Too Many Vulnerabilities, Too Little Time

It is evident that organizations are struggling with cybersecurity: security professionals cannot cope with the volume of threats, and enterprises end up two or three steps behind. Some might say that the lack of expertise and information needed to manage vast numbers of vulnerabilities effectively means we are close to a tipping point of no return; others may say we are already there.

What is at stake is an easy victory for hackers, who direct many of their ingenious attacks at the enormous number of vulnerabilities lurking within enterprise IT infrastructures, looking for any easy open pathway from which to launch an attack.

With limited resources, time and personnel, the patching and remediation process has become more of a needle-in-a-haystack exercise than a targeted extermination of the biggest risks. What is worse, hackers are only scratching the surface: the danger for organizations is far greater, and it affects multiple layers of infrastructure.

When attackers are successful it is because they have acted swiftly: roughly half of all exploits occur within two weeks of CVE publication. The unfortunate reality is that an enterprise typically patches a vulnerability 85 days after publication, leaving hackers plenty of time to launch a successful attack. Add the daily discovery of new vulnerabilities and the previously mentioned lack of resources, and security professionals are constantly playing catch-up, guided by CVSS severity rather than real risk.

In some cases the damage has already been done, in the form of alert fatigue. It is clear that current vulnerability management (VM) solutions are not up to the task: enterprises are still being left exposed and security professionals are on the back foot.

Legacy VM and CVSS ranking needs a lift
As mentioned before, enterprises are remediating vulnerabilities in an almost knee-jerk fashion. Typically, vulnerability scanners use the CVSS base score to determine where to prioritize effort. CVSS scores run from 0.0 to 10.0; under CVSS v3, scores from 7.0 to 8.9 are rated High and 9.0 and above Critical, and it is these two bands that most teams treat as "severe".

Naturally, security professionals will be drawn to the highest-scoring findings. While there is logic to this strategy, it places undue pressure and anxiety on fixing vulnerabilities that may never be exploited and pose little practical risk, because the base score measures the technical severity of a flaw in isolation, not whether anyone is exploiting it or whether the affected asset matters. Remember that attackers do not care whether a vulnerability is rated severe or not, and will exploit any vulnerability that gives them a foothold. All they are seeking is a gap in the systems through which to cause damage.

This is why focusing on a metric like "time-to-remediation" may be misguided: fixing the wrong vulnerabilities quickly does not reduce exposure, so the metric only means something once the team's sights are set on the right vulnerabilities.

To tackle this problem, which is rife among current vulnerability management programs, organizations should implement a predictive vulnerability management approach. This allows security analysts to prioritize the vulnerabilities most likely to be exploited in the wild, based on threat intelligence. So what technology will this leverage, and how can CISOs and security professionals embrace the new wave of VM?

VM with added intelligence
Enterprises looking to leverage predictive VM should seek solutions that use VM scanning functionality as a foundation and then take the next step by providing a focused, risk-based rating drawn from a broad array of threat intelligence. This intelligence should be integrated within the solution so that it can automatically identify data and enterprise assets, assess where risks may lie, and predict the probability of a vulnerability being exploited by hackers.

To ease the administrative burden on IT and security analysts, every identified vulnerability receives a risk-based score and the findings are reported in order of the risk they pose, so that remediation can proceed in the most efficient order.

Merging artificial intelligence and machine learning with VM finally gives organizations the tools to make a stand and defend effectively against present and future threats. The risk-based data provided through this approach enables security analysts to gauge which vulnerabilities attackers are most likely to weaponize by zooming in on those that carry the biggest risk. In doing so, the noise that comes with ranking by CVSS score alone (high-severity findings that nobody is exploiting, on assets that nobody can reach) is replaced with predictive modelling that surfaces the vulnerabilities that matter.
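The following Python sketch is an added illustration of the risk-based ranking described in the preceding paragraphs; it is not code from the original article or from any particular VM product. It ranks a constructed set of findings two ways, by CVSS base score alone and by a risk score that combines a predicted probability of exploitation (an EPSS-style number, made up here), evidence of in-the-wild exploitation (as a KEV-style catalogue would supply), whether the asset is internet-facing, and the asset's business criticality. It then maps each risk score to a remediation window. The weights, the finding identifiers (V1 to V4) and all the data are assumptions chosen for the example.

```python
"""Risk-based vulnerability ranking versus CVSS-only ranking.

Added example; the weights and sample data below are assumptions,
not values taken from the article or from any real scanner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                 # constructed identifier, not a real CVE
    asset: str
    cvss: float             # CVSS base score, 0.0-10.0
    exploit_prob: float     # predicted 30-day exploitation probability, EPSS-style (assumed)
    known_exploited: bool   # exploitation observed in the wild (KEV-style evidence)
    internet_facing: bool
    asset_criticality: int  # 1 (low business value) .. 5 (crown jewel)


def cvss_rating(score: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Risk = likelihood x exposure x impact, scaled to 0-100.

    likelihood: predicted exploitation probability, raised to 0.9 when
                exploitation has already been seen in the wild.
    exposure:   internet-facing assets are reachable by anyone; an
                internal-only asset gets a 0.4 discount (assumed weight).
    impact:     technical severity (CVSS/10) times business criticality.
    """
    likelihood = f.exploit_prob
    if f.known_exploited:
        likelihood = max(likelihood, 0.9)
    exposure = 1.0 if f.internet_facing else 0.4
    impact = (f.cvss / 10.0) * (f.asset_criticality / 5.0)
    return round(100 * likelihood * exposure * impact, 1)


def remediation_window_days(score: float) -> int:
    """Map a risk score to a patch deadline (assumed SLA tiers)."""
    if score >= 50:
        return 7
    if score >= 20:
        return 14
    if score >= 5:
        return 30
    return 90


def severity_order(findings):
    """Legacy view: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritize(findings):
    """Risk-based view: highest risk score first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("V1", "build-server (internal)", 9.8, 0.02, False, False, 2),
    Finding("V2", "customer-portal", 7.5, 0.60, True, True, 5),
    Finding("V3", "marketing-site", 8.1, 0.15, False, True, 4),
    Finding("V4", "vpn-gateway", 5.3, 0.45, True, True, 3),
]


if __name__ == "__main__":
    print("CVSS-only order:  ", [f.id for f in severity_order(SAMPLE_FINDINGS)])
    print("Risk-based order: ", [f.id for f in prioritize(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{f.id} {f.asset:24s} CVSS {f.cvss} ({cvss_rating(f.cvss)}) "
              f"risk {s:5.1f} -> fix within {remediation_window_days(s)} days")
```

With these inputs the CVSS-only view puts the 9.8 on the isolated build server first, while the risk-based view puts it last: nobody is exploiting it and nobody outside can reach it. The 7.5 on the internet-facing customer portal, already being exploited in the wild, moves to the top, and even the "Medium" 5.3 on the VPN gateway outranks the unexploited 8.1. The remediation window then gives "time-to-remediation" a meaningful target only for the findings that carry real risk.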

Ultimately, it comes down to two factors: establishing the organization's risk tolerance, and allocating the right resources to mitigate the most dangerous threats. Both are key to effective risk management.

With more data on attacker behavior and a clearer view of exploits and risks, security professionals can make smarter and faster decisions that reduce their company's vulnerability exposure and, crucially, keep them a step ahead of the attackers.

We have seen that time to patch is critical to enterprise IT security, and that with added risk context security teams can cut out the noise and make better-informed decisions about what to patch first.

What’s hot on Infosecurity Magazine?