The Importance of Security Control Context in Vulnerability Prioritization

by Kaustubh Jagtap


For the vast majority of vulnerability management (VM) teams, the most pressing challenge is prioritization. Fundamentally, VM teams want to fix the vulnerabilities that pose the highest risk to the business first—but they lack the insights needed to do so.

This is an urgent problem too: On a routine basis, your security teams might have thousands of vulnerabilities in their environments. However, a cyber attacker only needs one vulnerability to breach the network and get access to your critical assets. How do these teams identify their organizational security control gaps and intelligently prioritize fixes? In this post, I’ll take a look at various vulnerability prioritization workflows and their relative strengths and shortcomings.



Traditional Vulnerability Prioritization

VM tools help teams understand which systems need to be patched, but they cannot help with determining which patches will have the biggest impact on the organization’s security posture. Vulnerability patch prioritization is key to successful VM efforts. VM tools identify vulnerabilities but lack insights into real-world threat exposure and, most importantly, lack the business-specific context needed to properly prioritize mitigation and remediation efforts.

Traditional vulnerability prioritization workflows tend to include the following steps:

  1. Assess the situation, scanning the environment for vulnerabilities.
  2. Prioritize vulnerabilities based on vulnerability severity (CVSS scores) and systems affected.
  3. Compensate, patching vulnerable systems.
  4. Forget about it. Once patching is complete, teams tend to move on and not revisit the effort until the next yearly assessment, the next CERT alert, or the next high-profile breach alert.

The reality for most VM teams today is that there are far too many vulnerabilities across the enterprise’s various tools and products. Teams simply can’t resolve them all. Therefore, any patch prioritization efforts must be reflective of the organization’s risk exposure and tolerance. This is where traditional vulnerability prioritization falls short. In general, these efforts are heavily focused on vulnerability severity, meeting compliance requirements, being reactive, and using static intelligence.



Prioritizing Vulnerabilities with Threat Intelligence

A missed critical vulnerability can cause serious damage to an organization. But given the massive volume of vulnerabilities that security teams must wade through, finding that proverbial needle in the haystack can be an arduous task. Threat intelligence enhances vulnerability prioritization by providing a perspective on the vulnerabilities being exploited in the wild. It provides limited context into which vulnerabilities have the possibility of being exploited, offering a certain degree of improvement in vulnerability prioritization.

Threat intelligence-powered vulnerability prioritization workflows include the following steps:

  1. Assess the situation, scanning the environment for vulnerabilities.
  2. Prioritize vulnerabilities based on severity, affected systems, and threats associated with those vulnerabilities, regardless of compensating controls.
  3. Compensate, patching vulnerable systems.
  4. Forget about it. Teams tend to forget about these efforts until the next yearly assessment, the next CERT alert, or the next high-profile breach alert.

The one key thing to remember here is that threat intelligence can go stale fast. This intelligence can provide valuable in-the-moment context that can help with prioritization, but that may not always be enough.



Prioritizing Vulnerabilities with ML/AI Algorithms

To help security teams sort through large volumes of vulnerabilities, VM tools have started using machine learning (ML) and artificial intelligence (AI) to identify the highest priority vulnerabilities that need to be patched first. The use of ML/AI algorithms to prioritize vulnerabilities is still in its infancy. The use of these algorithms makes sense when there is a large amount of past vulnerability data that can help identify the tell-tale signs of a highly exploitable vulnerability.

Machine learning-powered vulnerability prioritization workflows include the following steps:

  1. Assess the situation, scanning the environment for vulnerabilities.
  2. Prioritize vulnerabilities based on severity and the algorithm-ranked likelihood of a breach.
  3. Compensate, patching vulnerable systems.
  4. Update the algorithms for future use.

What this approach primarily lacks is the enterprise’s environmental context—including the effectiveness of security controls and the external accessibility of the crown jewels. Because ML/AI algorithms depend on probability models to predict exploitability, the lack of environmental context can potentially generate false negatives or false positives, causing security teams to miss important alerts or waste time patching vulnerabilities that may not need immediate attention.



Using SafeBreach to Supercharge Risk-Based Prioritization

SafeBreach understands the importance of gaining contextual visibility into an organization’s security controls and their ever-changing configurations. It is this visibility that can enable security teams to successfully understand which vulnerabilities pose the biggest risk to their business and which need to be patched first.

By safely and continuously validating an organization’s security controls against real attacks, SafeBreach can determine asset exploitability and accessibility. SafeBreach enables security teams to map the external accessibility of critical assets to their business risk. As a result, security teams can gain the context they need to make smart prioritization decisions. SafeBreach allows teams to effectively manage their security posture by:

  1. Understanding the overall attack surface for the vulnerability.
  2. Determining the overall accessibility of the vulnerability.
  3. Assessing the impact of the vulnerability on their organization’s critical assets.
  4. Determining adversaries’ potential reach within their organization, considering the risk of vulnerability exploitation.
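To make the difference between the three approaches above concrete, here is an added Python example (written for this post; it is not SafeBreach's product logic or code) that ranks one constructed set of findings three ways: by CVSS severity alone, by severity plus a threat-intelligence "exploited in the wild" flag, and by severity plus control context (external reachability, whether a validated control already blocks the attack path, and asset criticality). The findings, asset names, CVE placeholders and the multipliers are all assumptions chosen for illustration.

```python
"""Added example: how security-control context reorders a CVSS-ranked list.

All findings below are constructed sample data, not real scan output, and
the weighting factors are illustrative assumptions, not a published model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                    # constructed placeholder, not a real CVE id
    asset: str                  # constructed asset name
    cvss: float                 # base severity, 0-10
    exploited_in_wild: bool     # threat-intel feed reports active exploitation
    externally_reachable: bool  # can the asset be reached from outside the network?
    control_blocks: bool        # did a validated control (IPS/EDR/WAF) stop the attack path?
    asset_criticality: float    # 0-1 business value; 1.0 = "crown jewel"


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "public-web-01", 9.8, True, True, True, 0.4),
    Finding("CVE-PLACEHOLDER-B", "db-crown-jewel", 7.5, True, False, False, 1.0),
    Finding("CVE-PLACEHOLDER-C", "hr-intranet", 9.1, False, False, True, 0.4),
    Finding("CVE-PLACEHOLDER-D", "vpn-gateway", 8.1, True, True, True, 0.8),
]


def severity_score(f: Finding) -> float:
    """Traditional workflow: rank on CVSS alone."""
    return f.cvss


def threat_intel_score(f: Finding) -> float:
    """Threat-intel workflow: boost findings with observed exploitation.
    The 1.5 boost is an assumed weight, not a standard."""
    return f.cvss * (1.5 if f.exploited_in_wild else 1.0)


def context_score(f: Finding) -> float:
    """Control-context workflow: start from the threat-intel score, then
    discount paths that are internal-only or already blocked by a validated
    control, and scale by how much the business cares about the asset.
    All factors are assumptions for illustration."""
    score = threat_intel_score(f)
    if not f.externally_reachable:
        score *= 0.5      # attacker needs a foothold first
    if f.control_blocks:
        score *= 0.25     # compensating control validated against the attack
    score *= 0.5 + f.asset_criticality   # 0.5x for low-value, 1.5x for crown jewels
    return round(score, 2)


def rank_by(findings, scorer):
    """Return asset names ordered from highest to lowest score under `scorer`."""
    return [f.asset for f in sorted(findings, key=scorer, reverse=True)]


def score_for(asset: str, scorer, findings=SAMPLE_FINDINGS) -> float:
    """Convenience lookup used by the demo and the checks."""
    return scorer(next(f for f in findings if f.asset == asset))


def main() -> None:
    for name, scorer in [("severity only", severity_score),
                         ("severity + threat intel", threat_intel_score),
                         ("severity + threat intel + control context", context_score)]:
        print(f"{name}: {rank_by(SAMPLE_FINDINGS, scorer)}")


if __name__ == "__main__":
    main()
```

Under severity alone the internal HR server (CVSS 9.1) sits second; once a validated control is known to block that path and the asset is unreachable from outside, it drops to last, while the lower-scored database finding on a crown-jewel asset rises to the top. That reordering is the "environmental context" the ML/AI and threat-intelligence workflows above lack.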



Summary

Through its integration with VM tools, SafeBreach sheds light on the actual posture of an organization’s environment in terms of accessibility and exploitability. By continuously and safely executing attacks in an enterprise environment, SafeBreach calculates the risk of both network and host attacks. By combining SafeBreach’s contextual insights with vulnerability scan results, VM teams can focus vulnerability remediation efforts on the locations that have the greatest risk of exploitation by a potential adversary.

To learn more about SafeBreach’s unique approach, be sure to read our new white paper, “Supercharging Vulnerability Prioritization: A Risk-Based Approach.”

© SafeBreach Inc. 2021