If you’re reading this, you’re in the all too common position that your business has more vulnerabilities than it can possibly remediate and you need to prioritise them to tackle the most critical first. With scanners reporting hundreds and in some cases THOUSANDS of new vulnerabilities each day, it’s tough to stay on top of it. But don’t worry, you are not alone in the struggle. In this guide, we are going to talk you through how best to prioritise vulnerabilities as well as what NOT to do.
(And if you are a small organisation that can currently remediate every issue that arises, congratulations. But beware: as you grow and more processes, systems and procedures are put in place, you may find it becomes too much to handle. You may also discover that even though you are able to patch everything, you don’t have to, and by choosing wisely you can save time and deploy resources elsewhere. In either case, bookmark this guide so you can come back to it later when you need it!)
As Chris Wallis, CEO of the vulnerability scanner Intruder, says, “It has never been more important to prioritise vulnerabilities effectively. With nearly 20,000 being discovered each year, and hackers weaponising exploits faster than ever, teams must focus on fixing those most likely to lead to a breach – and fast, rather than always aiming for a clean slate.”
Let’s start with what correct prioritisation means.
Prioritising means ranking things or tasks in a certain order. And with vulnerabilities, we could rank in a number of ways:
There are many other ways you could choose to prioritise, but the final one in the list above is the correct one: rank by the risk each vulnerability poses to your business. It doesn’t matter if the CVSS score is 8+ if the vulnerability affects a system you don’t use. Instead, you need to look at the vulnerabilities that affect the platforms you do use. What is your business dependent on? Where do your weaknesses lie?
Before we move on, we know of many cases where IT security teams have prioritised in order of how easily or quickly a vulnerability can be fixed. And having worked in the industry and seen first-hand how difficult it is to measure a team’s performance, we understand why. The issue is that bad KPIs drive bad behaviours, and real thought and effort needs to be put into how an organisation sets targets for its teams. Closing more tickets might show productivity but it won’t help the business overall. It does not result in effective risk management.
If you’re finding it impossible to remediate all the new vulnerabilities that scanners identify, prioritising them manually won’t be a walk in the park either. In some cases, a team can spend more time on the prioritisation process than they do on responding to the vulnerabilities. This does not result in effective remediation management either.
So let’s go through all the options to help you prioritise the vulnerabilities facing your business.
Most companies opt for the industry-standard CVSS score when remediating vulnerabilities. While this may seem like a straightforward approach, it leaves out things that matter, most obviously how critical the vulnerable asset is within your environment. To one business it is core to its operations; to another, it’s irrelevant.
On that note, CVSS also doesn’t take into account the compensating controls you may have in place around that critical asset. In other words, if the asset is fully isolated so that nobody can reach it (through network segmentation, or a Zero Trust architecture that denies access by default), the practical risk is low, whatever the score says.
Another concern with CVSS is that it relies on a company interpreting the score in the correct way and acting upon it appropriately. If a company has a committed, expert team then they’ll have strong processes in place but when team members leave, some of the processes may leave with them, get edited or simply become inconsistent.
Finally, there’s the severity vs risk factor. A CVSS base score measures how bad a successful exploit would be, not how likely one is; the temporal (v3) and threat (v4) metrics that capture exploit maturity are rarely populated in scanner output. Only a small percentage of what’s considered a high or critical CVSS vulnerability is ever really exploited in the wild. From past experience, it can be as low as 14%. This of course doesn’t mean you can write off the vast majority of vulnerabilities on your list; it just means you must remember that severity and likelihood are different things, and you must not panic if you’re presented with a long list of critical vulnerabilities to remediate.
There are several companies that offer vulnerability prioritisation support by taking the list of vulnerabilities faced by a company, adding vulnerability intelligence to it, and then utilising what they know about the environment to try and help the organisation to prioritise it on a risk-based approach. While those technologies are great, the problem is that they’re very expensive. And if you’re reading this, they’re most likely charging more than you can afford.
Not only that, but the customisation is limited. This is why RankedRight was created – we wanted to provide a platform that allowed organisations to create their own rules with the intelligence that we can provide them, and at a good price.
MSSPs (or Managed Security Service Providers) can use the RankedRight platform to ensure their own view of a risk is reflected in your decision making as their customer. (If you are an MSSP, please do get in touch with us as we’d love to see how we might be able to work with you.)
There are also ITSM solutions with limited built-in support for vulnerability prioritisation, which can be a way of cutting costs if you already use them in your IT environment. One issue with these is that while the ticketing system is advanced, it is not purpose-built for vulnerability management, so you may find yourself doing extra work to make it do what you need.
We’ve always said that the best people to prioritise the vulnerabilities facing the business are its own IT security team. Why? Because they have the best knowledge of the tools, processes and systems in place and will know what will have the greatest impact on the organisation.
However, there is a problem with a business doing manual triage entirely on its own. Aside from the time issue we mentioned above, there’s also the issue of inconsistency.
If a team creates its own prioritisation rules, it’s still likely that there will be inconsistencies within that team over what is most critical. Not only that but the objectives set for the team could be changed over time depending on the date of personnel appraisals or the company year end.
In this case, we’ve seen companies move their attention from the top of the list to the bottom, to the lower-risk items, which are usually also the easiest to remediate. This is done to look productive and hit a new KPI, even though it does nothing to reduce the overall risk to the organisation.
In other cases, we’ve seen teams where one person starts at the top of the list, another person starts at the bottom, and they try to meet in the middle. We’ve even seen picking off vulnerabilities at random.
We mentioned before the issues that can be caused when staff leave, and this is because prioritisation rules aren’t always well documented. It’s often done by gut.
So, if the person in charge of ranking risks goes on holiday or is suddenly not available, neither is the ranking intelligence. Then the business has to start all over again.
So what is the best option?
As mentioned above, inconsistency is dangerous. By agreeing and documenting ranking rules you will already be a huge step forward in solving your problems.
This is another reason why we started RankedRight, and developed the Stored Ranking Profiles feature. To make full use of our automated triage, you create, build and save prioritisation rules for vulnerabilities once; then every time new vulnerability data is ingested, it is automatically prioritised the way you want and assigned to the right person or tool.
Also, by documenting everything, it will be easier to track performance against SLAs as you’ll have better visibility over the action you’re taking, the reason behind it and the results.
Not only that, but by documenting everything, it will avoid you taking differing approaches to the same type of vulnerability which just feeds inefficiency over time.
Vulnerability management involves an incredibly large volume of data and lots of different vulnerability records. To be fast with it, you need to automate in some way.
But we are not yet in a world where artificial intelligence or machine learning can run vulnerability management on their own. It is still human-driven. You can certainly use machine learning, artificial intelligence and programmatic methods to get a long way, but there is still a final sign-off, which we refer to as remediate, defer, accept. There are situations where a vulnerability is prioritised high and you are still not in a position to remediate it quickly. So there needs to be a process that allows some form of risk acceptance to push those tasks further down the line, with the question, “If I don’t fix it now, how do I monitor to see whether this vulnerability is actually being exploited?”
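To make the points above concrete, here is an added example of a documented ranking profile applied to scanner output. It is not RankedRight’s code or the author’s method; it is illustrative code that ties together three points made on this page: a CVSS base score alone ignores asset criticality, compensating controls and whether an exploit is actually in use; ranking rules should be written down once so results do not depend on who is on shift; and the last step is a human sign-off of remediate, defer or accept. The asset inventory, the rule weights, the finding IDs (F1 to F4, not real CVEs) and the exploited-in-the-wild flags are all constructed for the example.

```python
"""Risk-based ranking of scanner findings under a documented rule set.

Added example, not RankedRight's code. The asset inventory, rule weights and
scanner findings below are constructed for illustration; a real team would
keep the rule set in version control and feed it real inventory and intel.
"""
from dataclasses import dataclass

# Constructed asset inventory. "criticality" (1..5) is the security team's
# judgement of what the business depends on; "exposure" records compensating
# controls (an isolated host is effectively unreachable by an attacker).
ASSETS = {
    "pay-api-01": {"criticality": 5, "exposure": "internet"},
    "hr-app-02":  {"criticality": 4, "exposure": "internal"},
    "build-03":   {"criticality": 3, "exposure": "internal"},
    "lab-vm-09":  {"criticality": 1, "exposure": "isolated"},
}

# The documented ranking profile. Every number is a hypothetical weight the
# team agrees on once, so that ranking does not depend on who is on shift.
RULES = {
    "exposure_factor": {"internet": 1.0, "internal": 0.6, "isolated": 0.1},
    "exploited_bonus": 3.0,   # exploit observed in the wild (from an intel feed)
    "unused_factor": 0.2,     # vulnerable package present but its service not used here
    "remediate_at": 4.0,      # score at or above this: fix now
    "accept_below": 1.0,      # score below this: formally accept and re-review later
}


@dataclass(frozen=True)
class Finding:
    fid: str          # scanner's finding id (constructed, not a real CVE)
    asset: str
    cvss: float       # CVSS base score: severity of a successful exploit only
    exploited: bool   # exploit seen in the wild, from vulnerability intelligence
    in_use: bool = True


def risk_score(f, assets=ASSETS, rules=RULES):
    """Combine severity with business context. Higher means fix sooner."""
    asset = assets[f.asset]
    score = f.cvss
    if f.exploited:
        score += rules["exploited_bonus"]          # likelihood, which CVSS base lacks
    score *= asset["criticality"] / 5.0            # what the business depends on
    score *= rules["exposure_factor"][asset["exposure"]]  # compensating controls
    if not f.in_use:
        score *= rules["unused_factor"]            # affects a feature we don't use
    return round(score, 2)


def rank(findings, assets=ASSETS, rules=RULES):
    """Same input, same order, every time: the rules are the documentation."""
    return sorted(findings, key=lambda f: risk_score(f, assets, rules), reverse=True)


def decide(f, can_fix_now, assets=ASSETS, rules=RULES):
    """Final human sign-off: remediate, defer (monitor and re-review), or accept."""
    s = risk_score(f, assets, rules)
    if s >= rules["remediate_at"]:
        return "remediate" if can_fix_now else "defer"
    if s < rules["accept_below"]:
        return "accept"
    return "schedule"   # fix within the normal SLA window


# Constructed scanner output. F1 looks worst by CVSS but sits on an isolated lab
# box; F2 has the lowest CVSS but is being exploited on an internet-facing core system.
SAMPLE_FINDINGS = [
    Finding("F1", "lab-vm-09", 9.8, exploited=False),
    Finding("F2", "pay-api-01", 7.5, exploited=True),
    Finding("F3", "hr-app-02", 9.1, exploited=False),
    Finding("F4", "build-03", 8.8, exploited=False, in_use=False),
]


def ranked_ids(findings=SAMPLE_FINDINGS):
    return [f.fid for f in rank(findings)]


if __name__ == "__main__":
    by_cvss = [f.fid for f in sorted(SAMPLE_FINDINGS, key=lambda f: f.cvss, reverse=True)]
    print("By CVSS alone:  ", by_cvss)
    print("By risk profile:", ranked_ids())
    for f in rank(SAMPLE_FINDINGS):
        print(f.fid, f.asset, f.cvss, risk_score(f), decide(f, can_fix_now=True))
```

Run as a script, it shows the CVSS-only order (F1, F3, F4, F2) turned almost upside down by context: the exploited finding on the internet-facing payment API comes first, and the 9.8 on the isolated lab VM drops to the bottom where it can be formally accepted and re-reviewed. The `decide` step is where the page’s remediate/defer/accept sign-off lives; a deferred item should carry a monitoring action and a review date, which this example leaves to the ticketing system.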
When we created RankedRight, we sought to blend the best elements of tech – automation and machine learning – with the best features of a human. In this case, insight and knowledge into the business, and reasoning. Vulnerabilities cannot be correctly (and completely) prioritised in order of criticality to the business without the insight and knowledge of its IT security team; nor without the speed of automation or consistency of a machine. That’s why we think they have to go hand in hand.
Book a demo to see for yourself.
The more context about your organisation’s vulnerabilities you have in real-time, the more data-driven and accurate your remediation decisions become. Scan data doesn’t contain all of the information you need to prioritise effectively: you need to use outside intelligence. This could be vulnerability intelligence or threat intelligence from various intelligence providers.
Vulnerability management is a powerful way of identifying issues before an attacker does. Many organisations, especially in the enterprise, are starting to realise that if they put smart, experienced people into the vulnerability management team rather than only junior analysts, and connect it to tools they already run elsewhere in the security programme such as threat intelligence or threat hunting, it drives better outcomes, including prioritised remediation and intelligence-informed decisions about business impact.
To stress the significance of an IT security team’s insight and knowledge: over the past decade or so there have been several major security breaches, even since WannaCry, that came down to risks being incorrectly prioritised. In one case, looking back at the incident, we saw a scanner identify a vulnerability that became very high profile a few months later because of the many exploits released for it. Despite those exploits, nothing changed in how the vulnerability was prioritised, so while it should have moved to the very top of the list, it stayed far below many lower-risk vulnerabilities. An IT security team with its finger on the pulse would have spotted this and manually changed the prioritisation rules to address it. A machine might not.
Things to monitor include SecLists.org, vFeed, Project Zero, Packet Storm, as well as CVE. Keeping abreast of cybersecurity as a whole is massively important. Too often, companies rely too heavily on the scanner to identify an issue, when the reality is that the scanning companies are working, in some cases, as fast as you are. A good team should know about a vulnerability before they can even scan for it.
It doesn’t matter if you were the best in your team at your last job. If you’re new to a company, you have a lot to learn about its environment before you will be firing on all cylinders when it comes to prioritising vulnerabilities the right way. This is because vulnerabilities mean different things to different businesses, depending on how their network, environment and estate are laid out and secured. The controls your team already has in place need to be taken into account; otherwise, vulnerabilities that are not going to be an issue in your environment will keep appearing in your scans and you will waste time and effort trying to remediate them.
A lot of time can be wasted on false-positive data from the scanning tools. This is where a scanner reports a risk that doesn’t actually exist. There needs to be a focus on tuning the scan tooling to reduce the false-positive rate. If you use a managed security service provider, make sure they provide some form of false-positive verification or data validation before the findings enter your prioritisation funnel. This avoids wasting time triaging something that isn’t even there.
Hopefully this guide has helped you consider what you can change in your team and processes to ensure you’re better equipped for effective vulnerability prioritisation. If you’d like more advice or a demo of the RankedRight platform, why not contact us? We’d be happy to help.