (critical), taking into account:

  • Type of attack that could use it

  • Level of access required to exploit it

  • Overall complexity

The problem with using the CVSS as the only prioritization method is that it fails to take into account each organization’s unique environments. It informs the vulnerability management team about what could be done if attackers exploited a CVE without looking at whether an attacker could exploit it easily in that organization’s environment.

Exploitability gives the vulnerability management and SOC teams an idea of whether the vulnerability can lead to a successful attack in their environments. Assets exposed to the internet are easier for attackers to locate and exploit.

Consider the following two examples:

  • A moderate CVSS score on an asset exposed to the internet: less critical vulnerability overall but easier for an attacker to exploit directly

  • A critical CVSS score on an asset sitting three steps from the internet: a critical vulnerability but it takes a lot of effort for an attacker to exploit it

Comparing the real risk between these vulnerabilities is difficult. Even when including both factors, vulnerability management teams may not be able to distinguish one from the other. Meanwhile, security teams have to hope that the vulnerability management team remediates both or hope detections catch a malicious actor.

Total Assets Impacted

Another criterion many organizations use when prioritizing vulnerabilities is the total number of assets impacted. This makes sense because each affected asset can be used as an attack vector.

In a world where everything is connected, a threat actor only needs to leverage one device or application to gain a foothold before moving laterally across networks and systems. When a vulnerability impacts a lot of assets, teams need to incorporate additional context like exploitability and severity when prioritizing their activities.

In another trade-off, many vulnerability management teams struggle to identify critical assets.

Critical assets are the systems and associated technologies whose security and service availability is critical to business operations and revenue. While many organizations have technologies that enable them to determine their critical applications, diving deeper into critical assets is challenging.

In highly connected IT environments, critical asset identification includes the technologies supporting the critical applications, including:

  • Devices

  • Servers

  • Databases

  • Routers

  • Switches

  • Cloud resources, like applications

The tactical side of understanding critical assets remains a manual and error-prone process. Typically, the engineers building a product list the databases and servers that the application uses. Unfortunately, the time-consuming process often leads to an incomplete list as the project moves forward and assets change.

Vulnerabilities impacting critical assets are riskier than others. For example, if an organization knows that a financial application earns $1 million/week in revenue, then that application needs to be secured first. Unfortunately, most organizations have only a basic understanding of their critical assets because they are unable to gain visibility into all connections across their complex environments.

Impact

Risk metrics used to prioritize vulnerability management should focus as much on impact as they do on likelihood. Calculating a data breach’s impact should incorporate:

  • Business interruption arising from service outages

  • Legal and compliance costs

  • Response costs

  • Notification costs

  • Customer churn

Often, organizations struggle to gather data to support the impact metrics. Publicly available information is scattered across multiple databases and reports, which means many companies make estimates rather than using quantitative data.

In addition, without the ability to connect critical applications to all critical assets, many organizations lack insight into how the assets impact critical business processes and revenue. They use spreadsheets and time-consuming manual methods. Even though companies may use technologies that enable some visibility, they still struggle to correlate:

  • Data type

  • User privilege

  • Objective financial business impact data

  • Connections between assets

Often, this means that the data breach impact analysis is more qualitative than quantitative, undermining the organization’s ability to prioritize vulnerabilities.

Know Thyself: 5 Steps for Effectively and Efficiently Prioritizing Vulnerabilities

Most organizations start by looking at their environments through an attacker’s eyes. In reality, knowing your environment enables your vulnerability management and SOC teams to secure your systems and networks more effectively.

1. Use Business Impact to Identify Critical Assets for Visibility

From practical and compliance standpoints, every risk assessment starts by identifying assets. As a first step, you can use asset management tools to detect and catalog network-connected assets.

To enrich your risk and impact analyses, you need application-to-asset mapping, especially for business-critical applications. With visibility into data flows, you can calculate business impact, like revenue generation.

By using analytics-driven visibility into connected applications and components, you establish a risk-based vulnerability management program that enables your SOC and vulnerability management teams to operationalize the risk assessment. With this context, everyone better understands a vulnerability’s security impact so that they can prioritize their remediation more efficiently and effectively.

2. Use Objective Financial Data to Understand Impact

With a full-featured understanding of business impact risk, you can begin to quantify impact. Your senior leadership and Board of Directors are able to make more informed decisions as part of their compliance responsibilities. Meanwhile, your security and vulnerability management teams have better insight into how they should focus their time and effort.

To understand data breach impact, organizations should incorporate data breach actuarial data based on companies of similar size and industry.

Using this data, organizations can better quantify risk by assigning a dollar value to an asset’s:

  • Asset type: is it internal or external facing?

  • Connections: does it connect to a critical application?

  • Data type: Is sensitive data impacted?

Overall, by understanding the operational and financial business impact that a data breach can have, you create an organizational culture of security based on objective data rather than qualitative estimates.
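To show how the Risk = Likelihood × Impact formula, the CVSS-versus-exposure comparison from the “Vulnerability Severity and Exploitability” section, and the dollar-value factors from this step fit together, here is an added toy prioritizer. It is illustrative code written for this article, not KeyCaliber’s product or method; the hop penalty, the known-exploited multiplier, the data-sensitivity and blast-radius uplifts, and the sample findings are all constructed assumptions standing in for real scanner, CMDB and actuarial data.

```python
"""Added example: rank findings by Risk = Likelihood x Impact, where
likelihood combines CVSS severity with exploitability in this environment
(internet exposure, known exploitation) and impact is a dollar figure built
from weekly revenue, data sensitivity and blast radius. All weights and
sample data below are assumptions, not vendor or industry figures."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str               # identifier as reported by the scanner (placeholder)
    cvss: float            # CVSS base score, 0.0-10.0
    hops: int              # network hops from the internet (0 = exposed)
    known_exploited: bool  # appears on a routinely-exploited list
    asset: str
    revenue_per_week: float  # $ the supported application earns weekly
    sensitive_data: bool     # PII/financial data reachable from the asset
    connected_assets: int    # other assets reachable from this one


def likelihood(f: Finding) -> float:
    """Score in [0, 1]: CVSS severity discounted by reachability."""
    severity = f.cvss / 10.0
    # Assumption: each hop from the internet halves the chance an attacker
    # reaches the asset; a known-exploited CVE is treated as fully weaponised.
    reach = 0.5 ** f.hops
    weaponised = 1.0 if f.known_exploited else 0.6
    return round(severity * reach * weaponised, 4)


def impact(f: Finding, outage_weeks: float = 1.0) -> float:
    """Dollar impact: business interruption scaled by data type and reach."""
    interruption = f.revenue_per_week * outage_weeks
    # Constructed multipliers standing in for actuarial data by industry.
    data_uplift = 1.5 if f.sensitive_data else 1.0
    lateral = 1.0 + 0.1 * f.connected_assets  # blast radius for lateral movement
    return round(interruption * data_uplift * lateral, 2)


def risk(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 2)


def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Return (cve, asset, risk) tuples sorted highest risk first."""
    ranked = sorted(findings, key=risk, reverse=True)
    return [(f.cve, f.asset, risk(f)) for f in ranked]


# Constructed sample findings mirroring the two cases in the text: a moderate
# CVSS on an internet-facing asset versus a critical CVSS three hops in.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", 6.5, 0, False, "web-portal", 50_000, False, 2),
    Finding("CVE-PLACEHOLDER-2", 9.8, 3, False, "payments-db", 1_000_000, True, 5),
    Finding("CVE-PLACEHOLDER-3", 7.5, 0, True, "vpn-gateway", 200_000, False, 8),
]

if __name__ == "__main__":
    for cve, asset, score in prioritize(SAMPLE):
        print(f"{cve} on {asset}: risk ${score:,.2f}")
```

With these assumed weights the deeply buried payments database still outranks the exposed web portal because its dollar impact dwarfs the reachability discount, which is the page’s point that neither CVSS nor exposure alone can order the backlog.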

3. Automate Manual Processes

By automating manual processes, you can overcome the talent and tool gaps that make vulnerability prioritization and remediation challenging. Instead of using spreadsheets to map critical applications to digital assets, automation streamlines this process giving you up-to-date visibility while saving time.

Additionally, automation ensures that your vulnerability management team can focus on critical tasks instead of administrative ones. Instead of spending time cross-referencing and updating spreadsheets and the CMDB, your team can streamline remediation activities with at-a-glance visibility and leverage automation for updating records.

4. Correlate Severity and Exploitability

By understanding the assets connected to business-critical applications, companies can correlate vulnerability data and threat intelligence more effectively. Vulnerability severity is only as important as a threat actor’s ability to exploit it within a given environment.

By correlating the two data points, the vulnerability management team can better support the SOC team. This reduces both your organization’s risk and mean time to remediate.

5. Create a Single Source of Vulnerability and Security Information

Visibility and collaboration across all stakeholders is the key to a robust, efficient, and cost-effective security program.

Your vulnerability management team needs to know how to prioritize vulnerabilities to protect your systems and networks. Your SOC team needs to use threat intelligence effectively to understand potential attack paths across your systems and networks. Your leadership team needs financial impact data to allocate money for tools and staff.

To eliminate silos, you should aggregate all security and vulnerability data in a single location that ingests:

  • Network traffic data

  • Vulnerability scans

  • Security Information and Event Management (SIEM) data

  • Event logs

  • CMDB data

  • Identity and Access Management logs

  • Endpoint Detection and Response logs

When everyone has the same information, they have the same understanding of risk for enhanced cyber resilience.

KeyCaliber: Inside-Out Visibility for Prioritizing Vulnerabilities

Most security tools act as a mirror, allowing a company to look at itself from the outside. KeyCaliber gives organizations the security equivalent of an MRI machine. Instead of diagnosing your security posture based on how others think you look, we enable you to look deep within your company’s systems and networks. This way you can understand connections between critical business applications and the assets that support them.

With KeyCaliber, you can create a closed feedback loop that continuously identifies critical assets using empirical business impact data and correlating assets to attack paths. As your environment changes, KeyCaliber updates the application-to-asset mapping, eliminating the need for time-consuming, manual, and error-prone processes. Armed with this data, leaders can appropriately allocate budgets so that teams have the tools and staffing required to protect sensitive data.

KeyCaliber’s asset identification and risk visibility solution increases cyber resilience. Our solution enables organizations to make data-driven decisions that reduce risk, re-focus resource allocation, and efficiently prioritize remediation activities. Our solution correlates financial impact, asset usage, user privilege, vulnerability risk, mitigating controls, and connections between assets for visibility into business impact.
