Prioritization is for Everyone
September 8, 2019
This series of blog articles will explain in various detail our perspective with regards to vulnerability management and prioritization. This post presents our dissatisfaction with the current state of the industry and our proposed solution. In part 2, we will discuss in more depth some specific implementation details that clearly differentiate our approach from the rest of vulnerability management solutions. The final article in this series will present our approach to self-improvement, how we greatly reduce the amount of false positives and the way we avoid some common pitfalls in using machine learning technologies.
Exploitability prediction is something, context prediction is everything
The sheer complexity of IT systems that security teams have to deal with most often prevents them from mastering their technology stack. This results in a huge amount of exposed application services and a likely array of convoluted and misconfigured infrastructure, leaving doors open for potential attackers to come in and have a feast.
Vulnerability management is a key aspect of any serious cyber security strategy [CIS][NIST]. It is also one of the first steps to consider for SMBs [CIS]. In recent years, thanks to the public disclosure of major breaches in a variety of both public and private organizations, it has become an increasingly important part of the cyber security commercial landscape.
As such, all this media coverage has grabbed the attention of major vendors and incentivized the focus on so called Zero Days and the development of cutting edge tools to predict the exploitation of very fresh vulnerabilities. We think that this strategy is actually missing the point, at least for the majority of organization needs.
Predictive exploitability has been the topic for many published papers [Bullough 2017][Sabottke 2015]. It comes as no surprise that it is the current state-of-the-art in the incumbent vulnerability management tools. But most of the time, it is not through Zero-Or-Even-Fewer-Days that companies get breached, even with fresh exploits being published. It is simply by leaving poorly configured old and forgotten resources to be exploited by time established and easily accessible techniques [HPE fig. 11].
Unfortunately, the sole focus on predictive exploitability as a strategy for remediation prioritization continuously diverges the attention of already scarce resources.
A question of strategy
It’s important to understand that finding vulnerabilities is not the problem of this industry, it is the “easy” part [Gartner]. The problem comes from the overload of such vulnerabilities encountered in a company’s technology stack, and the inevitable need to manually research and prioritize low risk before starting any remediation.
An efficient and simple remediation strategy should therefore focus on:
- Discovering and understanding what is valuable for the organization (context)
- Identifying what is a plausible target
- Filtering through this information overload
- Correcting the remaining obvious threats
Only upon completion of these fundamental steps should a mature organization shift its focus on resolving advanced vulnerabilities at the far edge of technology, but that is a long journey. Where should we begin?
We present our solution: Contextualized Prioritization. The way to do it correctly and efficiently: Artificial intelligence. Let’s take a quick look at how this is done by Warden to enable efficient vulnerability management for any kind of organization.
Understanding context: scrutinize, recognize, prioritize
Reiterating the problem, most companies today face the same challenges: too many assets and not enough resources and people to address the security issues efficiently. Moreover, traditional vulnerability assessment tools generate too much data, most often off the mark, inaccurate or simply wrong. What is implicit here is that the reporting of vulnerabilities is inherently of little value if we can not put these vulnerabilities into context. Inferring context is knowingly difficult and seldom done correctly, if done at all.
Understanding context is a very human and intuitive thing to do. It is also the holy grail of artificial intelligence. Understanding the context of an object means inferring the situation in which our object exist. More than that, it means being able to put in relation the object and its environment.
Philosophy aside, in the context of vulnerability management, context means not only finding a security issue, but understanding the implications of this issue. The context is the use of the underlying asset, the potential vectors of attack to enter this hole, the surroundings of this asset, the business line affected by a potential breach, etc…
Unfortunately, inferring all of the specific attributes at each level of abstraction throughout an organization is probably an impossible task. What if we could approximate this with a sufficient level of accuracy? One accurate enough to enable an efficient remediation prioritization strategy, and of course do it systematically, without the need for a very expensive consultant or a team of security experts?
The solution to this problem, developed by our team of machine learning and security experts, is to combine a strategy of vast cross-sectional aggregation of data with automated statistical analysis, backed by domain expertise.
One useful analogy is the impressionist style of painting. Take a look at Vincent Van Gogh’s “The Starry Night.” Even though any local point is not depicting a perfectly accurate element of reality, when we take in the whole picture, it is possible to understand and get a feeling of the object in perspective.
Contextual prediction works the same way. By aggregating specific facts from individual models about different remediation behaviors, comparing various naming schemes, website content and network pattern complexity, asset and tool usage… It is then possible to paint a realistic picture of what should be important for a given organization. All this without active human interaction.
Putting it all together
After the aggregation step, we can correlate this knowledge with industry-wide practices for similar organizations, our other clients and in-house security expertise. Once this is done we can, for example, differentiate between an interesting target and what is surely not, which asset is underestimated or overestimated, which has most probably been forgotten or intentionally left unresolved. We can infer elements such as network context, business line priorities, likely or unlikely scenarios of attack. It even allows us to assess and improve our own detection reliability.
With such knowledge of the vulnerabilities and business context in hand, the path to remediation becomes a lot simpler.
In this short article, we have discussed the problem of vulnerability information overload, and presented the solution devised by Delve Labs to enable an efficient remediation strategy by using our AI models to help organization prioritize efforts and filter out white noise. In our next article, we will take a deeper look at a few such specific factors, how they work and how we include them in Warden to make smart predictions. Namely, we will investigate how to find important and outstanding network assets, how to correlate combinations of vulnerabilities with common attack patterns, and how Warden enables security experts to combine their own specific knowledge with others in a global expertise base.