As software vulnerabilities continue to be discovered at a regular — and often alarming — rate, security teams struggle to keep up with and mitigate these issues in a timely manner. Prioritization needs to be part of vulnerability management and remediation in order to intelligently manage the relentless flow of these vulnerabilities.
The Challenge Within Vulnerability Management
Security operations teams face multiple challenges as they shoulder the burden of developing and implementing a comprehensive vulnerability management program. The sheer volume is staggering: The National Vulnerability Database published over 18,000 vulnerabilities in 2020 alone, a quantity that’s higher than in previous years. Many vulnerabilities receive a severe rating based on the Common Vulnerability Scoring System (CVSS) — in 2020, more than half qualified as “critical” or “severe.”
SecOps teams often don't have the visibility into vulnerabilities that are relevant to their organization, and they typically lack the time and resources to attend to those vulnerabilities listed with a “critical” or “high” severity rating. The likelihood of addressing only those (notwithstanding the medium-to-low vulnerabilities) becomes a shrinking possibility for many organizations. With the average time to fix vulnerabilities hovering around 256 days, according to a 2021 Appsec Stats Flash report, teams are struggling to keep their organizations secure.
Then, there is the talent shortage. Globally, the cybersecurity field is staring down a skills gap of more than 4 million professionals, according to a 2021 (ISC)2 Cybersecurity Workforce study. When you combine time constraints and the small number of skilled professionals available, it is not surprising that SecOps staff struggle with addressing relevant vulnerabilities in a timely manner.
That is why prioritization is so essential to the vulnerability management lifecycle. Prioritizing vulnerabilities that are critical and hyper-relevant to an organization can make a dramatic difference in security posture. With appropriate prioritization, SecOps staff can efficiently make use of the small amount of time they have available for patching and updating, which in turn would offer a better chance at safe, secure environments.
Time to attend to alerts is not the only challenge — having the right amount of context matters too. While the NVD rating systems for critical or severe alerts serve a purpose, these lack context about whether they really matter to an organization. The ratings, unfortunately, are static. If a situation around a particular vulnerability changes for better or worse, the initial rating stays the same. Such unchanging ratings complicate the vulnerability management process for SecOps teams.
What staff needs is something more dynamic — a method that not only serves up the vulnerabilities relevant to their organization, but also does it by continually showing real-time information. As the data around the vulnerability changes, so should the rating. What IT teams need is intelligent prioritization.
An Intelligent and Dynamic Alternative
Fortunately, cybersecurity organizations are taking advantage of more advanced technologies such as artificial intelligence (AI) and machine learning (ML) and developing models that place vulnerability assessments and their associated ratings in a much more accurate and relevant context. SecOps can utilize the technologies offered by such organizations to get comprehensive and targeted visibility into the vulnerabilities that are specifically related to the systems within their own environments. They can see what directly affects their systems now, which severely rated vulnerabilities should be prioritized to address, and how all of it relates to adversaries and correlated threat intelligence.
This new view of prioritization shows how a dynamic AI model works. With this specific AI model, staff can quickly see what went into a severely rated vulnerability, relying on a host of intelligence data and sources. They can take the original CVSS rating into account and include very relevant threat intelligence and other important factors. The model augments SecOps teams, who can then focus their critical work on vulnerabilities that matter the most, instead of pointlessly playing a game of Whack-a-mole, applying patches and wasting time on vulnerabilities that might not be relevant to specific systems. If organizations are not incorporating advanced technologies, they suffer the risk of falling behind.
As CrowdStrike intelligence observed in 2021, repeat exploitation occurred with several newsworthy vulnerabilities relating to the Microsoft Exchange Server and web applications, and the Log4j vulnerabilities affecting Apache frameworks. SecOps must focus on their prioritization processes now. If not, the opportunity for nation-state and eCrime actors to gain access into important networks becomes all too attractive.
Intelligent prioritization is becoming increasingly important as it helps SecOps teams answer the question: “Which of these many vulnerabilities are really going to affect our organization right now?” With time and money of the essence, much hinges on the ability to ask that question — and on getting the answer right quickly. Prioritization helps reduce the fire hose of vulnerability assessments to a steady trickle that SecOps can attend to proactively and intelligently.