A vulnerability is a flaw or weakness in a system that, if exploited, would allow a user to gain unauthorized access to conduct an attack. Vulnerability management is the process of identifying, prioritizing, and remediating these vulnerabilities to reduce an organization’s overall risk. Prioritization of vulnerabilities is essential because not all vulnerabilities are going to have the same level of impact on your business operations.
A risk-based approach to vulnerability management prioritizes remediating vulnerabilities based on the impact they will have on your business, as well as the likelihood that that exploitation will take place. This is compared to other approaches such as compliance-driven vulnerability management, which focuses more on checking the boxes necessary to meet regulatory requirements, as opposed to analyzing the overall threat landscape. This doesn’t mean that compliance is ignored, it is just integrated into a larger evaluation of a business’s overall risk tolerance instead of being the deciding factor in remediation.
Here’s how you can move away from legacy vulnerability management strategies and implement a risk-based vulnerability management approach.
Defining the Attack Surface
One of the characteristics of a risk-based vulnerability management approach is that it takes a holistic view of the entire attack surface when determining which vulnerabilities are going to have the most significant impact. To be able to do this, however, you first have to have complete visibility into your assets, including third-party assets like vendors with access to internal environments. The tools you’re using for vulnerability management should be able to provide you with a complete picture of all of the assets (servers, desktops, mobile devices, applications, etc.) in your network, in one location. When a vulnerability is detected, you need to know exactly which systems are going to be affected, so you can determine how widespread the vulnerability is, and whether it is present in any critical systems. This process of being able to connect vulnerabilities to the assets that contain them is called vulnerability asset mapping. Without it, you won’t be able to effectively judge the breadth of a vulnerability’s impact.
One way to do this is through a configuration management database. These tools provide the benefit of helping you keep track of your configurations to avoid compliance errors and data leaks but can also help you keep track of the software (and version of the software) deployed in your environment so you’re able to determine whether or not assets with a vulnerability are actually in use. Knowing the products used, the version, and their location can reduce your reliance on multiple vulnerability scanning tools, and help you more efficiently prioritize remediation.
Another important factor in effective risk-based prioritization is how exploitable a vulnerability is. You may determine that a particular vulnerability is present in key assets throughout your network, but if the conditions required to exploit it are such that exploitation is highly unlikely, this vulnerability poses less real risk to your organization and might be prioritized lower than other more exploitable vulnerabilities.
The only way to know this information is by integrating real-time threat intelligence data into your vulnerability management system. The base CVSS score doesn’t take into account exploitability or the version of systems it impacts, and the environmental and temporal metrics which attempt to factor in some threat intelligence, are not updated in real-time as new information is available, which means the CVSS score may not always accurately reflect the severity of a vulnerability. Take for example Heartbleed, which had a CVSS score of 5/10 but became one of the biggest vulnerabilities of 2014. There are numerous vulnerabilities that either exceed their CVSS expectations or turn out to not be the firestorm first predicted, demonstrating that relying solely on these scores is not always the most practical approach.
Assigning a Risk Score
Since the CVSS score doesn’t show the complete picture of a vulnerability, you need another way to quantitatively assess which vulnerabilities to prioritize. Assigning a risk score to your assets can help provide this standard metric. A risk score is based off of the asset value, threat likelihood, and vulnerability exposure. Asset value refers to how important the asset is to the business. Would an exploited vulnerability in that asset result in downtime or leaked sensitive information? Threat likelihood is simply how likely is it that that asset would become a target. This is based off of observed patterns of threat actor behavior. Having intelligence integrated into your vulnerability management system is again helpful in evaluating the risk of your assets. Finally, vulnerability exposure refers to how vulnerable the asset is. Does it have a number of known vulnerabilities and, what are the severity scores of these vulnerabilities? If you already have risk scores assigned, it will be easy to filter for your most at risk assets to prioritize them when a vulnerability is discovered.
Implementing a Risk-Based Vulnerability Management Program
In reality you’re probably already using at least a little bit of a risk-based approach to vulnerability management, even if you have not formalized it. Back to the Heartbleed example, if you hadn’t initially prioritized it based off of its ratings, you surely prioritized it once the extent of its potential damage became known. The difference between organizations that have formalized risk-based VM and those that have not, is the speed in which they can address the vulnerabilities that are truly critical to their organization. If you already have an asset inventory with accurate indications of the software used and the risk score of the asset, you’ll be able to react much faster to the next big vulnerability. Similarly, utilizing intelligence in your prioritization from the start can help you stop wasting time on critical vulnerabilities with little real-world impact. Formalizing your risk-based program should begin with an evaluation of your assets and your VM technology. You won’t be able to achieve a true risk-based program without tools that can incorporate threat intelligence and utilize automation and machine learning to help prioritize and execute remediation workflows.
RH-ISAC members have access to vetted threat intelligence, as well as assistance setting up integrations to maximize the value you get from our data. Learn more about the benefits of RH-ISAC membership on the RH-ISAC website.