Let’s face it: Vulnerability management is not what it used to be a decade ago. Actually, it is not what it used to be a couple of years ago. Vulnerability management is one of those ever-evolving processes. Whether it is because of compliance mandates, board demands, an overall desire to reduce risk, all of these objectives or none, almost every organization is taking a new look at their vulnerability management program. Too often, though, they focus only on scanning for existing vulnerabilities, which yields a long list of issues without context or priority.

Please do not misinterpret that statement. Scanning is an important part of any vulnerability management program, and not just for traditional infrastructure. Cloud environments should also undergo scanning and vulnerabilities should be remediated regularly. Scanning, however, should walk down the aisle in holy matrimony with vulnerability ranking, ensuring teams are patching the most impactful issues first.

According to IBM X-Force Red’s vulnerability scanning data, about 1.7 million vulnerabilities are reported by scanners in each client’s environment. Out of those 1.7 million, 16 percent have associated public exploits. That means an attacker could exploit up to 272,000 of those vulnerabilities at any moment in time. And, as you have probably heard ad nauseam, it only takes the exploitation of one vulnerability for an attacker to compromise an entire organization.

How can security teams quickly find which of those vulnerabilities have associated public exploits? And out of that pool of vulnerabilities, how do they know which ones to fix first?

The screenshot below, which comes from an initial scan for vulnerabilities, shows the challenge. Even if you cannot see the specific Common Vulnerabilities and Exposures (CVE) numbers, you can still see the list is endless. How can anyone decipher what the data means and which actions to take next?

Figure 1: Vulnerability scan results prior to ranking of the issues detected in the scan (Source: IBM X-Force Red)

Scan, Then Rank!

Hence, the importance of ranking. Without ranking, that possible list of 1.7 million vulnerabilities produced by one scan is just a giant heap of CVEs. The findings are not actionable. Instead of giving the report’s recipients answers, the sheer number of issues listed merely stresses them out, all while the most dangerous vulnerabilities may be left to stick around even longer, exposing sensitive assets to a motivated attacker.

You may be thinking, “I do rank. I prioritize our scan findings based on the assigned CVSS scores.” As I described in more detail in a prior blog post, ranking vulnerabilities based on the Common Vulnerability Scoring System (CVSS) alone is not enough, because the CVSS was never meant to be used on its own for prioritization. To briefly recap, the CVSS provides a technical score for the severity of a vulnerability; however, it lacks contextual information specific to each organization’s environment. In other words, it does not include key risk factors such as the value of the exposed asset to the organization or whether the vulnerability can be exploited by attackers.

If scanning is not followed by ranking based on those kinds of risk factors, security leaders may find themselves wasting time on minimal-risk vulnerabilities and false positives, stewing over where to start with remediation, or manually trying to figure out which vulnerabilities matter most.

Wed Scanning and Ranking in Your Environment

As you most likely know from the countless number of vendor pitches in your email inbox, different security companies have their own “secret sauces” designed to help manage vulnerabilities. But if you are not ready to purchase yet another solution, the best first step for your vulnerability management program is to understand your assets.

Which assets matter most to your organization, and what kind of data do they touch? Once you identify those basics, you can narrow the scope of your scan to only those assets. That may make it a bit easier to identify vulnerabilities exposing the most critical assets — those that, if compromised, may cause the most pain.

Rank Like an Attacker

X-Force Red, IBM Security’s team of hackers, believes in ranking through the eyes of an attacker. After every scan — whether it’s of a cloud or traditional IT environment, an internet of things (IoT) device or web application, a host, a container, or anything else — the findings must be fed into a ranking engine that factors in attacker-minded information. For example, can the vulnerability be readily exploited? Is a public exploit available? Oftentimes, many vulnerabilities on the list are not being exploited by attackers, which diminishes the immediate risk they pose.
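To make the idea concrete, here is a small Python ranking function added as an illustration. It is not X-Force Red’s ranking engine (the post does not describe that engine’s internals) and the weights, field names and CVE identifiers are all hypothetical: each scanner finding is enriched with the asset’s criticality, whether a public exploit exists and whether the flaw is actively exploited, and those factors multiply the CVSS score rather than leaving it to stand alone.

```python
"""Attacker-minded vulnerability ranking.

Illustrative example only: the weights, field names and sample CVEs below are
constructed for this post and are not X-Force Red's engine or data.
"""
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Finding:
    """One scanner finding, enriched with organisational context."""
    cve: str
    cvss: float                # CVSS base score, 0.0-10.0, as reported by the scanner
    asset: str
    asset_criticality: int     # 1 (disposable) .. 5 (crown jewel); set by the asset owner
    public_exploit: bool       # a working exploit is publicly available
    actively_exploited: bool   # evidence that attackers are using it in the wild

# Hypothetical weights: exploitability is what an attacker cares about most,
# so it multiplies the score instead of adding a few points to it.
EXPLOIT_FACTOR_NONE = 1.0
EXPLOIT_FACTOR_PUBLIC = 2.0
EXPLOIT_FACTOR_ACTIVE = 3.0
EXPLOIT_FACTOR_MAX = EXPLOIT_FACTOR_ACTIVE
MAX_CRITICALITY = 5

def exploit_factor(f: Finding) -> float:
    """Active exploitation outranks a merely public exploit, which outranks neither."""
    if f.actively_exploited:
        return EXPLOIT_FACTOR_ACTIVE
    if f.public_exploit:
        return EXPLOIT_FACTOR_PUBLIC
    return EXPLOIT_FACTOR_NONE

def risk_score(f: Finding) -> float:
    """0-100 score combining technical severity, asset value and exploitability."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.asset_criticality <= MAX_CRITICALITY:
        raise ValueError(f"out-of-range input for {f.cve} on {f.asset}")
    severity = f.cvss / 10.0
    asset_weight = f.asset_criticality / MAX_CRITICALITY
    score = severity * asset_weight * exploit_factor(f) / EXPLOIT_FACTOR_MAX * 100
    return round(score, 1)

def rank_findings(findings: Iterable[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by raw CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)

def cvss_only_order(findings: Iterable[Finding]) -> List[Finding]:
    """The naive ordering the post argues against, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def with_public_exploits(findings: Iterable[Finding]) -> List[Finding]:
    """Answer the first question in the post: which findings have a public exploit?"""
    return [f for f in findings if f.public_exploit or f.actively_exploited]

# Constructed sample scan output; CVE-0000-* are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "db-prod-01", 5, public_exploit=True, actively_exploited=True),
    Finding("CVE-0000-0002", 9.8, "test-lab-vm", 1, public_exploit=False, actively_exploited=False),
    Finding("CVE-0000-0003", 6.5, "db-prod-01", 5, public_exploit=True, actively_exploited=False),
    Finding("CVE-0000-0004", 7.5, "lobby-kiosk", 2, public_exploit=True, actively_exploited=True),
]

if __name__ == "__main__":
    print(f"{'CVE':<14}{'asset':<14}{'CVSS':>6}{'risk':>7}")
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.cve:<14}{f.asset:<14}{f.cvss:>6.1f}{risk_score(f):>7.1f}")
```

Run it and the two 9.8-scored findings separate immediately: the one on the production database with an exploit in active use stays on top, while the identical score on a lab VM with no known exploit drops to the bottom, below a 6.5 on the same database that does have a public exploit. That reordering is the whole point of adding asset value and exploitability to the score.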

Scanners provide an enormous amount of data, and ranking enriches that data so it is actionable for reducing risk. The two should forever live in symbiosis.

To learn more about X-Force Red’s vulnerability ranking, check out how a security leader reduced the number of critical vulnerabilities in his environment by 60 percent in just four months.
