"Does this vulnerability pose risk to my organization?" Arriving at the answer to this question isn't easy. Indeed, the answer, at least partially, is a measure of your own internal visibility into the technology in use inside and, in some cases, outside your network.
It all comes back to how well you know the technology you rely on every day. Put simply, you can't mitigate a threat if you don't know it's a threat.
Indeed, before any (or much) attention can be paid to threat reporting and vulnerability disclosure, security professionals must spend a great deal of effort to gain thorough visibility into their networks, systems and data. A number of automated tools can reach into the depths of your network to help with this process, but, as with anything in the IT world, success depends on an effective combination of people, processes, and technology.
OK, now that we have complete visibility into our technology and data, we can get started evaluating the latest Microsoft vulnerability, right? Not even close.
What is your scale of risk? How about your mitigation plan? How does your actual risk relate to applied ratings from vendors? Is there a difference?
In the past, organizations have used a number of risk metric formulas, methodologies, and other "plug and play" methods for creating a vulnerability management system. The problem is that technology and business evolve, and in the last decade they have evolved at a dizzying pace. Vulnerability rating and management systems should be evolving at the same pace and along the same paths (think cloud computing, mobile, and so on), but they often don't.
One of the biggest challenges companies face is reconciling their metrics with those of a particular threat intelligence group, standard, or vendor.
Let's take a look at the Common Vulnerability Scoring System, which is used by MITRE's Common Vulnerabilities and Exposures, or CVE, a dictionary of publicly known information security vulnerabilities and exposures. One of the first things you'll notice about the CVSS is that it isn't just a simple matrix of connecting dots. Rather, it comprises multiple scoring categories that are compiled to produce an overall score. These categories take into account variables regarding vulnerability, threat, and risk.
The base metric group includes data such as impact on the CIA triad (confidentiality, integrity and availability) and the vectors by which the vulnerability can be exploited. These variables tend not to change.
The temporal metric group focuses on variables that will change over time.
The environmental metric group is geared toward components that will be unique to each company or organization. This is where your time will likely be focused when applying a risk rating system for your own network.
To see how the CVE rating system differs from those of Microsoft and others -- and to find out how you can use these rating systems to help you prioritize your response to newly disclosed vulnerabilities -- download the free report.