According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. However, witches are not allowed to work in cybersecurity because networks have so many weaknesses that they look like sieves.
For most people, maintaining the network’s viability requires a lot of hard work and constant compromises about which holes should be filled first.
The reason? In 2010, just under 5,000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Software and network integrity have become synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet of the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – fewer than one in ten actually needs to be patched. How can we find out which patches are needed to keep our sieve from sinking?
This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly configured solutions and address only those vulnerabilities that directly affect their networks. They’re leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.
The Evolution of Vulnerability Management
It’s no secret that not even the most resourceful enterprise is able to identify, prioritize, and fix every vulnerability within its environment. That’s why the shift toward VPT started in the first place.
Vulnerability management (VM) was initially focused on scanning core networks and detecting vulnerabilities. This process was originally called Vulnerability Assessment (VA). The deliverable was a long list of vulnerabilities, which was not practical and had no value to IT staff already stretched too thin.
To make VA more actionable, the next generation of VM tools included vulnerability prioritization based on each vulnerability’s global CVE scoring. This was further refined by adding another layer of prioritization based on estimations of potential damage, threat context, and, ideally, a correlation with local context to evaluate the potential business impact based on DREAD-type models. This more advanced approach is known as Risk Based Vulnerability Management (RBVM) and was a giant leap forward from VA.
Yet even advanced VM tools implementing RBVM lag behind in sophistication and actionability. They can only recognize what they are familiar with, so misconfigured tools often result in missed attacks. They cannot evaluate whether security controls are configured to compensate for the severity of a given vulnerability according to its CVE score correlated with local context risk. This still results in bloated patching lists and also means that – just like with early-gen VA tools – patching often ends up at the bottom of the to-do list or is simply ignored by IT teams.
Leveraging Next-Gen VPT
Advanced VPT solutions are the next generation of VM – offering organizations a very different view of their unique cyber risks.
Building on traditional VA detection and more advanced RBVM capabilities, the latest generation of VPT solutions adds asset criticality context, environmental context, and multiple, pre-integrated threat intelligence sources. It effectively enhances vulnerability severity data by combining sophisticated analytics with in-context application. These analytical capabilities enable advanced VPT solutions to integrate highly granular threat validation – creating the next generation of capabilities that augment traditional VM: Attack Based Vulnerability Management (ABVM).
ABVM is a game-changer. Network stakeholders can validate real threats to their networks and then test the vulnerability of their environment based on exposure level and attack permeability. According to Gartner, the shift towards ABVM is crucial to better prioritization and assessment of vulnerabilities. It empowers security and risk management leaders to both generate recommendations and apply them directly to their security programs – addressing prioritized findings.
Leveraging ABVM, security stakeholders can identify all undetected attacks, generate data and use cases that enable continuous improvement of detection and response tool configuration, and map out potential end-to-end attack paths with detailed local context. Once these as-yet-unsecured attack paths are clearly mapped out, so is patching, because threat validation coupled with a deep understanding of attack paths enables laser-focused patching prioritization. With ABVM, optimizing scarce patching resources to plug only those holes that threaten to sink the sieve becomes straightforward.
The move from traditional score-based VA or RBVM approaches to ABVM can lower patching load by 20%-50% while markedly improving overall security posture. By preventing security drift, ABVM also helps streamline SIEM toolsets – improving tool configuration, eliminating overlap, and identifying missing capabilities.
The Bottom Line
By improving security, reducing costs, refining resource allocation, and strengthening collaboration between teams, ABVM offers a new horizon of productivity and efficacy for security teams. ABVM takes traditional VPT to the next stage. It solves vulnerability overload and allows networks to stay afloat in these increasingly dangerous waters.