Let’s face it: Vulnerability management is not what it used to be a decade ago. Actually, it is not what it used to be a couple of years ago. Vulnerability management is one of those ever-evolving processes. Whether it is because of compliance mandates, board demands, an overall desire to reduce risk, all of these objectives or none, almost every organization is taking a new look at their vulnerability management program. Although too often, they may only focus on scanning for existing vulnerabilities, which could yield a long list of issues without context or priority.

Please do not misinterpret that statement. Scanning is an important part of any vulnerability management program, and not just for traditional infrastructure. Cloud environments should also undergo scanning and vulnerabilities should be remediated regularly. Scanning, however, should walk down the aisle in holy matrimony with vulnerability ranking, ensuring teams are patching the most impactful issues first.

According to IBM X-Force Red’s vulnerability scanning data, about 1.7 million vulnerabilities are reported by scanners in each client’s environment. Out of those 1.7 million, 16 percent have associated public exploits. That means an attacker could exploit up to 272,000 of those vulnerabilities at any moment in time. And, as you have probably heard ad nauseam, it only takes the exploitation of one vulnerability for an attacker to compromise an entire organization.

How can security teams quickly find which of those vulnerabilities have associated public exploits? And out of that pool of vulnerabilities, how do they know which ones to fix first?

The screenshot below, which comes from an initial scan for vulnerabilities, shows the challenge. Even if you cannot see the specific Common Vulnerabilities and Exposures (CVE) numbers, you can still see the list is endless. How can anyone decipher what the data means and which actions to take next?

Figure 1: Vulnerability scan results prior to ranking of the issues detected in the scan (Source: IBM X-Force Red)

Scan, Then Rank!

Hence, the importance of ranking. Without ranking, that possible list of 1.7 million vulnerabilities produced by one scan is just a giant heap of CVEs. The findings are not actionable. Instead of giving the report’s recipients answers, the sheer amount of issues listed merely stresses them out, all while the most dangerous vulnerabilities may be left to stick around even longer, exposing sensitive assets to a motivated attacker.

You may be thinking, “I do rank. I prioritize our scan findings based on the assigned CVSS scores.” As I described in more detail in a prior blog post, ranking vulnerabilities based on the Common Vulnerability Scoring System (CVSS) alone is not enough, because the CVSS was never meant to be used on its own for prioritization. To briefly recap, the CVSS provides a technical score for the severity of a vulnerability, however, it lacks contextual information that is specific to each organization’s environment. In other words, it does not include key risk factors such as the value of the exposed asset to the organization or if the vulnerability can be exploited by attackers.

If ranking — based on those kinds of risk factors — is not subsequent to scanning, security leaders may find themselves wasting time on minimal risk vulnerabilities, false positives, stewing, not knowing where to start with remediation, or manually trying to figure out which vulnerabilities matter most.

Wed Scanning and Ranking in Your Environment

As you most likely know from the countless number of vendor pitches in your email inbox, different security companies have their own “secret sauces” designed to help manage vulnerabilities. But if you are not ready to purchase yet another solution, the best first step for your vulnerability management program is to understand your assets.

Which assets matter most to your organization, and what kind of data do they touch? Once you identify those basics, you can narrow the scope of your scan to only those assets. That may make it a bit easier to identify vulnerabilities exposing the most critical assets — those that, if compromised, may cause the most pain.

Rank Like an Attacker

X-Force Red, IBM Security’s team of hackers, believes in ranking through the eyes of an attacker. After every scan — whether it’s on a cloud or traditional IT environment, internet of things (IoT) or web application, host, container, or anything and everything else — the findings must be inputted into a ranking engine that factors in attacker-minded information. For example, can the vulnerability be readily exploited? Is a public exploit available? Oftentimes, many vulnerabilities on the list are not being exploited by attackers, which diminishes their immediate viability.

Scanners provide an enormous amount of data, and ranking enriches that data so it is actionable for reducing risk. The two should forever live in symbiosis.

To learn more about X-Force Red’s vulnerability ranking, check out how a security leader reduced the number of critical vulnerabilities in his environment by 60 percent in just four months.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today