How to Squeeze the Most Risk Reduction from Your Vulnerability Management
Share with Your Network
Over the past two years, record-breaking cybersecurity threats (both in volume and severity) have sparked a reshuffling of recommendations and best practices trickling down from influential security entities and governing bodies. These changes center around one critical ingredient: exploit intelligence.
After last year’s Colonial Pipeline attack rattled industry and government leaders, President Biden signed an Executive Order outlining wide-sweeping cybersecurity improvements. To strengthen shared threat intelligence, the EO stipulates timeframes and procedures for information and communications technology (ICT) service providers to report security incidents (a significant move given these groups were not previously incentivized to do so).
To that effect, the Cybersecurity and Infrastructure Security Agency (CISA) has started maintaining a catalog of known exploited vulnerabilities. This shared intelligence resource is designed to equip agencies with actionable threat and vuln intelligence, underscoring a shift in the security industry towards risk-based prioritization. In the same move, CISA also advised teams to look beyond CVSS-based strategies for VM prioritization, citing a lack of exploit context.
Perfectly-timed data on the benefits of exploit intel
When the latest installment of the Prioritization to Prediction (P2P) research series released findings of the vulnerability management (VM) benefits of exploit intel, security pundits took note. For the eighth volume of this biannual research series, we at Kenna Security (part of Cisco) partnered with the Cyentia Institute to answer the question posed at the closing of Prioritization to Prediction, Volume 7: “Is it possible to determine the relative exploitability or remediability of an entire organization?”
The findings in Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability reveal that yes, organizational exploitability can be measured. And even more promising, accurately measuring exploitability can help minimize it; great news for organizations heeding the calls for a stronger focus on exploit intel in the cybersecurity community.
Research-backed ways to reduce the most risk
Kenna Security’s Ed Bellis and the Cyentia Institute’s Jay Jacobs recently unpacked the latest report’s key findings and highlighted what security leaders can do to get the most risk reduction from their VM programs. They offered key, risk-reducing takeaways and sheds light on the research that supports them. Here are some highlights.
Stay focused (not fast). Risk-based prioritization has defined the direction of vulnerability management in recent years and for good reason. A stunning average of 55 new vulnerabilities were published every day in 2021. This statistic may send some into a patching frenzy, remediating what they can as fast as possible, but the truth is that’s not necessary, or even advised.
Figure 1: Number of vulnerabilities added to the CVE List annually with proportions that are observed and exploited.
Our research found regardless of size, organizations can remediate about 15% of the vulnerabilities present in their environment. However, if they stay focused on observed CVEs in their environment flagged as high risk, just over 4% of published vulns potentially real risk and needs attention (see the red portion in Figure 1).
“This is part of the challenge in the industry,” notes Jacobs. “A very small proportion–like single-digit percentages–of CVEs are actually being exploited and taken advantage of. That’s where the big challenge lies.”
Harness exploit code intel. While a risk-based approach is paramount to staying focused on what matters most, we discovered if exploit intelligence is layered on top, your ability to reduce exploitability increases significantly.
To compare the impact of different prioritization strategies on exploitability, we leveraged Kenna’s real-world vuln intelligence plus EPSS to run a simulation (for anyone looking for a brush-up on EPSS, check out What Are the Odds? A Powerful Open Source Tool Helps Predict Exploits). We held the remediation capacity constant at 15% of its vulnerabilities in a given month. And there was no question as to which strategy won out.
Figure 2: Effect of vulnerability prioritization strategies on organizational exploitability.
Figure 2 depicts the resulting exploitability scores of each organization sampled (represented by the blue dots) for the different prioritization methods. The yellow dots indicate the median exploitability score.
If the visuals weren’t telling enough, how about the quantitative findings? The data reveals that prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS for minimizing exploitability. CVSS, in fact, is only marginally better than picking vulnerabilities at random and just a step above taking no action whatsoever. Even Twitter mentions fared better than CVSS-based prioritization.
Bellis mentions this particular research point supports previous P2P findings. “Once an exploit gets published, the odds of that exploit being used in the wild goes way up. In Volume 7, we discovered there really is no good scenario, at least as a defender, for publishing exploit code.”
Capacity can give you an edge. The research establishes that if forced to choose, strategy takes precedence compared to capacity. However, if an effective prioritization strategy is in place and an organization has the resources to direct towards increasing capacity, the payoff could be big.
Figure 3: Exploitability reduction achieved by improving remediation strategy and capacity
Figure 3 breaks down high and low capacities when applied to a CVSS-based approach versus an approach based on exploit code intel. And the gains are nothing to sneeze at. Combining an exploit-code-based prioritization strategy with high remediation capacity can achieve a 29X reduction in exploitability. (Gesundheit!)
Bellis stresses both strategy and capacity matter. “What we’re finding is that remediation strategy gives you a bigger dent in terms of exploitability in risk than capacity, but by combining them you can really get the most effectiveness and efficiency out of your vulnerability management program.” Uncovering automation opportunities, tightening existing workflows, and leveraging intuitive reporting and dashboards can help you and your teams ramp up remediation capacity and lower the most risk possible.
Get your priorities straight
Even with risk-based prioritization in place, our research reveals there are still opportunities to refine your remediation response and gain ground in risk reduction. If historic events and industry shifts provide a glimpse into the future of the threat landscape, ensuring your VM program is as robust as possible now will set you up for success later.
Download your copy of Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability to discover more ways to boost your vulnerability management. Interested in an expert walk-through? Watch this on-demand webinar.