By Starting With the Threat You Can Easily Prioritize Vulnerabilities and “Embrace the Grey”
For years the security industry has been talking about the importance of patching as a basic security measure to prevent attacks. The Equifax breach is the latest reminder of what happens when organizations lag in this effort. It’s a safe bet that Equifax isn’t alone.
Research by Enterprise Strategy Group (ESG) finds that improving the ability to discover, prioritize and remediate software vulnerabilities is a top priority for cybersecurity professionals – second only to detecting, containing and remediating actual attacks. On the flip side, the research also points to patching as among the most time-consuming security operations tasks.
A lack of skilled cyber security professionals is often behind our inability to patch in a timely manner. It is not just the number of vulnerabilities; it is the process needed to patch – testing, deploying, verifying, planning for downtime, etc. We simply don’t have the people, infrastructure, tools and, ultimately, time available. But what we often fail to recognize, is that this isn’t an all or nothing scenario. In fact, nothing is when it comes to cybersecurity.
As Neil MacDonald of Gartner eloquently puts it, “The truth is we’ve had a binary view of the world that no longer exists. Black or white, good or bad the answer is we don’t really have certainty in either extreme. It could be either. It can be both. Ambiguity is the new reality. Embrace the grey.”
But wait a minute. Either there is a patch or there isn’t. And if a vulnerability has a patch, then you should patch it, right? That seems fairly black and white. So where is the grey?
The grey is a prioritized list of vulnerabilities based on the threats to your organization. Key here is your organization; this list will be different for each company based on their environment and risk profile, so you need to be able to set your own parameters to determine what is more important and a higher priority. If you start with analyzing and gaining a deeper understanding of the threat, you’ll soon realize that you don’t have to patch everything. And, in fact, you probably shouldn’t. If you did, you’d likely be wasting precious resources that could be allocated to higher value tasks.
So how do you decide which vulnerabilities you need to address? Chances are, you already have part of the answer in the threat feeds you already subscribe to from commercial sources, open source, industry and your existing security vendors. You just need to dig a little deeper.
You need to start by aggregating and correlating these threat feeds with internal data and events into a central repository, translating the data into a uniform format for analysis and action. Then you can augment the data with additional external and internal context to provide understanding of the who, what, where, when, why and how of an attack. With insights into adversaries’ methods, including specific processes, applications, operating systems and vulnerabilities they target, you can use this context to prioritize the threats, calculate the risk and determine which are the highest priority vulnerabilities to patch.
Here is a simplified example. Let’s say you hear about three new vulnerabilities to relevant applications to your environment. Which ones should you patch? In what order? With threat intelligence you understand that:
● Vulnerability A has no known adversaries using it or associated indicators of compromise (IOCs). Although it is a vulnerability, it may not be exploited in the real world.
● Vulnerability B is related to a specific adversary campaign and IOCs. Checking internal data and events, a few of those indicators have been seen in your SIEM and/or ticketing system.
● Vulnerability C has related threats and IOCs. However, those threats have been known to target a specific industry you are not in.
Where do you start? Do you need to do all three? The answer is clear. Vulnerability B needs to be addressed immediately because there are sightings in your environment already! Vulnerability C may be next on your priority list. Although it is not relevant to your industry, you may decide to patch based on your risk profile. And lastly, since vulnerability A is not being exploited, it probably doesn’t make sense to allocate resources now when your plate is already overflowing.
Of course, you can’t do this once and forget about it. This is just in a single point in time, but adversaries change their tactics, techniques and procedures (TTPs), systems and applications evolve, and their usage within your business environment does as well. Prioritization needs to be done on a continuous, ongoing basis.
As the threat landscape dynamically changes along with your internal environment, you need to keep adding more data and context to your repository as well as learnings about adversaries and their TTPs. Through continuous threat assessment you can automatically
recalculate and reevaluate priorities to learn, understand and focus on patching the vulnerabilities that are most relevant to your organization. In the above example, what if vulnerability A does get exploited in the wild a few days or weeks later? Through continuous threat assessment and automated reprioritization you will know when it may be time to act.
By starting with the threat you can easily prioritize vulnerabilities and “embrace the grey.” This will allow you to effectively and efficiently mitigate your organization’s risk, and position your team to address other high-value activities – like detecting, containing and remediating actual attacks, and even anticipating potential threats.