Creating a formula for effective vulnerability prioritization

In this Help Net Security interview, Michael Gorelik, CTO and Head of Malware Research at Morphisec, provides insights into the business impact of vulnerabilities.

Gorelik discusses challenges posed by regulatory frameworks, incomplete asset inventories, and manual methods, while also exploring the role of automated systems, the future of vulnerability prioritization in the face of evolving cyber threats, and key factors organizations should consider in building effective remediation strategies.

How does understanding the business impact of vulnerabilities help in prioritizing them? Could you give an example of how this has worked effectively in a real-world scenario?

The remediation of vulnerabilities is a daunting task. As of Dec 2023, over 4,540 critical vulnerabilities have been published (CVSS ranking of 9+), however, less than 2% of those vulnerabilities are exploited. Over the same time period, just over 120 CVEs were listed on the CISA KEV database – the CISA Known Exploited Vulnerabilities (KEV) catalog maintains an authoritative source of vulnerabilities that have been exploited in the wild.

Organizations that drive patching efforts using CVSS scoring are likely not able to keep up with the pace of new vulnerabilities, since deploying security patches requires testing, compatibility checks, and risk assessments resulting in a lead time of 4-6 weeks (or more) to patch a vulnerability. This lengthy process arises from the need to avoid business disruptions due to the potential of installing software updates which may cause compatibility issues – a significant risk for organizations. Therefore, prioritization must be done according to the organization’s business context, with alignment to the most significant vulnerabilities to which they are exposed — this leads to a sustainable remediation process.

Organizations should understand which vulnerabilities have the potential of being exploited within their unique environment and which of the vulnerabilities potentially pose the highest business risk. For example, a vulnerability with proven exploitability or a high probability of exploitation existing within an active internet-facing business application is likely a higher priority than a vulnerability residing within an unused application in a well-protected environment.

In what ways does adhering to regulatory frameworks like GDPR aid in vulnerability prioritization, and how does this align with maintaining an organization’s credibility?

The management of vulnerabilities is a key component in many compliance and regulatory frameworks such as NIST CSF, PCI DSS (Payment Card Industry Data Security Standard), NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection), CIS (Center for Internet Security) critical security controls, GDPR (General Data Protection Regulation) and others.

The regulatory frameworks include components for data protection and privacy, and these indirectly address vulnerability management by requiring organizations to implement security measures to protect personal data. A loss of personal data can lead to a loss of credibility and imposing regulatory violation fines by regulators like the US SEC (Securities and Exchange Commission). A vulnerability management practice prioritized and driven by business context can define assets that process PII as critical. This can dramatically reduce the organization’s exposure to cyber-attacks and the exfiltration of protected data.

What do you think about automated systems for vulnerability prioritization? How do they address the challenges of manual methods?

Systems should operate continuously and collect live data to drive vulnerability prioritization efforts based on actual usage. Traditional vulnerability systems, on the other hand, typically collect information periodically – on-demand, weekly, and even monthly. However, the lack of current exposure context can lead to resourcing and security gaps. This causes a significant human resource overhead and creates security gaps since the information doesn’t present a current map of the organization’s exposure.

Automated and continuous prioritization adapts to a dynamically changing attack surface. In turn, teams gain greater accuracy with less reliance on manual data collection and analysis. Automated systems allow for greater capacity to digest more (and higher priority) data and better leverage existing resources.

In parallel, organizations should consider deploying patchless protection to reduce their attack surface until patches are deployed. Patchless protection protects known vulnerabilities that haven’t been patched yet while preventing unknown vulnerabilities from causing damage.

How do incomplete asset inventories and data affect the process of vulnerability prioritization, and what strategies can be employed to overcome these challenges?

Vulnerabilities cannot be remediated on shadow IT assets or assets that cannot be easily accessed by the organization. Not all assets can be fully mapped, and not all assets – for instance, those running mission-critical processes — can be updated. In this reality, organizations need a clear map that defines which applications and assets pose the highest risk to be able to allocate resources to map and create a broader inventory for the entire organization. In parallel, organizations should consider applying compensatory control, such as Automated Moving Target Defense, to protect systems running applications that cannot be patched.

What key factors should organizations consider when building their formula for vulnerability prioritization? How do these factors interplay in deciding the urgency of remediation efforts?

No two organizations are the same, and each may wish to drive prioritization based on different strategies. For this, vulnerability management systems should offer multiple options to drive efforts, including the grouping of computing assets by business context, factoring the exposure of entire hosts (computing devices), aggregating vulnerabilities on applications, and presenting exploitability and the potential of exploitability for vulnerabilities.

Organizations should therefore decide on their key prioritization driving points, for instance, focusing on business-critical applications, and driving remediation processes according to that strategy. Modern vulnerability remediation technologies should easily adapt to the organization’s strategy of choice.

Where do you see the future of vulnerability prioritization heading, especially with the evolution of cyber threats and technological advancements?

Standard vulnerability management practices driven by CVSS scoring have evolved into risk-based vulnerability prioritization. The next step will be a paradigm shift to exposure management, which is a much broader term encompassing an increasing number of elements that are key categories representing risk to an organization.

For example, in addition to application vulnerabilities, companies will be deepening their identification and risk-based assessment of misconfigurations, privileges, and assets specific to an organization. These elements will form the basis of an overall risk score, which will enable security professionals to better focus their limited resources on the areas that will drive the greatest reduction in risk.