#BHUSA: What is the Future of Security Advisories?

Organizations of all sizes are bombarded with a seemingly endless stream of security advisories on a daily basis. The challenge for many is figuring out whether a given advisory actually impacts their organization.

At the Black Hat US 2021 event, Allan Friedman, director of cybersecurity initiatives at NTIA, US Department of Commerce, and Thomas Schmidt, ICS and advisory expert, Federal Office for Information Security (BSI) in Germany, outlined an emerging approach to help solve the challenge of being overwhelmed by security advisories.

"How do we communicate that a device or piece of software is not actually exploitable?" Friedman asked. "The answer is a new idea called the Vulnerability Exploitability eXchange, or VEX."

The VEX concept actually builds on several other key ideas, including having an automated machine-readable format for security advisories. VEX will identify whether a particular version of software is impacted by an advisory and what action needs to be taken. Friedman emphasized that he wants VEX to be what he referred to as a “negative” security advisory. Whereas a normal security advisory conveys what products are impacted, the goal of VEX is to communicate what is not affected.

Automation is the Key to VEX

A real challenge with security advisories today is that there is a lot of manual effort required by organizations to assemble, analyze and understand them.

Schmidt noted that what's needed to make security advisories effective is automation. That's where an effort known as the Common Security Advisory Framework (CSAF) comes into play. CSAF is an open standards approach to providing security advisories that are in a machine-readable format.

With CSAF, humans in an organization no longer need to parse through security advisories in various formats to try to figure out what's important to them. Schmidt emphasized that CSAF can reduce the workload for overburdened IT staff.

"We don't have to search this boring stuff for advisories; we see only the relevant advisories, as it is machine readable," Schmidt said. "You don't have to worry about corporate design stuff, so it's scalable across vendors, and you can do your risk assessment based on your own environment."

Friedman noted that VEX, in turn, is a profile in CSAF. As part of a CSAF deployment, organizations should also have some form of asset management in place, where they know what software and devices are running. In the ideal scenario, an automated CSAF advisory can be ingested by an organization that can then automatically map that to their own assets and, with VEX, know immediately that they are, or are not, at risk.
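
As an added illustration of the ingest-and-map workflow just described (this is not code from the talk or from the CSAF project), the following Python maps a constructed CSAF VEX document onto a constructed asset inventory and reports, per asset, whether it is affected, not affected, or not mentioned at all. It assumes the CSAF 2.0 JSON layout (product_tree, product_status, flags, remediations); the product names, product IDs and CVE number are placeholders.

```python
import json

# Constructed minimal CSAF 2.0 document using the VEX profile; placeholder
# product names and CVE id, not a real vendor advisory.
VEX_DOC = json.loads("""{
 "document": {"category": "csaf_vex", "title": "Constructed VEX example"},
 "product_tree": {"full_product_names": [
   {"product_id": "CSAFPID-0001", "name": "ExampleVendor Monitor 2.0"},
   {"product_id": "CSAFPID-0002", "name": "ExampleVendor Monitor 2.1"}]},
 "vulnerabilities": [{
   "cve": "CVE-0000-00000",
   "product_status": {"known_affected": ["CSAFPID-0001"],
                      "known_not_affected": ["CSAFPID-0002"]},
   "flags": [{"label": "vulnerable_code_not_in_execute_path",
              "product_ids": ["CSAFPID-0002"]}],
   "remediations": [{"category": "vendor_fix", "details": "Update to 2.1",
                     "product_ids": ["CSAFPID-0001"]}]}]
}""")

# Constructed asset inventory: asset name -> product the organization runs.
ASSETS = {"icu-monitor-3": "ExampleVendor Monitor 2.0",
          "ward-monitor-7": "ExampleVendor Monitor 2.1",
          "lab-pc-1": "OtherVendor Tool 5"}
STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")

def triage(doc, assets):
    """Return {(asset, cve): (status, action)} by mapping VEX product
    statuses onto the asset inventory. Assets the advisory does not
    mention get status 'not_in_advisory'."""
    names = {p["product_id"]: p["name"]
             for p in doc["product_tree"]["full_product_names"]}
    out = {}
    for vuln in doc["vulnerabilities"]:
        status = {}   # product name -> VEX status
        for key in STATUS_KEYS:
            for pid in vuln["product_status"].get(key, []):
                status[names[pid]] = key
        action = {}   # product name -> recommended remediation
        for rem in vuln.get("remediations", []):
            for pid in rem.get("product_ids", []):
                action[names[pid]] = f'{rem["category"]}: {rem["details"]}'
        for asset, product in assets.items():
            out[(asset, vuln["cve"])] = (status.get(product, "not_in_advisory"),
                                        action.get(product))
    return out

if __name__ == "__main__":
    for (asset, cve), (st, act) in triage(VEX_DOC, ASSETS).items():
        print(f"{asset}: {cve} -> {st}" + (f" ({act})" if act else ""))
```

The "known_not_affected" entry carries a machine-readable justification flag, which is exactly the "negative" statement the talk describes: the ward monitor can be left alone without a human reading the advisory.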

"We can provide real value for our users, not just in which vulnerabilities they should pay attention to, but which ones they shouldn't," Friedman said.

One particular industry that can potentially really benefit from VEX is healthcare. Friedman noted that patching and security updates impose real costs, as organizations often need to take systems offline, which they may not want to do on a live network. For example, without knowing for sure whether a given device is vulnerable, a hospital might have to figure out a way to care for a patient while they take a critical device offline to update it.

"The more efficient and automated we can make updates, it's going to bring real benefits not just for security, but for human health and safety," Friedman said.