This week I interviewed the CTO of Palo Alto Networks, who had some terse words about CISOs who aren’t prioritizing their infrastructures’ vulnerabilities to attack. Today I want to point to a column by an official from another security vendor, who argues infosec pros also have to prioritize imminent-threat vulnerabilities rather than rely solely on Common Vulnerability Scoring System (CVSS) scores.
The column is by Torsten George, strategic advisory board member at NopSec, a vulnerability risk management software vendor. As such he arguably has an agenda to push. However, what he says makes sense: CISOs have to move away from a model of reacting on the basis of the highest CVSS scores and toward a threat-centric model, where infosec pros use patch management to remediate the CVSS-rated vulnerabilities that matter most to their organization.
An imminent threat, he writes, can be identified by correlating vulnerabilities to their prevalence in the wild:
• Is a vulnerability being targeted by malware, ransomware, or an exploit kit?
• Is a threat actor leveraging the vulnerability and targeting organizations like ours?
He cites a Gartner report issued last year which noted that organizations are challenged to align the sheer volume of vulnerabilities they identify with the remediation resources available. Many CISOs have a strategy of what it calls gradual threat reduction, which can be condensed to something like “remediate 90 per cent of high-severity vulnerabilities within 2 weeks of discovery.” But what if there are a large number of high-severity vulnerabilities? Which ones should be patched first?
“Many vulnerability criticality rating schemes are based on the potential severity and impact of a vulnerability, but not their prevalence in the wild or the probability of exploitation by threat actors,” says Gartner. (You can download a copy of the report here from RiskSense, a vendor with a product in this space; registration is required.)
Other vendors in this space are Kenna Security, Rapid7, Qualys, BeyondTrust, Tripwire, Skybox and Tenable.
Prioritizing vulnerabilities commonly targeted by exploit kits, malware, ransomware and threat actors eliminates imminent threats and gives a better assessment of the likelihood of a vulnerability being exploited. This, in turn, provides the breathing space to conduct gradual risk reduction, with a reduced attack surface for adversaries and threat actors to target in the meantime.
What security managers should do, says the report, is build a vulnerability prioritization catalog based on the vulnerabilities being targeted by adversaries and threats in the wild. High-risk organizations facing advanced targeted attacks should also include imminent-threat vulnerabilities derived from threat intelligence, focusing on the adversaries likely to target their organization. Where possible, automate remediation prioritization.
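To make the contrast concrete, here is an added example (my own code, not NopSec’s, RiskSense’s or anything from the Gartner report) that ranks the same set of scanner findings two ways: by CVSS score alone, and threat-centrically using the column’s two questions (is the vulnerability used by an exploit kit, malware or ransomware, and is an actor using it targeting organizations like ours?). The organization’s sector, the asset names, the threat-intelligence flags and the vulnerability identifiers are all constructed placeholders, and the three-tier ordering is my assumption about how such a catalog would be sorted.

```python
# Added example: threat-centric vulnerability prioritization, as contrasted
# with ranking purely by CVSS score. The data, identifiers and sector names
# below are constructed placeholders, not values from the column or the report.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str                   # placeholder id, not a real CVE
    asset: str                 # host the scanner found it on
    cvss: float                # base score as a scanner would report it
    exploit_kit: bool = False  # bundled in a known exploit kit?
    malware: bool = False      # used by malware in the wild?
    ransomware: bool = False   # used by ransomware in the wild?
    actor_sectors: tuple = ()  # sectors that actors using this vuln target


ORG_SECTOR = "finance"  # assumption: the sector of the organisation we defend

# Constructed sample of scanner output enriched with threat intelligence.
SAMPLE = [
    Vuln("CVE-0000-0001", "web-01", 9.8),
    Vuln("CVE-0000-0002", "file-02", 7.5, ransomware=True),
    Vuln("CVE-0000-0003", "vpn-01", 6.5, actor_sectors=("finance",)),
    Vuln("CVE-0000-0004", "db-03", 8.1, actor_sectors=("healthcare",)),
    Vuln("CVE-0000-0005", "wks-17", 5.3, exploit_kit=True),
]


def imminent_reasons(v, org_sector=ORG_SECTOR):
    """Answer the column's two questions; a non-empty list means imminent."""
    reasons = []
    if org_sector in v.actor_sectors:
        reasons.append("threat actor targeting our sector")
    for flag in ("exploit_kit", "malware", "ransomware"):
        if getattr(v, flag):
            reasons.append("seen in " + flag.replace("_", " "))
    return reasons


def severity_order(vulns):
    """Traditional approach: highest CVSS first, prevalence ignored."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


def threat_centric_order(vulns, org_sector=ORG_SECTOR):
    """Imminent threats first; within a tier, CVSS breaks ties."""
    def key(v):
        reasons = imminent_reasons(v, org_sector)
        if any(r.startswith("threat actor") for r in reasons):
            tier = 0  # targeted at organisations like ours
        elif reasons:
            tier = 1  # exploited in the wild, not sector-specific
        else:
            tier = 2  # gradual risk reduction queue
        return (tier, -v.cvss)
    return [v.cve for v in sorted(vulns, key=key)]


def build_catalog(vulns, org_sector=ORG_SECTOR):
    """Prioritization catalog: each entry carries its tier and the evidence."""
    by_cve = {v.cve: v for v in vulns}
    catalog = []
    for cve in threat_centric_order(vulns, org_sector):
        v = by_cve[cve]
        reasons = imminent_reasons(v, org_sector)
        catalog.append({
            "cve": v.cve, "asset": v.asset, "cvss": v.cvss,
            "tier": "imminent" if reasons else "gradual",
            "reasons": reasons,
        })
    return catalog


if __name__ == "__main__":
    print("by CVSS:       ", severity_order(SAMPLE))
    print("threat-centric:", threat_centric_order(SAMPLE))
    for entry in build_catalog(SAMPLE):
        print(entry)
```

Run stand-alone, the CVSS-only ordering puts the 9.8 finding with no known exploitation first, while the threat-centric ordering moves the 6.5 finding that a sector-relevant actor is using to the top and leaves the 9.8 in the gradual-reduction queue. The `reasons` field is what makes the catalog defensible to auditors and to the patching teams: every imminent entry records which in-the-wild signal put it there.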
“Traditional vulnerability management approaches practice gradual risk reduction,” argues George. They focus remediation on either the most severe vulnerabilities, based on a high CVSS score, or on the value and exposure of an asset. “Unfortunately,” he says, “both practices are often tied to reducing the most amount of risk with the least number of patches.”
The point is that setting priorities, in all fields of cyber security, is essential for a CISO to be successful.