The situation described here does not come from the ivory tower; instead it comes from the real world and shows how to rapidly and efficiently address a zero-day vulnerability.

Last week there was some very unwelcome news for security engineers. Another Microsoft Internet Explorer (IE) zero-day vulnerability (2013-3893) was announced, with the double whammy that there were active exploits on the World Wide Web. The general recommendation – as you’d expect – was to:

  1. Patch
  2. Only visit trusted websites
  3. Avoid any websites that might be malicious

All very sensible and pragmatic.  But in reality, you are probably already overwhelmed with patching; you might have 1000’s of machines with this vulnerability, with 1000’s of users with possible click-happy tendencies. All of this adds up to a major security nightmare. Not only do you have all of those machines to patch, but you don’t know which ones might have already been exploited. On top of that you have a bunch of users to herd that are well meaning but uneducated, and you need  to prevent any further exploits from happening until you eventually get everything patched.


So you formulate a cunning plan:

  1. Email an alert to users saying ‘Please be careful’
  2. Scan your network for the vulnerability
  3. Embark upon patching the assets that have the vulnerability

And then you promptly recognize the following critical flaws in the cunning plan:

  1. 90% of your email alerts will get a cursory glance and then be consigned to the deleted folder
  2. The scan itself will potentially take several days
  3. Your patching schedule is already packed, how can you fit this in?

Thus leading to cunning plan B:

  1. Hope for the best until your next scheduled patch deployment


A more intelligent approach

Alternatively, you might be considering a more intelligent approach. We like to call it the Swiss Army Knife of Security.

It is a more comprehensive approach to help you manage vulnerabilities, and respond to security incidents in a fast and efficient way. An incident isn’t always an attack or some form of anomalous network behavior; it can often be the sudden realization that you have a significant security weakness in your network and need to respond to it as quickly and effectively as possible, such as an IE zero-day announcement.

A real-life experience

Let’s walk through a real-life experience of this intelligent approach. When the IE zero-day vulnerability was first announced, QRadar Vulnerability Manager (QVM) already knew which assets had IE installed based on a previous scan. QVM’s “early alert” functionality prevented the need to re-scan and detect the IE zero-day vulnerability. So when the zero-day was published, QVM knew there were approximately 1200 instances in the network. This may sound routine, but the customer didn’t have to wait a day or so to scan for the vulnerability, but any vulnerability scanning and management product worth its salt should have been able to do the same.

So it looks like the customer had to patch 1200 assets? Not so fast.  Of the 1200, the next thing to determine was if there had actually been any Web traffic to or from those assets in the last month or so that indicated IE was in use. When time is limited, you want to patch what is most likely to be exploited, and not waste time patching assets that are at low risk of exploitation. If an asset with a Web vulnerability is ever going to be low risk, it is one where there hasn’t been any web traffic to or from it.  With QVM the answer was just a click away. Why? Because it is part of the QRadar Security Intelligence Platform which can see all traffic on the network. It turned out in this case that nearly 20% of those assets didn’t have any web traffic in the last month. IE was installed but was never used.  Ironically a ‘stand-alone’ vulnerability product would typically tell you to patch those first because they would be ranked as most important.

Ok, so 1200 targets down to around 1000, Did the customer patch? No, QRadar Security Intelligence wasn’t finished yet. Not by a long shot.

The exploit for this vulnerability comes from malicious sites and IPs, so it was really important to know which sites and IPs were harmful, and which vulnerable assets had been communicating with them. IBM QRadar, thanks to our IBM Security X-Force team, has a continuously updated database of malicious internet IPs and Web sites. Also, because QRadar sees everything on the network through log and network flow analytics, it knew which assets had been communicating with those harmful IPs and Web sites.  So with a couple of clicks, QVM correlated the vulnerable asset list with the list of assets that had been communicating with the potentially malicious locations on the internet.

The result

The initial list of about 1200 assets that needed to be patched suddenly dropped to less than 50. And, crucially, these 50 are the most likely to be exploited.  This is a huge reduction in cost and risk, and a big improvement in efficiency. And it is possible because QVM is an integrated part of the IBM QRadar Security Intelligence Platform, and receives vital network context from QRadar.

Now imagine if all those vulnerabilities were automatically risk adjusted based on the above, and your recommended patching strategy was seamlessly updated as a result. Oh and what if you had access to a real-time monitoring system where those 50 assets automatically go on a watch list and are very closely monitored for anything that looked suspicious for the foreseeable future. Sounds like another job for QRadar.

Wouldn’t that be good? And very cunning indeed. And you can patch the other 1150 as time allows. Those are just some of the reasons I think the future is bright and we are here to help. If you have any questions just let me know in the comments below.


More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read