The Vulnerability Management Doctor will See You Now
October 14, 2019
Contextual Prioritization in Vulnerability Management
The risk threat vulnerability of a typical exposure to date has largely been the same no matter where the risk threat vulnerability lies. The risk or threat of a given vulnerability can vary greatly from company to company, network to network, and even from location to location on the same network. But until recently, the risk threat vulnerability has been the same for a given vulnerability no matter its context...until now. In the following paragraphs we draw an analogy to the healthcare system to demonstrate the absurdity of scoring the same risk threat vulnerability genetically across companies and networks, and discuss how Delve is turning risk threat vulnerability scoring on its head.
Imagine a healthcare system in which physicians treated all patients without regard to their individual circumstances. Heart disease, for example, is a recognized, widespread threat to the health of a large slice of the American population. It’s dangerous and prevalent. In this imagined world, all Americans would thus be prescribed medication to treat heart disease.
In the real world, no cardiologist would treat their patients without taking into account myriad factors: family history, weight, age, lifestyle elements like exercise habits, diet and smoking, to name a few, not to mention the results of cholesterol and other tests. Risk factors are different for each individual, and therefore treatment methods will vary with each patient’s risk. And, of course, most Americans will need no heart disease treatment at all.
As absurd as this little trip through an alternative healthcare universe may seem, today’s vulnerability management celebrity technology - predictive exploitability - views vulnerability risk management similarly to a cardiologist that treats every member of the population identically.
Predictive Exploitability attempts to predict if an exploit will be available at some point in the future for a newly discovered risk threat vulnerability,, and if such an exploit is developed, how serious its impact would be. The technique attempts to classify each new vulnerability into existing categories, and then use that, and other factors, to predict if an exploit for it will be developed and become available. Much like the time-worn CVSS score, Predictive Exploitability scores are completely independent of the asset or the network - or the location and environment of the asset on the network - on which the vulnerability resides.
When a doctor exams you, and asks you endless questions in the process, she is gathering information that enables her to treat you in context. It’s something the medical profession takes for granted, as do we as patients. But sadly, evaluating vulnerabilities and building remediation programs - “disease treatment plans” in the lexicon of this increasingly strained analogy - using the context of the vulnerability is a next-generation concept in our current legacy vulnerability management world.
A vulnerability’s risk to an enterprise is based on so much more than whether or not an exploit for that vulnerability exists, or will exist in the future. Relevant factors number in the dozens, and include, for example, the use of the underlying asset, the potential vectors of attack that could result in a successful compromise, the surroundings of the asset, the business line affected by a potential breach, the asset’s importance to that business, other services running on the asset, whether it’s internet-facing, and many others. To put it bluntly, it is impossible to meaningfully quantify the risk threat vulnerability without accounting for its context.
Predictive Exploitability’s alternative - contextualized prioritization - is vulnerability threat intelligence which accounts for external factors like Predictive Exploitability, but combines that general threat environment insight with critical information about the vulnerability’s environment on your network. That combined, comprehensive view of risk results in a meaningful vulnerability risk score that’s tailored to your circumstances, so your remediation plan is unique to your environment, not one-size-fits-all.
To learn more about contextual prioritization in vulnerability management, check out the white paper, “Contextual Prioritization: An Introduction to Ranking Vulnerability Priority Based on Their Individual Environments”.