Security vulnerabilities are everywhere — in the software we use, in mobile apps, in hardware and in internet of things (IoT) devices. Almost anything can be hacked, and we can see that in the staggering numbers of vulnerabilities disclosed every year. In fact, there were 10,644 vulnerabilities disclosed in the first half of 2018 alone, according to Risk Based Security. This year will likely top that number, and there is no doubt in my mind the same will be written 12 months from now.
In a threat landscape so replete with opportunities for attackers to make a move, vulnerability management is a central activity that can help organizations reduce their exposure to the attack surface and mitigate risk. Vulnerability management solutions have been available for many years now, yet the process remains a challenge for many organizations today.
Effective and efficient vulnerability management requires the involvement of various stakeholders throughout the organization. They typically come from multiple teams, such as security, asset owners and IT operations, to name a few. It is not enough to scan for vulnerabilities and then send a report over the wall with a large number of issues that have to be addressed; this is a surefire way to waste precious resources and frustrate teams in the process. Worst of all, it can potentially leave some of the riskiest vulnerabilities unaddressed.
According to forecasts released by Gartner [1] in 2018, around 30 percent of organizations will adopt a risk-based approach to vulnerability management by 2022, which could help them suffer 80 percent fewer breaches. Sounds like a promising forecast, but how can organizations adopt an effective risk-based approach that could yield such improvement in their security posture?
Let’s explore how connected security solutions can help security teams contextualize and prioritize vulnerabilities.
Risk-Based Vulnerability Management Starts With Prioritization
Vulnerability prioritization is a widely discussed topic in the information security domain. Approaches range from the Common Vulnerability Scoring System (CVSS) to methods based on asset value and exploit weaponization, and an asset's value, criticality and sensitivity are all fundamental elements of vulnerability remediation prioritization. Forgoing a vulnerability patch on a critical server, a production environment or the database that holds company secrets can result in high-impact damage to the business.
How do you prioritize the right patch? Which approach will result in keeping up with the business’ goals? There’s more to it than choosing one or the other. Let’s look more specifically into why and how patch management, security information and event management (SIEM) and network topology modeling can help prioritize addressing vulnerabilities.
Focus Your Efforts Through Patch Management
Imagine a traditional vulnerability assessment program that requires monthly scans. Every month, a scanning solution assesses potential vulnerabilities, and remediation activities are completed. During the next scan, those vulnerabilities are confirmed as remediated while new ones are identified, and the cycle continues.
But how many of those flaws will have been realistically patched before the next vulnerability scan? How much time will security staff spend looking at vulnerabilities to ensure they have been effectively patched? It would be wise for a vulnerability management process to require a specific scan to validate that a vulnerability has indeed been remediated.
Considering the resources available for investigation in a typical organization, knowing that a patch management solution has reliably applied or scheduled a fix can help security teams focus on the vulnerabilities that have not yet been remediated.
Look at Network Traffic Routes Using Network Topology Modeling
Now let’s shift our focus to network security. Fundamentally, the topology of a network can help define the opportunity for an attacker to exploit a particular vulnerability. Defenders should ask themselves where devices are placed on the network and whether that placement is conducive to optimizing the security they can offer. What rules have been configured on them, and what data drove their creation?
By gathering details on existing network security and the configuration of network devices, threat modeling solutions can help build a network traffic topology. This topology can provide answers to questions such as:
- Can users access critical/sensitive assets from the edges of the network?
- What subnetworks have a path to the organization’s crown jewels?
- Are there vulnerabilities on a particular port that can be exploited from the edge of my network?
Going through this process can help you use network topology to inform vulnerability prioritization. A high-risk vulnerability on a low-value asset in an area of your network that cannot be reached from the internet is likely less important than a medium-risk vulnerability on a high-value asset that is accessible from the internet. This is why network topology threat modeling can be a helpful tool for prioritizing which vulnerabilities present higher risk and which do not necessarily require immediate action.
While vulnerabilities don’t change in their definition, network configurations do. A network modeling solution should monitor security policies and adjust risk as the context changes.
Let’s say, for example, that a firewall rule has been added to allow traffic from the edge of the network to a low-value asset affected by a high-risk vulnerability. Defining the risk here may seem straightforward, but what if there were additional details to consider? The low-value asset has a network path to high-value assets, for instance. Now the risk associated with the vulnerability has changed, and this should be reflected in how the vulnerabilities are prioritized.
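The two scenarios above can be worked through in a small model. This is an added example, not code from any product the article refers to; the asset names, values, findings, rule set and scoring weights are all constructed assumptions chosen for illustration.

```python
from collections import deque

# Constructed sample data: asset values (1 = low, 5 = crown jewels) and findings.
ASSET_VALUE = {"kiosk": 1, "web": 4, "db": 5}
FINDINGS = [
    {"id": "F-1", "asset": "kiosk", "severity": 9.0},  # high risk, low-value asset
    {"id": "F-2", "asset": "web", "severity": 5.5},    # medium risk, high-value asset
]
# Allowed traffic as (source, destination) pairs derived from firewall rules.
BASE_RULES = {("internet", "web"), ("kiosk", "db")}


def reachable(rules, start):
    """Return every node that traffic starting at `start` can reach."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in rules:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def score(finding, rules):
    """Illustrative weighting: severity x value at stake x exposure factor."""
    asset = finding["asset"]
    exposed = asset in reachable(rules, "internet")
    # Value at stake includes any asset an attacker could pivot to from here.
    pivot = [ASSET_VALUE[a] for a in reachable(rules, asset) if a in ASSET_VALUE]
    at_stake = max([ASSET_VALUE[asset]] + pivot)
    return round(finding["severity"] * at_stake * (1.0 if exposed else 0.2), 1)


def rank(rules):
    """Finding ids ordered from highest to lowest priority."""
    return [f["id"] for f in sorted(FINDINGS, key=lambda f: -score(f, rules))]


if __name__ == "__main__":
    print("before rule change:", rank(BASE_RULES))
    # New firewall rule: the edge of the network can now reach the kiosk.
    print("after rule change: ", rank(BASE_RULES | {("internet", "kiosk")}))
```

With the base rules the medium-risk finding on the internet-facing asset ranks first; once the new rule exposes the kiosk, its path to the database moves the high-risk finding to the top.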
Inform Your Security Team Via Your SIEM
SIEM data can help inform security professionals about the context of the services associated with certain vulnerabilities.
Consider the example of CVE-2014-3566, known as the enabler for the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. According to IBM X-Force Exchange, “Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via the POODLE attack to decrypt SSL sessions and calculate the plaintext of secure connections.”
While an asset might be running a version of OpenSSL relevant to CVE-2014-3566, the only way for an attacker to “obtain sensitive information” is for that information to exist in the first place. Network flows may tell us that no SSL traffic was ever recorded to or from this service, or they may paint the picture of an HTTPS service used throughout the organization and from outside the organization’s network. Here we have two different scenarios associated with two very different risks that a vulnerability assessment solution alone cannot differentiate.
Using a threat feed, a SIEM solution can help determine not only whether there is traffic from the internet going to a vulnerable service on an asset, but also if that flow is indeed coming from an identified malicious source. This can raise an offense in the SIEM system and should also feed down to a vulnerability management solution to prioritize that particular vulnerability instance.
In addition, let’s say an intrusion detection system (IDS) identified an indicator of compromise (IoC) that clearly points to the exploitation of a vulnerability. Not only will this raise an offense in a SIEM solution for a security team to investigate, it will also be prioritized by a SIEM tool that is integrated with a vulnerability management solution. That particular vulnerability would clearly become a high-priority concern.
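The SIEM-driven distinctions described in this section can be sketched as follows. This is an added example, not code from the article or from any SIEM product; the flow records, threat feed entry, IDS alert and priority labels are constructed assumptions, and traffic to port 443 stands in for recorded SSL traffic.

```python
import ipaddress

# Constructed sample data (private and documentation address ranges only).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
THREAT_FEED = {"203.0.113.66"}                      # identified malicious sources
FINDINGS = [                                        # same CVE on four assets
    {"asset": "10.0.1.10", "port": 443, "cve": "CVE-2014-3566"},
    {"asset": "10.0.2.20", "port": 443, "cve": "CVE-2014-3566"},
    {"asset": "10.0.3.30", "port": 443, "cve": "CVE-2014-3566"},
    {"asset": "10.0.4.40", "port": 443, "cve": "CVE-2014-3566"},
]
FLOWS = [                                           # (source, destination, port)
    ("10.0.9.5", "10.0.2.20", 443),
    ("198.51.100.7", "10.0.2.20", 443),
    ("203.0.113.66", "10.0.3.30", 443),
    ("198.51.100.7", "10.0.4.40", 443),
]
IDS_ALERTS = [{"asset": "10.0.4.40", "cve": "CVE-2014-3566"}]  # exploitation IoC


def prioritize(finding):
    """Return an illustrative priority label for one vulnerability instance."""
    key = (finding["asset"], finding["cve"])
    if any((a["asset"], a["cve"]) == key for a in IDS_ALERTS):
        return "critical"            # IoC points at exploitation of this CVE
    sources = [ipaddress.ip_address(src) for src, dst, port in FLOWS
               if dst == finding["asset"] and port == finding["port"]]
    if not sources:
        return "low"                 # no traffic ever recorded to the service
    if any(str(src) in THREAT_FEED for src in sources):
        return "high"                # flow from an identified malicious source
    if any(src not in INTERNAL for src in sources):
        return "elevated"            # service is used from outside the network
    return "medium"                  # service is used, but only internally


def prioritize_all():
    """Map each asset to its label so identical scanner results can be compared."""
    return {f["asset"]: prioritize(f) for f in FINDINGS}


if __name__ == "__main__":
    for asset, label in prioritize_all().items():
        print(asset, label)
```

The scanner reports the same finding four times; only the flow, threat feed and IDS context separates the instances.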
Connect Security Solutions to Keep Up With Evolving Modern Threats
While vulnerability management solutions have helped organizations mitigate risk for a couple of decades now, cybersecurity threats are more prevalent than ever before. Systems have become increasingly complex, attacks are more sophisticated as a result and the volume of vulnerabilities is beyond the remediation capabilities of many organizations.
To stay ahead of attackers, organizations should consider vulnerability management solutions that integrate with SIEM tools, network and threat modeling capabilities, and patch management systems. Making the best of vulnerability management today means breaking down the silos of security and IT operations solutions and connecting them together.
[1] Implement a Risk-Based Approach to Vulnerability Management, August 21, 2018, Prateek Bhajanka and Craig Lawson