
CVSS Scoring: Why your Smart Refrigerator does not need to be Patched (Yesterday)

Is a CVSS score of 10 really a 10 in your environment? Vulnerability Risk Management is a work in progress for most organizations. Having dealt with many customers in this space, we have seen it all, from the mature organizations that use asset management to assign ownership across multiple remediation teams, to those just getting their feet wet with their first scanning platform deployment.

We all know that patching vulnerabilities is an absolute requirement, as a vulnerability is the unlocked door to your most precious assets. What we are unsure about, however, is what to do when we suddenly have tens of thousands of vulnerabilities in the queue. Combine this big-data issue with antiquated processes, staffing shortages, and difficulty tracking and reporting on the full vulnerability lifecycle, and suddenly you have yourself one big problem.

Today, organizations rely on CVSS scores to prioritize vulnerability remediation. The National Vulnerability Database, although helpful as a knowledge base for benchmarking vulnerabilities, lacks context about the assets on which these vulnerabilities live. Do I really need to patch that vulnerability found on my smart fridge, and should that vulnerability be reflected in the metrics shared with my C-suite executives? Moreover, should it be treated as equal to the hole in SSL that feeds into my customer-facing transaction database?

Here at RSA we have seen customers use ninja algorithms to manipulate CVSS scoring to make it more meaningful, some even looking to government organizations for methodologies such as the CARVER matrix. True vulnerability prioritization starts with CVSS scores and applies risk calculations to determine what the vulnerability means to your environment. By adopting a meaningful prioritization framework that massages the data returned by scanners, one can prioritize and remediate the most critical vulnerabilities on the most important assets. This prioritization technique filters out the noise and enables you to capture metrics that reflect the true security risk posture of your environment. Without insight into your data, you lose track of how vulnerable you truly are.

Combine this approach with external threat intelligence and you have a proactive way to measure and address security risk. Threat intelligence is a hot topic, but many of our customers wonder how to really use it to their advantage. Passively monitoring threat intel feeds is the first step in a phased approach; applying that information to your environment is the next. Use the affected-technologies data in a feed to turn threat information into threat intelligence, and determine whether those technologies live on devices in your environment. By combining this intel with asset criticality you can start to proactively address vulnerabilities before you even kick off a routine scan.
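The two ideas above, a CVSS base score re-weighted by asset criticality and exposure, then boosted or discounted by threat intelligence about affected technologies, can be shown in a small script. The following is an added example, not RSA's code or any product's scoring formula; the weights, the asset inventory, the `CVE-0000-000x` identifiers and the intel feed are all constructed placeholders, and `exposed_assets` illustrates the "before you even kick off a scan" check by matching intel-listed technologies against the inventory alone.

```python
"""Contextual vulnerability prioritization (added example, not RSA's code).

A CVSS base score is adjusted by the criticality and exposure of the asset
it was found on, and by threat intelligence about active exploitation of
the affected technology. All assets, CVE identifiers and the intel feed
below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    technologies: frozenset    # products on the asset, from the asset inventory
    criticality: float         # 0.0-1.0: business impact if this asset is compromised
    internet_facing: bool      # exposure: reachable from outside the network?


@dataclass(frozen=True)
class Finding:
    cve: str
    hostname: str
    cvss_base: float           # 0.0-10.0 as reported by the scanner / NVD


# Weights are assumptions for this example; a real program tunes them to its
# own risk appetite. All are <= 1.0 so the result stays on the familiar 0-10
# scale: 10 means "CVSS 10 on a critical, exposed, actively exploited asset".
EXPOSURE_WEIGHT = {True: 1.0, False: 0.6}
THREAT_WEIGHT = {True: 1.0, False: 0.7}     # exploited in the wild, or not


def contextual_score(finding, asset, intel):
    """CVSS base score x asset criticality x exposure weight x threat weight."""
    affected = intel.get(finding.cve, frozenset())
    # Intel only counts when the affected technology is actually on this asset
    exploited_here = bool(affected & asset.technologies)
    score = (finding.cvss_base
             * asset.criticality
             * EXPOSURE_WEIGHT[asset.internet_facing]
             * THREAT_WEIGHT[exploited_here])
    return round(score, 2)


def prioritize(findings, assets, intel):
    """Return (score, cve, hostname) tuples, most urgent first."""
    ranked = [(contextual_score(f, assets[f.hostname], intel), f.cve, f.hostname)
              for f in findings]
    ranked.sort(reverse=True)
    return ranked


def exposed_assets(assets, intel):
    """Proactive check: which assets run a technology named in the intel feed,
    regardless of whether a scan has reported the CVE on them yet?"""
    hits = []
    for cve, techs in intel.items():
        for asset in assets.values():
            if techs & asset.technologies:
                hits.append((cve, asset.hostname))
    return sorted(hits)


# --- constructed sample data -------------------------------------------------
ASSETS = {
    "fridge-01": Asset("fridge-01", frozenset({"fridge-firmware"}), 0.1, False),
    "txn-db-01": Asset("txn-db-01", frozenset({"openssl", "postgres"}), 1.0, True),
    "build-02":  Asset("build-02",  frozenset({"openssl"}), 0.5, False),
}
FINDINGS = [
    Finding("CVE-0000-0001", "fridge-01", 10.0),   # placeholder id: smart-fridge bug
    Finding("CVE-0000-0002", "txn-db-01", 7.5),    # placeholder id: SSL hole on the DB
]
# Placeholder intel feed: CVE -> technologies it affects, reported exploited
INTEL = {"CVE-0000-0002": frozenset({"openssl"})}

if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS, INTEL):
        print(row)
    print("assets carrying an intel-listed technology:", exposed_assets(ASSETS, INTEL))
```

Run as written, the CVSS 10 on the fridge drops to 0.42 while the CVSS 7.5 SSL hole on the internet-facing transaction database keeps its full 7.5 and tops the list; the proactive check also flags `build-02`, which runs the affected technology even though no scan finding for it exists yet.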

Vulnerability Risk Management is a large issue for most organizations. By adopting prioritization frameworks, cataloguing assets, maintaining asset criticality, and using threat information effectively, organizations can start to build a sustainable program to measure risk and prevent vulnerabilities from turning into incidents – and preventative care is always best.

The post CVSS Scoring: Why your Smart Refrigerator does not need to be Patched (Yesterday) appeared first on Speaking of Security - The RSA Blog and Podcast.
