Why Are We Still Worrying About Vulnerabilities?
May 13, 2020
Over the past week, multiple LinkedIn posts have caught my attention, albeit for different reasons. The first was a short demonstration video of an image recognition and temperature scanning technology designed to screen entrants to a facility in the age of Covid-19. Those wishing to enter the facility paused for a few seconds, and an automated system confirmed they were wearing a mask and they weren’t feverish. When those two criteria were satisfied, they were granted entry. No human with a hand-held thermometer in a hazmat suit was required. The system was a perfect example of how technology - including machine learning - can be deployed to address contemporary challenges while minimizing cost and health risk.
The insightful post just described contrasted starkly with at least 5 posts that read like they were written a decade ago, posts that laboriously detailed the nuances of newly-introduced software vulnerabilities. One post advertised an upcoming webinar that would shed light on Microsoft’s Patch Tuesday list of new vulnerabilities. Another linked to a blog where a large vulnerability management vendor discussed a recent collection of Cisco appliance patches. Yet another fanned the hype flame for a just-discovered critical vulnerability that the manufacturer implored users to patch “as soon as possible.” More than 20,000 new vulnerabilities were disclosed in 2019. 20,000 new vulnerabilities... on top of the hundreds of thousands published in years prior and still largely unpatched on countless networks. Does anyone believe it’s a good use of time to attempt to understand the nuances of even a fraction of 2019’s 20,000 vulnerabilities?
When you hire an electrician to wire your house, you don’t study wiring codes. When you visit a restaurant, you don’t learn the preparation details of the dish you’re ordering. If you had to invest that kind of time, why would you ever hire the electrician or the chef in the first place? Shouldn’t vulnerability management product companies add at least as much value as your electrician or your favorite restaurant?
When it comes to vulnerability management products, shouldn’t the gory details of every new vulnerability be at least somewhat irrelevant to the user? A user needs to know what vulnerabilities on their network require attention, and in which order. That’s it. Vulnerability A on Asset B is #1, Vulnerability C on Asset D is #2, and so on. When a new vulnerability is introduced, the vulnerability management product should automatically determine if that new vulnerability should be considered a priority for the user, and if so, where in the remediation priority list it should reside. It might present an extraordinary risk to the user, or it might be utterly innocuous on a given network. Either way, the VM product user shouldn’t have to attend a webinar, read a blog post, or subscribe to vulnerability alerts to know if they need to worry about it or not.
Some tasks should be automated, while others have to be. When dealing with an ever-growing mountain of enterprise vulnerabilities, automation is not negotiable. With 20,000 new vulnerabilities published in 2019 and the typical enterprise network housing hundreds of thousands at any given time, the VM challenge begs for intelligent automation that culminates in prescriptive output.
At Delve, we don’t write blog posts about specific vulnerabilities. We don’t host webinars that promise “Everything you need to know…” about the latest catastrophic security hole, and we don’t encourage or contribute to vulnerability hype. All of that kind of knowledge and insight is built into our product, a product that intelligently automates vulnerability management operations, and delivers a list of your enterprise vulnerabilities prioritized from 1 to n based on your network’s specific context. When a new vulnerability is discovered, our product will let you know if it’s a priority for you or not. That’s our job.
In short, let us worry about what you need to worry about. If your vulnerability management vendor can’t do that, you might want to ask, what did you hire them for in the first place?
We just discussed how Delve is changing the way organizations think about and interact with vulnerabilities and vulnerability management. And, as part of that discussion, we talked about how Delve is using AI (more accurately, machine learning) to remove the need for our customers to dive into the details on every newly-published vulnerability. So, what are some ways we’re doing that?
Ultimately, the goal of a modern, AI-driven vulnerability management platform is to eliminate the burden on the user of trying to understand which of the countless vulnerabilities on the network they need to pay attention to, and which ones they can either ignore altogether or deprioritize. If the vulnerability management solution can’t do that, what kind of value is it actually providing, especially in an era where inexpensive, basic scanners are plentiful? The following are some examples of how Delve machine learning is automating vulnerability management operations.
Exploit Publication Prediction
When a new vulnerability is released, it would be very helpful for any vulnerability management professional to have some feeling for whether or not that vulnerability will eventually have an exploit published for it. Moreover, it’s important to know that before exploits are published. Highlighting that second part may sound silly, but there are products on the market now that “predict” whether a vulnerability will have an exploit published when an exploit already exists. Delve’s EPP (Exploit Publication Prediction) score uses machine learning to genuinely predict the likelihood that an exploit will be published for a newly-released vulnerability before any such exploit exists. A score between 0 and 100 is generated for all newly-released vulnerabilities, and some of that data is even exposed publicly on Delve’s Vulnerability Threat Intelligence feed. This is one of over 40 factors Delve accounts for when delivering our Contextual Vulnerability Prioritization score.
Vulnerability Trend Score
Which vulnerabilities are being discussed on the dark web and in other open source forums can also provide insight into the prioritization of remediation efforts. Attempting to process the reams of social media and chat data to determine which topics are trending is a task that would be impossible for any human, or even a large collection of humans working manually. Machine learning, however, can help. Another one of Delve’s 40-plus prioritization factors is the Vulnerability Trend Score or VTS. The Delve solution collects data from a number of sources, identifies trending topics, and then identifies vulnerabilities that are closely related to those topics. Knowing which vulnerabilities are trending can help guide remediation priorities, again, in concert with the other 40 factors.
Identification of “Outlier” Assets
Penetration testers have known for years that assets on a network that appear out of place for some reason or another (for example, a Linux machine on a subnet with primarily Windows machines) are often the best targets for compromise. To defend against such attack tactics, it’s very helpful for organizations to know which of their assets an attacker might consider an “outlier,” and therefore a juicy target. Delve uses machine learning along with a mathematical model of each asset on the network to identify outlier assets that are likely to draw the attention of attackers. Thus, a vulnerability hosted by an outlier asset is likely to be prioritized by the organization over the same vulnerability on an asset not considered an outlier.
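As an added example (not Delve’s code or scoring model), the following Python sketch shows how the outlier heuristic just described and a few of the factors named in this post (a CVSS-style base score, an EPP-style score, a VTS-style score) could be combined into the ranked 1 to n list the post argues for. The inventory, findings and weights are constructed for illustration and are assumptions, not product values.

```python
from collections import Counter

# Constructed sample inventory (not real hosts): asset -> (subnet, OS).
ASSETS = {
    "web-01": ("10.0.1.0/24", "Windows"),
    "web-02": ("10.0.1.0/24", "Windows"),
    "web-03": ("10.0.1.0/24", "Windows"),
    "jump-01": ("10.0.1.0/24", "Linux"),   # the lone Linux box on a Windows subnet
    "db-01": ("10.0.2.0/24", "Linux"),
    "db-02": ("10.0.2.0/24", "Linux"),
}

# Constructed findings: (vuln id placeholder, asset, CVSS base, EPP 0-100, VTS 0-100).
FINDINGS = [
    ("VULN-A", "web-01", 9.8, 15, 5),
    ("VULN-A", "jump-01", 9.8, 15, 5),     # same vuln, but on the outlier asset
    ("VULN-B", "db-01", 7.5, 85, 60),      # lower CVSS, but an exploit is likely
    ("VULN-C", "web-02", 5.3, 5, 90),      # low severity, heavily discussed
]

# Assumed factor weights for the illustration; a real model would learn these.
WEIGHTS = {"cvss": 0.4, "epp": 0.3, "vts": 0.2, "outlier": 0.1}


def outlier_scores(assets):
    """Score each asset by how rare its OS is on its own subnet (0 = typical, 1 = unique)."""
    per_subnet = {}
    for subnet, os_name in assets.values():
        per_subnet.setdefault(subnet, Counter())[os_name] += 1
    scores = {}
    for name, (subnet, os_name) in assets.items():
        share = per_subnet[subnet][os_name] / sum(per_subnet[subnet].values())
        scores[name] = 1.0 - share
    return scores


def prioritize(findings, assets, weights=WEIGHTS):
    """Rank findings 1..n by a weighted context score; ties break on vuln id, then asset."""
    outliers = outlier_scores(assets)
    scored = []
    for vuln, asset, cvss, epp, vts in findings:
        score = (weights["cvss"] * cvss / 10.0
                 + weights["epp"] * epp / 100.0
                 + weights["vts"] * vts / 100.0
                 + weights["outlier"] * outliers[asset])
        scored.append((round(score, 4), vuln, asset))
    scored.sort(key=lambda t: (-t[0], t[1], t[2]))
    return [(rank, vuln, asset, score) for rank, (score, vuln, asset) in enumerate(scored, 1)]


if __name__ == "__main__":
    for rank, vuln, asset, score in prioritize(FINDINGS, ASSETS):
        print(f"#{rank}: {vuln} on {asset} (score {score})")
```

On the constructed data the same VULN-A lands higher on the outlier asset than on its Windows neighbour, and VULN-B, with a lower base score but a high exploit-likelihood score, outranks both.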
There are many more examples of how AI and machine learning can help automate vulnerability management, and we encourage you to contact us or review other material on our site to learn more. One white paper in particular will be helpful: 7 Ways AI Can Automate and Improve Vulnerability Management Operations.