Risk based vulnerability management: reduce and prioritize remediation efforts with likelihood of an actual attack
Outpost24 Farsight provides our customers with the ability to focus their remediation efforts on those vulnerabilities that are most likely to be exploited in the wild and that match their individual risk appetite, whether that is a likelihood of greater than 1, or greater than 25 with an exploit available.
To demonstrate the power of Farsight and its ability to help customers focus on real risks, let's take a look at the current (as of writing, February 2020) likelihood breakdown of the Outpost24 vulnerability database.
Firstly, as our many customers know, we don't track every vulnerability for every product. Our main criterion is enterprise products, and looking at the current totals we have 186,128 unique vulnerabilities in the database.
The sheer number already illustrates the problem. And because a vulnerability is rarely a one-off but usually appears as many instances across an estate, that number can easily reach the 100,000s or even 1,000,000s of vulnerability instances for large global organizations, making it impossible for a security team to keep up and fix them all.
Can you teach an old dog new tricks?
With too many vulnerabilities to deal with and too little time (and resource), what you need is perspective. As Gartner put it nicely, 'a vulnerability is only as bad as the threat exploiting it and the impact on the organization'; the trick is to prioritize remediation with a framework that focuses on the likelihood of an actual attack rather than perceived risk.
CVSS – the old answer
Organizations have often focused on the CVSS score to gauge the most critical vulnerabilities to address. Going back to our vulnerability database:
- CVEs with a CVSS score of 9 or more: 32,843
- CVEs with a CVSS score of 10: 17,916
When you add the second most tracked attribute, exploit available, it looks even better.
- CVEs with CVSS >= 9 & exploit available: 4,412
On the surface this looks like the answer. By de-prioritizing anything with a CVSS score of less than 9 and focusing on these super critical vulnerabilities, the number is reduced to approximately 2.3% of all vulnerabilities being tracked. Less work, less time to remediate. But not so fast.
Why not? Because the risk is only real when a vulnerability is exploited. Hackers pay no attention to the scoring of a vulnerability and routinely exploit lower-ranked vulnerabilities. Just because the CVSS score is high does not mean the vulnerability will be exploited. Case in point: when we look at the 150,000+ deprioritized vulnerabilities, many of them have exploits associated with them and would have been overlooked if you rely on CVSS as the primary attribute and exploit availability as the second:
- CVEs with a CVSS score of less than 9 and a known exploit: 11,671
This shows that ultimately CVSS is not the be-all and end-all strategy. It assumes that CVSS scores above a certain value pose a risk to your organization and that vulnerabilities with an exploit available will almost certainly be exploited in the wild, an assumption we know to be untrue (see "Only 5.5% of all vulnerabilities are ever exploited in the wild").
Focus on the likelihood of an actual attack – in practice
Let's start with some basics and a quick reminder. In Outpost24 Farsight, likelihood represents how many times more likely than average a vulnerability is to be exploited in the wild. You can also look at it as the probability of successful weaponization.
Ultimately that is where the real risk lies. A vulnerability that will be weaponized and therefore used against one or more targets should be the primary focus of any vulnerability remediation strategy.
- CVEs with a likelihood > 1: 43,644
Or approximately 9,000 more than the number of vulnerabilities with a CVSS score >= 9.
- CVEs with a likelihood > 1 & CVSS >= 9.0: 20,701: 9,625
Already we are down to below 10,000 vulnerabilities that have a high or critical CVSS score and are at a higher than average risk of exploitation. But typically, this represents an incredibly conservative risk posture. Gartner views vulnerability prioritization technology (VPT) as an enabler for a more aggressive risk strategy for vulnerability remediation.
The closer the likelihood score is to 38.5, the higher the overall risk of exploitation in the wild. Bear in mind that a likelihood of 38.5 also includes those vulnerabilities that HAVE been exploited in the wild. Let's go ahead and take a moderate risk approach: likelihood >= 20.
- CVEs with a likelihood >= 20: 18,043
- CVEs with a likelihood >= 20 & CVSS >= 9.0: 4,821
As you can see, the closer to a likelihood of 38.5, the smaller the number, as you would hope and expect. Arguably though, 18,000 unique vulnerabilities is still a large number, so rather than focusing on CVSS let's look at the impact of exploit availability as an alternative.
- CVEs with a likelihood > 1 & exploit available: 7,888
Already we have taken the focus from approx. 23.5% of the total vulnerability database to 4.2%. Now focusing on a more aggressive risk posture and a likelihood of 20:
- CVEs with a likelihood >= 20 & exploit available: 5,838
- CVEs with a likelihood >= 30 & exploit available: 5,526
Interestingly, there is very little difference between a likelihood threshold of 20 and one of 30. Adding a CVSS score of 9.0 or higher reduces the number only to 2,433, which on the surface is a very manageable 0.4% of the total database; however, it highlights that taking this approach would mean ignoring another 3,100 vulnerabilities that are highly likely to be exploited.
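A toy version of the comparison above, added here as an example (it is not Farsight code): a constructed inventory carrying the three attributes the post uses (CVSS, exploit available, likelihood) and the post's thresholds, so you can see which vulnerabilities a CVSS-first policy deprioritizes that a likelihood-first policy would flag. The identifiers, scores and the `Vuln`/`Policy` names are all made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Vuln:
    vid: str            # constructed placeholder id, not a real CVE
    cvss: float         # CVSS base score, 0.0-10.0
    exploit: bool       # public exploit available
    likelihood: float   # Farsight-style likelihood: 1.0 = average, 38.5 = max per the post

# Constructed sample inventory (not real vulnerability data).
INVENTORY: List[Vuln] = [
    Vuln("V-001", 10.0, True,  38.5),  # critical and weaponized
    Vuln("V-002",  9.8, False,  0.4),  # critical CVSS, below-average likelihood
    Vuln("V-003",  9.1, True,   0.9),  # exploit exists but rarely used in the wild
    Vuln("V-004",  7.5, True,  31.0),  # high CVSS, very likely: missed by CVSS >= 9
    Vuln("V-005",  6.1, True,  22.0),  # medium CVSS, very likely: missed by CVSS >= 9
    Vuln("V-006",  5.3, False, 24.0),  # no public exploit yet, but likely to be weaponized
    Vuln("V-007",  4.3, False,  0.2),
    Vuln("V-008",  9.3, False, 19.0),
]

Policy = Callable[[Vuln], bool]

# Remediation queue policies using the thresholds discussed in the post.
POLICIES: Dict[str, Policy] = {
    "cvss>=9":                   lambda v: v.cvss >= 9.0,
    "cvss>=9 & exploit":         lambda v: v.cvss >= 9.0 and v.exploit,
    "likelihood>1":              lambda v: v.likelihood > 1.0,
    "likelihood>=20":            lambda v: v.likelihood >= 20.0,
    "likelihood>=20 & exploit":  lambda v: v.likelihood >= 20.0 and v.exploit,
    "likelihood>=20 & exploit & cvss>=9":
        lambda v: v.likelihood >= 20.0 and v.exploit and v.cvss >= 9.0,
}

def select(inv: Iterable[Vuln], policy: Policy) -> Set[str]:
    """Ids a policy puts into the remediation queue."""
    return {v.vid for v in inv if policy(v)}

def coverage(inv: List[Vuln], policies: Dict[str, Policy] = POLICIES) -> Dict[str, Tuple[int, float]]:
    """For each policy: (queue size, percent of the inventory), like the post's counts."""
    out = {}
    for name, pol in policies.items():
        chosen = select(inv, pol)
        out[name] = (len(chosen), round(100.0 * len(chosen) / len(inv), 1))
    return out

def missed_by(inv: List[Vuln], chosen: Policy, reference: Policy) -> List[str]:
    """Blind spot of `chosen`: ids that `reference` flags but `chosen` deprioritizes."""
    return sorted(select(inv, reference) - select(inv, chosen))
```

`missed_by(INVENTORY, POLICIES["likelihood>=20 & exploit"], POLICIES["likelihood>=20"])` isolates the vulnerabilities that are likely to be weaponized but have no public exploit yet, the group the closing section says a likelihood-based strategy lets you get ahead of.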
Farsight – putting you ahead of the threat actor
As you can see, how you focus your remediation efforts has a bearing on the total number of addressable vulnerabilities; the trick is to reduce that number without exposing your organization to more risk. But one thing is clear: using likelihood as the basis of your vulnerability prioritization strategy allows you to focus remediation efforts on those vulnerabilities that are going to pose a risk in the future. This is especially true if you focus on vulnerabilities that DON'T currently have exploits available.
The flexibility of Outscan / HIAB and Farsight means you can create multiple dynamic target groups based on many different permutations of risk, allowing you to focus your remediation efforts on the risks that are most important to you. As we develop Farsight in the coming months you will be able to identify exposed assets and assign business risk to further tune your risk focus. Our goal is to provide you with the tools to build the most flexible risk-based remediation strategy possible.