Assembling IKEA Furniture, Vulnerability Management, and Intelligent Prioritization
June 8, 2020
Have you ever purchased a piece of furniture from IKEA, gotten home, and thought to yourself "Wow, I just got an amazing deal on a desk," only to spend the entire day tediously struggling to build the desk? What started as a simple project turns into an entire day of second-guessing your ability to operate a screwdriver. While IKEA furniture may look simple enough to build, anyone who's been a customer knows this frustration. Now, imagine you had to build the desk... WITHOUT instructions. You will eventually figure it out (maybe), but it will take you significantly longer than if you had directions.
This is exactly what it's like using vulnerability management solutions without intelligent prioritization. You will have everything you need, just like in your IKEA box, but the struggle of knowing what to do with the information provided is mind-numbing. Vulnerability information overload is extremely common. Most VM products produce an overwhelming amount of data and leave security teams struggling to figure out where to focus their immediate efforts. Intelligent prioritization features are the “instructions” for security and IT teams. By prioritizing each individual vulnerability, and pointing remediation teams to the assets that pose the most risk, organizations can be sure they’re focusing their work on efforts that maximize vulnerability risk reduction. The ability to cut through the noise of tens of thousands of vulnerabilities is an invaluable time saver for already time-constrained security and IT operations teams.
Some of you reading this might be thinking to yourself “well, my solution does prioritization; it tells me which vulnerabilities are high risk, medium risk, or low risk.” This may be true, but unfortunately, it’s not enough to group vulnerabilities into three, or even four or five, categories. Such groupings are often determined by CVSS base scores. This generic scoring system does not take into account the environment - the context - of the vulnerability. As a result, many vulnerabilities’ groupings are unhelpful or even counter-productive. Vulnerabilities interact with individual networks in unique ways, so to think that a general classification of a vulnerability applies to your network the same way it would to any other network would be naive.

The new standard is intelligent prioritization: the individual ranking of vulnerabilities based on their specific context on individual networks. Intelligent prioritization is possible and practical at scale thanks to technologies like machine learning. Such analytics are based on real-time and continually updated data (Delve’s Contextual Prioritization re-calculates vulnerability scores every 5 minutes). Having access to such data enables the platform to keep up with the ever-changing network environment. Establishing the ranking of each vulnerability begins with looking at the properties of the vulnerability itself as well as the asset on which it resides. Next are the characteristics of the network that houses the asset, the organization, and how critical the asset is to it. Lastly, external factors like available exploits, or the likelihood one will be developed for that vulnerability, are added to the analysis.
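To make the difference between a CVSS bucket and a contextual ranking concrete, here is a small added illustration in Python. It is not Delve's scoring algorithm or any vendor's code; the weights, the `Finding` fields, and the three sample findings are all constructed assumptions chosen only to show the factors listed above (vulnerability severity, asset criticality, network exposure, exploit availability) interacting. Two findings for the same vulnerability, with the same CVSS base score and therefore the same "high" bucket, end up at opposite ends of the ranking, and a "critical" CVSS finding on an internal, unexploited host lands in between.

```python
"""Toy contextual vulnerability prioritization.

Added example, not Delve's algorithm. Every weight and every sample finding
below is a constructed assumption for illustration only.
"""
from dataclasses import dataclass
from typing import List

# Assumed likelihood multipliers for exploit availability; "none" keeps a
# non-zero baseline to represent the chance an exploit is developed later.
EXPLOIT_WEIGHTS = {"none": 0.3, "poc": 0.6, "weaponized": 1.0}
# Assumed reachability multipliers for where the asset sits in the network.
EXPOSURE_WEIGHTS = {"isolated": 0.2, "internal": 0.5, "internet": 1.0}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss_base: float          # 0.0-10.0, generic severity from the scanner
    asset_criticality: float  # 0.0-1.0, how important the asset is to the business
    exposure: str             # key of EXPOSURE_WEIGHTS
    exploit_status: str       # key of EXPLOIT_WEIGHTS


def cvss_bucket(cvss_base: float) -> str:
    """Coarse CVSS v3 qualitative rating: the few-category grouping the post criticises."""
    if cvss_base >= 9.0:
        return "critical"
    if cvss_base >= 7.0:
        return "high"
    if cvss_base >= 4.0:
        return "medium"
    if cvss_base > 0.0:
        return "low"
    return "none"


def contextual_score(f: Finding) -> float:
    """0-100 score: severity x likelihood of exploitation x business impact."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"cvss_base out of range: {f.cvss_base}")
    if not 0.0 <= f.asset_criticality <= 1.0:
        raise ValueError(f"asset_criticality out of range: {f.asset_criticality}")
    severity = f.cvss_base / 10.0
    # Likelihood: a weaponized exploit against an internet-facing host scores 1.0;
    # an unexploited bug on an isolated host scores 0.3 * 0.2 = 0.06.
    likelihood = EXPLOIT_WEIGHTS[f.exploit_status] * EXPOSURE_WEIGHTS[f.exposure]
    # Impact has a floor of 0.5 so a low-value asset is de-prioritised, not ignored.
    impact = 0.5 + 0.5 * f.asset_criticality
    return 100.0 * severity * likelihood * impact


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest contextual score first; ties broken by CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (contextual_score(f), f.cvss_base), reverse=True)


# Constructed sample findings: VULN-A appears twice with identical CVSS but very
# different context; VULN-B has a higher CVSS but no known exploit and no exposure.
SAMPLE = [
    Finding("VULN-A", "public-web-01", 7.5, 0.9, "internet", "weaponized"),
    Finding("VULN-A", "dev-lab-07", 7.5, 0.2, "isolated", "weaponized"),
    Finding("VULN-B", "hr-fileshare", 9.8, 0.5, "internal", "none"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{contextual_score(f):6.2f}  {cvss_bucket(f.cvss_base):8s}  {f.vuln_id} on {f.asset}")
```

Run as a script, the three findings come out as `public-web-01` (71.25), `hr-fileshare` (11.03), `dev-lab-07` (9.00): a CVSS-only view would have put the "critical" file-share finding first and treated both VULN-A findings identically. The multiplicative form is deliberate; any single low factor (no exposure, no exploit, throwaway asset) pulls the score down, which is what lets a team defer work without losing it from the queue.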
Technology has continuously reminded us that the best approach to tasks is to work smarter, not harder. CISOs have realized how unrealistic it is to cover every single security threat across their network. The best available approach is to tackle the tasks and threats that pose the greatest risk to their company. In doing so they reduce risk in the most efficient manner possible.
You wouldn’t buy unassembled IKEA furniture without directions.
Why would you purchase vulnerability management solutions without built-in, modern, intelligent prioritization?