Vulnerability Management Blog

The Other Whistleblower... Vulnerability Risk Management

If I mentioned the word “whistleblower” these days in a conversation (especially in the US), how many people out of, say 1,000, would think of cyber security and vulnerability risk management...even in the middle of the floor at RSA in February, or at any other infosec event? 

I’m willing to bet none.

But a recent episode at Blue Cross/Blue Shield Minnesota might have us all rethinking our “whistleblower” word association. Tom Yardic, a cyber security engineer at the health insurance company was so concerned about the volume of unaddressed vulnerabilities on the company’s network - and what he considered to be systemic neglect - he notified the CEO and Board of Trustees as a “last ditch effort” to bring attention to the security situation (“Cybersecurity Engineer Turns Whistleblower: What We Know Right Now,” Bruce Sussman, Secureworld, December 17, 2019).

According to the piece, which references a story published in the Minneapolis Star Tribune, Yardic said there were approximately 200,000 “critical” or “severe” vulnerabilities on the network, most of which were identified years earlier with patches readily available.  

Given the value of medical health records to cyber criminals - “Social Security numbers sell for $ card info goes for up to $110...full medical records can command up to $1,000 because they're an identity thief's dream... - the episode at Blue Cross Minnesota is particularly disconcerting.

But is it uncommon?

Certainly, companies don’t make a habit of advertising their vulnerability totals publicly, but few cyber security professionals would be surprised to learn that a network servicing over 3,500 employees (Blue Cross Minnesota’s total) would have 200,000 vulnerabilities, so it’s not a stretch to assert this example is more typical than it is anomalous.  Further, reflexively indicting the cyber security team at Blue Cross Minnesota for negligent behavior is something that should be left to those in the media and government, entities with little appreciation for the challenges of security teams in today’s world, and specifically, those faced with battling the virtual vulnerability tsunami that results from today’s complex networks and countless software products and versions. (“More security vulnerabilities were publicly disclosed in the first quarter of {2019} than in any previous three-month period.”) 

In vulnerability risk management, Blue Cross Minnesota’s circumstance is likely driven less by negligence and apathy than exasperation.  Identifying 200,000 critical vulnerabilities is the relatively easy part. Confidently identifying the subset of those 200,000 that are meaningfully critical is, as Shakespeare put it, a horse of a different color.

With a hat tip to Bill Clinton’s campaign official James Carville, it’s about prioritization stupid.  Even those with no medical training know why emergency room doctors see the guy with chest pains before the one with the broken finger.  In that case, criticality is obvious. If there were 200,000 people in the emergency room lobby, however, the priorities would be somewhat less obvious.

So before we rush to judgement in the case of the Blue Cross vulnerability scandal, we should all probably take a peek out of our own cyber security  glass houses.  Many CISOs are likely reading this story with interest...with empathy...and most importantly, with a “there but for the grace of God go I” sense of relief.

What Should an Enterprise with Tens of Thousands of Critical Vulnerabilities Do?

We just walked through a real-world example of a major US enterprise - a household name - that counted over 200,000 severe or critical vulnerabilities on its network. That number rightfully sounds overwhelming, and it would appear that no vulnerability rating system could take a monstrous number like 200,000 and provide reasonable remediation plan recommendations. And until recently, that somber perspective would have appropriately represented reality and the state-of-the-art in vulnerability management.  Machine learning and automation, however, have changed the calculus for vulnerability management operations teams.

A collection of 200,000 critical vulnerabilities doesn’t tell the IT operations team much. That level of vulnerability rating granularity is unhelpful. Of those 200,000 critical vulnerabilities, one of them is most critical, presents the most risk to the organization.  One of them is the second most critical, and so on. When vulnerability prioritization tools place vulnerabilities in buckets, those tools are only helpful if the total number of vulnerabilities is small, and each bucket holds just a handful of vulnerabilities. State-of-the-art vulnerability rating tools don’t deliver buckets, but rather a numbered list of vulnerabilities ranked from the highest risk to the lowest, from 1 to n, so IT teams know which ones to remediation first, second, third, and so on so as to maximize risk reduction for a given amount of remediation resources. So to answer the question posed, an enterprise like Blue Cross Minnesota needs to deploy Contextual Prioritization as its vulnerability rating system, so it can identify, without human intervention, which of the 200,000 critical vulnerabilities is most critical.

What is Contextual Prioritization?

Contextual prioritization is a leading-edge vulnerability prioritization technology that uses machine learning to analyze every individual vulnerability in its own context on the network. That means the exact same vulnerability might score differently when located on different assets on the same network. This cutting edge vulnerability rating technique looks at over 40 factors for each vulnerability, and recalculates the risk score every 5 minutes. This results in an up-to-the-minute view of the highest risk vulnerabilities listed from 1 (the riskiest) to n (the least risky), providing IT teams a highly prescriptive report that can drive the most effective use of precious remediation resources.

What are Some of the Factors Contextual Prioritization Uses to Prioritize Vulnerabilities?

Although the total number of individual prioritization factors is over 40, they all fall into one of 5 broader analysis categories:

Individual Vulnerability - specific characteristics of the vulnerability itself, irrespective of its context on the given network, including its baseline CVSS score

Asset Context - details of the asset on which the vulnerability resides

Network Context - the environment of the asset on the network

Organizational Context - the importance of the asset to the organization

External Context - the external threat environment with respect to the vulnerability, for example, if an exploit is likely to be developed for it

Given this, contextual prioritization is the most meaningful, comprehensive, and valid vulnerability rating technology on the market today.  To learn more, download “Introduction to Contextual Prioritization.

Most Recent Related Stories

What is Risk Based Vulnerability Management?

Read More

Risk Based Vulnerability Management Product Update

Read More

Growing a Machine Learning project - Lessons from the field

Read More