Predictive Prioritization: Focusing On What Matters First
Elena Sergeeva, Security Engineer
VULNERABILITY MANAGEMENT TODAY
Vulnerability Management In Brief
• A: Assess – Legacy and Modern Assets
• R: Remediate – Intelligent Prioritization
• M: Manage – Measure
THE MODERN ATTACK SURFACE
[Figure: asset types across the attack surface: Industrial IoT, ICS/SCADA, Enterprise IoT, IoT, Cloud, Container, Web app, Virtual machine, Mobile, Laptop, IT, Server, Desktop, Network infrastructure]
March 2019
THE THREE KEY QUESTIONS
• A: Where are we exposed?
• R: Where should we prioritize based on risk?
• M: How are we reducing exposure over time?
BARRIERS Ponemon Institute, Dec 2018
IF EVERYTHING IS IMPORTANT – NOTHING IS
59% High or Critical
Vulnerability Intelligence Report | Tenable Research
Number of Vulnerabilities During the Past Decade
[Chart: Vulnerabilities Discovered Each Year, 1999–2019]
• 16,500 vulnerabilities disclosed in 2018
• 63% of vulnerabilities discovered in environments are CVSS 7+
• 7% of vulnerabilities had an exploit available
• 12% of vulnerabilities disclosed in 2017 were CVSS 9+
Vulnerability Intelligence Report | Tenable Research
Number of Vulnerabilities During the Past Decade
* Gartner Market Guide for Vulnerability Assessment, Craig Lawson, Prateek Bhajanka, June 19, 2018
FOCUS ON WHAT MATTERS FIRST
PREDICTIVE PRIORITIZATION
• Research Insights: Data science based analysis of over 100,000 vulnerabilities to differentiate between the real and theoretical risks vulnerabilities pose
• Threat Intelligence: Insight into which vulnerabilities are actively being exploited by both targeted and opportunistic threat actors.
• Vulnerability Rating: The criticality, ease of exploit and attack vectors associated with the flaw.
≈95% Reduction in vulnerabilities to be remediated with the same impact to the attack surface
Examples
• CVE Age
• Days Since NVD Last Modified
• Number of References
• CVSS v3 Base Score
• CVSS v3 Exploitability Score
• CVSS v3 Impact Score
• Total Affected Software
• Days since last ExploitDB entry
• Days since first ExploitDB entry
• Total ExploitDB entries
• Distinct days with cyber exploits
• Days since last cyber exploit
• Days since first cyber exploit
• Total cyber exploit events
• Days since last cyber attack
Vulnerability Priority Rating – 70 days prior to CVSS score Linux Kernel Flaw
Top Five Vulnerabilities in 2018
CVE              CVSSv2 Score          CVSSv3 Score          Tenable
                 (According to NVD)    (According to NVD)    (Vulnerability Priority Rating)
CVE-2018-8174    7.6                   7.5                   9.9
CVE-2018-4878    7.5                   9.8                   9.5
CVE-2017-11882   9.3                   7.8                   9.9
CVE-2017-8750    7.6                   7.5                   9.4
CVE-2017-0199    9.3                   7.8                   9.9
Extracted from the Recorded Future Report “Top Ten Vulnerabilities of 2018” 03/19/19
WE FIND THE NEEDLES 3% Vulnerability Priority Rating
KEY QUESTIONS
• How many vulnerabilities do you deal with every month?
• Do you patch every vulnerability?
• What does that cost your organization?
• How do you prioritize?
• Do you use threat intelligence?
• Could staff be more efficient?
SUGGESTIONS
• If you have limited resources and budget, focus on vulnerabilities that are actually leveraged in attacks
• Leverage threat intel to identify “urgent” and update your security policy to support remediating these ASAP
• Continue to work through less urgent remediation work and update policy to support updated SLAs
Thank You