Two C-Levels Hack the Hardest Parts of Prioritization
In an era of extraordinary threats, security leaders have their work cut out for them. Increasingly aggressive hackers, skyrocketing CVEs, complex hybrid workforces, expanding attack surfaces, and legacy systems are making vulnerability prioritization decisions both extremely difficult and extremely critical.
That’s why we’re revisiting a recent installment of the Super Cyber Friday Series. Host David Sparks invited Ed Bellis, CTO and co-founder of Kenna Security at Cisco, and Ben Sapiro, head of technology risk and CISO with Canada Life and a Kenna Security customer, to talk about how they weigh prioritization decisions when the stakes are high, and what factors determine which vulns are remediated and (equally important) which aren’t.
Between jaw-dropping data points, personal takes on industry events, and thoughtful beliefs around the duty of a security leader, some themes began to emerge. This blog highlights a handful of talking points that are influencing the future of vulnerability management programs and security operations.
Fighting the flaws in outdated strategies
Few security professionals would argue that a “patch everything” approach is effective, but not many know how much data backs this up. Lucky for us, Bellis is a wealth of heavily researched remediation knowledge. “You can ignore 60-70% of your vulns,” states Bellis, which is good news for organizations looking to manage the tsunami of new vulnerabilities published daily.
“We do a series of joint research reports with the Cyentia Institute. We analyzed all CVEs listed in the National Vulnerability Database to see how many of these have some sort of weaponized exploit, and/or that we are actually seeing successful exploits in the wild. Consistently, we see about 20-25% of all vulns have either weaponized activity or some sort of exploitation activity or weaponized code to exploit those vulns.”
Bellis also warns against a long-standing practice of using the Common Vulnerability Scoring System (CVSS) as a way to prioritize top fixes. With remediation capacity averaging about 15% for most organizations (30% for the top performers), the number of vulns deemed high-risk or critical according to CVSS far exceeds any team’s patching ability. “If you look at the distribution of CVSS, the average score of any vuln is 7+ which is considered high. If I’m fixing 30% of my vulns, trying to fix all of the CVSS highs, I can’t. I literally can’t.”
Sapiro agrees, pointing out that the logic behind CVSS is murky, at best. “There’s some math inside CVSS that shouldn’t be used to drive your decision-making because the math itself is sometimes a bit opaque to the average security practitioner.”
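To make the capacity argument above concrete, here is an added example (not code from the post, from Kenna, or from Cisco) that runs a constructed list of ten vulnerabilities through a CVSS-only filter and through a simple risk-based ranking; the identifiers, scores and exploit flags are all made up, and the `risk_rank` ordering is an assumption about how such a queue might be built, not Kenna's scoring.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str              # constructed placeholder, not a real CVE id
    cvss: float           # CVSS base score
    exploited_in_wild: bool
    weaponized: bool      # public weaponized exploit code exists
    asset_critical: bool  # sits on an important asset


# Constructed sample: 7 of 10 score 7+, only 3 carry any exploitation evidence,
# roughly mirroring the proportions quoted in the discussion above.
SAMPLE = [
    Vuln("VULN-01", 9.8, True, True, True),
    Vuln("VULN-02", 7.5, True, True, False),
    Vuln("VULN-03", 6.5, False, True, True),
    Vuln("VULN-04", 9.1, False, False, True),
    Vuln("VULN-05", 8.8, False, False, False),
    Vuln("VULN-06", 7.2, False, False, False),
    Vuln("VULN-07", 7.8, False, False, True),
    Vuln("VULN-08", 8.1, False, False, False),
    Vuln("VULN-09", 5.3, False, False, False),
    Vuln("VULN-10", 4.3, False, False, True),
]


def cvss_high(vulns, threshold=7.0):
    """The 'fix everything CVSS calls high' list."""
    return [v for v in vulns if v.cvss >= threshold]


def risk_rank(v):
    # Sort key (assumed ordering): in-the-wild exploitation first, then
    # weaponized code, then asset importance, with CVSS only as a tiebreaker.
    return (v.exploited_in_wild, v.weaponized, v.asset_critical, v.cvss)


def prioritize(vulns, capacity_ratio):
    """Return the slice of the risk-ranked queue that fits this cycle's capacity."""
    budget = max(1, int(len(vulns) * capacity_ratio))
    return sorted(vulns, key=risk_rank, reverse=True)[:budget]


if __name__ == "__main__":
    print("CVSS high:", [v.vid for v in cvss_high(SAMPLE)])
    for cap in (0.15, 0.30):
        print(f"risk-based queue at {cap:.0%} capacity:",
              [v.vid for v in prioritize(SAMPLE, cap)])
```

With a 30% capacity the queue takes the two in-the-wild vulns and the 6.5-score weaponized one ahead of an unexploited 9.1, while the CVSS-only list is more than twice what the team can patch.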
The hardest parts of prioritization
When asked about the most difficult aspect of vulnerability prioritization, the two security veterans had some interesting views. Because both are pioneers and practitioners of risk-based vulnerability management, prioritization challenges tend to be more strategic than tactical.
Sapiro, for example, said his greatest challenge comes when sequencing among the highest-risk vulns. “Given that there are so many pieces of technology within an environment, sequencing the priority within the priority (can be the most difficult challenge). If you’re dealing with Microsoft Patch Tuesday, let’s say arbitrarily around the time of mid-Dec 2021, you’ve got a whole bunch of high and critical dropping at the same time, so then how do you sequence within that?” But he reassures that “once you get out of those hairy situations, really then it’s an exercise in change management and scheduling.”
With risk always on the brain, Bellis cited the multi-tiered thought process behind whether to patch, when, and how much effort to dedicate to it. “One of the things I think about is in terms of how easy or hard something is,” explains Bellis. “Part of that process is all the stuff we’ve been talking about (threats, exploits, asset importance), but I think about two other aspects: How difficult is this to fix? What’s the operational risk? Those tend to go hand in hand.”
The two also had differing views on the challenge behind “prioritization drift,” or when teams start off with a risk-based mindset but, despite the best of intentions, end up filling their fix lists with inflated or highly publicized vulns that don’t have much of an impact on overall risk. Adjusting to a “less is more” attitude can take time, but it’s necessary, argues Sapiro. Succumbing to prioritization drift can feel like you’re doing more, but it can also be a kind of siren’s call for security professionals. “If you’re using count of vulns as your measurement, it tells a great story but it doesn’t assess your risk. You’ve removed an amount of something from your pile of bad.”
But as Bellis points out, high-volume patching may not always be a bad thing. “There can be a positive to doing that even if it’s a low risk of exploitation. Months from now if a vuln comes out in that piece of software that is highly exploitable and I haven’t patched it for the last six months, that makes my job a lot harder. So, there are pluses and minuses.”
An evolution is underway
Risk-based prioritization is spreading rapidly, particularly among companies looking to future-proof their security and optimize their limited resources. Even federal entities like the Cybersecurity and Infrastructure Security Agency (CISA) are mandating that public sector organizations shift to focusing remediation efforts on vulnerabilities with active exploits.
More and more solution providers are scrambling to offer up simplified, risk-based security management tools to customers desperate to stem the tide of rising risks. But few are better positioned than Cisco to do so effectively. Cisco recognized this need, prompting the move to bring Kenna Security into the Cisco Secure fold and continue building its vision of security resilience for all.
Because Cisco and Kenna know that cybersecurity is inherently hard—but they also know it doesn’t have to be.
To hear more of the in-depth conversation between Ben Sapiro and Ed Bellis, watch the replay of Hacking Prioritization: An hour of critical thinking about which security holes need to be filled, and which ones don’t.