Assembling IKEA Furniture, Vulnerability Management, and Intelligent Prioritization
June 8, 2020
Have you ever purchased a piece of furniture from Ikea, gotten home, and thought to yourself "Wow, I just got an amazing deal on a desk," only to spend the entire day tediously struggling to build it? What started as a simple project turns into a day of second-guessing your ability to operate a screwdriver. While Ikea furniture may look simple enough to build, anyone who has been a customer knows this frustration. Now imagine you had to build the desk... WITHOUT instructions. You would eventually figure it out (maybe), but it would take you significantly longer than if you had directions.
This is exactly what it's like using a vulnerability management solution without intelligent prioritization. You have everything you need, just as you do in the Ikea box, but working out what to do with the information is mind-numbing. Vulnerability information overload is extremely common: most VM products produce an overwhelming volume of findings and leave security teams struggling to decide where to focus their immediate efforts. Intelligent prioritization features are the “instructions” for security and IT teams. By ranking each individual vulnerability and pointing remediation teams at the assets that pose the most risk, organizations can be confident they are spending their effort where it reduces the most risk. The ability to cut through the noise of tens of thousands of findings is an invaluable time saver for already time-constrained security and IT operations teams.
Some of you reading this might be thinking “well, my solution does prioritization; it tells me which vulnerabilities are high risk, medium risk, or low risk.” That may be true, but it is not enough to group vulnerabilities into three, or even four or five, buckets. Such groupings are usually derived from CVSS base scores, which by design rate a vulnerability in isolation: the environment, the context in which the vulnerability actually sits, is not part of that number. As a result, many of these groupings are unhelpful or even counter-productive. The same vulnerability interacts with each network in a different way, so assuming that a general classification applies to your network exactly as it would to any other is naive.

The new standard is intelligent prioritization: the individual ranking of vulnerabilities based on their specific context on the network where they were found. Intelligent prioritization is possible and practical at scale thanks to technologies like machine learning. Such analytics run on real-time, continually updated data (Delve’s Contextual Prioritization re-calculates vulnerability scores every 5 minutes), which lets the platform keep up with an ever-changing network environment.

Establishing the rank of each vulnerability starts with the properties of the vulnerability itself and of the asset on which it resides. Next come the characteristics of the network that houses the asset, and how critical the asset is to the organization. Lastly, external factors, such as whether an exploit is already available or how likely one is to be developed for that vulnerability, are added to the analysis. A quick sanity check for any prioritization feature is whether the same vulnerability on an internet-facing, business-critical asset outranks the same vulnerability on an isolated lab machine; if it does not, the tool is not using context.
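To make the ranking described above concrete, here is an added illustration (not code from this post, and not Delve’s scoring model) of a context-aware score that combines the four kinds of input the paragraph lists: the vulnerability itself, the asset, the network that houses it, and external exploit information. The factor functions, their weights, and the sample findings (placeholder identifiers VULN-A and VULN-B on assets web-portal and lab-vm) are all assumptions made for the example. It ranks the same set of findings twice, once by CVSS base score alone and once with context, so you can see the two orders diverge.

```python
"""Contextual vulnerability prioritization, as a runnable illustration.

Assumption: the factor names, weights and thresholds below are invented for
this example. They are not Delve's Contextual Prioritization model.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str               # placeholder identifier, not a real CVE
    cvss_base: float           # 0.0-10.0, context-free severity
    exploit_public: bool       # a working public exploit exists today
    exploit_likelihood: float  # 0.0-1.0, chance one appears if none exists yet


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: float          # 0.0-1.0, how much the organization depends on it
    internet_exposed: bool      # reachable from the internet
    reachable_from_users: bool  # reachable from the general user network


@dataclass(frozen=True)
class Finding:
    vuln: Vulnerability
    asset: Asset


def exposure_factor(asset: Asset) -> float:
    """Network context: who can reach the asset at all."""
    if asset.internet_exposed:
        return 1.0
    if asset.reachable_from_users:
        return 0.6
    return 0.3  # only reachable from a restricted segment


def exploit_factor(vuln: Vulnerability) -> float:
    """External context: a public exploit weighs more than a predicted one."""
    if vuln.exploit_public:
        return 1.0
    return 0.4 + 0.5 * vuln.exploit_likelihood  # 0.4 to 0.9


def criticality_factor(asset: Asset) -> float:
    """Organizational context: scales a finding but never zeroes it out."""
    return 0.5 + 0.5 * asset.criticality


def contextual_score(finding: Finding) -> float:
    """0-100: CVSS severity scaled by asset, network and exploit context."""
    severity = finding.vuln.cvss_base / 10.0
    return (100.0 * severity
            * exposure_factor(finding.asset)
            * criticality_factor(finding.asset)
            * exploit_factor(finding.vuln))


def rank_contextual(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """Findings ordered by contextual score, highest first."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    return [(f.vuln.vuln_id, f.asset.name, round(contextual_score(f), 1))
            for f in ranked]


def rank_cvss_only(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """The high/medium/low approach: order by CVSS base score alone."""
    ranked = sorted(findings, key=lambda f: f.vuln.cvss_base, reverse=True)
    return [(f.vuln.vuln_id, f.asset.name, f.vuln.cvss_base) for f in ranked]


# Constructed sample data (placeholder identifiers, not real advisories).
VULN_A = Vulnerability("VULN-A", cvss_base=9.8, exploit_public=False, exploit_likelihood=0.2)
VULN_B = Vulnerability("VULN-B", cvss_base=7.5, exploit_public=True, exploit_likelihood=1.0)
WEB_PORTAL = Asset("web-portal", criticality=0.8, internet_exposed=True, reachable_from_users=True)
LAB_VM = Asset("lab-vm", criticality=0.2, internet_exposed=False, reachable_from_users=False)

SAMPLE_FINDINGS = [
    Finding(VULN_A, LAB_VM),
    Finding(VULN_A, WEB_PORTAL),
    Finding(VULN_B, LAB_VM),
    Finding(VULN_B, WEB_PORTAL),
]

if __name__ == "__main__":
    print("CVSS-only order:")
    for row in rank_cvss_only(SAMPLE_FINDINGS):
        print("  ", row)
    print("Contextual order:")
    for row in rank_contextual(SAMPLE_FINDINGS):
        print("  ", row)
```

With these inputs the CVSS-only list puts both VULN-A findings (base score 9.8) at the top, including the one on the isolated lab VM. The contextual list instead leads with VULN-B on the internet-facing portal, because a public exploit on a reachable, business-critical asset matters more than a higher base score on a machine nobody can reach. The multiplicative form is a design choice: a finding that scores low on any one axis (unreachable, unimportant, no exploit) is pushed down, while the criticality factor never reaches zero so nothing disappears from the queue entirely.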
Technology has continuously reminded us the best approach to tasks is to work smarter, not harder. CISOs have realized how unrealistic it is to cover every single security threat across their network. The best available approach is to tackle the tasks/threats that pose the greatest risk to their company. In doing so they reduce risk in the most efficient manner possible.
You wouldn’t buy unassembled Ikea furniture without directions.
Why would you purchase vulnerability management solutions without built-in, modern, intelligent prioritization?
There are two basic reasons for an investment in vulnerability management. The first is to check the compliance box if the organization is subject to regulations that require a vulnerability management program or process. More often, however, forward-thinking organizations that are serious about reducing the risk of an information security breach are investing in robust vulnerability management solutions in an effort to genuinely reduce their networks’ vulnerability risk.
And that makes sense. A 2019 Ponemon Institute study found that “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” A solid vulnerability management program that removes the vulnerabilities attackers actually use therefore closes the path behind a majority of those breaches. Moreover, once cyber criminals have penetrated a network, they often leverage unpatched vulnerabilities to move laterally in their search for credentials to compromise. An organization committed to vulnerability hygiene is thus not only harder to breach, but also harder to move through once an attacker has an initial foothold.
What constitutes a robust vulnerability management program?
We used the phrase “robust” vulnerability management in the previous paragraph, and a reasonable follow-up question is “what constitutes a robust vulnerability program?” The answer stems from an organization’s security philosophy. Those that practice vulnerability management perfunctorily, simply to generate reports for auditors and senior management, are typically more interested in the scanning side of vulnerability management. They may know where all their vulnerabilities lie, but they are less enthusiastic about remediating them. This is understandable, as the number of vulnerabilities on a corporate network can run into the hundreds of thousands, and the thought of remediating all of them is daunting.
However, a solid vulnerability management program will include intelligent vulnerability prioritization, so organizations serious about vulnerability management can leverage modern technology to understand which of their vulnerabilities must be addressed right away, and which can wait, without compromising the organization’s cyber security.