By Ubong Kingsley-Udoh
The severity of vulnerabilities in the network is alarming these days and organisations are getting overwhelmed. In 2019, a total of 17,313 new vulnerabilities were disclosed – this means that security teams had to deal with 47 new vulnerabilities every day. As modern networks become more nimble, diverse and bigger, so is the attack surface becoming more expansive and fierce.
Irrespective of how large your organisation or war chest is, you will never have enough resources to remediate every vulnerability across your cyberattack surface. We are dealing with more vulnerabilities today than ever before. It is imperative for security teams to understand vulnerabilities in context and effectively utilise that data to make informed decisions. Being short on time and resources, prioritisation is needed.
Traditional IT can’t withstand the threats of today. With the advent of cloud computing, the modern attack surface has expanded. While legacy infrastructures are geared to scan for vulnerabilities in traditional IT environments, risk-based vulnerability management assists security teams in putting vulnerabilities in context and enables them to focus on the issues that pose the greatest risks to the organisation.
LEGACY PRIORITISATION METHODS ARE INEFFECTUAL
Employing methods like the Common Vulnerability Scoring System (CVSS) in prioritising vulnerabilities to be remediated has become somewhat ineffectual in an age where the sheer number of vulnerabilities has tripled. According to Carnegie Mellon University, “CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability.”
The CVSS is an ineffectual method in remediating vulnerabilities. Its metric table shows that High Vulnerabilities do have a (CVSS Score of 7 and higher) and Critical Vulnerabilities do have a (CVSS Score of 9 and higher). According to research by Tenable, 56% of vulnerabilities are assigned a CVSS score of 7 or higher. This means for every 150,000 disclosed vulnerabilities, the security teams will have to remediate 84,000 of it. Given the fact that most big organisations have a lot of vulnerabilities to quell, CVSS is quite ineffective.
CVSS AS A POOR INDICATOR OF ACTUAL RISK
It is a fact in the industry that the CVSS method is risk-unaware. Most CVSS scores are assigned within fifteen days of the vulnerability being discovered, and the scores approach risk from a theoretical view of how potentially dangerous a vulnerability could be. This means that security teams end up chasing the wrong issues and also waste their time in the process. Focusing on the wrong issues could portend great dangers as many critical vulnerabilities end up being unattended to.
USING DATA SCIENCE TO PREDICT VULNERABILITY OUTCOMES
It has been heralded for about a decade now that data is the new oil. The ability to glean datasets for actionable insights is a worthwhile process that turns data into decisions. Due to the large volume and scale of vulnerabilities these days, employing machine learning-based technologies will help in automating the process. The model will take into consideration past threat patterns, CVSS data, exploit codes, past threat sources, to mention but a few and outputs a risk-based score, thereby enabling organisations security teams focus on what’s truly important and mission-critical.