
Vulnerability Management Maturity Part Two: Training Day

Aug 20, 2020
Jason Rolleston
Chief Product Officer


It’s safe to say that most modern enterprises live and breathe data. But not all data is created equal. Take, for example, the data used in early stage vulnerability management programs. 

Go beyond CVSS

Sure, they use data. When their scanners detect a vulnerability, it gets added to a spreadsheet. To estimate the risk the vulnerability poses, they use the Common Vulnerability Scoring System (CVSS). Never mind that CVSS doesn’t actually measure the risk of exploitation: for years it was as good as it got. (CVSS approximates how easy a vulnerability is to exploit and what the impact of exploitation would be; it does not measure the likelihood that the vulnerability will be exploited.) In fact, many vulnerabilities with high CVSS scores pose little to no risk of exploitation or weaponization.

The quality of a vulnerability management program is directly related to its ability to accurately quantify whether a vulnerability has been weaponized in the past, or is exploitable in the future. And while CVSS might not be the appropriate tool, there is data that can be harnessed to protect corporate networks. 

Pull in the right data 

When a hacker deploys an attack, or when security researchers exploit a vulnerability to create a proof of concept, it leaves a record, usually in server logs, though such records can be found in other places too.

Rather than relying on the theoretical risk of a vulnerability, data scientists can examine how hackers have operated in the past to detect well-worn behavioral patterns. Kenna Security intakes data from a sprawling list of sources, including scanners, penetration testing results, bug bounty programs, databases of vulnerabilities and exploit intelligence, and multiple threat intelligence feeds processed in real time.  

Evaluate and score vulnerabilities

We’ve learned that certain vulnerabilities are more likely to be exploited than others. Certain variables, such as which vendor makes the affected application or whether a proof-of-concept exploit has been published, tend to be more indicative of future weaponization than other variables. Conversely, a vulnerability that can lead to memory corruption in an asset is less likely to be weaponized.

All of these factors can be harnessed to quantify the risk any individual vulnerability poses to an organization. In aggregate, these risks can be used to create an overall risk score for an entire enterprise or for segments of it. 

And you have RBVM

This process is known as risk-based vulnerability management, or RBVM. It has some interesting effects. Our research shows that with the right data, it can drive down risk more thoroughly than other rubrics. For example, some enterprises have protocols under which every vulnerability with a CVSS score above 7 is patched. Data science suggests, however, that many vulnerabilities above that threshold pose little risk of exploitation, while some that fall below it pose even greater risk to the organization.
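As an added illustration, not Kenna’s model or code, here is the scoring, aggregation and threshold comparison described above in a few lines of Python. The weights, the risk threshold of 50, the "high-risk vendor" list and the four findings are all constructed assumptions chosen to show how a CVSS-above-7 policy and a risk-based policy select different vulnerabilities.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str            # constructed placeholder id, not a real CVE
    segment: str            # network segment the asset belongs to
    cvss: float             # CVSS base score, 0-10
    poc_published: bool     # public proof-of-concept exploit exists
    exploited_in_wild: bool # exploitation observed in real attacks
    vendor: str             # vendor of the affected application


# Hypothetical weights (assumption for this example, not Kenna's model).
CVSS_WEIGHT = 3.0           # CVSS contributes at most 30 of 100 points
EXPLOITED_BONUS = 50.0      # observed weaponization dominates the score
POC_BONUS = 25.0            # a published PoC is a strong leading indicator
VENDOR_BONUS = 10.0
HIGH_RISK_VENDORS = {"VendorA"}  # constructed: historically targeted vendors


def risk_score(f: Finding) -> float:
    """Evidence-driven 0-100 risk score, as opposed to raw CVSS."""
    score = f.cvss * CVSS_WEIGHT
    if f.exploited_in_wild:
        score += EXPLOITED_BONUS
    elif f.poc_published:
        score += POC_BONUS
    if f.vendor in HIGH_RISK_VENDORS:
        score += VENDOR_BONUS
    return min(score, 100.0)


def cvss_policy(findings, threshold=7.0) -> list:
    """The 'patch everything above CVSS 7' rubric."""
    return [f.vuln_id for f in findings if f.cvss > threshold]


def risk_policy(findings, threshold=50.0) -> list:
    """Risk-based rubric: patch by evidence of exploitability."""
    return [f.vuln_id for f in findings if risk_score(f) >= threshold]


def segment_risk(findings) -> dict:
    """Aggregate per-vulnerability risk into a mean score per segment."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[f.segment].append(risk_score(f))
    return {seg: sum(s) / len(s) for seg, s in buckets.items()}


# Constructed sample findings.
SAMPLE = [
    Finding("VULN-1", "dmz", 9.0, False, False, "VendorX"),  # high CVSS, no evidence
    Finding("VULN-2", "dmz", 5.5, True, True, "VendorA"),    # low CVSS, weaponized
    Finding("VULN-3", "corp", 8.0, True, False, "VendorA"),  # both rubrics agree
    Finding("VULN-4", "corp", 4.0, False, False, "VendorX"), # neither patches
]
```

Running `cvss_policy(SAMPLE)` selects VULN-1 and VULN-3, while `risk_policy(SAMPLE)` selects VULN-2 and VULN-3: the high-CVSS finding with no exploitation evidence drops out and the low-CVSS weaponized one moves to the front.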

RBVM is the insight that enables truly modern vulnerability management. But to get the benefits of RBVM, organizations need a tool that can operationalize these insights.

To learn more about Modern Vulnerability Management and see where you are on the maturity curve, talk to one of our experts.
