{"id":131,"date":"2023-08-24T21:45:50","date_gmt":"2023-08-24T21:45:50","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=131"},"modified":"2025-03-11T09:04:04","modified_gmt":"2025-03-11T16:04:04","slug":"vulnerability-prioritization-what-to-consider","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/","title":{"rendered":"Vulnerability Prioritization: What to&nbsp;Consider"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What is Vulnerability Prioritization?<\/h2>\n\n\n\n<p>In a perfect world, security teams could use a straightforward process to remediate vulnerabilities, such as \u201cfirst in, first out\u201d or FIFO. Grocery stores use this method for milk; the oldest milk in inventory gets sold first. But really, milk isn\u2019t the analogy we need to understand \u201cwhat is vulnerability prioritization.\u201d Instead, let\u2019s consider a hospital emergency room.<\/p>\n\n\n\n<p>In an emergency room, patients are triaged based on the severity of their injury or illness. The most critical patients are seen first, even if they arrived at the hospital later than other patients. This is because the most critical patients are at greater risk of dying if they don\u2019t receive treatment right away.<\/p>\n\n\n\n<p>Just like a hospital emergency room, security teams have limited resources. They can\u2019t fix all the vulnerabilities that they know about. They have to prioritize their efforts and focus on what\u2019s most important.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is Vulnerability Management Prioritization in Cybersecurity?<\/h2>\n\n\n\n<p>Vulnerability management prioritization in cybersecurity refers to ranking vulnerabilities or exposures on software, hardware or systems. 
Prioritization is a means to resolve the most important vulnerabilities first and deal with a constantly growing number of vulnerabilities.<\/p>\n\n\n\n<p>The frequency and sheer number of vulnerabilities being disclosed has shot up in recent years. Let\u2019s consider a 20 year period from 2002 to 2022. In 2002, there were 1,000 CVEs (common vulnerabilities and exposures) disclosed monthly; in 2022 that skyrocketed to an average of 23,000 CVEs per month.<sup>1<\/sup>&nbsp;According to CyCognito\u2019s research, the average enterprise contends with 345 new \u2018critical\u2019 threats every month.<sup>2<\/sup>&nbsp;Even the worst of the vulnerabilities are still too many to confront.&nbsp;<\/p>\n\n\n\n<p>The vulnerability management process in cybersecurity is complex and involves part art and part science. There\u2019s also a lot to consider, including impacts to the business, customers, compliance regulations and the health of critical systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerability Scanning Vendor Prioritization<\/h2>\n\n\n\n<p>Given the complexity of vulnerability prioritization, there really are no standards for determining how you should prioritize. Industry analysts like Gartner or training groups like the SANS Institute do provide some guidance. Most agree that taking a risk-based approach to prioritization is best, but even that has nuances such as the size of your risk appetite and how you define risk.<\/p>\n\n\n\n<p>Vulnerability scanning vendors can provide detailed information about identified vulnerabilities, including their severity and exploitability. However, they tend to only review assets you tell them to scan, often by providing an IP address or other location information. Additionally, they also are typically limited to very few contextual details about the affected asset. 
Contextual details include things like what software or services are running, what other assets it technically links to, if it is connected to data and if the data is sensitive.<\/p>\n\n\n\n<p>While vulnerability scanning vendors can provide value, it\u2019s important to understand how they find assets and how they align to your organization\u2019s goals for prioritizing vulnerabilities.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Vulnerability Prioritization is Important<\/h2>\n\n\n\n<p>Prioritizing and remediating crucial security vulnerabilities is important because it helps reduce the attack surface exposures attackers can use to exploit sensitive data, cause service disruptions, violate compliance requirements or cause reputational harm.<\/p>\n\n\n\n<p>Vulnerability prioritization also helps to ensure resources are focused on the right issues and the most critical and high vulnerabilities are being addressed. Some compliance frameworks require a vulnerability management program and vulnerability prioritization in cybersecurity is an essential part of this process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Does a Vulnerability Prioritization Matrix Work?<\/h2>\n\n\n\n<p>A typical vulnerability prioritization matrix is a tool used by security teams to consider the cross-section of vulnerability factors to prioritize according to their risk tolerance. A basic prioritization matrix can be made by considering the intersection of both severity and probability.<\/p>\n\n\n\n<p>Assigning severity or probability can be based on a single factor or a formula that assigns weights to several factors. It\u2019s important that the formula you use aligns to your organization\u2019s business and systems.<\/p>\n\n\n\n<p><strong>Severity<\/strong>&nbsp;considers the technical severity, such as CVSS (common vulnerability scoring system) score, which assigns a 0-10 numerical value to compare the severities. 
CVSS also looks at if the vulnerability would enable the attacker to propagate across systems.<\/p>\n\n\n\n<p><strong>Probability<\/strong>&nbsp;considers how easily the vulnerability can be exploited by attackers. When considering ease, how complex the vulnerability is or if it requires privileges to exploit can be primary factors.<\/p>\n\n\n\n<p>A vulnerability matrix based on severity and probability might look like Figure 1 below. Severity is the X axis and the columns align to CVSS ratings from Low to Critical. Probability is the Y axis and the rows are Top to Bottom.<\/p>\n\n\n\n<p>This example of a vulnerability matrix shows that while there are 345 vulnerabilities with a critical severity score, only 120 are top priority. Focusing on these top priority critical severity vulnerabilities helps focus immediate attention on the top 35% of critical vulnerabilities. Regardless of the priority, the vulnerability matrix helps to make more informed decisions.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"347\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png\" alt=\"\" class=\"wp-image-135\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-512x139.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-768x208.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1536x417.png 1536w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability.png 1710w\" sizes=\"auto, (max-width: 1280px) 100vw, 
1280px\" \/><\/figure><\/div>\n\n\n<p><em>Figure 1: A vulnerability prioritization matrix with two factors, severity and priority.<\/em><\/p>\n\n\n\n<p><strong>Impact&nbsp;<\/strong>is commonly a formula that considers the potential damage to a particular system or how many systems could be affected.<\/p>\n\n\n\n<p>A vulnerability matrix can be expanded to consider a third factor. In Figure 2, we show an example of adding the factor \u201cImpact\u201d with values of \u201cHigh\u201d, \u201cMedium\u201d and \u201cLow\u201d. The formula for Impact accounts for the potential damage a vulnerability could cause to the organization.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"343\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-with-three-factors-severity-priority-and-impact-1280x343.png\" alt=\"\" class=\"wp-image-136\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-with-three-factors-severity-priority-and-impact-1280x343.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-with-three-factors-severity-priority-and-impact-512x137.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-with-three-factors-severity-priority-and-impact-768x206.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-with-three-factors-severity-priority-and-impact-1536x412.png 1536w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-with-three-factors-severity-priority-and-impact.png 1724w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure><\/div>\n\n\n<p>Figure 2: A vulnerability matrix with three factors: severity, priority and impact.<\/p>\n\n\n\n<p>Let\u2019s take a look at how to calculate some other factors and what they mean.<\/p>\n\n\n\n<h5 
class=\"wp-block-heading\">Calculate Vulnerability Score: Unraveling Digital Weakness<\/h5>\n\n\n\n<p>A vulnerability score is a combination of factors, typically calculated based on a formula of weighted attributes. Typical factors in calculating the score include the severity of the vulnerability, its potential impact, and how easy it is to exploit.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Calculate Asset Risk Score: Decoding Digital Peril<\/h5>\n\n\n\n<p>The score is a numerical value that assesses what the asset exposes, including sensitive data the asset contains or critical systems it can provide access to. An asset risk score can be used to identify assets that need greater protection or deeper security assessment like dedicated penetration testing.&nbsp;<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Risk Attribute Weights: Balancing Cyber Defenses<\/h5>\n\n\n\n<p>Risk attribute weights help to assign relative importance to various factors. When considering the vulnerability score and the asset risk score, the overall score should be weighted using a formula to properly balance the importance of the asset at risk, be that it contains sensitive data or is a critical system. Highly important and sensitive asset risks may warrant higher prioritization even if the vulnerability is considered low or unlikely.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Automate Vulnerability Prioritization: Unleashing Efficiency<\/h5>\n\n\n\n<p>Manual vulnerability prioritization is time consuming and error prone. And once prioritization is done, you\u2019re then off to manage the remediation process, which we discuss in more detail in\u00a0<a href=\"\/blog\/how-to-supercharge-your-vulnerability-remediation-process\/\">this blog on vulnerability remediation.<\/a><\/p>\n\n\n\n<p>The tables mentioned earlier quickly become complex with just a third factor added. 
As we\u2019ll discuss shortly, keeping prioritization up-to-date is important yet hard to do with today\u2019s constantly changing IT infrastructure.<\/p>\n\n\n\n<p>CyCognito provides an attacker\u2019s perspective of your attack surface to help uncover unknown, unmanaged assets and uses active security testing to discover vulnerabilities. With CyCognito\u2019s automation, information about the vulnerability, the asset, and attacker insight and other factors contribute to vulnerability priorities. They are also kept up-to-date and assessed on a routine, even weekly cadence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Examples of Adapting to Vulnerability Prioritization Techniques<\/h2>\n\n\n\n<p>Previously we discussed using a vulnerability prioritization matrix to assess the intersection of a few factors. Now let\u2019s consider a few other prioritization techniques.<\/p>\n\n\n\n<p><strong>Vulnerability disclosure date.<\/strong>&nbsp;Each vulnerability with a CVE number has a disclosure date. Some vulnerabilities that exist in your environment may have been disclosed several years ago and thus, a cut-off based on disclosure date could establish which vulnerabilities to prioritize.&nbsp;<\/p>\n\n\n\n<p><strong>Compliance requirements.&nbsp;<\/strong>Governing bodies establish requirements and they typically apply to specific industries. Health Insurance Portability and Accountability Act (HIPAA) is a federal law designed to protect the privacy and security of patient health information and Payment Card Industry Data Security Standard (PCI DSS) is a set of standards for payment cardholder data security. These are just examples and there are others. Most compliance requirements mandate scanning for and remediating vulnerabilities and some may require specific security controls to be in place.<\/p>\n\n\n\n<p><strong>Application type or system architecture.&nbsp;<\/strong>Certain infrastructure inherently has a high likelihood of attack. 
Web applications, for example, are generally accessible to anyone with an internet connection and can be the front door for attackers to reach sensitive data. When prioritizing vulnerabilities of a particular type of asset, consider whether there are common configuration issues that could be addressed by team training for asset owners. Figure 3 shows how web apps are viewed in the CyCognito platform.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"1224\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-19.png\" alt=\"Some types of assets, like web applications, benefit from having their vulnerabilities evaluated and prioritized separately. CyCognito\u2019s Web Application Risk dashboard examines and prioritizes just vulnerabilities affecting web applications.\" class=\"wp-image-134\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-19.png 1600w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-19-512x392.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-19-1280x979.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-19-768x588.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-19-1536x1175.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/figure><\/div>\n\n\n<p><em>Figure 3. Some types of assets, like web applications, benefit from having their vulnerabilities evaluated and prioritized separately. CyCognito\u2019s Web Application Risk dashboard examines and prioritizes just vulnerabilities affecting web applications.<\/em><\/p>\n\n\n\n<p><strong>Ease of remediation.&nbsp;<\/strong>Prioritizing vulnerabilities based on how easy they are to remediate might be the best way to reduce the overall number of vulnerabilities fastest and possibly with fewer resources. 
This could mean focusing on vulnerabilities that are better-documented or don\u2019t require special expertise to remediate. Some vulnerabilities require a hardware upgrade whereas ones that just need a patch could be faster, cheaper and more immediately beneficial to remediate.<\/p>\n\n\n\n<p>These are just examples of techniques that can help your prioritization strategy. Keep in mind that combining factors and techniques makes the biggest impact. A word of caution: while it\u2019s easy to focus on reducing the overall number of vulnerabilities, make sure you\u2019re prioritizing risks to the business. The primary goal is to safeguard your organization\u2019s core intellectual and electronic assets. Better understanding which parts of the business your assets support and what information they connect to can play a critical role in vulnerability prioritization. Once your vulnerabilities are prioritized, read our\u00a0<a href=\"\/blog\/how-to-supercharge-your-vulnerability-remediation-process\/\">blog on vulnerability remediation<\/a>\u00a0to understand the next steps to take action.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerability Prioritization Challenges<\/h2>\n\n\n\n<p>Some of the biggest challenges in vulnerability prioritization are driven by having incomplete asset inventories, having incomplete data about assets or not prioritizing based on the right factors. The data below shows the impact of these challenges.<\/p>\n\n\n\n<p><strong>For the worse.&nbsp;<\/strong>Helpful stats on past breaches reveal that 60% of breaches occurred because of vulnerabilities that went unpatched,<sup>3<\/sup>&nbsp;even though a patch was available. It\u2019s been commonly reported that attackers are exploiting CVEs that were disclosed as many as 7 years prior. 
These statistics demonstrate that assuming old vulnerabilities don\u2019t matter is bad practice and that prioritizing what really matters is a tough challenge.<\/p>\n\n\n\n<p><strong>For the better.\u00a0<\/strong>There is hope:\u00a0<a href=\"\/resources\/reports\/cycognito-state-of-external-exposure-management\/\">a recent report by CyCognito<\/a>\u00a0explained that additional context beyond simply the CVSS score helped lower the priority on 35% of issues. A small 2% were given increased priority. With the right context, your prioritization efforts can go beyond the severity of the vulnerability and look at the actual exposed risk. The result can be fewer high priority issues, saving time and resources while keeping the organization safe. Figures 4 and 5 show some of the ways the CyCognito platform helps to view vulnerabilities.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"775\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-17.png\" alt=\"The CyCognito platform\u2019s Issue Dashboard shows several ways to evaluate issues, including severity, status, and exploitation complexity.\" class=\"wp-image-132\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-17.png 1600w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-17-512x248.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-17-1280x620.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-17-768x372.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-17-1536x744.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/figure><\/div>\n\n\n<p><em>Figure 4. 
The CyCognito platform\u2019s Issue Dashboard shows several ways to evaluate issues, including severity, status, and exploitation complexity.<\/em><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"484\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-18.png\" alt=\"The affected environment or location may also inform vulnerability prioritization.\" class=\"wp-image-133\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-18.png 1600w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-18-512x155.png 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-18-1280x387.png 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-18-768x232.png 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/image-18-1536x465.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/figure><\/div>\n\n\n<p><em>Figure 5. The affected environment or location may also inform vulnerability prioritization.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Factors for Effective Vulnerability Prioritization<\/h2>\n\n\n\n<p>Let\u2019s consider five key factors to include when building your formula for vulnerability prioritization:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Potential impact of an exploited asset,<\/strong>&nbsp;considering both the technical and business impact.<\/li>\n\n\n\n<li><strong>Business context<\/strong>&nbsp;about the asset will help you understand how interesting it is to attackers.<\/li>\n\n\n\n<li><strong>Exploitation complexity<\/strong>&nbsp;helps to know which vulnerabilities are easiest to exploit and are likely to be within an attacker\u2019s path of least resistance.<\/li>\n\n\n\n<li><strong>Discoverability<\/strong>&nbsp;to know how easy it is for an attacker to find the asset and associate it with the 
organization.<\/li>\n\n\n\n<li><strong>Remediation effort<\/strong>&nbsp;to know the effort and skill level required to fix the vulnerability.<\/li>\n<\/ol>\n\n\n\n<p>Weighing these criteria as part of your scoring system formula can help effectively prioritize vulnerabilities for accelerated remediation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Prioritize Vulnerabilities Properly<\/h2>\n\n\n\n<p>Attackers are looking at your organization trying to find weak spots or vulnerabilities that allow them a way in. Most often, attackers are looking for the easiest way in and that path might not be the front door. It might be through a separate business unit, a branch location or recent acquisition.<\/p>\n\n\n\n<p>This is why the CyCognito platform maps your external attack surface and helps you identify your externally exposed risks.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Identify Critical Assets<\/h5>\n\n\n\n<p>Maintaining an accurate inventory of assets is difficult; a recent report by CyCognito found that Fortune 500 organizations are\u00a0<a href=\"\/resources\/reports\/cycognito-state-of-external-exposure-management\/\">unaware of 10% to 30% of their own business units, brands or branches.<\/a><\/p>\n\n\n\n<p>CyCognito\u2019s discovery begins by mapping the entire organization. The next step is to discover all assets associated with each entity, identifying all assets across your entire external attack surface.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Identify Vulnerabilities<\/h5>\n\n\n\n<p>Identifying vulnerabilities can be done in a number of ways, but not all are equal. It\u2019s important to assess all your assets on a regular basis. 
The CyCognito platform helps you more thoroughly assess vulnerabilities by performing\u00a0<a href=\"\/platform\/active-security-testing.php\">active security testing<\/a>\u00a0across all live assets.<\/p>\n\n\n\n<p>An important consideration is how frequently you are assessing your attack surface because the size of environments fluctuates larger and smaller,\u00a0<a href=\"\/resources\/reports\/cycognito-state-of-external-exposure-management\/\">as much as 10% per month.<\/a>\u00a0Bear in mind that cloud environments can change rapidly, often daily.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Categorize and Prioritize Vulnerabilities<\/h5>\n\n\n\n<p>To assess asset risk, it\u2019s important to have contextual information about the asset including the applications, operating system or services that are running on it and what data it might provide access to. This context will help you assess the exposed risk created by the vulnerability.<\/p>\n\n\n\n<p>CyCognito helps you to\u00a0<a href=\"\/platform\/prioritization.php\">prioritize vulnerabilities<\/a>\u00a0according to risk exposure they create. CyCognito\u2019s\u00a0<a href=\"\/platform\/exploit-intelligence.php\">Exploit Intelligence<\/a>\u00a0enhances risk prioritization by incorporating threat intelligence to understand attacker activity on the exploit in the wild.\u00a0<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Implement Fixes &amp; Mitigations<\/h5>\n\n\n\n<p>Mitigating risk exposure and fixing vulnerabilities takes communication and coordination. 
As you read our\u00a0<a href=\"\/blog\/how-to-supercharge-your-vulnerability-remediation-process\/\">blog on vulnerability remediation,<\/a>\u00a0pay close attention to techniques to implement a program using best practices and metrics to help monitor the effectiveness of your program.<\/p>\n\n\n\n<p><a href=\"\/platform\/remediation-acceleration.php\">CyCognito helps automate remediation steps<\/a>\u00a0to accelerate the process by integrating with ticketing systems, SIEMs and various vulnerability management platforms. Step-by-step guidance to fix the vulnerabilities and evidence of findings are automatically made available to help teams resolve issues quickly with confidence.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Monitor and Retest for Vulnerabilities<\/h5>\n\n\n\n<p>Once the vulnerabilities are resolved, it\u2019s important to retest and revalidate that the vulnerability is no longer there. By continuously assessing your external attack surface, you can monitor for any new vulnerabilities as changes are made throughout your organization, be that in the cloud, at a remote location or anywhere IT assets are made available to the internet.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Learn more about how CyCognito can help you prioritize vulnerabilities.<\/h2>\n\n\n\n<p>Explore the CyCognito platform with a self-guided, interactive dashboard product tour. 
To speak with one of our experts to discuss how the CyCognito platform can help you prioritize your vulnerabilities according to your external risk exposure, schedule a\u00a0<a href=\"\/demo\/\">vulnerability prioritization demo<\/a>\u00a0now!<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Sources:<\/h5>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.iamagazine.com\/markets\/1-900-new-cyber-vulnerabilities-each-month-in-2023-says-coalition\">https:\/\/www.iamagazine.com\/markets\/1-900-new-cyber-vulnerabilities-each-month-in-2023-says-coalition<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.spiceworks.com\/it-security\/vulnerability-management\/guest-article\/external-exposure-management-are-your-attack-surfaces-safe\/\">https:\/\/www.spiceworks.com\/it-security\/vulnerability-management\/guest-article\/external-exposure-management-are-your-attack-surfaces-safe\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.servicenow.com\/lpayr\/ponemon-vulnerability-survey.html\">https:\/\/www.servicenow.com\/lpayr\/ponemon-vulnerability-survey.html<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability prioritization is the process of identifying and ranking vulnerabilities in order to focus efforts on the most important vulnerabilities.<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6,53,18,52,50,49,47,54,40],"class_list":["post-131","post","type-post","status-publish","format-standard","hentry","category-perspectives","tag-attack-surface-management","tag-common-vulnerability-scoring-system","tag-easm","tag-exploit-intelligence","tag-risk-mitigation","tag-vulnerability-management","tag-vulnerability-prioritization","tag-vulnerability-prioritization-matrix","tag-vulnerability-remediation"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - 
https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Vulnerability Prioritization: What to&nbsp;Consider | CyCognito Blog<\/title>\n<meta name=\"description\" content=\"Without effective prioritization, security teams are left drowning in alerts they can\u2019t take action on while real risks go unresolved. Learn more about key vulnerability prioritization techniques and how risk-based prioritization data like CyCognito\u2019s can improve your risk management processes.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vulnerability Prioritization: What to&nbsp;Consider | CyCognito Blog\" \/>\n<meta property=\"og:description\" content=\"Without effective prioritization, security teams are left drowning in alerts they can\u2019t take action on while real risks go unresolved. 
Learn more about key vulnerability prioritization techniques and how risk-based prioritization data like CyCognito\u2019s can improve your risk management processes.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-24T21:45:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-11T16:04:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png\" \/>\n<meta name=\"author\" content=\"Greg Delaney\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Greg Delaney\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\"},\"author\":{\"name\":\"Greg Delaney\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/8ed761b22065a35a04700f68ab8ad355\"},\"headline\":\"Vulnerability Prioritization: What 
to&nbsp;Consider\",\"datePublished\":\"2023-08-24T21:45:50+00:00\",\"dateModified\":\"2025-03-11T16:04:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\"},\"wordCount\":2562,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png\",\"keywords\":[\"Attack Surface Management\",\"Common Vulnerability Scoring System\",\"EASM\",\"Exploit Intelligence\",\"Risk Mitigation\",\"Vulnerability Management\",\"Vulnerability Prioritization\",\"Vulnerability Prioritization Matrix\",\"Vulnerability Remediation\"],\"articleSection\":[\"Perspectives\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\",\"name\":\"Vulnerability Prioritization: What to&nbsp;Consider | CyCognito Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png\",\"datePublished\":\"2023-08-24T21:45:50+00:00\",\"dateModified\":\"2025-03-11T16:04:04+00:00\",\"description\":\"Without effective prioritization, security teams are left drowning in alerts they can\u2019t take action on while real risks go unresolved. 
Learn more about key vulnerability prioritization techniques and how risk-based prioritization data like CyCognito\u2019s can improve your risk management processes.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability.png\",\"width\":1710,\"height\":464},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vulnerability Prioritization: What to&nbsp;Consider\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest 
Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/8ed761b22065a35a04700f68ab8ad355\",\"name\":\"Greg Delaney\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/da4609b2d7e714631e6323058326834a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/da4609b2d7e714631e6323058326834a?s=96&d=mm&r=g\",\"caption\":\"Greg Delaney\"},\"description\":\"Was a Senior Product Marketing Manager at CyCognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/greg-delaney\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vulnerability Prioritization: What to&nbsp;Consider | CyCognito Blog","description":"Without effective prioritization, security teams are left drowning in alerts they can\u2019t take action on while real risks go unresolved. 
Learn more about key vulnerability prioritization techniques and how risk-based prioritization data like CyCognito\u2019s can improve your risk management processes.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/","og_locale":"en_US","og_type":"article","og_title":"Vulnerability Prioritization: What to&nbsp;Consider | CyCognito Blog","og_description":"Without effective prioritization, security teams are left drowning in alerts they can\u2019t take action on while real risks go unresolved. Learn more about key vulnerability prioritization techniques and how risk-based prioritization data like CyCognito\u2019s can improve your risk management processes.","og_url":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/","og_site_name":"CyCognito Blog","article_published_time":"2023-08-24T21:45:50+00:00","article_modified_time":"2025-03-11T16:04:04+00:00","og_image":[{"url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png","type":"","width":"","height":""}],"author":"Greg Delaney","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Greg Delaney","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/"},"author":{"name":"Greg Delaney","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/8ed761b22065a35a04700f68ab8ad355"},"headline":"Vulnerability Prioritization: What to&nbsp;Consider","datePublished":"2023-08-24T21:45:50+00:00","dateModified":"2025-03-11T16:04:04+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/"},"wordCount":2562,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png","keywords":["Attack Surface Management","Common Vulnerability Scoring System","EASM","Exploit Intelligence","Risk Mitigation","Vulnerability Management","Vulnerability Prioritization","Vulnerability Prioritization Matrix","Vulnerability Remediation"],"articleSection":["Perspectives"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/","url":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/","name":"Vulnerability Prioritization: What to&nbsp;Consider | CyCognito 
Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability-1280x347.png","datePublished":"2023-08-24T21:45:50+00:00","dateModified":"2025-03-11T16:04:04+00:00","description":"Without effective prioritization, security teams are left drowning in alerts they can\u2019t take action on while real risks go unresolved. Learn more about key vulnerability prioritization techniques and how risk-based prioritization data like CyCognito\u2019s can improve your risk management processes.","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#primaryimage","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/A-vulnerability-matrix-based-on-severity-and-probability.png","width":1710,"height":464},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/vulnerability-prioritization-what-to-consider\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Vulnerability Prioritization: What 
to&nbsp;Consider"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/8ed761b22065a35a04700f68ab8ad355","name":"Greg Delaney","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/da4609b2d7e714631e6323058326834a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/da4609b2d7e714631e6323058326834a?s=96&d=mm&r=g","caption":"Greg Delaney"},"description":"Was a Senior Product Marketing Manager at 
CyCognito","url":"https:\/\/www.cycognito.com\/blog\/author\/greg-delaney\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=131"}],"version-history":[{"count":4,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/131\/revisions"}],"predecessor-version":[{"id":465,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/131\/revisions\/465"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}