Criminal Sentencing, William F. Buckley, and Modern Vulnerability Prioritization
May 20, 2020
William F. Buckley, noted US author and frequent debater, once offered this gem during one of his political exchanges:
"... saying that the man who pushes an old lady into the path of a hurtling bus is not to be distinguished from the man who pushes an old lady out of the path of a hurtling bus: on the grounds that, after all, in both cases someone is pushing old ladies around."
I was reminded of this quote after reading a blog post by one of our competitors. The post promoted a paper they’d just released detailing how their vulnerability prioritization methodology would rank the most “dangerous” CVEs published in 2019.
At first I was confused by the headline; it made no sense to me. Here at Delve, we know that no CVE is inherently dangerous. No CVE is inherently innocuous. So how could such a list be made? At Delve, our vulnerability management philosophy would lead us to the conclusion that a list of the “most dangerous” CVEs in a vacuum has no meaning.
Now back to our William F. Buckley quote. Irrespective of whether or not one agrees with Buckley’s political positions, his clever mini-parable highlights the importance of context. Is someone who shoves old ladies a bad person? Probably... but not necessarily. It all depends on the context of the shoving behavior.
Similarly, context is the key to understanding the relative risk of a given vulnerability. The problem with the CVSS score, and also with our competitors’ vulnerability scoring methodologies, is that they deliver a fixed score for a given vulnerability, independent of its context on a specific enterprise network. This is why they can create a list of the most “dangerous” vulnerabilities of 2019; the vulnerabilities must have a fixed “level of danger” to create such a ranking. In reality, however, the risk of a vulnerability depends heavily on where it’s located on the network and the specific characteristics of its environment.
Certainly, there are some primitive factors that can help quantify the risk of a vulnerability, for example whether it’s remotely exploitable or whether an exploit targeting it already exists (or is likely to appear), but those represent a cursory analysis of the vulnerability’s risk at best. What if a locally exploitable vulnerability is located on a server that’s also running a web application, or a remotely exploitable vulnerability is on an isolated network subnet with no remote access? What about ostensibly low-risk vulnerabilities on business-critical assets, or low-scoring CVSS vulnerabilities located on the assets most attractive to attackers (we call them “outlier” assets at Delve)?
Rather than viewing each vulnerability in a vacuum, Delve’s Contextual Prioritization assesses the relative risk of each vulnerability on the network in its own specific context (and continuously recalculates these scores). Thus, vulnerability priority scores will vary not only from network to network, but from location to location on the same network. Using over 35 factors and Delve’s AI engine, Contextual Prioritization recalculates the relative ranking of each vulnerability on a network every 5 minutes, so teams know which vulnerability represents the highest risk to the organization and needs to be addressed first, second, third, and so on.
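To make the argument concrete, here is an added illustration (not Delve’s engine or its 35 factors; the weights, host names and CVE identifiers are constructed placeholders) showing how the same CVE ranks differently on two hosts, and how a lower-scoring local bug on a web server can outrank a critical remote bug on an isolated box:

```python
from dataclasses import dataclass

# Constructed illustration, not Delve's scoring engine: a few of the context
# factors the post names, applied to the same CVE on different hosts.

@dataclass(frozen=True)
class Finding:
    cve: str             # identifier as reported by the scanner (placeholder)
    cvss_base: float     # fixed, context-free score (0-10)
    remote: bool         # remotely exploitable per the advisory
    exploit_known: bool  # a public exploit exists (or is likely)

@dataclass(frozen=True)
class HostContext:
    host: str
    internet_exposed: bool   # reachable from untrusted networks
    runs_web_app: bool       # a web app is a foothold for local-only bugs
    isolated_subnet: bool    # no remote access path to the host
    business_critical: bool  # asset matters to the organisation

def contextual_score(f: Finding, ctx: HostContext) -> float:
    """Adjust the fixed CVSS score by host context (hypothetical weights)."""
    score = f.cvss_base
    if f.remote and ctx.isolated_subnet:
        score *= 0.4   # remote bug, but nothing remote can reach the host
    if f.remote and ctx.internet_exposed:
        score *= 1.3   # remote bug on an exposed host
    if not f.remote and ctx.runs_web_app:
        score *= 1.5   # local-only bug becomes reachable through the web app
    if f.exploit_known:
        score *= 1.2
    if ctx.business_critical:
        score *= 1.4
    return round(score, 2)

def prioritize(pairs):
    """Rank (finding, context) pairs, highest contextual score first."""
    ranked = sorted(pairs, key=lambda p: contextual_score(*p), reverse=True)
    return [(f.cve, ctx.host, contextual_score(f, ctx)) for f, ctx in ranked]

# Constructed sample: one remote CVE on two hosts, one local CVE on a web server.
REMOTE_CVE = Finding("CVE-EXAMPLE-0001", 9.8, remote=True, exploit_known=True)
LOCAL_CVE = Finding("CVE-EXAMPLE-0002", 5.5, remote=False, exploit_known=False)
DMZ_WEB = HostContext("dmz-web-01", True, True, False, True)   # exposed, critical
LAB_BOX = HostContext("lab-box-07", False, False, True, False)  # isolated lab host
SAMPLE = [(REMOTE_CVE, DMZ_WEB), (REMOTE_CVE, LAB_BOX), (LOCAL_CVE, DMZ_WEB)]

if __name__ == "__main__":
    for cve, host, score in prioritize(SAMPLE):
        print(f"{score:6.2f}  {cve}  on {host}")
```

With these weights the 9.8 CVE lands at the top on the exposed web server but at the bottom on the isolated lab host, behind the 5.5 local bug on the same web server.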
Politicians and other public officials are notorious for a time-worn, go-to excuse when they’re caught saying something damaging: “My comments were taken out of context.” And although it is not often the case, at times that defense is legitimate. Context matters. Our judicial system is defined by context. Sentences for killing someone vary widely; indeed, there are circumstances where killing someone is not even a crime (self-defense). Punishment is nearly always based on context.
The same goes for vulnerabilities. A one-size-fits-all approach doesn’t apply to CVE risk scores. This reality makes it much more difficult - impossible, in our opinion - to write a blog post about the top 10 most dangerous CVEs. Evaluating vulnerabilities in context, on the other hand, will intelligently inform your remediation efforts, ensuring you’re genuinely maximizing your vulnerability risk reduction for every remediation resource spent.